Securing the gpmon Database User

The Greenplum Database gpmon role is a superuser role used to manage the gpperfmon database and to retrieve other information from Greenplum databases used in the Command Center interface. The Command Center installer creates the gpperfmon database and the gpmon database role if they do not already exist.

Authentication for the gpmon Role

If the $MASTER_DATA_DIRECTORY/pg_hba.conf authentication file contains no entries for the gpmon role, the installer adds these entries:

local      gpperfmon     gpmon                 md5
host       all           gpmon  127.0.0.1/28   md5
host       all           gpmon  ::1/128        md5
host       all           gpmon  samenet        md5

If the pg_hba.conf file already has one or more gpmon entries, the installer will add the samenet entry if it is not already present. If samenet does not work with your network configuration, you must manually edit the pg_hba.conf file to allow gpmon access from all hosts in the cluster.

The Command Center Table Browser requires the all entry in the database field to allow gpmon to retrieve table metadata and statistics from each database.

If you use a method other than md5 to authenticate the gpmon role, such as LDAP or Kerberos, edit the pg_hba.conf file manually to enable gpmon connections from all hosts and access to all databases.

If any of these entries are missing from pg_hba.conf Command Center may fail to start, or some features may not work properly.

Administrators can view and update the pg_hba.conf file in Command Center on the Admin> Authentication page. If you update the pg_hba.conf outside of Command Center, be sure to use the gpstop -u command to have Greenplum Database reload the file.

$ gpstop -u

Setting the gpmon Password

If you run the gpccinstall command with the -W option, it prompts you to enter a password for the gpmon role. If you do not supply the -W option, gpccinstall uses a default password. It adds the password to the .pgpass file in the gpadmin user’s home directory. The entry in the .pgpass file is similar to the following:

*:5432:gpperfmon:gpmon:changeme

See The Password File in the PostgreSQL documentation for details about the .pgpass file.

The .pgpass file is required on the Greenplum Database master host to start the gpperfmon data collection agents. If you run Greenplum Command Center on the standby master host, you can copy the .pgpass file to that host, or you can run the Command Center gpcc management utility with the -W option to request password entry each time you start or stop Command Center or request status.

To change the gpmon password, follow these steps:

  1. Log in to Greenplum Database as a superuser and change the gpmon password with the ALTER ROLE command:

    # ALTER ROLE gpmon WITH ENCRYPTED PASSWORD 'new_password';
    
  2. On the Greenplum master host, update the password in the .pgpass file in the gpadmin home directory (~/.pgpass). Replace the existing password in the line or lines for gpmon with the new password.

    *:5432:gpperfmon:gpmon:new_password
    
  3. Ensure that the .pgpass file is owned by gpadmin and RW-accessible by gpadmin only.

    $ chown gpadmin:gpadmin ~/.pgpass
    $ chmod 600 ~/.pgpass
    
  4. Restart Greenplum Command Center with the gpcc utility.

    $ gpcc stop
    $ gpcc start
    

Be sure to also update the .pgpass file on the standby master host.

Authenticating gpmon with Kerberos

If you authenticate Greenplum Database and Command Center users with Kerberos, you can also authenticate the gpmon user with Kerberos.

To prepare for installing Command Center with Kerberos authentication, follow these steps:

  1. Create the gpperfmon database using the Greenplum Database gpperfmon-install management utility.

  2. On the KDC, create a keytab file containing the Kerberos principal for the gpmon user, just as you would for any Kerberos-authenticated client. Install the file on the Greenplum master and standby hosts.

  3. Update the entries for gpmon in the $MASTER_DATA_DIRECTORY/pg_hba.conf file to use the gss authentication method.

    host all gpmon 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.EXAMPLE.COM
    

    Note that local entries in pg_hba.conf cannot be authenticated with Kerberos. If there is a local entry for the gpmon user, it will use the .pgpass file to authenticate with the database. See The pg_hba.conf file in the PostgreSQL documentation for complete pg_hba.conf file documentation.

  4. Log in to the master host as gpadmin and authenticate the gpmon user.

    $ kinit gpmon
    
  5. Install Greenplum Command Center to set up the Kerberos-enabled Command Center.