Configuring Authentication for the Command Center Console

The installation utility created the Greenplum Command Center database, enabled the data collection agents, and created a gpmon superuser. This is the Greenplum role used to manage the Command Center components and data within the Greenplum environment. The gpmon role is configured to use md5-encrypted password authentication to connect to the Greenplum Database instance. The gpmon role must be configured in pg_hba.conf to allow access to every database that will be monitored using the Command Center.

Greenplum Command Center does not accept logins from the gpadmin user, or from local users configured with trust authentication in the pg_hba.conf file. Allowing trust authentication for remote logins is discouraged because it is insecure.

There are three user levels in Greenplum Command Center.

  • Regular user – Regular users may only view their own database queries and do not have access to the Administrative tab.
  • Operator – Operators have access to more functionality in the Command Center Console than regular users, but they do not have to be a Greenplum Database superuser. Operators can view and cancel all queries and have limited access to administrative tasks. The Operator role must be created and users must be assigned to that role. The procedures are described below.
  • Superuser – A Greenplum Database superuser can use all GPCC features, including viewing information for all database queries, system metrics, and administrative tasks.

The Command Center Console is configured by default to require md5-encrypted password authentication, so make sure each GPCC user role has an md5-encrypted password set.

If you are using Greenplum Database version 4.2.1 or higher, you have the option of using SHA-256-encrypted password authentication. You can specify SHA-256 authentication by changing the password_hash_algorithm server parameter. This parameter can be set either system-wide or on a session level.

Any other Greenplum Database users with appropriate privileges can access Command Center.

To create a new Command Center user, first you have to create a Greenplum Database user, then edit the pg_hba.conf file to give that user access to Command Center.

The following are steps to create new Command Center users.

See the Greenplum Database Administrator Guide for more detailed information about creating database users and roles.

  1. Log in as gpadmin on the master host.
  2. Start psql:
    $ psql
  3. Enter the CREATE ROLE command to create a user:
    To create a regular user - a database read-only role:
    # CREATE ROLE cc_user WITH LOGIN PASSWORD 'new_password';
    To create an Operator user - a database role that is a member of the gpcc_operator role:
    1. Create the role gpcc_operator:
      # CREATE ROLE gpcc_operator;
    2. Grant Operator permissions to a user by making the user a member of the gpcc_operator role:
      # GRANT gpcc_operator TO cc_user;
    3. Grant Operator permissions to a group by granting the gpcc_operator role to the group:
      # CREATE ROLE cc_users;
      # GRANT cc_users to cc_user;
      # GRANT gpcc_operator to cc_users;
    To create a superuser - a database role with superuser privileges:
    # CREATE ROLE cc_admin WITH LOGIN PASSWORD 'new_password' SUPERUSER CREATEDB;
  4. Verify that roles were created successfully using the following command:
    # \du
    The new users you just created should be returned along with the attributes you specified.
  5. Exit psql.
    # \q
  6. Edit the pg_hba.conf file to give the new user access to Command Center. Open the file in an editor:
    $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
  7. Scroll to the bottom of the file and insert the following lines to give the new users access from any IP address using password authentication:
    host     gpperfmon    cc_user    127.0.0.1/28     md5
    host     gpperfmon    cc_admin   127.0.0.1/28     md5
    Note: If you subsequently have issues logging in to Command Center, it may be due to your specific environment; check the $GPPERFMON/instances/instance_name/logs/gpmonws.log log file for authentication errors.

    Edit the pg_hba.conf file based on the error message and your specific environment.

  8. Save the file and exit the editor.
  9. Enter the following command at the shell prompt to reload Greenplum Database processes.
    $ gpstop -u
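
An added example, not part of the Greenplum documentation: a small Python check for the pg_hba.conf entries edited in the steps above. It reports the address range each host entry covers and flags trust authentication. The sample file contents and the function name audit_pg_hba are constructed for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf contents, not taken from a real system.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE   USER      ADDRESS         METHOD
local   all        gpadmin                   ident
host    gpperfmon  cc_user   127.0.0.1/28    md5
host    gpperfmon  cc_admin  127.0.0.1/28    md5
host    all        all       0.0.0.0/0       trust
host    gpperfmon  gpmon     10.1.2.0 255.255.255.0 md5
"""

def audit_pg_hba(text):
    """Return one dict per host-type entry with its address range and findings."""
    report = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        # Only host, hostssl and hostnossl entries carry an address column.
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue
        user, address, method = fields[2], fields[3], fields[4]
        # Two-column form: IPv4 address followed by a dotted netmask.
        if len(fields) >= 6 and method.replace(".", "").isdigit():
            address, method = f"{address}/{method}", fields[5]
        findings = []
        try:
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            net = None  # hostname or keyword such as samenet
            findings.append("address is not an IP range; review by hand")
        if method == "trust":
            findings.append("trust: connects without a password")
        if net is not None and net.prefixlen == 0:
            findings.append("matches every client address")
        elif net is not None and net.is_loopback:
            findings.append("matches loopback addresses only")
        report.append({"line": line_no, "user": user, "method": method,
                       "range": (str(net[0]), str(net[-1])) if net else None,
                       "findings": findings})
    return report

if __name__ == "__main__":
    for entry in audit_pg_hba(SAMPLE_PG_HBA):
        print(entry)
```

On the sample, the 127.0.0.1/28 entries resolve to 127.0.0.0 through 127.0.0.15, so the range in the address column should be checked against the hosts that Command Center users connect from.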