Configuring Authentication for the Command Center Console
The installation utility created the Greenplum Command Center database, enabled the data collection agents, and created a `gpmon` superuser. This is the Greenplum role used to manage the Command Center components and data within the Greenplum environment. The `gpmon` role is configured to use md5-encrypted password authentication to connect to the Greenplum Database instance. The `gpmon` role must be configured in `pg_hba.conf` to allow access to every database that will be monitored using the Command Center.
Greenplum Command Center does not accept logins from the `gpadmin` user, or from local users configured with `trust` authentication in the `pg_hba.conf` file. Allowing `trust` authentication for remote logins is discouraged because it is insecure.
There are three user levels in Greenplum Command Center.
- Regular user – Regular users may only view their own database queries and do not have access to administrative functions.
- Operator – Operators have access to more functionality in the Command Center Console than regular users, but they do not have to be a Greenplum Database superuser. Operators can view and cancel all queries and have limited access to administrative tasks. The Operator role must be created and users must be assigned to that role. The procedures are described below.
- Superuser – A Greenplum Database superuser can use all GPCC features, including viewing information for all database queries, system metrics, and administrative tasks.
The Command Center Console is configured by default to require md5-encrypted password authentication, so make sure each GPCC user role has an md5-encrypted password set.
If you are using Greenplum Database version 4.2.1 or higher, you have the option of using SHA-256-encrypted password authentication. You can specify SHA-256 authentication by changing the `password_hash_algorithm` server parameter. This parameter can be set either system-wide or on a session level.
Any other Greenplum Database users with appropriate privileges can access Command Center.
To create a new Command Center user, first you have to create a Greenplum Database user, then edit the `pg_hba.conf` file to give that user access to Command Center.
The following are steps to create new Command Center users.
See the Greenplum Database Administrator Guide for more detailed information about creating database users and roles.
- Log in as `gpadmin` on the master host.
- Use the `CREATE ROLE` command to create a user:
To create a regular user - a database read-only role:
# CREATE ROLE cc_user WITH LOGIN PASSWORD 'new_password';
To create an Operator user - a database role that is a member of the
Create the role
# CREATE ROLE gpcc_operator;
Grant Operator permissions to a user by making the user a member of the
# GRANT gpcc_operator TO cc_user;
Grant Operator permissions to a group by granting the `gpcc_operator` role to the group:
# CREATE ROLE cc_users;
# GRANT cc_users to cc_user;
# GRANT gpcc_operator to cc_users;
To create a superuser - a database role with superuser privileges:
# CREATE ROLE cc_admin WITH LOGIN PASSWORD 'new_password' SUPERUSER CREATEDB;
Verify that roles were created successfully using the following command:
The new users you just created should be returned along with the attributes you specified.
- Edit the `pg_hba.conf` file to give the new user access to Command Center. Open the file in an editor:
$ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
Scroll to the bottom of the file and insert the following lines to give the new users access from any IP address using password authentication:
host gpperfmon cc_user 127.0.0.1/28 md5
host gpperfmon cc_admin 127.0.0.1/28 md5
**Note:** If you subsequently have issues logging in to Command Center, it may be due to your specific environment; check the `$GPPERFMON/instances/instance_name/logs/gpmonws.log` log file for authentication errors. Edit the `pg_hba.conf` file based on the error message and your specific environment.
- Save the file and exit the editor.
Enter the following command to reload Greenplum Database processes.
# gpstop -u
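Before reloading, the edited `pg_hba.conf` can be checked against the rules stated on this page. The following is an added example, not part of the Greenplum documentation: the sample file content is constructed, `etl_user` and the function names are hypothetical, and only CIDR-form addresses are handled (not the separate IP-mask column form).

```python
import ipaddress

# Constructed sample pg_hba.conf content (not taken from a real system).
SAMPLE = """\
# TYPE  DATABASE   USER      ADDRESS          METHOD
local   all        gpadmin                    trust
host    all        etl_user  10.0.0.0/8       trust
host    gpperfmon  gpmon     127.0.0.1/28     md5
host    gpperfmon  cc_user   127.0.0.1/28     md5
host    gpperfmon  cc_admin  192.168.10.0/24  md5
"""

def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) per rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":          # local rules have no address column
            if len(fields) >= 4:
                yield lineno, fields[0], fields[1], fields[2], None, fields[3]
        elif len(fields) >= 5:            # host/hostssl/hostnossl, CIDR address
            yield lineno, fields[0], fields[1], fields[2], fields[3], fields[4]

def is_loopback_only(address):
    """True if the CIDR range contains loopback addresses only."""
    try:
        return ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:                    # hostname, 'all', 'samenet', ...
        return False

def audit(text):
    """Return (lineno, user, finding) tuples for the rules this page states."""
    findings = []
    for lineno, kind, _db, user, addr, method in parse_hba(text):
        remote = kind != "local" and not is_loopback_only(addr)
        if method == "trust" and remote:
            findings.append((lineno, user, "trust authentication for remote logins"))
        elif method == "trust":
            findings.append((lineno, user, "trust login is not accepted by Command Center"))
        elif kind != "local" and not remote:
            findings.append((lineno, user, "rule matches loopback clients only"))
    return findings

if __name__ == "__main__":
    for lineno, user, finding in audit(SAMPLE):
        print(f"line {lineno}: {user}: {finding}")
```

The `127.0.0.1/28` rules are reported as loopback-only because that range is 127.0.0.0 to 127.0.0.15; a client connecting from another host needs a rule that covers its own address range.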