Configuring Authentication for the Command Center Console
Greenplum Command Center users are Greenplum Database users, authenticated using the standard Greenplum Database host-based authentication system. When authentication is properly configured, a user can use the same credentials to log into a database with a database client such as psql and into the Command Center web interface with a browser.
To create a new Command Center user, first create a Greenplum Database user, then edit the Greenplum host-based authentication configuration file (pg_hba.conf) to give that user access to Command Center.
A Greenplum Database user who can authenticate via the pg_hba.conf file can log in to Greenplum Command Center, view or cancel their own queries, and view metrics screens. A user's Command Center permission level determines whether additional Command Center features are accessible. See Authorization for information about permissions.
Note: Greenplum Command Center does not accept logins from the gpadmin user, or from local users configured with trust authentication in the pg_hba.conf file. Allowing trust authentication for remote logins is discouraged because it is insecure.
The following are steps to create new Command Center users in an interactive psql session. With the exception of the CREATE ROLE command to create a new database user, all of these steps can be performed in the Command Center on the Admin>Permissions or Admin>Authorization screens.
See the Greenplum Database Administrator Guide for more detailed information about creating database users and roles.
- Log in as gpadmin on the master host. Start psql:
$ psql
- Enter the CREATE ROLE command to create a user:
# CREATE ROLE cc_user WITH LOGIN ENCRYPTED PASSWORD 'changeme';
To create an Admin user - a role with superuser privileges in the database and Greenplum Command Center:
# CREATE ROLE cc_admin WITH LOGIN ENCRYPTED PASSWORD 'changeme' SUPERUSER CREATEDB;
- For users other than Admin, set the permission level by adding the user to a Command Center group role:
To create a Basic user, add the user to the gpcc_basic role:
# GRANT gpcc_basic TO cc_user;
To create an Operator Basic user, add the user to the gpcc_operator_basic role:
# GRANT gpcc_operator_basic TO cc_user;
To create an Operator user, add the user to the gpcc_operator role:
# GRANT gpcc_operator TO cc_user;
- Grant permissions to a group by granting the role to the group:
# CREATE ROLE cc_users;
# GRANT cc_users TO cc_user;
# GRANT gpcc_operator TO cc_users;
- Verify that roles were created successfully using the following command:
# \du
The new users you created are returned along with the attributes you specified.
- Edit the pg_hba.conf file to give new users access to databases and the Command Center. Open the file in an editor:
$ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
Scroll to the bottom of the file and insert the following lines to give the new users access from any IP address using password authentication:
host gpperfmon cc_user 127.0.0.1/28 md5
host gpperfmon cc_admin 127.0.0.1/28 md5
List additional databases the users can access after gpperfmon, or replace gpperfmon with all to allow the users to access any database.
Note: If you subsequently have issues logging in to Command Center it may be due to your specific environment; check the $GPPERFMON/instances/instance_name/logs/gpmonws.log log file for authentication errors. Edit the pg_hba.conf file based on the error message and your specific environment.
- Save the file and exit the editor.
- Enter the following command to reload Greenplum Database processes.
# gpstop -u
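A check for the pg_hba.conf entries discussed above, added here as an example (it is not part of the Greenplum documentation or tooling): it flags the trust entries the note describes and reports the client address range covered by each password-authenticated host entry. The function names and the sample file are constructed for illustration, and host entries are assumed to use CIDR notation.

```python
import ipaddress

# Constructed sample: the page's two entries plus two entries of the kind its note warns about.
SAMPLE_HBA = """\
# TYPE  DATABASE   USER      ADDRESS        METHOD
local   all        gpadmin                  trust
host    gpperfmon  cc_user   127.0.0.1/28   md5
host    gpperfmon  cc_admin  127.0.0.1/28   md5
host    all        cc_user   0.0.0.0/0      trust
"""

def parse_hba(text):
    """Yield one dict per local/host record, skipping comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "local":
            yield {"line": lineno, "type": "local", "db": f[1], "user": f[2],
                   "net": None, "method": f[3]}
        elif len(f) >= 5 and f[0].startswith("host"):
            # strict=False masks host bits: 127.0.0.1/28 is read as 127.0.0.0/28
            net = ipaddress.ip_network(f[3], strict=False)
            yield {"line": lineno, "type": f[0], "db": f[1], "user": f[2],
                   "net": net, "method": f[4]}

def audit(text):
    """Return (line, user, message) findings for the cases the page's note describes."""
    findings = []
    for r in parse_hba(text):
        if r["method"] == "trust" and r["type"] == "local":
            findings.append((r["line"], r["user"], "local trust entry: not accepted for Command Center login"))
        elif r["method"] == "trust":
            findings.append((r["line"], r["user"], f"trust for remote range {r['net']}: no password required"))
    return findings

def client_ranges(text, user, db="gpperfmon"):
    """Address ranges from which `user` matches a non-trust host entry for `db`."""
    out = []
    for r in parse_hba(text):
        users, dbs = set(r["user"].split(",")), set(r["db"].split(","))
        if (r["net"] is not None and r["method"] != "trust"
                and users & {user, "all"} and dbs & {db, "all"}):
            out.append((str(r["net"][0]), str(r["net"][-1]), r["net"].is_loopback))
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE_HBA):
        print(finding)
    print(client_ranges(SAMPLE_HBA, "cc_user"))
```

Each tuple from client_ranges gives the first address, the last address, and whether the whole range is loopback, so the scope of an entry can be confirmed before running gpstop -u.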