Securing the gpmon Database User
The Greenplum Database gpmon user is a superuser role used to manage the gpperfmon database. The gpperfmon_install utility, which must be run before you install Greenplum Command Center Console, creates the gpmon role.
Greenplum Database uses the gpmon role to update the gpperfmon database with data collected by agents running on the segment hosts. The Command Center web server uses the gpmon role to connect to the gpperfmon database as well as databases monitored by the Command Center.
When gpperfmon_install creates the gpmon role, it prompts for a password, which it then adds to the .pgpass file in the gpadmin user’s home directory. The entry in the .pgpass file is similar to the following:
*:5432:gpperfmon:gpmon:changeme
See The Password File in the PostgreSQL documentation for details about the .pgpass file.
The .pgpass file is required on the Greenplum Database master host to start the gpperfmon data collection agents. If you run Greenplum Command Center on a different host, you can copy the .pgpass file to that host, or you can run the Command Center gpcc management utility with the -W option to request password entry each time you start or stop Command Center or request status.
In the $MASTER_DATA_DIRECTORY/pg_hba.conf authentication file, gpperfmon_install creates these entries:
local gpperfmon gpmon md5
host all gpmon 127.0.0.1/28 md5
host all gpmon ::1/128 md5
If you authenticate users with Kerberos, you can also set up Kerberos authentication for the gpmon role on the Greenplum master and standby hosts. Kerberos authentication is supported with TCP connections only; local entries use Linux sockets and authenticate with the .pgpass file password, even if you have enabled Kerberos for host entries.
Changing the gpmon Password
To change the gpmon password, follow these steps:
Log in to Greenplum Database as a superuser and change the gpmon password with the ALTER ROLE command:
# ALTER ROLE gpmon WITH ENCRYPTED PASSWORD 'new_password';
On the Greenplum master host, update the password in the .pgpass file in the gpadmin home directory (~/.pgpass). Replace the existing password in the line or lines for gpmon with the new password.
*:5432:gpperfmon:gpmon:new_password
Ensure that the .pgpass file is owned by gpadmin and RW-accessible by gpadmin only.
$ chown gpadmin:gpadmin ~/.pgpass
$ chmod 600 ~/.pgpass
Restart Greenplum Command Center with the gpcc utility.
$ gpcc stop
$ gpcc start
Be sure to also update the .pgpass file on the standby master host.
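The ownership, mode and password requirements from the steps above can be checked on the master and standby hosts with a small audit function. This is an added example, not part of the Greenplum documentation; the function name check_gpmon_pgpass is hypothetical and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example: audit the gpmon entry in a .pgpass file.
# Usage: check_gpmon_pgpass FILE [OWNER]   (OWNER defaults to gpadmin)
# Returns 0 only if every check passes; never prints the password itself.
check_gpmon_pgpass() {
    file=$1
    owner=${2:-gpadmin}
    rc=0

    [ -f "$file" ] || { echo "FAIL: $file does not exist"; return 2; }

    # GNU stat is assumed: %a = octal mode, %U = owner name.
    mode=$(stat -c '%a' "$file")
    actual_owner=$(stat -c '%U' "$file")
    [ "$mode" = "600" ] || { echo "FAIL: mode is $mode, expected 600"; rc=1; }
    [ "$actual_owner" = "$owner" ] || {
        echo "FAIL: owner is $actual_owner, expected $owner"; rc=1; }

    # .pgpass fields: hostname:port:database:username:password
    # Limitation: entries with backslash-escaped colons in the first
    # four fields are not parsed correctly by this simple split.
    entries=$(grep -v '^#' "$file" | awk -F: '$4 == "gpmon"')
    if [ -z "$entries" ]; then
        echo "FAIL: no gpmon entry found"; rc=1
    elif printf '%s\n' "$entries" | awk -F: '
            # Values shown in the documentation, or an empty password.
            $5 == "changeme" || $5 == "new_password" || $5 == "" { bad = 1 }
            END { exit !bad }'; then
        echo "FAIL: gpmon entry uses a documentation sample or empty password"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}
```

Run it as gpadmin with `check_gpmon_pgpass ~/.pgpass` on each host that holds a copy of the file, including the standby master and any separate Command Center host.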
Authenticating gpmon with Kerberos
If you authenticate Greenplum Database and Command Center users with Kerberos, you can also authenticate the gpmon user with Kerberos.
To prepare for installing Command Center with Kerberos authentication, follow these steps:
Create the gpperfmon database using the Greenplum Database gpperfmon_install management utility. See Creating the gpperfmon Database.
On the KDC, create a keytab file containing the Kerberos principal for the gpmon user, just as you would for any Kerberos-authenticated client. Install the file on the Greenplum master and standby hosts.
Update the entries for gpmon in the $MASTER_DATA_DIRECTORY/pg_hba.conf file to use the gss authentication method.
host all gpmon 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.EXAMPLE.COM
Note that local entries in pg_hba.conf cannot be authenticated with Kerberos. If there is a local entry for the gpmon user, it will use the .pgpass file to authenticate with the database. See The pg_hba.conf file in the PostgreSQL documentation for complete pg_hba.conf file documentation.
Log in to the master host as gpadmin and authenticate the gpmon user.
$ kinit gpmon
Install Greenplum Command Center to set up the Kerberos-enabled Command Center.