Configuring Authentication for the Command Center Console

posted Nov 8, 2012, 12:30 PM by Sachi Ojha
When you installed the Greenplum Command Center database and enabled the data collection agents, a gpmon superuser was created by the installation utility. This is the Greenplum role used to manage the Command Center components and data within the Greenplum environment. The gpmon role is configured to use md5-encrypted password authentication to connect to the Greenplum Database instance.

Typically, you will not be connecting to the Command Center Console as gpmon, and instead connect as another Greenplum user. The Command Center Console is configured by default to require md5-encrypted password authentication, so make sure the Greenplum role has an md5-encrypted password set.

Note: If you are using Greenplum Database version 4.2.1 or higher, you have the option of using SHA-256-encrypted password authentication. You can specify SHA-256 authentication by changing the password_hash_algorithm server parameter. This parameter can be set either system-wide or on a session level.

The Command Center administrative user, gpmon, is created automatically by the dca_setup utility on the Data Computing Appliance, and by the gpperfmon_install utility in a Greenplum Database software-only environment.

Any other Greenplum Database users with appropriate privileges can access Command Center.

To create a new Command Center user, first you have to create a Greenplum Database user, then edit the pg_hba.conf file to give that user access to Command Center. The following is an example of the steps necessary to create a new user for Command Center. This example uses the psql command line to create a user with read-only privileges.

See the Greenplum Database Administrator Guide for more detailed information about creating database users and roles.

1. On the Master host, log in as gpadmin.

2. Start psql:
$ psql

3. Enter the create role command to create a read-only user:
# create role CC_user with login password 'new_password';
To create a role with superuser privileges:
# create role CC_user with login password 'new_password' superuser createdb;

4. Verify that the user was created successfully using the following command:
# \du

5. The new user you just created should be returned, along with the attributes you specified.

6. Exit psql.

7. Edit the pg_hba.conf file to give the new user access to Command Center:
$ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
Scroll to the bottom of the file and insert the following text to give the new user, CC_user, access from any IP address using password authentication:
host all CC_user 127.0.0.1/28 md5

8. Save the file and exit the editor.

9. Enter the following command to reload Greenplum Database processes.
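
The pg_hba.conf entry from step 7 can be checked before the reload. The following Python sketch is an added example, not part of the original post or of Greenplum's tooling: it reports the address range and authentication method of each CIDR-style host record. The audit function, the sample file contents and the report role are constructed for illustration.

```python
import ipaddress

HOST_TYPES = ("host", "hostssl", "hostnossl")
METHOD_NOTES = {
    "trust": "no password required",
    "password": "password sent in clear text unless the connection uses SSL",
}

# Constructed sample file; the last record is the entry from step 7.
SAMPLE = """\
# TYPE  DATABASE  USER     ADDRESS       METHOD
local   all       gpadmin  ident
host    all       gpmon    127.0.0.1/28  md5
host    all       report   0.0.0.0/0     trust
host all CC_user 127.0.0.1/28 md5
"""

def audit(hba_text):
    """Return one finding per CIDR-style host record in pg_hba.conf text."""
    findings = []
    for lineno, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue  # blank line, comment, 'local' record, or too short
        conn_type, database, user, address, method = fields[:5]
        try:
            # strict=False masks off host bits: 127.0.0.1/28 -> 127.0.0.0/28
            net = ipaddress.ip_network(address, strict=False)
        except ValueError:
            continue  # address + netmask pairs are outside this example
        notes = [METHOD_NOTES[method]] if method in METHOD_NOTES else []
        if net.prefixlen == 0:
            notes.append("matches every address")
        elif net.is_loopback:
            notes.append("loopback only")
        if conn_type != "hostssl" and not net.is_loopback:
            notes.append("non-SSL connections accepted")
        findings.append({
            "line": lineno, "user": user, "method": method,
            "network": str(net), "first": str(net[0]), "last": str(net[-1]),
            "notes": notes,
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["line"], f["user"], f["method"], f["first"], "-", f["last"], f["notes"])
```

For the step 7 entry the reported range is 127.0.0.0 through 127.0.0.15, so a user connecting from another host needs a record whose CIDR range includes that client's address.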

Using SSL Encryption

If you enable SSL at setup time, the installer creates a self-signed certificate and uses OpenSSL encryption for all connections to the Command Center web server.
Because this is a self-signed certificate, supported browsers may need to be configured to accept or allow it as a security exception. This does not detract from the added security gained from encrypting communications between the browser client and the web server.

Optionally, you can obtain and use a certificate signed by a trusted certificate authority such as Verisign. If you use a trusted certificate, edit the lighttpd.conf file (located in $GPPERFMONHOME/instances/instance_name/conf), and set the ssl.pemfile to point to the location of the certificate. For example:

ssl.pemfile = "$GPPERFMONHOME/instances/instance_name/conf/cert.pem"