Greenplum Command Center Console can be secured by encrypting network traffic between the web server and users' browsers, authenticating Command Center users, and managing users' permissions to access Command Center features.
Greenplum Command Center supports SSL/TLS encryption to secure connections between browsers and the Command Center web server. Command Center supports the TLS 1.2 protocol and higher. When encryption is enabled, Command Center also uses the Secure WebSockets API, which provides long-lived, full-duplex connections.
To enable SSL/TLS encryption, you need a combined certificate/key file for the Command Center web server in place when you install Command Center. The file contains a private key and a server certificate.
You can request a key pair and certificate from your organization's internal certificate authority or from an external certificate authority. You can also create a self-signed certificate with a cryptography suite such as OpenSSL. If you create a self-signed certificate, however, clients will have to override a security warning when they first connect to the Command Center web server.
To create the combined certificate/key file, create a text file, for example server.pem, and copy the entire body of the private key and certificate into it. Make sure to include the beginning and end tags:
-----BEGIN RSA PRIVATE KEY-----
< private key >
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
< certificate >
-----END CERTIFICATE-----
You can concatenate additional certificates to the end of the file if a certificate chain is required to authenticate the server certificate.
Place the file on the server where Command Center will execute, for example in the /etc/ssl/certs directory of the Greenplum Database master host. When you install Command Center, the installer prompts you to enter the full path to this file. See Command Center Console Parameters for details.
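A structural check for the combined file described above, as an added example that is not part of the Command Center documentation or tooling. It assumes the key-first layout shown above, accepts any PEM label ending in PRIVATE KEY, and adds a file-mode check because the file holds the private key; the sample blocks are constructed and contain no real key material.

```python
import base64
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_combined_pem(path):
    """Return a list of problems found in a combined key/certificate file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o} lets group/other read the private key")
    with open(path, encoding="ascii", errors="replace") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    labels = [label for label, _ in blocks]
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif not labels[0].endswith("PRIVATE KEY"):
        problems.append("private key is not the first block")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    for label, body in blocks:
        try:  # a leftover "< private key >" placeholder fails here
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} body is not valid base64")
    return problems

def pem(label, payload):
    """Build a PEM block around constructed bytes (not real key material)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def write_sample(text, mode):
    """Write constructed sample text to a temporary .pem file with the given mode."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path

# Constructed sample: key, server certificate, then one chain certificate.
GOOD = (pem("RSA PRIVATE KEY", b"constructed, not a real key")
        + pem("CERTIFICATE", b"constructed leaf")
        + pem("CERTIFICATE", b"constructed intermediate"))
```

Call check_combined_pem() on the real file before giving its path to the installer; an empty list means the structure matches the layout above. The check does not verify that the key and certificate belong together.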
Users logging in to Greenplum Command Center are authenticated with the Greenplum Database host-based authentication system. Users can enter credentials as a user name and password or, if Kerberos authentication is configured, by authenticating with Kerberos on their workstation before browsing to the Command Center web server.
Note: Greenplum Command Center does not accept logins from the gpadmin user, or from users configured with trust authentication in the pg_hba.conf file.
Database users must first be added to the Greenplum Database by using commands such as CREATE ROLE or CREATE USER. The LOGIN privilege is required. This example creates a login user with an encrypted password:
CREATE ROLE cc_user WITH LOGIN ENCRYPTED PASSWORD 'changeme';
The pg_hba.conf configuration file determines how authentication will proceed. This file contains a list of entries that are compared to attributes of the user's connection request, including the type of connection, network location of the originating host, database name, and login user name. When a match is found, the authentication method specified in the entry is applied.
The pg_hba.conf file can be viewed by Operators and edited by Admins in the Command Center console on the Admin>Authentication page.
The md5 and password authentication methods authenticate the user name and password with the Greenplum Database pg_roles system table. The md5 method requires the password to be MD5-encoded when sent over the network, so it is preferred over the password method, which sends the password in clear text.
The ldap authentication method authenticates the user name and password with an LDAP server. The LDAP server and parameters are specified in the options field of the pg_hba.conf entry. See the PostgreSQL LDAP authentication documentation for the format of the LDAP options.
The gss authentication method is used for Kerberos authentication. To use Kerberos with Command Center, Kerberos authentication must be enabled for the Greenplum Database system and Command Center must also be configured. Users authenticate with the Kerberos KDC on their workstations (using kinit, for example) before connecting to the Command Center web server. The role name in Command Center is the user's Kerberos principal name.
For details about setting up Kerberos authentication, see Enabling Kerberos Authentication with Greenplum Command Center.
See the PostgreSQL Authentication methods documentation for additional details of the authentication options.
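The first-match evaluation of pg_hba.conf entries described above, together with a check for the trust and password methods, as an added example that is not Greenplum or Command Center code. It is a simplified reader: it assumes unquoted fields and IP addresses in CIDR or address-plus-netmask form, and ignores host names and keywords such as samehost; the sample entries, role names and LDAP server name are constructed.

```python
import ipaddress

# Constructed sample file contents; role names and addresses are illustrative.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS              METHOD [OPTIONS]
local   all       gpadmin                       trust
host    all       cc_user  10.0.0.0/8           md5
host    all       legacy   10.0.0.0 255.0.0.0   password
host    all       all      0.0.0.0/0            ldap ldapserver=ldap.example.com
"""

WEAK = {"trust": "no credential check; Command Center rejects these logins",
        "password": "password is sent in clear text"}

def parse_hba(text):
    """Parse entries into (type, databases, users, network, method) tuples."""
    entries = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        ctype, dbs, users, rest = f[0], f[1].split(","), f[2].split(","), f[3:]
        network = None
        if ctype != "local":
            addr = rest.pop(0)
            if "/" not in addr and rest[0][0].isdigit():
                addr += "/" + rest.pop(0)   # netmask given as its own column
            network = ipaddress.ip_network(addr, strict=False)
        entries.append((ctype, dbs, users, network, rest[0]))
    return entries

def method_for(entries, conn, db, user, client_ip=None):
    """Return the first matching entry's method; conn is 'local', 'ssl' or 'nossl'."""
    for ctype, dbs, users, network, method in entries:
        type_ok = (ctype == "local") == (conn == "local") and ctype in (
            "local", "host", "host" + conn)
        if (type_ok and ("all" in dbs or db in dbs)
                and ("all" in users or user in users)
                and (network is None or ipaddress.ip_address(client_ip) in network)):
            return method
    return None   # no entry matched: the connection is rejected

def weak_entries(entries):
    """List (users, method, reason) for entries using trust or password."""
    return [(users, m, WEAK[m]) for _, _, users, _, m in entries if m in WEAK]
```

Because the first matching entry wins, the same role can be authenticated by different methods depending on where it connects from: in the sample, cc_user gets md5 from 10.0.0.0/8 and ldap from anywhere else.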
Note: The functionality described in this section has not been fully implemented in Greenplum Command Center 4.0.0. Only Admin and Self Only permission levels are available.
Command Center manages permission levels using Greenplum Database roles and groups. The Basic, Operator Basic, and Operator permission levels correspond to the gpcc_basic, gpcc_operator_basic, and gpcc_operator group roles in the database. The Admin permission level is conferred to roles that have the SUPERUSER privilege. A user who has not been added to any of the groups and does not have SUPERUSER privilege has the most restrictive permission level, Self Only.
Greenplum Database superusers can manage permission levels on the Command Center User Management page. Superusers can also directly assign users roles in the database by using the ALTER USER, ALTER GROUP, and related commands to add or remove users from groups and add or remove the SUPERUSER privilege. If a role is configured for more than one permission level, Command Center uses the highest permission level.
Command Center users have the following capabilities, according to their permission levels:
Self Only
Users can view metrics and view and cancel their own queries.
Any Greenplum Database user successfully authenticated through the Greenplum Database authentication system can access Greenplum Command Center with Self Only permission. Higher permission levels are required to view and cancel others' queries and to access the System and Admin Control Center screens.
Basic
Allows users to view metrics, view all queries, and cancel their own queries.
Users with Basic permission are members of the Greenplum Database gpcc_basic group.
Operator Read-only
Allows users to view metrics, view their own and others' queries, cancel their own queries, and view the System and Admin screens.
Users with Operator Read-only permission are members of the Greenplum Database gpcc_operator_basic group.
Operator
Allows users to view their own and others' queries, cancel their own and others' queries, and view the System and Admin screens.
Users with Operator permission are members of the Greenplum Database gpcc_operator group.
Admin
Allows users access to all views and capabilities in the Command Center.
Greenplum Database users with the SUPERUSER privilege in Greenplum Database have Superuser permissions in Command Center.