The VMware Greenplum gpmon role is a superuser role used to manage the gpperfmon database and to retrieve other information from VMware Greenplum used in the Command Center interface. The Command Center installer creates the gpperfmon database and the gpmon database role if they do not already exist.
Authentication for the gpmon Role
If the $COORDINATOR_DATA_DIRECTORY/pg_hba.conf authentication file contains no entries for the gpmon role, the installer adds these entries:
local gpperfmon gpmon md5
host all gpmon 127.0.0.1/28 md5
host all gpmon ::1/128 md5
host all gpmon samenet md5
If the pg_hba.conf file already has one or more gpmon entries, the installer will add the samenet entry if it is not already present. If samenet does not work with your network configuration, you must manually edit the pg_hba.conf file to allow gpmon access from all hosts in the cluster.
The Command Center Table Browser requires the all entry in the database field to allow gpmon to retrieve table metadata and statistics from each database.
If you use a method other than md5 to authenticate the gpmon role, such as LDAP or Kerberos, edit the pg_hba.conf file manually to enable gpmon connections from all hosts and access to all databases.
If any of these entries are missing from pg_hba.conf Command Center may fail to start, or some features may not work properly.
Administrators can view and update the pg_hba.conf file in Command Center on the Admin> Authentication page. If you update the pg_hba.conf outside of Command Center, be sure to use the gpstop -u command to have VMware Greenplum reload the file.
$ gpstop -u
Setting the gpmon Password
If you run the gpccinstall command with the -W option, it prompts you to enter a password for the gpmon role. If you do not supply the -W option, gpccinstall uses a default password. It adds the password to the .pgpass file in the gpadmin user's home directory. The entry in the .pgpass file is similar to the following:
*:5432:gpperfmon:gpmon:changeme
See The Password File in the PostgreSQL documentation for details about the .pgpass file.
The .pgpass file is required on the VMware Greenplum coordinator host to start the gpperfmon data collection agents. If you run Greenplum Command Center on the standby coordinator host, you can copy the .pgpass file to that host, or you can run the Command Center gpcc management utility with the -W option to request password entry each time you start or stop Command Center or request status.
To change the gpmon password, follow these steps:
Log in to VMware Greenplum as a superuser and change the gpmon password with the
ALTER ROLEcommand:# ALTER ROLE gpmon WITH ENCRYPTED PASSWORD 'new_password';On the Greenplum coordinator host, update the password in the
.pgpassfile in the gpadmin home directory (~/.pgpass). Replace the existing password in the line or lines for gpmon with the new password.*:5432:gpperfmon:gpmon:new_passwordEnsure that the
.pgpassfile is owned by gpadmin and RW-accessible by gpadmin only.$ chown gpadmin:gpadmin ~/.pgpass $ chmod 600 ~/.pgpassRestart Greenplum Command Center with the
gpccutility.$ gpcc stop $ gpcc start
Note: Be sure to also update the .pgpass file on the standby coordinator host.
Authenticating gpmon with Kerberos
If you authenticate VMware Greenplum and Command Center users with Kerberos, you can also authenticate the gpmon user with Kerberos.
To prepare for installing Command Center with Kerberos authentication, follow these steps:
Create the gpperfmon database using the VMware Greenplum
gpperfmon-installmanagement utility.On the KDC, create a keytab file containing the Kerberos principal for the gpmon user, just as you would for any Kerberos-authenticated client. Install the file on the Greenplum coordinator and standby hosts.
Update the entries for gpmon in the
$COORDINATOR_DATA_DIRECTORY/pg_hba.conffile to use thegssauthentication method.host all gpmon 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.EXAMPLE.COMNote that
localentries inpg_hba.confcannot be authenticated with Kerberos. If there is alocalentry for the gpmon user, it will use the.pgpassfile to authenticate with the database. See The pg_hba.conf file in the PostgreSQL documentation for completepg_hba.conffile documentation.Log in to the coordinator host as gpadmin and authenticate the gpmon user.
$ kinit gpmonInstall Greenplum Command Center to set up the Kerberos-enabled Command Center.
