You can configure a user name and password that GPSS will use for client-to-server authentication. When you configure GPSS client authentication, you identify the credentials in the gpss.json server configuration file. Users that access the GPSS server instance must then provide (a variation of) the credentials to any gpsscli subcommand that they invoke as described below.

You can configure client authentication as follows:

1. Identify a user name for authenticating.

2. Specify the user name in the Authentication:Username property setting of the gpss.json GPSS server configuration file. For example:

   "Authentication": {
       "Username": "client_auth_username",
       "Password": "<shadow_passwd_string>"
   }
   

3. Identify a password for authenticating.

4. Optionally configure a Shadow:Key, and then generate a shadowed password string from the password as described in steps 1 and 2 of Shadowing the Greenplum Database Password.

5. Specify the shadow password string returned by gpsscli shadow in the Authentication:Password property setting of the gpss.json GPSS server configuration file. For example:

   "Authentication": {
       "Username": "client_auth_username",
       "Password": "SHADOW:ERTBKXDWLAJHUF5UOGJY34QTXIBNYP4ULTWVHIUZIF4UYFPRIJVA"
   }
   

   Always quote the complete shadow password string.

6. (Re)Start the GPSS server.

7. Notify users of the GPSS server instance of the new client authentication requirements, and provide them the user name and original (not shadowed) password.

All gpsscli subcommands directed to a GPSS server instance that is configured for client authentication must specify the authentication credentials via the ‑U client_auth_username and ‑P original_passwd command line options. For example:

$ gpsscli submit -U client_auth_username -P changeme loadcfg.yaml