gpfdists:// protocol is a secure version of the
To use it, you run the gpfdist utility with the
--ssl option. When specified in a URI, the
gpfdists:// protocol enables encrypted communication and secure identification of the file server and the Greenplum Database to protect against attacks such as eavesdropping and man-in-the-middle attacks.
gpfdists implements SSL security in a client/server scheme with the following attributes and limitations:
TLSv1protocol is used with the
gpfdistfile server (server.key) and for the Greenplum Database (client.key).
Issuing certificates that are appropriate for the operating system in use is the user’s responsibility. Generally, converting certificates as shown in https://www.sslshopper.com/ssl-converter.html is supported.
A server started with the
gpfdist --ssloption can only communicate with the
gpfdistsprotocol. A server that was started with
--ssloption can only communicate with the
Use one of the following methods to invoke the
--ssloption and then use the
gpfdistsprotocol in the
LOCATIONclause of a
CREATE EXTERNAL TABLEstatement.
gploadYAML control file with the
SSLoption set to true. Running
gpfdistserver with the
--ssloption, then uses the
gpfdists requires that the following client certificates reside in the
$PGDATA/gpfdists directory on each segment.
For an example of loading data into an external table security, see Example 3—Multiple gpfdists instances.
The server configuration parameter verify_gpfdists_cert controls whether SSL certificate authentication is enabled when Greenplum Database communicates with the
gpfdist utility to either read data from or write data to an external data source. You can set the parameter value to
false to deactivate authentication when testing the communication between the Greenplum Database external table and the
gpfdist utility that is serving the external data. If the value is
false, these SSL exceptions are ignored:
gpfdistis not trusted by Greenplum Database.
Warning: Deactivating SSL certificate authentication exposes a security risk by not validating the
gpfdists SSL certificate.
Parent topic: Defining External Tables