Greenplum Command Center (GPCC) provides the option to authenticate with Kerberos.
By default the GPCC web server connects to the Greenplum Database (GPDB) using the .pgpass file.
If pgpass authentication is not sufficient, LDAP or Kerberos authentication can be an alternative.
This article shows a simple example of Kerberos authentication for the GPCC web pages. For system configuration (online assistance), the local professional service team should be engaged.
In the example, gpdbsingle.vc.loca is the GPCC host name and VC.LOCA is the Kerberos realm for GPDB.
ktpass /out gpmon.keytab /princ [email protected] -mapUser gpcc /pass Test#1234 /crypto all /ptype KRB5_NT_PRINCIPAL
3. On the client machine, run kinit. (The Kerberos environment must be set up first, including its environment settings; KRB5_CONFIG needs to point to the krb5.ini config file.)
kinit [email protected]
4. Set up the Firefox browser (for other browsers' settings, you need to search for them).
Open a new page and enter about:config in the address bar.
Search for network.negotiate-auth.trusted-uris and add the hostname of the GPCC host (in my case, it's http://gpdbsingle.vc.loca).
Search for network.auth.use-sspi and change it to false.
5. On the GPCC host, run "gpcc krbenable". I chose the normal mode; you may test different options.
6. If Kerberos authentication is required at the database level, the master host must sync its system time with the AD server (an NTP server may be used for time synchronization).
7. On the AD server, create a service principal name (SPN) for any AD user:
setspn -A HTTP/gpdbsingle.vc.loca "AD username"
8. On the client machine (where the GPCC web page will be used), run the command below. (The client machine needs a Kerberos client installed, such as MIT Kerberos, and the krb5.ini file set up; this can be done in the OS environment settings.)
kinit [email protected] (VC.LOCA is the realm name)
9. Open the Firefox browser and enter the address http://gpdbsingle.vc.loca:28080. If you have enabled Kerberos authentication at the database level (pg_hba.conf) and made sure the gpmon user can log in through Kerberos authentication, the GPCC page logs in automatically and does not need a password (the client must first acquire a Kerberos ticket with kinit). If Kerberos authentication is not enabled at the database level, the GPCC login page asks for a username and password (these are the database username and password).
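As an added example (not part of the original article or of GPCC itself): a Python check of the client's krb5.ini from steps 3 and 8, confirming that the realm has a KDC entry and that [domain_realm] maps the GPCC host to VC.LOCA. The sample file and its KDC host name are constructed placeholders, and the lookup follows the documented [domain_realm] convention (exact host entry, then '.domain' entries) rather than the Kerberos library's full fallback logic.

```python
# Constructed sample krb5.ini; the KDC host name is a placeholder, not from the article.
SAMPLE = """
[libdefaults]
    default_realm = VC.LOCA
[realms]
    VC.LOCA = {
        kdc = kdc.example.invalid
    }
[domain_realm]
    .vc.loca = VC.LOCA
"""

def parse_krb5(text):
    """Parse krb5.ini text into {section: {key: value}}; a '{ }' block becomes a dict of lists."""
    cfg, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section, block = cfg.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None                  # end of a realm block
        elif "=" in line and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return cfg

def realm_for_host(cfg, host):
    """Documented [domain_realm] rule: exact host entry, then the nearest '.domain' entry."""
    mapping = cfg.get("domain_realm", {})
    labels = host.lower().split(".")
    candidates = [host.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((mapping[c] for c in candidates if c in mapping), None)

def check_client_config(text, gpcc_host, realm):
    """Return findings to review before running kinit and opening the GPCC page."""
    cfg, findings = parse_krb5(text), []
    realm_block = cfg.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict) or not realm_block.get("kdc"):
        findings.append(f"no kdc entry for {realm}; KDC discovery then depends on DNS")
    mapped = realm_for_host(cfg, gpcc_host)
    if mapped != realm:
        findings.append(f"[domain_realm] resolves {gpcc_host} to {mapped!r}, not {realm!r}")
    return findings
```

Calling check_client_config(SAMPLE, "gpdbsingle.vc.loca", "VC.LOCA") returns an empty list for the sample; in practice, pass the contents of the file that KRB5_CONFIG points to.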