In Greenplum 6.x it is possible to specify the authentication method "scram-sha-256" for users when they are connecting to the database.
The ${MASTER_DATA_DIRECTORY}/pg_hba.conf file can be modified directly using a text editor such as "vi".
For example:
[gpadmin@mdw gpseg-1]$ vi pg_hba.conf
# testuser
host all gpadmin 0.0.0.0/0 scram-sha-256
host all testuser 0.0.0.0/0 scram-sha-256
host all testuser2 0.0.0.0/0 trust
However, there is no option for "scram-sha-256" in the authentication method menu of the GPCC Web UI.
Additionally, there is a problem: entries with scram-sha-256 as the authentication method can be removed by GPCC.
Currently, GPCC versions lower than 6.8.x do not recognise scram-sha-256 in pg_hba.conf.
It will be introduced and allowed in GPCC 6.9 and above.
For earlier versions of GPCC, it is possible to apply the following workaround to avoid the entries being removed by GPCC. The workaround will not allow new entries to be created with the authentication method "scram-sha-256".
The change will not persist after a GPCC restart. It would be necessary to create a script and run it after each GPCC restart. See below for details.
[1] Get a copy of the function definition:
$ mkdir ~/GPCC_fix
$ psql -At -U gpmon -d gpperfmon -c "SELECT pg_get_functiondef('gpcc_schema.read_pghba'::regproc)::text;" > ~/GPCC_fix/s2
[2] Use a text editor to edit the output file ~/GPCC_fix/s2.
Find the line:
methods = ["trust", "reject", "md5", "password", "gss", "sspi", "krb5", "ident", "pam", "ldap", "radius", "cert"]
Add "scram-sha-256" to it, as in the example below:
methods = ["scram-sha-256", "trust", "reject", "md5", "password", "gss", "sspi", "krb5", "ident", "pam", "ldap", "radius", "cert"]
[3] Save the file, and then execute it using the psql utility:
$ psql -U gpmon -d gpperfmon -f ~/GPCC_fix/s2
This will replace the original read_pghba function created by GPCC. The replacement function will accept entries with the "scram-sha-256" authentication method.
[4] Create a script ~/GPCC_fix/fix_function.sh with the contents:
#!/bin/sh
psql -U gpmon -d gpperfmon -f ~/GPCC_fix/s2
[5] Give execute permissions on the script:
$ chmod a+x ~/GPCC_fix/fix_function.sh
[6] Keep the files in the ~/GPCC_fix directory and run the script ~/GPCC_fix/fix_function.sh after each restart of GPCC.
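
Because the workaround does not survive a GPCC restart, scram-sha-256 entries can still be removed before the script is re-run. The following is an added example, not GPCC or Greenplum code: it compares a saved baseline copy of pg_hba.conf with the current file and reports any scram-sha-256 rules that have disappeared. The function names, the baseline-file approach and the sample files are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not GPCC or Greenplum code). Function names and the idea of
# keeping a baseline copy of pg_hba.conf are assumptions for illustration.

# Print active rules whose auth method is scram-sha-256, one per line, with
# whitespace collapsed so that a pure reformat of the file is not a change.
# The method is field 4 (local), 5 (host + CIDR) or 6 (host + address + mask).
# Assumes "#" only ever starts a comment (no quoted names containing "#").
scram_entries() {
    awk '{ sub(/#.*/, "") }
         { for (i = 4; i <= NF && i <= 6; i++)
               if ($i == "scram-sha-256") { $1 = $1; print; break } }' "$1" |
        LC_ALL=C sort -u
}

# Print scram-sha-256 rules present in the baseline ($1) but absent from the
# current file ($2). Returns 0 if none are missing, 1 if any are, 2 on error.
missing_scram_entries() {
    base=$(mktemp) && cur=$(mktemp) || return 2
    scram_entries "$1" > "$base"
    scram_entries "$2" > "$cur"
    missing=$(LC_ALL=C comm -23 "$base" "$cur")
    rm -f "$base" "$cur"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: the page's three rules as the baseline, and a rewritten
# file in which the testuser scram-sha-256 rule has been dropped.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/baseline" <<'EOF'
# testuser
host all gpadmin 0.0.0.0/0 scram-sha-256
host all testuser 0.0.0.0/0 scram-sha-256
host all testuser2 0.0.0.0/0 trust
EOF
    cat > "$dir/current" <<'EOF'
host   all   gpadmin     0.0.0.0/0   scram-sha-256
host   all   testuser2   0.0.0.0/0   trust
EOF
    rc=0; missing_scram_entries "$dir/baseline" "$dir/current" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "WARNING: the scram-sha-256 rules listed above are missing from pg_hba.conf"
```

In practice, missing_scram_entries would be called with a baseline saved after the last intended change and ${MASTER_DATA_DIRECTORY}/pg_hba.conf as the current file, for example right after running fix_function.sh.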