Boosting Greenplum security

Dmitrii Bezrukov — Fri, 31 Mar 2023 10:32:07 +0000

Meet Greenplum

Greenplum, our advanced, open-source data warehouse pal, is a cousin of the PostgreSQL database project. It's got a knack for large-scale analytics and big data processing, thanks to its MPP (Massively Parallel Processing) architecture. Greenplum hustles, distributing data and queries across multiple nodes for top-notch performance and scalability.

Greenplum's Comical Confession

Greenplum has a little secret: the pg_hba.conf file. This undercover file controls client authentication and hangs out in the master data directory, usually placing at $MASTER_DATA_DIRECTORY/pg_hba.conf.

Base pg_hba.conf from opensource installation looks something like this:

host     all         gpadmin         10.130.2.230/32       trust
host     all         gpadmin         10.130.2.227/32       trust

Groovy, right? But wait, there's a twist!

Just hop on over to the master/standby host;
An just execute the command

/usr/local/greenplum-db/bin/psql -d ${db_name} -U gpadmin -h ${master_address}

Voilà!
You're now an all-powerful admin with the keys to the kingdom.
Connect to any database, access or delete data, and reconfigure the base as you please.

How to fix?

To fix the potential security issue in the pg_hba.conf file of your Greenplum installation, you should update the authentication settings to enforce stricter access control. Here are some recommendations to improve the security of your Greenplum database:

1. Restrict IP addresses: Limit the IP addresses allowed to connect to your Greenplum cluster. Be specific about the IP addresses or ranges you want to grant access. For example, you can allow only certain subnets or individual IP addresses:

host    all    gpadmin    192.168.1.0/24    md5

This example allows only connections from the 192.168.1.0/24 subnet using the md5 password authentication method.

2. Use strong authentication methods: Instead of using the trust method, which allows connections without a password, use a more secure authentication method like md5, scram-sha-256, or integrate with an external authentication provider such as LDAP, Kerberos, or others. For example:

host    all    gpadmin    192.168.1.0/24    scram-sha-256

3. Limit user access: Configure the pg_hba.conf file to allow access only to specific users or groups, rather than granting access to all users. For example:

host    mydatabase    myuser    192.168.1.0/24    md5

This example allows only the myuser to connect to the mydatabase from the specified IP range using the md5 password authentication method.

4. Use separate roles for different tasks: Avoid using the gpadmin superuser account for everyday tasks. Instead, create separate roles with the least privileges necessary for each task.

5. Regularly review and update your configuration: Periodically review your pg_hba.conf file and other security settings to ensure they are up-to-date and follow best practices.

How can we put our trust in this configuration?

After updating the pg_hba.conf file, make sure to reload the Greenplum configuration for the changes to take effect. You can do this by running the following command as the gpadmin user:

gpstop -u

This will perform a "soft" restart, reloading the configuration without stopping the database.

Forem: Dmitrii Bezrukov

Boosting Greenplum security

Meet Greenplum

Greenplum's Comical Confession

How to fix?

How can we put our trust in this configuration?