Securing the Database



Introduces Greenplum Database security topics.

The goal of security configuration is to set up the Greenplum Database server so that as many security vulnerabilities as possible are eliminated. This guide provides a baseline of minimum security requirements and is supplemented by additional security documentation.

The essential security requirements fall into the following categories:
  • Authentication covers the mechanisms that the Greenplum Database server supports for establishing the identity of a client application.
  • Authorization pertains to the privilege and permission models that the database uses to authorize client access.
  • Auditing, or log settings, covers the logging options available in Greenplum Database for tracking successful and failed user actions.
  • Data Encryption addresses the encryption capabilities that are available for protecting data at rest and data in transit. This includes the security certifications that are relevant to Greenplum Database.

Accessing a Kerberized Hadoop Cluster

Greenplum Database can read or write external tables in a Hadoop file system. If the Hadoop cluster is secured with Kerberos ("Kerberized"), Greenplum Database must be configured to allow external table owners to authenticate with Kerberos. See Configuring PXF for Secure HDFS for the configuration procedure for PXF. See Enabling gphdfs Authentication with a Kerberos-secured Hadoop Cluster (Deprecated) for the steps to perform this setup for gphdfs (deprecated).

Platform Hardening

Platform hardening involves assessing and minimizing system vulnerability by following best practices and enforcing federal security standards. Hardening of the product is based on the US Department of Defense (DoD) Security Technical Implementation Guides (STIGs). Hardening removes unnecessary packages, disables services that are not required, sets restrictive file and directory permissions, removes unowned files and directories, requires authentication for single-user mode, and provides options for end users to configure the package to comply with the latest STIGs.
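Two of the hardening items above, unowned files and overly permissive directory and file modes, are easy to audit before and after a hardening pass. The following POSIX sh script is an added example, not part of the Greenplum documentation or product: it reports entries under a given directory that are owned by no known user or group, and entries that are world-writable (sticky-bit directories such as /tmp are the conventional exception and are skipped). The directory tree it checks is constructed for the demonstration; the names `find_unowned`, `find_world_writable`, `count_findings` and `make_demo_tree` are this example's own. The script only reports; changing ownership or modes is left to the administrator.

```shell
#!/bin/sh
# Added example: audit a directory tree for two conditions that platform
# hardening removes. Reporting only; no files are modified.

# Print entries under $1 whose owning UID or GID has no passwd/group entry.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Print world-writable regular files and directories under $1, skipping
# directories that carry the sticky bit (mode 1000), e.g. /tmp-style dirs.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -print 2>/dev/null
}

# Count findings of one kind. Usage: count_findings unowned|world_writable DIR
# Returns 2 (and prints nothing) for an unknown check name.
count_findings() {
    case "$1" in
        unowned)        find_unowned "$2" | wc -l | tr -d ' ' ;;
        world_writable) find_world_writable "$2" | wc -l | tr -d ' ' ;;
        *) echo "unknown check: $1" >&2; return 2 ;;
    esac
}

# Build a constructed demo tree (not a real Greenplum installation) and
# print its path. Expected findings: open.conf (0666) and scratch (0777);
# shared (1777) is sticky and therefore not reported.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/data" "$d/shared" "$d/scratch"
    printf 'ok\n'  > "$d/data/private.conf"; chmod 0600 "$d/data/private.conf"
    printf 'bad\n' > "$d/data/open.conf";    chmod 0666 "$d/data/open.conf"
    chmod 0755 "$d/data"
    chmod 1777 "$d/shared"    # sticky world-writable: allowed, not reported
    chmod 0777 "$d/scratch"   # plain world-writable directory: reported
    echo "$d"
}

# Demonstration run; on a real host point the functions at the data
# directory and installation prefix instead of the constructed tree.
demo=$(make_demo_tree)
echo "World-writable entries under $demo:"
find_world_writable "$demo"
echo "Unowned entries under $demo:"
find_unowned "$demo"
echo "world_writable count: $(count_findings world_writable "$demo")"
rm -rf "$demo"
```

Run the script as the user that owns the Greenplum installation (or as root for a full tree); the unowned check only makes sense when `find` can read every entry, so a permission-denied error on part of the tree means that part was not audited.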