gp

This GP MCP server provides a Spring Boot-based Model Context Protocol (MCP) interface for securely querying Greenplum and PostgreSQL databases. It enforces API key authentication, policy-driven query validation, and per-key connection pools to isolate access. The server exposes 12 MCP tools organized into schema discovery and query execution categories. Discovery is public, but actual tool execution requires authentication. Tools return results in a JSON Table format optimized for AI consumption, making it straightforward to feed data into AI assistants or agents. To use, obtain an API key, call the MCP endpoint to discover available tools, and then invoke the desired tool with your parameters; the server applies schema allow-lists, row/byte budgets, and SQL validation before running any query.

Prerequisites:

• Docker (for the provided containerized run) or Java 21+ with Maven if building locally
• Network access to Greenplum or PostgreSQL clusters
• OpenSSL available for encryption key generation (for initial secret setup)

Option A – Run via Docker (recommended for quick start):

1. Pull and run the container image: docker pull gp-mcp-image docker run -i --env SPRING_PROFILES_ACTIVE=prod --env DB_API_KEYS_TABLE=api_keys
   --env ENCRYPTION_KEY="<your-aes-key>" --env JAEGER_AGENT_HOST="<host>"
   --env PROMETHEUS_TARGET="<prometheus-endpoint>" gp-mcp-image

Option B – Build and run locally (if you have the source):

1. Build the project (assuming a Maven-based Spring Boot app): mvn -q -DskipTests package
2. Run the generated jar (adjust path as needed): java -jar target/greenplum-mcp-server-*.jar

Prerequisites for local development:

• Java 21+ and Maven 3.8+
• Access to Greenplum or PostgreSQL 13+ endpoints
• SSH/Networking configured for the target databases

Notes:

• If you use Docker, ensure the image gp-mcp-image is built with the correct configuration before running.
• Prepare and store encryption credentials securely; the server uses AES-256-GCM to encrypt stored database credentials.

Tips and common considerations:

• API keys: Manage per-client keys in the api_keys table. Each key maps to a dedicated HikariCP pool and separate credential set.
• Security: Tool discovery is public, but execution requires authentication. Use strong API keys and rotate them periodically.
• Observability: Enable OpenTelemetry tracing and Prometheus metrics to monitor tool usage, latency, and cache effectiveness.
• Caching: The server caches schema metadata for 15 minutes to improve performance; tune as needed based on schema churn.
• Limits: PolicyService enforces row/byte budgets and schema/table allow-lists; adjust limits to balance AI needs with data governance.
• Troubleshooting: If a tool fails due to authentication, verify the X-API-Key header or Authorization: Bearer token, and confirm the API key has the required tool permissions.