Access Control for Aerospike Clusters on Kubernetes
Enable securityโ
To use Aerospike Access control you need to enable security for the Aerospike clusters.
Aerospike server 5.7.x and laterโ
Enable security for your Aerospike clusters in aerospikeConfig section of the CR like so
aerospikeConfig:
.
.
.
security: {}
.
.
.
Aerospike server 5.6.x and priorโ
Enable security for your Aerospike clusters in aerospikeConfig section of the CR like so
aerospikeConfig:
.
.
.
security:
enable-security: true
.
.
.
Aerospike Access Control includes user, role, and privilege creation and maintenance. See the documentation for more information on Aerospike Access Control.
To manage your access controls from the operator, configure the aerospikeAccessControl
section in the Aerospike cluster's Custom Resource (CR) file.
Access control changes on an operator-managed Aerospike cluster will be reverted if made externally (e.g. using aql
or asadm
).
Here are a few examples for common access control tasks:
For these examples, assume that cluster is deployed using a file named aerospike-cluster.yaml
.
Create a Roleโ
Add a role in the roles
list under aerospikeAccessControl
.
sys-admin
and user-admin
are standard predefined roles. Here we are adding a new custom role called "profiler" which is given read
privileges.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Add Privileges to a Roleโ
Add the read
and read-write
privileges to the profiler
role in the roles
list under aerospikeAccessControl
.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
- read-write
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Remove Privileges from a Roleโ
Remove privileges from the desired role in the roles
list under aerospikeAccessControl
.
Remove read-write
privilege
.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Create a Userโ
Create the secret for the user and add the user in the users
list under aerospikeAccessControl
.
Create a secret profile-user-secret
containing the password for the user profiler
by passing the password from the command line:
kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'
Add profileUser
user with the profiler
role.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Add a New Role to a Userโ
Add roles in the desired user's roles
list.
Add user-admin
and sys-admin
to the profileUser
roles list.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler
- user-admin
- sys-admin
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Remove a Role from a Userโ
Remove roles from the desired user's roles
list.
Remove sys-admin
from the profileUser's
roles list.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler
- user-admin
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Change a User's Passwordโ
Create a new secret new-profile-user-secret
containing the password for Aerospike cluster user profileUser
by passing the password from the command line:
kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'
Update the secretName
for profileUser
to the new secret name new-profile-user-secret
.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: new-profile-user-secret
roles:
- profiler
- user-admin
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Remove a Roleโ
Remove the desired role from the roles
list under aerospikeAccessControl
. Also remove this role from the roles
list of all the users.
Remove the profiler
role.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
users:
- name: profileUser
secretName: new-profile-user-secret
roles:
- sys-admin
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Remove a userโ
Remove the desired user from the users
list under aerospikeAccessControl
.
Remove profileUser
user.
apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml