Version: Operator 2.5.0

Access Control for Aerospike Clusters on Kubernetes

Enable security

To use Aerospike Access Control, you must first enable security for the Aerospike clusters.

Aerospike server 5.7.x and later

Enable security for your Aerospike clusters in the aerospikeConfig section of the CR:

  aerospikeConfig:
    .
    .
    .
    security: {}
    .
    .
    .

Aerospike server 5.6.x and prior

Enable security for your Aerospike clusters in the aerospikeConfig section of the CR:

  aerospikeConfig:
    .
    .
    .
    security:
      enable-security: true
    .
    .
    .

Aerospike Access Control includes user, role, and privilege creation and maintenance. See the documentation for more information on Aerospike Access Control.

To manage your access controls from the operator, configure the aerospikeAccessControl section in the Aerospike cluster's Custom Resource (CR) file.

Danger: Access control changes on an operator-managed Aerospike cluster will be reverted if made externally using a tool such as aql or asadm.

Here are a few examples for common access control tasks:

Note: For these examples, assume that the cluster is deployed using a file named aerospike-cluster.yaml.

Create a Role

Add a role in the roles list under aerospikeAccessControl.

sys-admin and user-admin are standard predefined roles. Here we are adding a new custom role called "profiler" which is given read privileges.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Add Privileges to a Role

Add the read and read-write privileges to the profiler role in the roles list under aerospikeAccessControl.


apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
          - read-write
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

To scope privileges to a namespace or set, add the following to the profiler role in the roles list under aerospikeAccessControl:

  • For a namespace add the test namespace-scoped read as read.test
  • For a set, add the testset set-scoped read-write as read-write.test1.testset

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read.test
          - read-write.test1.testset
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Remove Privileges from a Role

Remove privileges from the desired role in the roles list under aerospikeAccessControl.

Remove read-write privilege.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Create a User

Create the secret for the user and add the user in the users list under aerospikeAccessControl.

Create a secret profile-user-secret containing the password for the user profiler by passing the password from the command line:

kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'

Add profileUser user with the profiler role.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler

      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Add a New Role to a User

Add roles in the desired user's roles list.

Add user-admin and sys-admin to the profileUser roles list.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
          - user-admin
          - sys-admin

      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Remove a Role from a User

Remove roles from the desired user's roles list.

Remove sys-admin from the profileUser's roles list.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
          - user-admin

      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Change a User's Password

Create a new secret new-profile-user-secret containing the password for Aerospike cluster user profileUser by passing the password from the command line:

kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'

Update the secretName for profileUser to the new secret name new-profile-user-secret.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: new-profile-user-secret
        roles:
          - profiler
          - user-admin

      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Remove a Role

Remove the desired role from the roles list under aerospikeAccessControl. Also remove this role from the roles list of all the users.

Remove the profiler role.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    users:
      - name: profileUser
        secretName: new-profile-user-secret
        roles:
          - sys-admin

      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml
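
A pre-apply check for two rules described on this page: a role removed from the roles list must also be removed from every user, and privileges are scoped as privilege.namespace.set. This is an added example, not part of the Aerospike documentation or the operator's code. It assumes the CR has already been loaded into a dict; lint_access_control, parse_privilege, the finding wording, and the reportUser and auditor names are hypothetical, and PREDEFINED_ROLES holds only the two predefined roles named above.

```python
# Added example: lint the aerospikeAccessControl section before `kubectl apply`.
# Assumption: only the two predefined roles this page names; extend for your server.
PREDEFINED_ROLES = {"sys-admin", "user-admin"}

def parse_privilege(priv):
    """Split 'code[.namespace[.set]]' into a (code, namespace, set) tuple."""
    parts = priv.split(".")
    if not 1 <= len(parts) <= 3 or not all(parts):
        raise ValueError(f"malformed privilege {priv!r}")
    return tuple(parts + [None] * (3 - len(parts)))

def lint_access_control(cr):
    """Return findings for a CR passed as a dict (hypothetical helper)."""
    acl = cr.get("spec", {}).get("aerospikeAccessControl", {})
    findings, defined = [], set()
    for role in acl.get("roles", []):
        defined.add(role["name"])
        for priv in role.get("privileges", []):
            try:
                code, namespace, _ = parse_privilege(priv)
            except ValueError as err:
                findings.append(f"ERROR role {role['name']}: {err}")
                continue
            if namespace is None:  # an unscoped privilege is global
                findings.append(f"WARN role {role['name']}: {code} applies to all namespaces")
    for user in acl.get("users", []):
        if not user.get("secretName"):
            findings.append(f"ERROR user {user['name']}: no secretName")
        for name in user.get("roles", []):
            if name in PREDEFINED_ROLES:
                findings.append(f"WARN user {user['name']}: holds predefined role {name}")
            elif name not in defined:  # role was removed or never declared
                findings.append(f"ERROR user {user['name']}: role {name} is not defined")
    return findings

# Constructed sample: reportUser and auditor are hypothetical, not from the page.
SAMPLE_CR = {"spec": {"aerospikeAccessControl": {
    "roles": [{"name": "profiler",
               "privileges": ["read", "read-write.test1.testset", "read..testset"]}],
    "users": [
        {"name": "profileUser", "secretName": "profile-user-secret",
         "roles": ["profiler", "user-admin"]},
        {"name": "reportUser", "roles": ["auditor"]},
        {"name": "admin", "secretName": "auth-secret",
         "roles": ["sys-admin", "user-admin"]},
    ]}}}

if __name__ == "__main__":
    for finding in lint_access_control(SAMPLE_CR):
        print(finding)
```

The WARN lines are a review inventory rather than failures: they list every global privilege and every user holding a predefined administrative role, so a change that widens access is visible before it is applied.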

Remove a User

Remove the desired user from the users list under aerospikeAccessControl.

Remove the profileUser user.

apiVersion: asdb.aerospike.com/v1beta1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike

spec:
  .
  .
  aerospikeAccessControl:
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml