Access Control for Aerospike Clusters on Kubernetes
Enable security
To use Aerospike Access control you need to enable security for the Aerospike clusters.
Aerospike server 5.7.x and later
Enable security for your Aerospike clusters in the aerospikeConfig section of the custom resource (CR) file like so:

aerospikeConfig:
  # ...
  security: {}
  # ...
Aerospike server 5.6.x and prior
Enable security for your Aerospike clusters in the aerospikeConfig section of the CR like so:

aerospikeConfig:
  # ...
  security:
    enable-security: true
  # ...
Aerospike Access Control includes user, role, and privilege creation and maintenance. See the documentation for more information on Aerospike Access Control.
To manage your access controls from the operator, configure the aerospikeAccessControl section in the Aerospike cluster's CR file. Access control changes on an operator-managed Aerospike cluster must be made by modifying the CR file. Any changes made externally, such as with aql or asadm, are reverted by the operator to the values in the CR file.
Example access control tasks
For these examples, assume that the cluster is deployed using a file named aerospike-cluster.yaml.
Create or delete a role
Add a role in the roles list under aerospikeAccessControl. sys-admin and user-admin are standard predefined roles. Here we add a new custom role called profiler, which has the read privilege.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike
spec:
  # ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
To remove an existing role, delete it from the roles list.
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Add or remove privileges for a role
Under privileges for a given role under aerospikeAccessControl, add any additional privileges on new lines. Here we add read-write to the profiler role. To remove a privilege from a role, delete it from that role's privileges list.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike
spec:
  # ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
          - read-write
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Privilege scope
To scope privileges to a namespace or set, add the following to the profiler role in the roles list under aerospikeAccessControl. The order of the scope syntax is: privilege.namespace.set.
- To scope a read privilege to a namespace called test-namespace, add the privilege as read.test-namespace.
- To scope a read-write privilege to a set called test-set on a different namespace called test-namespace-1, add the privilege as read-write.test-namespace-1.test-set.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike
spec:
  # ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read.test-namespace
          - read-write.test-namespace-1.test-set
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Create or delete a user
Create the secret for the user and add the user in the users list under aerospikeAccessControl.
Create a secret profile-user-secret containing the password for the user profiler by passing the password from the command line:
kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'
Add the profileUser user with the profiler role.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike
spec:
  # ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
To remove a user, delete its entry from the users list.
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Add or remove user roles
Add or remove roles in the desired user's roles list. Here we add user-admin and sys-admin to the profileUser roles list.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike
spec:
  # ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
          - user-admin
          - sys-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Change a user's password
Once a secret has been created, it cannot be changed. To change an existing password, create an entirely new secret and assign it to the user in place of the old secret.
Create a new secret new-profile-user-secret containing the password for the Aerospike cluster user profileUser by passing the password from the command line:
kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'
Update the secretName for profileUser to the new secret name new-profile-user-secret.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
  name: aerocluster
  namespace: aerospike
spec:
  # ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: new-profile-user-secret
        roles:
          - profiler
          - user-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
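As an added example (not part of the operator documentation or the operator's own code), the following Python script audits the aerospikeAccessControl section of a CR like the ones above before it is applied: it parses the privilege.namespace.set scope syntax from the Privilege scope section, flags read-write privileges that are not scoped to a namespace, reports roles a user references that the CR never defines, and lists which users hold the predefined sys-admin or user-admin roles. The CR is embedded as a constructed Python dict mirroring the page's YAML so the script runs without a YAML library; the checks are this example's policy, not the operator's own validation.

```python
"""Offline least-privilege audit of an AerospikeCluster CR's aerospikeAccessControl."""

# Constructed sample mirroring the CR fragments on this page, as a dict so it runs
# without a YAML library. It deliberately contains one unscoped read-write privilege
# and one reference to an undefined role so the audit has something to report.
SAMPLE_CR = {
    "apiVersion": "asdb.aerospike.com/v1",
    "kind": "AerospikeCluster",
    "metadata": {"name": "aerocluster", "namespace": "aerospike"},
    "spec": {"aerospikeAccessControl": {
        "roles": [{"name": "profiler", "privileges": [
            "read.test-namespace", "read-write.test-namespace-1.test-set", "read-write"]}],
        "users": [
            {"name": "profileUser", "secretName": "profile-user-secret",
             "roles": ["profiler", "user-admin", "auditor"]},
            {"name": "admin", "secretName": "auth-secret",
             "roles": ["sys-admin", "user-admin"]},
        ]}},
}

PREDEFINED_ROLES = {"sys-admin", "user-admin"}  # the predefined roles named on this page


def parse_privilege(spec):
    """Split 'privilege[.namespace[.set]]' into a 3-tuple; absent parts are None."""
    parts = spec.split(".")
    if not 1 <= len(parts) <= 3 or not all(parts):  # reject '', 'a..b', 'a.b.c.d'
        raise ValueError(f"malformed privilege scope: {spec!r}")
    return tuple(parts + [None] * (3 - len(parts)))


def audit(cr):
    """Return human-readable findings for the CR's access-control section."""
    ac = cr["spec"]["aerospikeAccessControl"]
    known_roles = {r["name"] for r in ac.get("roles", [])} | PREDEFINED_ROLES
    findings = []
    for role in ac.get("roles", []):
        for spec in role.get("privileges", []):
            priv, namespace, _ = parse_privilege(spec)
            if priv == "read-write" and namespace is None:
                findings.append(f"role {role['name']}: {spec!r} allows writes to every namespace")
    for user in ac.get("users", []):
        for r in user.get("roles", []):
            if r not in known_roles:
                findings.append(f"user {user['name']}: role {r!r} is not defined in the CR")
        admin = sorted(set(user.get("roles", [])) & PREDEFINED_ROLES)
        if admin:
            findings.append(f"user {user['name']}: holds predefined admin role(s) {admin}")
    return findings
```

To audit the real file, load aerospike-cluster.yaml with a YAML parser (for example PyYAML's yaml.safe_load) and pass the resulting dict to audit().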