Skip to main content
Loading
Version: Operator 3.3.0

Access Control for Aerospike Clusters on Kubernetes

Enable security

To use Aerospike Access control you need to enable security for the Aerospike clusters.

Aerospike server 5.7.x and later

Enable security for your Aerospike clusters in the aerospikeConfig section of the custom resource (CR) file like so:

  aerospikeConfig:
.
.
.
security: {}
.
.
.

Aerospike server 5.6.x and prior

Enable security for your Aerospike clusters in the aerospikeConfig section of the CR like so:

  aerospikeConfig:
.
.
.
security:
enable-security: true
.
.
.

Aerospike Access Control includes user, role, and privilege creation and maintenance. See the documentation for more information on Aerospike Access Control.

To manage your access controls from the operator, configure the aerospikeAccessControl section in the Aerospike cluster's CR file.

danger

Access control changes on an operator-managed Aerospike cluster must be made through modifying the CR file. Any changes made externally (such as by using aql or asadm) will revert to the values in the CR file.

Example access control tasks

note

For these examples, assume that the cluster is deployed using a file named aerospike-cluster.yaml.

Create or delete a role

Add a role in the roles list under aerospikeAccessControl.

sys-admin and user-admin are standard predefined roles. Here we add a new custom role called profiler, which has read privileges.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike

spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin

To remove an existing role, delete it from the roles category.

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Add or remove privileges to a role

Under privileges for a certain role under aerospikeAccessControl, add any additional privileges on new lines. Here we add read-write to the profiler role. Remove a privilege from the list under a role to remove the privilege from that role.


apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike

spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
- read-write
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Privilege scope

To scope privileges to a namespace or set, add the following to the profiler role in the roles list under aerospikeAccessControl.

The order of the scope syntax is: privilege.namespace.set.

  • To scope a read privilege to a namespace called test-namespace, add the privilege as read.test-namespace
  • To scope a read-write privilege to a set called test-set on a different namespace called test-namespace-1, add the privilege as read-write.test-namespace-1.test-set

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike

spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read.test-namespace
- read-write.test-namespace-1.test-set
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Create or delete a user

Create the secret for the user and add the user in the users list under aerospikeAccessControl.

Create a secret profile-user-secret containing the password for the user profiler by passing the password from the command line:

kubectl  -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'

Add profileUser user with the profiler role.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike

spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler

- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin

To remove a user, delete the entry from the users category.

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Add or remove user roles

Add or remove roles in the desired user's roles list.

Here we add user-admin and sys-admin to the profileUser roles list.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike

spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler
- user-admin
- sys-admin

- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Change a user's password

Once a secret has been created, it cannot be changed. To change an existing password, create an entirely new secret and assign it to the user in place of the old secret.

Create a new secret new-profile-user-secret containing the password for Aerospike cluster user profileUser by passing the password from the command line:

kubectl  -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'

Update the secretName for profileUser to the new secret name new-profile-user-secret.

apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike

spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: new-profile-user-secret
roles:
- profiler
- user-admin

- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml