Access Control for Aerospike Clusters on Kubernetes
Enable securityโ
To use Aerospike access control, you must enable security for the Aerospike clusters.
Aerospike server 5.7.x and laterโ
Enable security for your Aerospike clusters in the aerospikeConfig section of the custom resource (CR) file like so:
aerospikeConfig:
.
.
.
security: {}
.
.
.
Aerospike server 5.6.x and earlierโ
Enable security for your Aerospike clusters in the aerospikeConfig section of the CR like so:
aerospikeConfig:
.
.
.
security:
enable-security: true
.
.
.
Aerospike Access Control includes user, role, and privilege creation and maintenance. See the documentation for more information on Aerospike Access Control.
To manage your access controls from the operator, configure the aerospikeAccessControl section in the Aerospike cluster's CR file.
Access control changes on an operator-managed Aerospike cluster must be made through modifying the CR file.
Any changes made externally (such as by using aql or asadm) will revert to the values in the CR file.
Example access control tasksโ
Create or delete a roleโ
Add a role in the roles list under aerospikeAccessControl.
sys-admin and user-admin are standard predefined roles.
Here we add a new custom role called profiler, which has read privileges.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
To remove an existing role, delete it from the roles category.
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Add or remove privileges to a roleโ
Under privileges for a certain role under aerospikeAccessControl, add any additional privileges on new lines.
Here we add read-write to the profiler role.
Remove a privilege from the list under a role to remove the privilege from that role.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
- read-write
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Privilege scopeโ
To scope privileges to a namespace or set, add the following to the profiler role in the roles list under aerospikeAccessControl.
The order of the scope syntax is: privilege.namespace.set.
- To scope a
readprivilege to a namespace calledtest-namespace, add the privilege asread.test-namespace - To scope a
read-writeprivilege to a set calledtest-seton a different namespace calledtest-namespace-1, add the privilege asread-write.test-namespace-1.test-set
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read.test-namespace
- read-write.test-namespace-1.test-set
users:
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Create or delete a userโ
Create the secret for the user and add the user in the users list under aerospikeAccessControl.
Create a secret profile-user-secret containing the password for the user profiler by passing the password from the command line:
kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'
Add profileUser user with the profiler role.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
To remove a user, delete the entry from the users category.
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Add or remove user rolesโ
Add or remove roles in the desired user's roles list.
Here we add user-admin and sys-admin to the profileUser roles list.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: profile-user-secret
roles:
- profiler
- user-admin
- sys-admin
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml
Change a user's passwordโ
Once a secret has been created, it cannot be changed. To change an existing password, create an entirely new secret and assign it to the user in place of the old secret.
Create a new secret new-profile-user-secret containing the password for Aerospike cluster user profileUser by passing the password from the command line:
kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'
Update the secretName for profileUser to the new secret name new-profile-user-secret.
apiVersion: asdb.aerospike.com/v1
kind: AerospikeCluster
metadata:
name: aerocluster
namespace: aerospike
spec:
.
.
aerospikeAccessControl:
roles:
- name: profiler
privileges:
- read
users:
- name: profileUser
secretName: new-profile-user-secret
roles:
- profiler
- user-admin
- name: admin
secretName: auth-secret
roles:
- sys-admin
- user-admin
Save and exit the CR file, then use kubectl to apply the change.
kubectl apply -f aerospike-cluster.yaml