Version: Graph 2.2.0

RBAC for Aerospike Graph

Overview

This page describes how to set up Role-Based Access Control (RBAC) for the Aerospike Graph Service (AGS) using JSON Web Tokens (JWTs).

A JWT is a bearer credential: anyone who captures one can use it until it expires. RBAC is therefore recommended only over a secure network connection between client applications and AGS.

Enable RBAC

Enable RBAC for your AGS instance with the following configuration options:

Option                                       Required?   Value
aerospike.graph-service.auth.jwt.secret      yes         Any string that you choose.
aerospike.graph-service.auth.jwt.issuer      yes         Your organization or a third-party authentication service.
aerospike.graph-service.auth.jwt.algorithm   no          One of: HMAC256, HMAC384, HMAC512. Default is HMAC256.

Once RBAC is enabled, every connection to AGS must present a JSON Web Token (JWT) that is signed with the configured secret and carries the configured issuer, and each user must hold a role with sufficient privileges for the queries they run. The secret is the HMAC signing key: anyone who holds it can mint a token for any role, including ADMIN. Use a long random value, and keep it out of application code.

note

When authentication is enabled, the evaluationTimeout parameter is ignored when it is part of Gremlin queries. To use the evaluationTimeout parameter when authentication is enabled, set it globally with the aerospike.graph-service.evaluationTimeout option in your configuration file.

Roles

The following role access levels are available:

READ

Can read data. No write or admin privileges.

The following steps are blocked for READ users:

Blocked Gremlin steps:
  addV
  addE
  mergeV
  mergeE
  property

Blocked call steps:
  aerospike.graph.admin.rbac-jwt.issue-token
  aerospike.graph.admin.index.drop
  aerospike.graph.admin.index.create
  aerospike.graphloader.admin.bulk-load.* (all bulk-load steps are blocked)

READ_WRITE

Can read data and perform write operations (addV(), addE(), property(), etc.).

All Gremlin steps are available to READ_WRITE users. The following call steps are blocked:

Blocked call steps:
  aerospike.graph.admin.rbac-jwt.issue-token
  aerospike.graph.admin.index.drop
  aerospike.graph.admin.index.create

ADMIN

Can perform read and write operations, plus create and delete indexes. No Gremlin steps or call steps are blocked.

Creating JWTs

Use the following procedure to create JWTs for use with graph authentication.

Create the ADMIN JWT

An admin user first needs a token with ADMIN privileges. Because issuing tokens inside AGS is itself a call step that requires an ADMIN token, the first admin token cannot be created by AGS: it must be created by an external token authority that signs it with the configured secret and issuer.

The following diagram shows the procedure for creating a token with an external token issuer:

[Diagram: Creating a JWT with an external token issuer]
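The following Python script is an added example, not Aerospike code, of what the external token authority in this step does, and it also exercises the three options from Enable RBAC above: SECRET and ISSUER stand in for aerospike.graph-service.auth.jwt.secret and .issuer, and the algorithm argument takes the same HMAC256, HMAC384 and HMAC512 values. It uses only the standard library. The claim names it writes (sub, username, role, exp) are assumptions; this page documents only that AGS checks the secret and the issuer, and the username and role parameters of the issue-token call step. The verify_token function shows the checks a server configured this way must make, and why the algorithm is pinned to the configured value rather than read from the token header. The secret and issuer values are constructed for the example.

```python
"""
Mint and verify HMAC-signed JWTs the way an external token authority
would for the first AGS ADMIN token. Constructed example, not Aerospike
code. What AGS is documented to check is the secret and the issuer; the
"sub", "username" and "role" claim names below are assumptions, and the
secret and issuer values are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

# The values accepted by aerospike.graph-service.auth.jwt.algorithm,
# mapped to the JOSE "alg" name and the hash each one uses.
ALGORITHMS = {
    "HMAC256": ("HS256", hashlib.sha256),
    "HMAC384": ("HS384", hashlib.sha384),
    "HMAC512": ("HS512", hashlib.sha512),
}


def _b64url(data):
    """Unpadded base64url, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    """Inverse of _b64url; restores the padding the decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    """Compact JSON, then base64url: one JWT segment."""
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(secret, issuer, username, role, algorithm="HMAC256",
                ttl_seconds=3600, now=None):
    """Sign a JWT with the secret and issuer that AGS is configured with."""
    alg, digest = ALGORITHMS[algorithm]
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    # Claim names other than "iss" are assumptions for this example.
    claims = {"iss": issuer, "sub": username, "username": username,
              "role": role, "iat": now, "exp": now + ttl_seconds}
    signing_input = _segment(header) + "." + _segment(claims)
    signature = hmac.new(secret.encode("utf-8"),
                         signing_input.encode("ascii"), digest).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token, secret, issuer, algorithm="HMAC256", now=None):
    """Return the claims of a token that passes every check; raise ValueError otherwise."""
    expected_alg, digest = ALGORITHMS[algorithm]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm to the configured one. Trusting the header's "alg"
    # instead is what lets "alg":"none" and key-confusion forgeries through.
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")
    signing_input = (header_b64 + "." + claims_b64).encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, digest).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def rejection_reason(token, secret, issuer, algorithm="HMAC256", now=None):
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        verify_token(token, secret, issuer, algorithm, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed values standing in for the two required AGS options.
    SECRET = "replace-with-a-long-random-secret"
    ISSUER = "auth.example.com"
    admin = issue_token(SECRET, ISSUER, "admin", "ADMIN", algorithm="HMAC512")
    print(admin)
    print(verify_token(admin, SECRET, ISSUER, algorithm="HMAC512")["role"])
    print(rejection_reason(admin, "wrong-secret", ISSUER, algorithm="HMAC512"))
```

The token printed by the script is what a client would then pass as the credential in the connection examples later on this page. Note that verify_token refuses a token whose header names a different algorithm from the configured one, including "none", before it looks at the signature at all; a verifier that instead honours whatever "alg" the token declares can be made to accept unsigned tokens.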

Create Subsequent JWTs using Admin Token

The admin user can create additional tokens for other users, including further admin tokens. Those users present their own tokens for graph queries, so the issuer and secret never need to be embedded in application code.

The following diagram shows the procedure for creating a token with the AGS aerospike.graph.admin.rbac-jwt.issue-token command:

[Diagram: Creating a JWT with AGS]

The admin user creates new tokens with the Gremlin call step aerospike.graph.admin.rbac-jwt.issue-token, sent over a connection that is itself authenticated with an ADMIN token (the step is blocked for READ and READ_WRITE users). Provide the new token's username and intended role (READ, READ_WRITE, or ADMIN) as parameters; the call returns the new token:

    g.call("aerospike.graph.admin.rbac-jwt.issue-token")
        .with("username", "<USERNAME>")
        .with("role", "<ROLE>")
        .next()

Connect to AGS using a JWT

Users connect to AGS by presenting their JWT as the credential, either over a Gremlin server connection or over an HTTP connection.

The following diagram shows the procedure for connecting to AGS with a JWT:

[Diagram: Connecting to AGS with a JWT]

Using a JWT over a Gremlin server connection

The following Java code example demonstrates connecting to the AGS Gremlin server endpoint with a JWT. The username and the token issued for it are passed as the driver credentials; AGS validates the token's secret and issuer:

    import org.apache.tinkerpop.gremlin.driver.Cluster;

    // <USERNAME> is the user the token was issued for, <TOKEN> the JWT itself.
    final Cluster cluster = Cluster.build()
            .addContactPoint("localhost").port(8182)
            .credentials(<USERNAME>, <TOKEN>)
            .create();

Using a JWT over an HTTP connection

To authenticate an HTTP connection with a JWT, set the Authorization request header to Bearer <JWT>, where <JWT> is the base64-encoded JWT string.

The following Java code example demonstrates setting up an HTTP connection with a JWT:

    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;

    public String adminIndexListHeaders(final String userCredentials) {
        try {
            final URL url = new URL("http://localhost:9090/admin/index/list");
            final HttpURLConnection con = (HttpURLConnection) url.openConnection();

            // Build the Bearer value: the base64-encoded JWT, as AGS expects.
            final String token = "Bearer "
                    + Base64.getEncoder().encodeToString(userCredentials.getBytes(StandardCharsets.UTF_8));

            // Send the GET request with the Authorization header set.
            con.setRequestMethod("GET");
            con.setRequestProperty("Authorization", token);

            // Read the response body into a String.
            final byte[] bytes = con.getInputStream().readAllBytes();
            return new String(bytes, StandardCharsets.UTF_8);
        } catch (final Exception e) {
            throw new RuntimeException(e);
        }
    }