# Access control for Aerospike on Kubernetes

## Enable security

To use Aerospike access control, you must first enable security on the Aerospike cluster.

Enable security for your Aerospike clusters in the `aerospikeConfig` section of the custom resource (CR) file like so:

```yaml
aerospikeConfig:
  ...
  security: {}
  ...
```

Aerospike Access Control covers the creation and maintenance of users, roles, and privileges. See the Aerospike Database documentation for [more information on Aerospike Access Control](https://aerospike.com/docs/database/manage/security/rbac).

To manage your access controls from AKO, configure the `spec.aerospikeAccessControl` section in the Aerospike cluster’s CR file.

::: caution
Access control changes on an AKO-managed Aerospike cluster must be made by modifying the CR file. Any changes made externally (such as with `aql` or `asadm`) revert to the values in the CR file.
:::

## Example access control tasks

### Create or delete a role

Add a role in the `roles` list under `spec.aerospikeAccessControl`.

`sys-admin` and `user-admin` are standard predefined roles. Here we add a new custom role called `profiler`, which has the `read` privilege.

```yaml
spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
```

To remove an existing role, delete it from the `roles` list.

Save and exit the CR file, then use `kubectl` to apply the change.

```sh
kubectl apply -f aerospike-cluster.yaml
```

### Add or remove privileges for a role

Under `privileges` for a given role in `spec.aerospikeAccessControl`, add each additional privilege on its own line. Here we add `read-write` to the `profiler` role. To remove a privilege from a role, delete it from that role's `privileges` list.

```yaml
spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
          - read-write
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
```

Save and exit the CR file, then use `kubectl` to apply the change.

```sh
kubectl apply -f aerospike-cluster.yaml
```

#### Privilege scope

To scope privileges to a namespace or set, add the following to the `profiler` role in the `roles` list under `spec.aerospikeAccessControl`.

The order of the scope syntax is: `privilege.namespace.set`.

-   To scope a `read` privilege to a namespace called `test-namespace`, add the privilege as `read.test-namespace`
-   To scope a `read-write` privilege to a set called `test-set` on a different namespace called `test-namespace-1`, add the privilege as `read-write.test-namespace-1.test-set`

```yaml
spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read.test-namespace
          - read-write.test-namespace-1.test-set
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
```

Save and exit the CR file, then use `kubectl` to apply the change.

```sh
kubectl apply -f aerospike-cluster.yaml
```
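Before applying a change to `roles` or `users`, it is worth checking the section mechanically: that every scoped privilege follows the `privilege.namespace.set` syntax, that data privileges are actually scoped rather than cluster-wide, that users reference only roles that are declared under `roles` or predefined, and that every user has a `secretName`. The following Python lint is an added example, not AKO code. It works on the CR fragment as a plain dict (load your YAML with any YAML parser first); its predefined-role list is limited to the two roles this page names, and its list of global-only privileges is an assumption to adjust for your server version.

```python
"""Pre-apply lint for spec.aerospikeAccessControl in an AKO cluster CR.
Added example, not part of the Aerospike Kubernetes Operator."""

# Roles that exist without being declared under `roles` (the two the page names;
# assumption: extend for your server version).
PREDEFINED_ROLES = {"sys-admin", "user-admin"}
# Privileges that apply cluster-wide and take no namespace/set scope (assumption).
GLOBAL_ONLY_PRIVILEGES = {"sys-admin", "user-admin"}


def parse_privilege(spec):
    """Split the `privilege.namespace.set` syntax into its parts.

    'read'                                  -> cluster-wide read
    'read.test-namespace'                   -> read on one namespace
    'read-write.test-namespace-1.test-set'  -> read-write on one set
    """
    parts = spec.split(".")
    if not 1 <= len(parts) <= 3 or any(p == "" for p in parts):
        raise ValueError(f"malformed privilege {spec!r}: expected privilege[.namespace[.set]]")
    privilege, namespace, set_name = (parts + [None, None])[:3]
    return {"privilege": privilege, "namespace": namespace, "set": set_name}


def is_valid_privilege(spec):
    try:
        parse_privilege(spec)
        return True
    except ValueError:
        return False


def lint_access_control(access_control):
    """Return a list of (code, *details) findings; an empty list means clean."""
    findings = []
    defined_roles = set()

    for role in access_control.get("roles", []):
        name = role.get("name")
        if name in defined_roles:
            findings.append(("DUPLICATE_ROLE", name))
        if name in PREDEFINED_ROLES:
            findings.append(("SHADOWS_PREDEFINED_ROLE", name))
        defined_roles.add(name)
        for spec in role.get("privileges", []):
            if not is_valid_privilege(spec):
                findings.append(("MALFORMED_PRIVILEGE", name, spec))
                continue
            p = parse_privilege(spec)
            scoped = p["namespace"] is not None
            if scoped and p["privilege"] in GLOBAL_ONLY_PRIVILEGES:
                findings.append(("SCOPE_ON_GLOBAL_PRIVILEGE", name, spec))
            elif not scoped and p["privilege"] not in GLOBAL_ONLY_PRIVILEGES:
                # Least privilege: data privileges should normally carry a scope.
                findings.append(("UNSCOPED_PRIVILEGE", name, spec))

    seen_users = set()
    for user in access_control.get("users", []):
        name = user.get("name")
        if name in seen_users:
            findings.append(("DUPLICATE_USER", name))
        seen_users.add(name)
        if not user.get("secretName"):
            findings.append(("MISSING_SECRET", name))
        for role_name in user.get("roles", []):
            if role_name not in defined_roles and role_name not in PREDEFINED_ROLES:
                findings.append(("UNKNOWN_ROLE", name, role_name))
    return findings


# Constructed sample mirroring the page's CR fragments, with three deliberate
# problems: an unscoped data privilege, a reference to an undeclared role, and
# a user with no secretName.
SAMPLE_ACCESS_CONTROL = {
    "roles": [
        {"name": "profiler", "privileges": ["read.test-namespace",
                                            "read-write.test-namespace-1.test-set"]},
        {"name": "wide-open", "privileges": ["read-write"]},
    ],
    "users": [
        {"name": "profileUser", "secretName": "profile-user-secret",
         "roles": ["profiler", "auditor"]},
        {"name": "admin", "secretName": "auth-secret",
         "roles": ["sys-admin", "user-admin"]},
        {"name": "nosecret", "roles": ["profiler"]},
    ],
}

if __name__ == "__main__":
    for finding in lint_access_control(SAMPLE_ACCESS_CONTROL):
        print(*finding)
```

The `UNSCOPED_PRIVILEGE` finding is deliberately opinionated: a cluster-wide `read-write` on a custom role is valid configuration, but it is the kind of grant a reviewer should have to justify, so the lint surfaces it rather than silently accepting it.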

### Create or delete a user

Create the secret for the user and add the user in the `users` list under `spec.aerospikeAccessControl`.

Create a secret `profile-user-secret` containing the password for the user `profileUser` by passing the password from the command line:

```sh
kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'
```

Add the user `profileUser` with the `profiler` role.

```yaml
spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
```

To remove a user, delete the entry from the `users` list.

Save and exit the CR file, then use `kubectl` to apply the change.

```sh
kubectl apply -f aerospike-cluster.yaml
```

### Add or remove user roles

Add or remove roles in the desired user’s `roles` list.

Here we add `user-admin` and `sys-admin` to the `profileUser` roles list.

```yaml
spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
          - user-admin
          - sys-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
```

Save and exit the CR file, then use `kubectl` to apply the change.

```sh
kubectl apply -f aerospike-cluster.yaml
```

### Change a user’s password

Once a secret has been created, it cannot be changed. To change an existing password, create an entirely new secret and assign it to the user in place of the old secret.

Create a new secret `new-profile-user-secret` containing the password for Aerospike cluster user `profileUser` by passing the password from the command line:

```sh
kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'
```

Update the `secretName` for `profileUser` to the new secret name `new-profile-user-secret`.

```yaml
spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: new-profile-user-secret
        roles:
          - profiler
          - user-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
```

Save and exit the CR file, then use `kubectl` to apply the change.

```sh
kubectl apply -f aerospike-cluster.yaml
```
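The rotation above (create a new secret, then swap `secretName`) leaves the previous secret in the namespace, still holding a valid-looking password, until someone deletes it. The following Python helper is an added example, not part of AKO: it builds a JSON patch that swaps a user's `secretName` (guarded by a `test` op so the patch fails if the CR changed underneath you), applies that patch locally so the result can be reviewed, prints the matching `kubectl` commands, and lists the password secrets that no user references any more. The resource name `aerospikecluster`, the cluster name `aerocluster`, the `$NEW_PASSWORD` variable, and the sample CR are assumptions and constructed data; only stdlib is used.

```python
"""Rotate an AKO-managed user's password secret and find stale password secrets.
Added example, not part of the Aerospike Kubernetes Operator."""
import json

USERS_PATH = "/spec/aerospikeAccessControl/users"


def sample_cluster_cr():
    """Constructed CR mirroring the page's fragments; a fresh copy per call."""
    return {"spec": {"aerospikeAccessControl": {
        "roles": [{"name": "profiler", "privileges": ["read"]}],
        "users": [
            {"name": "profileUser", "secretName": "profile-user-secret",
             "roles": ["profiler", "user-admin"]},
            {"name": "admin", "secretName": "auth-secret",
             "roles": ["sys-admin", "user-admin"]},
        ],
    }}}


def user_index(cr, user_name):
    users = cr["spec"]["aerospikeAccessControl"]["users"]
    for i, user in enumerate(users):
        if user.get("name") == user_name:
            return i
    raise KeyError(f"user {user_name!r} is not in spec.aerospikeAccessControl.users")


def build_rotation_patch(cr, user_name, new_secret):
    """RFC 6902 patch: `test` guards against a concurrent edit, `replace` swaps the secret.

    A created secret cannot be changed (see above), so a rotation must use a
    secret with a new name; reusing the current name is rejected.
    """
    idx = user_index(cr, user_name)
    old_secret = cr["spec"]["aerospikeAccessControl"]["users"][idx]["secretName"]
    if new_secret == old_secret:
        raise ValueError(f"{user_name!r} already uses {old_secret!r}; create a secret with a new name")
    path = f"{USERS_PATH}/{idx}/secretName"
    return [
        {"op": "test", "path": path, "value": old_secret},
        {"op": "replace", "path": path, "value": new_secret},
    ]


def apply_rotation_patch(cr, patch):
    """Apply the patch locally (only the ops and paths this module emits) so the
    resulting CR can be reviewed before kubectl applies the same patch server-side."""
    for op in patch:
        # path looks like /spec/aerospikeAccessControl/users/<index>/secretName
        _, _, _, _, idx, field = op["path"].split("/")
        user = cr["spec"]["aerospikeAccessControl"]["users"][int(idx)]
        if op["op"] == "test":
            if user.get(field) != op["value"]:
                raise ValueError(f"test failed: {field} of user #{idx} changed since the patch was built")
        elif op["op"] == "replace":
            user[field] = op["value"]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return cr


def referenced_secrets(cr):
    """Secret names some user in the CR still points at."""
    return {u["secretName"] for u in cr["spec"]["aerospikeAccessControl"]["users"] if u.get("secretName")}


def stale_password_secrets(cr, password_secrets):
    """Of the password secrets you created for users, those no user references any more."""
    return sorted(set(password_secrets) - referenced_secrets(cr))


def kubectl_commands(namespace, cluster, new_secret, patch):
    """Shell commands for the rotation; the password is read from $NEW_PASSWORD
    so it does not land in shell history. `aerospikecluster` is an assumed resource name."""
    return [
        f'kubectl -n {namespace} create secret generic {new_secret} --from-literal=password="$NEW_PASSWORD"',
        f"kubectl -n {namespace} patch aerospikecluster {cluster} --type=json -p '{json.dumps(patch)}'",
    ]


if __name__ == "__main__":
    cr = sample_cluster_cr()
    patch = build_rotation_patch(cr, "profileUser", "new-profile-user-secret")
    for cmd in kubectl_commands("aerospike", "aerocluster", "new-profile-user-secret", patch):
        print(cmd)
    apply_rotation_patch(cr, patch)
    # Constructed list of the password secrets present in the namespace.
    print("stale:", stale_password_secrets(cr, ["profile-user-secret", "new-profile-user-secret", "auth-secret"]))
```

Delete the secrets reported as stale only after the cluster has reconciled the new `secretName`; until then the old secret is what AKO used to set the password, and a failed rollout would leave you wanting it back.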