
Access Control for Aerospike Clusters on Kubernetes

Enable security

To use Aerospike access control, you must enable security for the Aerospike clusters.

Enable security for your Aerospike clusters in the aerospikeConfig section of the custom resource (CR) file like so:

aerospikeConfig:
  ...
  security: {}
  ...

Aerospike Access Control includes user, role, and privilege creation and maintenance. See the Aerospike Database documentation section for more information on Aerospike Access Control.

To manage your access controls from AKO, configure the spec.aerospikeAccessControl section in the Aerospike cluster’s CR file.

Access control changes on an AKO-managed Aerospike cluster must be made through modifying the CR file. Any changes made externally (such as by using aql or asadm) will revert to the values in the CR file.

Example access control tasks

Create or delete a role

Add a role in the roles list under spec.aerospikeAccessControl.

sys-admin and user-admin are standard predefined roles. Here we add a new custom role called profiler, which has read privileges.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

To remove an existing role, delete it from the roles category.

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Add or remove privileges for a role

Under privileges for a role in spec.aerospikeAccessControl, add each additional privilege on its own line. Here we add read-write to the profiler role. To remove a privilege from a role, delete it from that role's privileges list.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
          - read-write
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Privilege scope

To scope privileges to a namespace or set, add the following to the profiler role in the roles list under spec.aerospikeAccessControl.

The order of the scope syntax is: privilege.namespace.set.

  • To scope a read privilege to a namespace called test-namespace, add the privilege as read.test-namespace
  • To scope a read-write privilege to a set called test-set on a different namespace called test-namespace-1, add the privilege as read-write.test-namespace-1.test-set

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read.test-namespace
          - read-write.test-namespace-1.test-set
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Create or delete a user

Create the secret for the user and add the user in the users list under spec.aerospikeAccessControl.

Create a secret profile-user-secret containing the password for the user profiler by passing the password from the command line:

kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'

Add profileUser user with the profiler role.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

To remove a user, delete the entry from the users category.

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Add or remove user roles

Add or remove roles in the desired user’s roles list.

Here we add user-admin and sys-admin to the profileUser roles list.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
          - user-admin
          - sys-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin
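Because AKO reconciles whatever is in spec.aerospikeAccessControl, a typo in a privilege scope or a user pointing at a role that does not exist only surfaces after kubectl apply. The following linter is an added example (not part of AKO or this page) that checks a CR fragment before it is applied: it parses each privilege string into the privilege.namespace.set shape described under "Privilege scope", and verifies that every role a user references is either defined in the roles list or one of the predefined roles named on this page (sys-admin, user-admin). The sample fragments, the extra privilege name write, and the function names are constructed for the example; extend PREDEFINED_ROLES and KNOWN_PRIVILEGES to match your server's actual catalogue.

```python
"""Pre-apply linter for a spec.aerospikeAccessControl fragment (added example)."""
from dataclasses import dataclass
from typing import Optional

# Predefined roles named on the page; extend for your server version (assumption).
PREDEFINED_ROLES = {"sys-admin", "user-admin"}
# Privilege names this linter accepts: the two the page uses plus "write" (assumption).
KNOWN_PRIVILEGES = {"read", "read-write", "write"}


@dataclass(frozen=True)
class Privilege:
    """A privilege with optional namespace and set scope."""
    name: str
    namespace: Optional[str] = None
    set_name: Optional[str] = None


def parse_privilege(spec: str) -> Privilege:
    """Parse 'privilege', 'privilege.namespace' or 'privilege.namespace.set'."""
    parts = spec.split(".")
    # Exactly one to three non-empty dot-separated components are allowed.
    if not 1 <= len(parts) <= 3 or any(p == "" for p in parts):
        raise ValueError(f"malformed privilege scope: {spec!r}")
    name = parts[0]
    if name not in KNOWN_PRIVILEGES:
        raise ValueError(f"unknown privilege {name!r} in {spec!r}")
    namespace = parts[1] if len(parts) > 1 else None
    set_name = parts[2] if len(parts) > 2 else None
    return Privilege(name, namespace, set_name)


def lint_access_control(access_control: dict) -> list:
    """Return a list of problems found in an aerospikeAccessControl mapping (empty if clean)."""
    problems = []
    defined_roles = set()
    for role in access_control.get("roles", []):
        role_name = role.get("name")
        if not role_name:
            problems.append("role entry without a name")
            continue
        if role_name in defined_roles:
            problems.append(f"duplicate role {role_name!r}")
        if role_name in PREDEFINED_ROLES:
            problems.append(f"role {role_name!r} collides with a predefined role")
        defined_roles.add(role_name)
        for priv in role.get("privileges", []):
            try:
                parse_privilege(priv)
            except ValueError as exc:
                problems.append(f"role {role_name!r}: {exc}")

    seen_users = set()
    for user in access_control.get("users", []):
        user_name = user.get("name")
        if not user_name:
            problems.append("user entry without a name")
            continue
        if user_name in seen_users:
            problems.append(f"duplicate user {user_name!r}")
        seen_users.add(user_name)
        if not user.get("secretName"):
            problems.append(f"user {user_name!r} has no secretName")
        for role_ref in user.get("roles", []):
            if role_ref not in defined_roles and role_ref not in PREDEFINED_ROLES:
                problems.append(f"user {user_name!r} references undefined role {role_ref!r}")
    return problems


# Constructed sample mirroring the page's CR fragment (as a Python mapping, no YAML parser needed).
PAGE_STYLE_SPEC = {
    "roles": [{"name": "profiler",
               "privileges": ["read.test-namespace", "read-write.test-namespace-1.test-set"]}],
    "users": [{"name": "profileUser", "secretName": "profile-user-secret",
               "roles": ["profiler", "user-admin", "sys-admin"]},
              {"name": "admin", "secretName": "auth-secret",
               "roles": ["sys-admin", "user-admin"]}],
}

# Constructed sample with a malformed scope, an undefined role and a missing secret.
BROKEN_SPEC = {
    "roles": [{"name": "profiler", "privileges": ["read..test-set"]}],
    "users": [{"name": "profileUser", "roles": ["auditor"]}],
}

if __name__ == "__main__":
    for label, spec in (("page-style", PAGE_STYLE_SPEC), ("broken", BROKEN_SPEC)):
        found = lint_access_control(spec)
        print(f"{label}: {'OK' if not found else found}")
```

Run it against a fragment you have loaded from the CR (for example with a YAML parser of your choice) before kubectl apply; an empty list means the shape and the role references are consistent with the conventions on this page.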

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml

Change a user’s password

Once a secret has been created, it cannot be changed. To change an existing password, create an entirely new secret and assign it to the user in place of the old secret.

Create a new secret new-profile-user-secret containing the password for Aerospike cluster user profileUser by passing the password from the command line:

kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'

Update the secretName for profileUser to the new secret name new-profile-user-secret.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: new-profile-user-secret
        roles:
          - profiler
          - user-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml