Access control with LDAP and PKI
This page describes the authentication modes you can use separately or concurrently with Aerospike Database Enterprise Edition (EE).
Overview
Aerospike Database uses role-based access control (RBAC) to manage internal and external users.
- Internal users are created by a user admin within the Aerospike server and assigned roles. They authenticate on connection with either a password or a public-key infrastructure (PKI) client certificate.
- External users are created by an admin in a Lightweight Directory Access Protocol (LDAP) service and authenticate with their LDAP credentials.
The password sent by the client for any auth mode (password-based or LDAP) is never stored in cleartext on the Aerospike server.
Using Federal Edition (FE)
With the FIPS 140-2 compliant Aerospike Enterprise Edition for United States Federal (also called Federal Edition or FE), only external LDAP authentication or PKI authentication can be used. Password-based authentication is disabled.
Password-based authentication
To create a user relying on password authentication:
- The system administrator creates an internal user with a password and RBAC roles.
Starting with Database 8.1, password authentication can be permanently disabled for a user (for example, a user that should only ever authenticate with PKI).
PKI authentication
PKI (public key infrastructure) authentication is an alternative authentication mode for internal users, built on mutual TLS (mTLS): the client proves its identity with a certificate instead of a password. To create a user relying on PKI authentication:
- The Aerospike cluster nodes must be configured to support mutual-TLS authentication.
- The user's certificate must be signed by the server's root CA.
- The `CN` field of the certificate's Subject Distinguished Name (DN) must contain the username of this user.
  - Starting with Database 8.1, you can use `pki-user-append-ou` to include the certificate's `OU` (Organizational Unit Name) value in the username for PKI authentication.
- The system administrator creates an internal user of the Aerospike cluster and permanently disables password authentication for this user.
  - Prior to Database 8.1 the procedure was to set a strong random password for the PKI-only user and then never communicate it.
- The client uses the `PKI` auth mode and configures it for mTLS as described in Managing mTLS with a Java client.
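The following script is an added example, not Aerospike's own tooling or text from this page. It uses `openssl` (assumed to be on `PATH`) to build a throwaway root CA, issue a client certificate whose Subject `CN` is the Aerospike username, and then check the two properties the steps above require: that the certificate chains to the root CA the server trusts, and that a username can be derived from the Subject DN. It also issues a certificate with the right `CN` from a different CA to show that the signature, not the `CN`, is what binds the identity. The user name `alice`, the OU `dbadmins`, the CA names and the temporary paths are all constructed for the demo, and the `.` used to join `CN` and `OU` when modelling `pki-user-append-ou` is an assumption of this example, not the server's documented format.

```shell
#!/bin/sh
# Added example (not Aerospike's own tooling). Builds a root CA, issues a client
# certificate with CN = Aerospike username, and checks what the server needs:
#   1. the certificate chains to the root CA the server trusts (mTLS);
#   2. the Subject DN has a CN (and optionally an OU) to derive the username from.
# All names (alice, dbadmins, CA names, temp paths) are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA; "$1.pem" is what the server would be configured to trust.
make_ca() {  # make_ca <out-prefix> <ca-name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Client key + CSR + certificate signed by the given CA.
# The CN is the Aerospike username; the OU is optional.
make_client_cert() {  # make_client_cert <ca-prefix> <username> <ou-or-empty> <out-prefix>
    subj="/CN=$2"
    if [ -n "$3" ]; then subj="$subj/OU=$3"; fi
    openssl req -newkey rsa:2048 -nodes -keyout "$4.key" -out "$4.csr" \
        -subj "$subj" 2>/dev/null
    openssl x509 -req -in "$4.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -days 1 -out "$4.pem" 2>/dev/null
}

# Succeeds only if the certificate was issued by the given CA (what mTLS enforces).
issued_by() {  # issued_by <ca-prefix> <cert.pem>
    openssl verify -CAfile "$1.pem" "$2" >/dev/null 2>&1
}

# Print the username derived from the Subject DN: the first CN, or, when $2 is
# "true" (modelling pki-user-append-ou, Database 8.1+), CN plus OU.
# ASSUMPTION: "." as the CN/OU join character; the server's real format is
# whatever the access-control documentation specifies.
pki_username() {  # pki_username <cert.pem> <append-ou: true|false>
    subject="$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline)"
    cn="$(printf '%s\n' "$subject" | sed -n 's/^ *CN=//p' | head -n 1)"
    ou="$(printf '%s\n' "$subject" | sed -n 's/^ *OU=//p' | head -n 1)"
    if [ -z "$cn" ]; then
        echo "certificate has no CN: the server cannot map it to a user" >&2
        return 1
    fi
    if [ "$2" = true ] && [ -n "$ou" ]; then
        printf '%s.%s\n' "$cn" "$ou"
    else
        printf '%s\n' "$cn"
    fi
}

# --- demo ---
make_ca "$WORK/ca"    example-root-ca
make_ca "$WORK/rogue" not-our-ca
make_client_cert "$WORK/ca"    alice dbadmins "$WORK/alice"
make_client_cert "$WORK/rogue" alice ""       "$WORK/impostor"   # right CN, wrong CA

echo "alice.pem    -> user '$(pki_username "$WORK/alice.pem" false)'," \
     "with OU appended '$(pki_username "$WORK/alice.pem" true)'"
if issued_by "$WORK/ca" "$WORK/alice.pem"; then
    echo "alice.pem    chains to our root CA: accepted"
fi
if issued_by "$WORK/ca" "$WORK/impostor.pem"; then
    echo "impostor.pem accepted (this would be a bug)"
else
    echo "impostor.pem rejected: the CN alone is not identity, the CA signature is"
fi
```

The `impostor.pem` case is the one to keep in mind when issuing PKI users: anyone can mint a certificate with `CN=alice`, so the server's trust in the root CA (and keeping that CA's key offline) is the whole security boundary.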
External authentication with LDAP
An Aerospike Database cluster with LDAP enabled can authenticate users against an external LDAP server without a matching internal user. LDAP authentication is only for external users: an internal user can authenticate only with a password or with PKI.
To use LDAP authentication:
- The client uses the `EXTERNAL` auth mode and sends a username and password.
- The Aerospike server authenticates these credentials against the external LDAP server.
- Authorization happens when the Aerospike server queries the LDAP server for the user's roles. Roles whose names match local role names are assigned to the user, granting the privileges associated with those roles.
- Aerospike Database caches a local copy of each successful authentication and authorization. This local directory is distributed to every cluster node, for lower query latency and reduced load on the LDAP server.
- The external LDAP server is queried on a configurable polling period for changes to the user's access.
For instructions, see Configuring LDAP.
TLS recommended
TLS encryption between the client and the server should be enabled when external authentication is used: the client sends its LDAP password to the Aerospike server, which must forward it in cleartext to the external LDAP server, so without TLS the password crosses the network in the clear. The hop from the Aerospike server to the LDAP server should be protected in the same way (for example with LDAPS).
Sessions
Regardless of the authentication mode, if the authentication succeeds, an access token is returned to the client. The client uses the access token on subsequent TCP connections, until the session it is associated with expires. See the `session-ttl` configuration parameter.
Access control features by database version
- Aerospike EE version 8.1 adds the ability to disable password authentication, and a configuration controlling whether to involve the user certificate's `OU` in selecting the username from the cert.
- Aerospike EE version 6.3 removed the `syslog` subcontext of the `security` config context. Audit trail messages can be sent to any log sink type (`file`, `console` or `syslog`) that is defined in the `logging` config context.
- Aerospike FE version 6.0 is FIPS 140-2 compliant.
- Aerospike EE version 5.7 added support for PKI authentication.
Compatible Aerospike EE servers required for XDR
What next?
For detailed instructions see Configuring access control.