Skip to content
Inviting nominations for the Champions of Scale - Nominate a leader building internet-scale data infastructure today! Nominate someone
Database ( latest 8.1.0 )
/Learn/Security/Access control

Access control with LDAP and PKI

This page describes the authentication modes you can use separately or concurrently with Aerospike Database Enterprise Edition (EE).

Overview

Aerospike Database uses role-based access control (RBAC) to manage internal and external users.

  • Internal users are created by a user admin within the Aerospike server and assigned roles. They are authenticated upon connection with either a password or public-key infrastructure (PKI) certificate-based auth.
  • External users are created by an admin in a Lightweight Directory Access Protocol (LDAP) service. External users log in using credentials from this service. They use LDAP credentials for authentication.

The password sent by the client for any auth mode (password-based or LDAP) is never stored in cleartext on the Aerospike server.

Using Federal Edition (FE)

You can use only external LDAP authentication or PKI authentication with the FIPS 140-2 compliant Aerospike Enterprise Edition for United States Federal (AKA Federal Edition or FE). Password-based authentication is disabled.

Password-based authentication

To create a user relying on password authentication:

  • The system administrator creates an internal user with a password and RBAC roles.
  • Permanently disabling password authentication is a feature added in Database 8.1.

PKI authentication

PKI (public key infrastructure) authentication is an alternative authentication mode for internal users, leveraging mutual-TLS (mTLS). To create a user relying on PKI authentication:

  • The Aerospike cluster nodes must be configured to support mutual-TLS authentication.
  • The user’s certificate must be signed by the server’s root CA.
  • The CN field of the Subject Distinguished Name (DN) must contain the username of this user.
    • Starting with Database 8.1, you can use pki-user-append-ou to include the certificate’s OU (Organizational Unit Name) value in the username for PKI authentication.
  • The system administrator creates an internal user of the Aerospike cluster. The administrator also permanently disables password authentication for this user.
    • Prior to Database 8.1 the procedure was to set a strong random password to a PKI-only user and then not communicate it.
  • The client uses the PKI auth mode, and configures it for mTLS as described in Managing mTLS with a Java client.

External authentication with LDAP

An Aerospike Database cluster which has LDAP enabled supports authentication against an external LDAP server, without matching internal users. Internal users cannot use LDAP authentication. An internal user can only use the access control password-based or PKI authentication.

To use LDAP authentication:

  1. The client uses the EXTERNAL auth mode.
  2. The client sends a username and password.
  3. The Aerospike server authenticates these credentials against the external LDAP server.
  4. Authorization happens when the Aerospike server queries the LDAP server for the user’s roles. Roles that match local role names are assigned to the user, granting the privileges associated with these roles.
  5. Aerospike Database caches a local copy of successful authentication and authorization. This local directory is distributed to every cluster node for lower query latency and reduced load on the LDAP server.
  6. The external LDAP server is queried on a configurable polling period for changes to the user’s access.

For instructions, see Configuring LDAP.

TLS encryption between the client and server should be enabled when external authentication is used, since the external LDAP server needs a cleartext password forwarded to it.

Sessions

Regardless of the authentication mode, if the authentication succeeds, an access token is returned to the client. The client uses the access token on subsequent TCP connections, until the session it is associated with expires. See the session-ttl configuration parameter.

Access control features by database version

  • Aerospike EE version 8.1 adds the ability to disable password authentication, and a configuration controlling whether to involve the user certificate’s OU in selecting the username from the cert.
  • Aerospike EE version 6.3 removed the syslog subcontext of the security config context. Audit trail messages can be sent to any log sink type (file, console or syslog) that is defined in the logging config context.
  • Aerospike FE version 6.0 is FIPS 140-2 compliant
  • Aerospike EE version 5.7 added support for PKI authentication.

Compatible Aerospike EE servers required for XDR

What next?

For detailed instructions see Configuring access control.

Feedback

Was this page helpful?

What type of feedback are you giving?

What would you like us to know?

+Capture screenshot

Can we reach out to you?