Access Control for Aerospike Clusters on Kubernetes
Enable security

To use Aerospike access control, you must enable security for the Aerospike clusters. Enable security for your Aerospike clusters in the aerospikeConfig section of the custom resource (CR) file like so:

aerospikeConfig:
  ...
  security: {}
  ...

Aerospike Access Control includes user, role, and privilege creation and maintenance. See the Aerospike Database documentation section for more information on Aerospike Access Control.

To manage your access controls from AKO, configure the spec.aerospikeAccessControl section in the Aerospike cluster's CR file.

Access control changes on an AKO-managed Aerospike cluster must be made through modifying the CR file. Any changes made externally (such as by using aql or asadm) will revert to the values in the CR file.
Example access control tasks

Create or delete a role

Add a role in the roles list under spec.aerospikeAccessControl. sys-admin and user-admin are standard predefined roles. Here we add a new custom role called profiler, which has read privileges.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

To remove an existing role, delete it from the roles list. Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml
Add or remove privileges to a role

Under privileges for a certain role under spec.aerospikeAccessControl, add any additional privileges on new lines. Here we add read-write to the profiler role. Remove a privilege from the list under a role to remove the privilege from that role.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
          - read-write
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml
Privilege scope

To scope privileges to a namespace or set, add the following to the profiler role in the roles list under spec.aerospikeAccessControl. The order of the scope syntax is: privilege.namespace.set.

- To scope a read privilege to a namespace called test-namespace, add the privilege as read.test-namespace
- To scope a read-write privilege to a set called test-set on a different namespace called test-namespace-1, add the privilege as read-write.test-namespace-1.test-set

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read.test-namespace
          - read-write.test-namespace-1.test-set
    users:
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml
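As an added example (not part of the AKO documentation or project), the following Python checker parses the privilege.namespace.set syntax described above and flags two things a reviewer wants to catch before applying the CR: malformed entries, and a scoped grant that is made redundant by a global grant of the same privilege in the same role (a sign that the intended scoping is not actually in effect). The allowlist of privilege names is built only from the names this page uses, which is an assumption of the example rather than Aerospike's full privilege list.

```python
"""Parse and validate AKO privilege strings of the form
privilege[.namespace[.set]] before they go into the CR.

Added example, not part of the AKO project or its documentation.
KNOWN_PRIVILEGES is a constructed allowlist containing only the
privilege names this page uses, not Aerospike's full list.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist (assumption): only the privilege names the page uses.
KNOWN_PRIVILEGES = frozenset({"read", "read-write"})


@dataclass(frozen=True)
class ScopedPrivilege:
    privilege: str
    namespace: Optional[str] = None
    set_name: Optional[str] = None

    def scope(self) -> str:
        """Describe where the privilege applies; the narrowest scope wins."""
        if self.set_name is not None:
            return f"set {self.namespace}.{self.set_name}"
        if self.namespace is not None:
            return f"namespace {self.namespace}"
        return "global (all namespaces)"


def parse_privilege(entry: str) -> ScopedPrivilege:
    """Split 'privilege.namespace.set' into its parts.

    Raises ValueError for unknown privilege names, empty components, or
    more than three dot-separated components.
    """
    parts = entry.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"{entry!r}: expected privilege[.namespace[.set]]")
    if any(p == "" for p in parts):
        raise ValueError(f"{entry!r}: empty component in scope")
    privilege = parts[0]
    if privilege not in KNOWN_PRIVILEGES:
        raise ValueError(f"{entry!r}: unknown privilege {privilege!r}")
    namespace = parts[1] if len(parts) > 1 else None
    set_name = parts[2] if len(parts) > 2 else None
    return ScopedPrivilege(privilege, namespace, set_name)


def check_role_privileges(privileges: list[str]) -> list[str]:
    """Return human-readable problems found in one role's privilege list.

    Flags entries that do not parse, and scoped grants that are shadowed by
    a global grant of the same privilege (the global one makes the scoped
    one moot, so the scoping the author intended is not in effect).
    """
    problems: list[str] = []
    parsed: list[ScopedPrivilege] = []
    for entry in privileges:
        try:
            parsed.append(parse_privilege(entry))
        except ValueError as exc:
            problems.append(str(exc))
    global_grants = {p.privilege for p in parsed if p.namespace is None}
    for p in parsed:
        if p.namespace is not None and p.privilege in global_grants:
            problems.append(
                f"{p.privilege} on {p.scope()} is redundant: "
                f"the role already holds {p.privilege} globally"
            )
    return problems


# Constructed sample: the scoped privileges from the profiler role on this page.
SAMPLE_PRIVILEGES = [
    "read.test-namespace",
    "read-write.test-namespace-1.test-set",
]

if __name__ == "__main__":
    for entry in SAMPLE_PRIVILEGES:
        p = parse_privilege(entry)
        print(f"{entry:45} -> {p.privilege} on {p.scope()}")
    # A constructed role with a global grant shadowing a scoped one, plus a
    # malformed four-component entry, to show the checks firing.
    for problem in check_role_privileges(["read", "read.test-namespace", "read.a.b.c"]):
        print("problem:", problem)
```

Run it over the privileges list of each role in the CR before kubectl apply; a role whose list produces any problems should be corrected in the CR, since AKO will reconcile the cluster to whatever the CR says.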
Create or delete a user

Create the secret for the user and add the user in the users list under spec.aerospikeAccessControl. Create a secret profile-user-secret containing the password for the user profileUser by passing the password from the command line:

kubectl -n aerospike create secret generic profile-user-secret --from-literal=password='userpass'

Add the profileUser user with the profiler role.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

To remove a user, delete the entry from the users list. Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml
Add or remove user roles

Add or remove roles in the desired user's roles list. Here we add user-admin and sys-admin to the profileUser roles list.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: profile-user-secret
        roles:
          - profiler
          - user-admin
          - sys-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml
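Because the CR is the source of truth for users, roles and their bindings, it is worth linting the spec.aerospikeAccessControl section before applying it. The following Python script is an added example, not AKO's own code, and serves both the user-creation section and the user-roles section above: it represents the CR as the dict a YAML loader would produce (so it runs without a cluster or PyYAML), checks that every user has a password secret and references only roles that exist, reports duplicate names, and lists users who hold admin roles so that a grant like the one just made to profileUser is reviewed against least privilege. Only the two predefined roles this page names (sys-admin and user-admin) are in its allowlist; that is an assumption of the example.

```python
"""Lint the spec.aerospikeAccessControl section of an AKO cluster CR.

Added example, not part of the AKO project or its documentation. The CR
section is given as the Python dict a YAML loader would produce, so this
runs offline. Assumption: the only predefined roles known to the checker
are the two this page names.
"""
from collections import Counter

# Assumption: predefined roles known to this checker are the two the page names.
PREDEFINED_ROLES = frozenset({"sys-admin", "user-admin"})
# Roles whose holders should be reviewed for least privilege.
ADMIN_ROLES = frozenset({"sys-admin", "user-admin"})


def lint_access_control(acl: dict) -> dict[str, list[str]]:
    """Return {"errors": [...], "warnings": [...]} for an access-control spec.

    Errors are things AKO cannot reconcile sensibly (undefined roles,
    missing secrets, duplicate names); warnings are review items.
    """
    errors: list[str] = []
    warnings: list[str] = []
    roles = acl.get("roles", []) or []
    users = acl.get("users", []) or []

    # Duplicate names would make the desired state ambiguous.
    for kind, items in (("role", roles), ("user", users)):
        for name, n in Counter(i.get("name") for i in items).items():
            if n > 1:
                errors.append(f"{kind} {name!r} is defined {n} times")

    defined_roles = {r.get("name") for r in roles if r.get("name")}
    for r in roles:
        if not r.get("name"):
            errors.append("role without a name")
        if not r.get("privileges"):
            warnings.append(f"role {r.get('name')!r} grants no privileges")

    used_roles: set[str] = set()
    for u in users:
        name = u.get("name")
        if not name:
            errors.append("user without a name")
            continue
        if not u.get("secretName"):
            errors.append(f"user {name!r} has no secretName (password secret)")
        user_roles = u.get("roles", []) or []
        if not user_roles:
            warnings.append(f"user {name!r} has no roles")
        for role in user_roles:
            used_roles.add(role)
            if role not in defined_roles and role not in PREDEFINED_ROLES:
                errors.append(f"user {name!r} references undefined role {role!r}")
        held_admin = sorted(ADMIN_ROLES & set(user_roles))
        if held_admin:
            warnings.append(
                f"user {name!r} holds admin roles {held_admin}; confirm this is intended"
            )

    for role in sorted(defined_roles - used_roles):
        warnings.append(f"custom role {role!r} is not assigned to any user")
    return {"errors": errors, "warnings": warnings}


# Constructed sample mirroring the CR on this page after profileUser was
# given user-admin and sys-admin, plus a third user with a misspelled role
# reference ("profiller") to show an error being reported.
SAMPLE_ACL = {
    "roles": [{"name": "profiler", "privileges": ["read"]}],
    "users": [
        {"name": "profileUser", "secretName": "profile-user-secret",
         "roles": ["profiler", "user-admin", "sys-admin"]},
        {"name": "admin", "secretName": "auth-secret",
         "roles": ["sys-admin", "user-admin"]},
        {"name": "reporter", "secretName": "reporter-secret",
         "roles": ["profiller"]},
    ],
}

if __name__ == "__main__":
    result = lint_access_control(SAMPLE_ACL)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

A typo in a role name is reported as an error rather than silently creating a user with no effective privileges, and the admin-role warning gives the reviewer a single place to confirm that granting sys-admin and user-admin to a profiling user is really intended.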
Change a user's password

Once a secret has been created, it cannot be changed. To change an existing password, create an entirely new secret and assign it to the user in place of the old secret.

Create a new secret new-profile-user-secret containing the password for Aerospike cluster user profileUser by passing the password from the command line:

kubectl -n aerospike create secret generic new-profile-user-secret --from-literal=password='newuserpass'

Update the secretName for profileUser to the new secret name new-profile-user-secret.

spec:
  ...
  aerospikeAccessControl:
    roles:
      - name: profiler
        privileges:
          - read
    users:
      - name: profileUser
        secretName: new-profile-user-secret
        roles:
          - profiler
          - user-admin
      - name: admin
        secretName: auth-secret
        roles:
          - sys-admin
          - user-admin

Save and exit the CR file, then use kubectl to apply the change.

kubectl apply -f aerospike-cluster.yaml