
Configuring Access Control in EE and FE

Access control is a security feature of Aerospike Database Enterprise Edition (EE), and the FIPS 140-2 compliant Aerospike Database Enterprise Edition for United States Federal (AKA Federal Edition or FE). It includes user management, roles and privileges, setting up audit trails, and integrating with syslog.

There are different authentication modes for internal users, which are created within Aerospike EE and authenticated with a password or a certificate (PKI), and for external users, which are defined and authenticated against an LDAP server. See the Access Control feature guide for details.

Enabling access control on the cluster

In a running cluster, apply the following steps node by node. If the server node is not running, skip to step 3:

  1. Quiesce the node.

  2. Stop the Aerospike server.

  3. In the Aerospike server configuration file (aerospike.conf), verify that a security stanza is present.

    a. In version 5.7 or later, the presence of a security stanza enables security/access control. The server does not recognize the enable-security parameter and will not start if it is present.

    b. In versions prior to 5.7, in the security stanza, set enable-security to true to enable security/access control.

  4. Optionally, to enable rate quotas, set enable-quotas to true in the security stanza.

security {
    # enable-security true   # versions < 5.7 only
    enable-quotas true

    # Other security-related configuration...
}

  5. Start the Aerospike Server.

Verifying that access control is enabled

To verify that access control is enabled on the cluster, use asadm to connect to the server. In Aerospike EE, log in with the initial administrator user (username admin) and the default password admin.

Change the password immediately.

If you are using the Federal Edition, the default password is not admin; an admin user needs to create and sign the certificate. Refer to create a user certificate request.

asadm -Uadmin
Seed: [('127.0.0.1', 3000, None)]
Aerospike Interactive Shell, version 2.0.0

Enter Password:
Found 1 nodes
Online: 10.0.0.1:3000

Admin> # change the admin user's password
Admin> enable
Admin+> #
Admin+> manage acl set-password user admin
Enter new password for user admin:
Successfully set password for user admin
Admin+> disable
Admin>

Creating users and assigning roles

You use asadm to create and edit custom roles consisting of one or more privileges. You create users and grant them one or more roles, with privileges acquired through those roles.

Creating a role

manage acl create role superuser priv read-write-udf
manage acl create role setA-user priv read-write-udf ns test set setA

Adding privileges to a role

manage acl grant role superuser priv sys-admin

Removing privileges from a role

manage acl revoke role superuser priv sys-admin

Creating a user with roles

manage acl create user superman password krypton roles superuser
manage acl create user fred password fredspwd roles user-admin setA-user setB-user

Add new roles to a user

manage acl grant user fred roles new-role

Removing roles from a user

manage acl revoke user fred roles setB-user

Changing a user password

manage acl set-password user admin

Deleting a role

manage acl delete role new-role

Deleting a user

manage acl delete user fred

Version changes

  • In version 3.7.0.1 or later, you can create a user without a role to allow exclusive cluster statistics read access.
  • In version 4.6 and later, you can assign a whitelist to a role, a comma-separated list of one or more IP addresses. Users with such roles are only allowed to connect to the server from a whitelisted address.
  • In version 5.6 and later, you can assign read and write rate quotas to a role, specifying the maximum read and write transactions per-second (TPS) allowed. A user with multiple roles, each with a separate quota, will have the maximum quota applied to all of their roles. For example, if the user has roleB on setB that has a quota of 1000 reads/sec, and a roleA on setA that has a quota of 2000 reads/sec, the effective quota for this user is 2000 reads/sec across any sets the user has access to (setA, setB).
  • Version 5.7 added PKI authentication as an alternative auth mode for internal users (ones created in Aerospike). You can restrict an internal user to PKI auth by generating a strong random password for the user and not communicating it to them. You create a user normally with asadm, but must generate an SSL cert for the user, signed by the server's root CA. The server must be configured for mTLS.
  • Added in version 6.0, the FIPS 140-2 compliant "Federal Edition" variant of Aerospike EE restricts access to PKI or LDAP authentication modes.
Note: You can also create users and assign them roles from an Aerospike client application. See the API reference for your preferred programming language in the Client Libraries section of the Aerospike documentation.

Managing Allow Lists for a Role

manage acl allowlist role superuser allow 10.0.0.1
manage acl allowlist role setA-user allow 127.0.0.0/8
manage acl allowlist role setC-user clear

Connecting with PKI auth

If you are using Aerospike Federal Edition (FE) you cannot use password authentication. Use PKI authentication or LDAP, which are available in both EE and FE.

For PKI authentication:

  • Verify that the server is using Mutual TLS (mTLS); if not, configure it. Refer to TLS Configuration.
  • Create a user and grant privileges and roles.
  • Generate an SSL certificate for each user, with the username as the Common Name (CN).
  • Sign each certificate using the server root certificate authority (CA). Refer to create a user certificate request.
asadm -p 4333 --tls-enable --tls-name server \
--tls-certfile=/root/rootca/output/admin.pem --tls-keyfile=/root/rootca/output/admin.key \
--tls-cafile=/etc/aerospike/tls/server/rootCA.pem --auth=pki
Seed: [('127.0.0.1', 4333, 'server')]
Aerospike Interactive Shell, version 2.7.3

Found 2 nodes
Online: 172.17.0.4:4333, 172.17.0.5:4333
Admin>

Privileges, permissions, and scopes

Aerospike's access control system is role based (RBAC). A role is a set of privileges.

A privilege consists of:

  • A permission.
  • A scope, which is global, per namespace, or per namespace and set.

For examples of the asadm syntax for roles, privileges, permissions, and scope, refer to Create users and assign roles.

Privilege: read
  Permissions:
    - get record
    - scan
    - query
    - get server configuration and statistics
    - change user password
  Scope: Global, per namespace, or per namespace and set.

Privilege: write (separated from read-write as of Server 4.6)
  Permissions:
    - record-level write operations (put, touch, delete)
    - bin-level write operations (such as List or Map write operations)
    - truncate or undo a truncation of namespaces or sets (Server 5.1 - 5.7)
  Scope: Global, per namespace, or per namespace and set.

Privilege: read-write
  Permissions:
    - all read user role privileges
    - all write user role privileges
  Scope: Global, per namespace, or per namespace and set.

Privilege: read-write-udf
  Permissions:
    - all read-write user role privileges
    - execute User-Defined Functions (UDFs)
    - execute queries using UDFs
  Scope: Global, per namespace, or per namespace and set.

Privilege: truncate (Server 6.0+)
  Permissions:
    - truncate or undo a truncation of namespaces or sets
  Scope: Global, per namespace, or per namespace and set.

Privilege: data-admin
  Permissions:
    - create and drop secondary indexes
    - register and remove UDFs
    - use the scan-query job monitoring system
    - abort scans and queries
    - change user password
    - truncate or undo a truncation of namespaces or sets
  Scope: Global

Privilege: sindex-admin (Server 6.0+)
  Permissions:
    - create and drop secondary indexes
  Scope: Global

Privilege: sys-admin
  Permissions:
    - all data-admin role privileges
    - set dynamic server configuration variables
    - enable specialized logging
    - get server configuration and statistics
  Scope: Global

Privilege: udf-admin (Server 6.0+)
  Permissions:
    - register and remove UDFs
  Scope: Global

Privilege: user-admin
  Permissions:
    - create and drop users
    - change any user password
    - grant roles to users
    - revoke user roles
    - create and drop user roles
    - grant user role privileges
    - revoke role privileges
    - set whitelists for roles (Server 4.6+)
    - set read/write rate quotas for roles (Server 5.6+)
    - query all users and their roles
    - query all roles and their privileges
    - get server configuration and statistics
  Scope: Global

Correlation of Aerospike-defined roles and permissions

Aerospike provides defined roles corresponding with each permission level. Each defined role has one privilege that consists of a permission and a global scope.

Each permission and its corresponding Aerospike-defined role have the same name, so pay attention to whether a name refers to the permission or to the role.

Generating valid passwords

Aerospike EE can accept any password set directly by clients for password-based authentication. However, asadm (and before it aql) limits the characters you can use when setting a password explicitly with the command:

manage acl set-password user <username> password <password>

Valid passwords can contain alphanumeric characters and the symbols .*-:/_{}@.

When setting a user password with a hidden prompt these restrictions do not apply.

manage acl set-password user <username>
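As an added example (not part of asadm or the Aerospike tools), the following Python checks a password against the character set stated above before building the explicit set-password command, and generates a random password from that same alphabet. That generator fits the pattern described under Version changes for PKI-only internal users: a strong password is generated and never communicated. The minimum length and the entropy helper are this example's choices, not requirements stated on this page.

```python
"""Password helpers for asadm's command-line password form. Added illustration,
not part of asadm; the accepted character set is the one stated on this page,
the 16-character minimum and entropy helper are this example's own choices."""
import math
import re
import secrets
import string

# Characters asadm accepts in 'manage acl set-password user <u> password <p>'.
ASADM_SYMBOLS = ".*-:/_{}@"
ASADM_ALPHABET = string.ascii_letters + string.digits + ASADM_SYMBOLS
_ASADM_SAFE = re.compile(r"[A-Za-z0-9.*\-:/_{}@]+")


def asadm_command_line_safe(password: str) -> bool:
    """True if every character can be passed in the explicit command form."""
    return _ASADM_SAFE.fullmatch(password) is not None


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random password of `length` chars from the asadm alphabet."""
    return length * math.log2(len(ASADM_ALPHABET))


def generate_password(length: int = 32) -> str:
    """Random password drawn only from the asadm-safe alphabet, so it can be set
    with the explicit command. Suited to a PKI-only internal user: generate it,
    set it, and never communicate it (assumed minimum of 16 characters)."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ASADM_ALPHABET) for _ in range(length))


def set_password_command(username: str, password: str) -> str:
    """Build the explicit asadm command, refusing passwords asadm would not accept
    on the command line (set those through the hidden-prompt form instead)."""
    if not username or any(c.isspace() for c in username):
        raise ValueError(f"unexpected username {username!r}")
    if not asadm_command_line_safe(password):
        raise ValueError("password contains characters asadm does not accept on the "
                         "command line; use 'manage acl set-password user <username>' "
                         "and enter it at the hidden prompt")
    return f"manage acl set-password user {username} password {password}"


if __name__ == "__main__":
    pw = generate_password(40)
    print(set_password_command("svc-pki-only", pw))
    print(f"{entropy_bits(40):.0f} bits of entropy")
```

Passwords containing spaces, quotes or other characters outside the listed set are not rejected by the server itself; they simply have to be entered through the hidden-prompt form, which is what the ValueError message points to.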

Example: user and role management

The following asadm session demonstrates user and role management.

asadm -Uadmin
Seed: [('127.0.0.1', 3000, None)]
Aerospike Interactive Shell, version 2.0.0

Enter Password:
Found 1 nodes
Online: 10.0.0.1:3000

Admin> enable
Admin+> #
Admin+> # create a superuser role with all privileges
Admin+> manage acl create role superuser priv read-write-udf
Successfully created role superuser
Admin+> #
Admin+> manage acl grant role superuser priv sys-admin
Successfully granted privilege to role superuser
Admin+> #
Admin+> manage acl grant role superuser priv user-admin
Successfully granted privilege to role superuser
Admin+> #
Admin+> # list all roles
Admin+> show roles
~~~~~~~~~~Roles (2021-01-23 01:13:13 UTC)~~~~~~~~~~~
Role| Privileges
data-admin | data-admin
read | read
read-write | read-write
read-write-udf| read-write-udf
superuser |user-admin, sys-admin, read-write-udf
superwoman | read.test, write.bar.testset
sys-admin | sys-admin
user-admin | user-admin
write | write
Number of rows: 9
Admin+> # Add allowlist to role -- Aerospike server 4.6 or later
Admin+> manage acl allowlist role superuser allow 10.0.0.1
Successfully updated allowlist for role superuser
Admin+> # list all roles
Admin+> show roles
~~~~~~~~~~~~~~~Roles (2021-01-23 01:16:24 UTC)~~~~~~~~~~~~~~~~
Role| Privileges|Allowlist
data-admin | data-admin| --
read | read| --
read-write | read-write| --
read-write-udf| read-write-udf| --
superuser |user-admin, sys-admin, read-write-udf| 10.0.0.1
superwoman | read.test, write.bar.testset| --
sys-admin | sys-admin| --
user-admin | user-admin| --
write | write| --
Number of rows: 9
Admin+> # create a user with the superuser role
Admin+> manage acl create user superman password krypton roles superuser
Successfully created user superman
Admin+> # list all users
Admin+> show users
~~~~~~~~~~~~~~Users (2021-01-23 01:18:12 UTC)~~~~~~~~~~~~~~
User| Roles|Connections
Bob-Ross | Painter|2
Kelly | read-write-udf|--
Mr-Rogers| Good-Neighbor|3
admin | read-write, sys-admin, user-admin|3
george | --|--
jesse | read-write-udf|--
superman | superuser|--
superuser|read-write-udf, sys-admin, user-admin|--
Number of rows: 8

Admin+> # create a role with read-write-udf privileges on set "setA" in namespace "test"
Admin+> manage acl create role setA-user priv read-write-udf ns test set setA
Successfully created role setA-user
Admin+> #
Admin+> show role like setA-user
~Roles (2021-01-23 01:20:21 UTC)~~
Role| Privileges
setA-user|read-write-udf.test.setA
Number of rows: 1

Admin+> # add a whitelist to this role so that it must connect from a 127.xx.xx.xx address
Admin+> # (Aerospike server 4.6 or later)
Admin+> manage acl allowlist role setA-user allow 127.0.0.0/8
Successfully updated allowlist for role setA-user
Admin+> #
Admin+> show role like setA-user
~~~~~~~Roles (2021-01-23 01:22:05 UTC)~~~~~~~~
Role| Privileges| Allowlist
setA-user|read-write-udf.test.setA|127.0.0.0/8
Number of rows: 1

Admin+> # create a role with read-write-udf privileges on set "setB" in namespace "test"
Admin+> manage acl create role setB-user priv read-write-udf ns test set setB
Successfully created role setB-user
Admin+> #
Admin+> # create a role with read-write-udf privileges on set "setC" in namespace "test"
Admin+> # that is only allowed to connect from a specific IP address (Aerospike server 4.6 or later)
Admin+> manage acl create role setC-user priv read-write-udf ns test set setC allow 127.23.45.67
Successfully created role setC-user
Admin+> #
Admin+> # remove the whitelist from this role (Aerospike server 4.6 or later)
Admin+> manage acl allowlist role setC-user clear
Successfully cleared allowlist from role setC-user
Admin+> #
Admin+> # create a user with several roles (user-admin setA-user setB-user)
Admin+> manage acl create user fred password fredspwd roles user-admin setA-user setB-user
Successfully created user fred
Admin+> #
Admin+> show user like fred
~~~Users (2021-01-23 01:25:56 UTC)~~~
User| Roles
fred|setA-user, setB-user, user-admin
Number of rows: 1

Admin+> # create a user without a role
Admin+> manage acl create user sally password foo
Successfully created user sally
Admin+> #
Admin+> show users like sally
~Users (2021-01-23 01:30:31 UTC)~
User
sally
Number of rows: 1

Admin+> # remove a role from a user
Admin+> manage acl revoke user fred roles setB-user
Successfully revoked roles from user fred
Admin+> #
Admin+> show user like fred
~Users (2021-01-23 01:31:26 UTC)~
User| Roles
fred|setA-user, user-admin
Number of rows: 1

Admin+> # create a role with read-write privileges on namespaces "test" and "bar"
Admin+> manage acl create role new-role priv read-write ns test
Successfully created role new-role
Admin+> #
Admin+> manage acl grant role new-role priv read-write ns bar
Successfully granted privilege to role new-role
Admin+> #
Admin+> show roles like new-role
~~~~Roles (2021-01-23 01:33:05 UTC)~~~~~
Role| Privileges
new-role|read-write.bar, read-write.test
Number of rows: 1

Admin+> # add a role to a user
Admin+> manage acl grant user fred roles new-role
Successfully granted roles to user fred
Admin+> #
Admin+> show users like fred
~~Users (2021-01-23 01:34:02 UTC)~~~
User| Roles
fred|new-role, setA-user, user-admin
Number of rows: 1

Admin+> # add a privilege to a role (affects any users who have that role)
Admin+> show roles like new-role
~~~~Roles (2021-01-23 01:34:30 UTC)~~~~~
Role| Privileges
new-role|read-write.bar, read-write.test
Number of rows: 1

Admin+> manage acl grant role new-role priv data-admin
Successfully granted privilege to role new-role
Admin+> #
Admin+> show role like new-role
~~~~~~~~~~Roles (2021-01-23 01:35:04 UTC)~~~~~~~~~~~
Role| Privileges
new-role|data-admin, read-write.bar, read-write.test
Number of rows: 1

Admin+> # remove a privilege from a role (affects any users who have the role)
Admin+> manage acl revoke role new-role priv read-write ns bar
Successfully revoked privilege from role new-role
Admin+> #
Admin+> show roles like new-role
~~Roles (2021-01-23 01:36:04 UTC)~~~
Role| Privileges
new-role|data-admin, read-write.test
Number of rows: 1

Admin+> # eliminate a role (Affects any users having the role)
Admin+> manage acl delete role new-role
Successfully deleted role new-role
Admin+> #
Admin+> show users like fred
~Users (2021-01-23 01:36:40 UTC)~
User| Roles
fred|setA-user, user-admin
Number of rows: 1

Admin+> disable
Admin>

Example: managing rate quotas

The following example demonstrates rate quota management:

asadm -Uadmin

Seed: [('127.0.0.1', 3000, None)]
Config_file: /home/citrusleaf/.aerospike/astools.conf, /etc/aerospike/astools.conf
Aerospike Interactive Shell, version 2.1.1-6-gbac0297

Enter Password:
Found 1 nodes
Online: 192.168.1.65:3000

Admin> # Verify that quotas are enabled
Admin> show config like enable-quotas
~~test Namespace Statistics (2021-10-22 22:18:16 UTC)~~
Node |10.0.0.1:3000|10.0.0.1:3000|10.0.0.1:3000
enable-quotas|true |true |true

Admin> # enable access control management:
Admin> enable

Admin+> # show existing roles:
Admin+> show roles
~Roles (2021-05-03 22:48:52 UTC)~
Role| Privileges
data-admin | data-admin
read | read
read-write | read-write
read-write-udf|read-write-udf
sys-admin | sys-admin
user-admin | user-admin
write | write
Number of rows: 7

Admin+> # create new worker role with read, write, and udf privileges:
Admin+> manage acl create role worker priv read-write-udf
Successfully created role worker.

Admin+> # show roles, including new worker role:
Admin+> show roles
~Roles (2021-05-03 22:49:11 UTC)~
Role| Privileges
data-admin | data-admin
read | read
read-write | read-write
read-write-udf|read-write-udf
sys-admin | sys-admin
user-admin | user-admin
worker |read-write-udf
write | write
Number of rows: 8

Admin+> # show existing users:
Admin+> show users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Users (2021-05-03 22:49:27 UTC)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User| Roles|Connections|~~~~~~~~~~~~~~~Read~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~Write~~~~~~~~~~~~~~~
| | |Quota|Single|Scan/Query|Scan/Query|Quota|Single|Scan/Query|Scan/Query
| | | |Record| Limited| Limitless| |Record| Limited| Limitless
| | | | TPS| RPS| | | TPS| RPS|
admin|user-admin|2 |0 |0 |0 |0 |0 |0 |0 |0
Number of rows: 1

Admin+> # add new user steve with password steve-pass and role worker:
Admin+> manage acl create user steve password steve-pass roles worker
Successfully created user steve.

Admin+> # show users, including new user steve:
Admin+> show users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Users (2021-05-03 22:49:46 UTC)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User| Roles|Connections|~~~~~~~~~~~~~~~Read~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~Write~~~~~~~~~~~~~~~
| | |Quota|Single|Scan/Query|Scan/Query|Quota|Single|Scan/Query|Scan/Query
| | | |Record| Limited| Limitless| |Record| Limited| Limitless
| | | | TPS| RPS| | | TPS| RPS|
admin|user-admin|2 |0 |0 |0 |0 |0 |0 |0 |0
steve| worker|-- |0 |0 |0 |0 |0 |0 |0 |0
Number of rows: 2

Admin+> # add 4,000 rps read quota and 2,000 rps write quota to role worker:
Admin+> manage acl quotas role worker read 4000 write 2000
Successfully set quotas for role worker.

Admin+> # show roles, including worker role:
Admin+> show roles
~~~~Roles (2021-05-03 22:50:02 UTC)~~~~~
Role| Privileges|~~Quotas~~
| |Read|Write
data-admin | data-admin|-- |--
read | read|-- |--
read-write | read-write|-- |--
read-write-udf|read-write-udf|-- |--
sys-admin | sys-admin|-- |--
user-admin | user-admin|-- |--
worker |read-write-udf|4000|2000
write | write|-- |--
Number of rows: 8

Admin+> # show users, including user steve, showing steve's new quotas:
Admin+> show users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Users (2021-05-03 22:50:08 UTC)~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
User| Roles|Connections|~~~~~~~~~~~~~~~Read~~~~~~~~~~~~~~~|~~~~~~~~~~~~~~Write~~~~~~~~~~~~~~~
| | |Quota|Single|Scan/Query|Scan/Query|Quota|Single|Scan/Query|Scan/Query
| | | |Record| Limited| Limitless| |Record| Limited| Limitless
| | | | TPS| RPS| | | TPS| RPS|
admin|user-admin|2 |0 |0 |0 |0 |0 |0 |0 |0
steve| worker|-- |4000 |0 |0 |0 |2000 |0 |0 |0
Number of rows: 2

Admin+> # disable access control management:
Admin+> disable
Admin>

Audit trail

A separate audit trail exists on every server. You can configure servers to generate audit log messages. Aerospike administrators can define and configure audit trails to log attempted and successful database operations to local files, the Aerospike log file, or the default sink. Refer to Configure - Log.

Aerospike supports granular levels of audit trail definitions to minimize performance impact:

  • Security violations (including authentication or role violations).
  • Successful authentications.
  • Successful or attempted data operations (including various write/read operations).
  • User administration operations, including:
    • creating/removing users
    • granting/revoking user privileges
    • creating/removing roles
  • System administration operation including:
    • creating/removing secondary indexes
    • registering/removing UDFs
    • changing dynamic server configurations

In general, auditing security violations and other seldom-occurring events has minimal performance impact. However, logging every attempted or successful data operation on numerous data sets can slow runtime performance in systems under heavy load, as well as increase storage requirements for the logs.

Refer to contexts of Server Log Reference and Access Control, LDAP and PKI.

Carefully review potential performance impact and storage needs in a test environment if you plan to maintain extensive audit records.

General

Authentication

Users

  • role violation, report violation
  • user administration operations
  • create, drop user
  • change user password
  • grant roles to user
  • revoke roles from user
  • create, drop role
  • grant privileges to role
  • revoke privileges from role
  • set whitelist for role (version 4.6+)
  • set read/write rate quotas for role (version 5.6+)
  • query users and their roles
  • query roles and their privileges

For all user administration operations, refer to report user admin.

System administration

  • system administration operations
  • create, drop index
  • register, remove UDFs
  • set dynamic server configuration variables
  • enable specialized logging
  • get server configuration, server statistics, and other information

For all system administration operations, refer to system-administration.

syslog

Servers can be configured to log audit messages to the following destinations. Refer to the syslog protocol definition.

  • syslog daemon default sink
  • local syslog facility (local file)
  • Aerospike log file

Example Audit Trail Output

This is example audit trail output.

In Aerospike EE version 3.7.0.1 or later, the audit trail output includes the IP address and port number of the client:

...
Oct 09 2018 04:22:36 GMT: INFO (security): (security.c:5482) permitted | client: 127.0.0.1:47692 | authenticated user: user1 | action: login | detail: user=user1
Oct 09 2018 04:22:36 GMT: INFO (security): (security.c:5482) permitted | client: 127.0.0.1:47694 | authenticated user: user1 | action: authentication | detail: user=user1
Oct 09 2018 04:22:38 GMT: INFO (security): (security.c:5482) permitted | client: 127.0.0.1:47694 | authenticated user: user1 | action: write | detail: {test|testset} [D|f59124986e96ad175b374c9487945bbcad537b74]
...

In Aerospike EE version 5.7 or later, the logging context for the audit trail output is "audit":

...
Sep 01 2021 18:37:56 GMT: INFO (audit): (security.c:7608) permitted | client: 127.0.0.1:51378 | authenticated user: user2 | action: login | detail: user=user2
Sep 01 2021 18:37:56 GMT: INFO (audit): (security.c:7608) permitted | client: 127.0.0.1:51380 | authenticated user: user2 | action: authentication | detail: user=user2
Sep 01 2021 18:37:56 GMT: INFO (audit): (security.c:7608) permitted | client: 127.0.0.1:51380 | authenticated user: user2 | action: read | detail: {test|eg-set} [D|1142f0217ababf9fda5b1a4de66e6e8d4e51765e]
...

Parsing the log file

  • The log message says in plain text what security action was attempted (if any), whether it succeeded or failed, and what user (if any) was involved.

  • Namespaces and sets are in braces: {namespace|set} or just {namespace|}

  • Custom role privileges are letter codes that correspond to Aerospike pre-defined privileges, and are followed by {namespace|set} scoping (if applicable).

    The letter codes are:

    • r = read
    • rw = read-write
    • rwf = read-write-udf
    • t = truncate
    • w = write
    • d = data-admin (a global privilege, scoping not applicable)
    • fa = udf-admin (a global privilege, scoping not applicable)
    • ia = sindex-admin (a global privilege, scoping not applicable)
    • s = sys-admin (a global privilege, scoping not applicable)
    • u = user-admin (a global privilege, scoping not applicable)

    For example:

    • rw{} indicates read-write privileges across all namespaces.
    • r{ns1},rw{ns2} indicates read privileges for the ns1 namespace and read-write privileges for the ns2 namespace.
    • u,rwf{ns1|setA} indicates user-admin privileges as well as read-write-udf privileges for setA in the ns1 namespace.

  • Key data is logged with successfully authenticated data transactions (as well as with data transactions that fail due to role violations) if the key is stored. If the key is not stored, the digest is logged. The eventual success or failure of the transaction does not affect this; this logging happens at the point at which authentication is checked.

    Key data appears as:

    • [S|mykey] if the key is a string.
    • [I|78654] if the key is an integer.
    • [B|AA C5 48] if the key is a blob of bytes.

    If the key is not stored, the digest is logged as a string:

    • [D|567895f996dd7dd3832222b57cd4a3031ecc6e24]
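The following Python parser is an added example (not an Aerospike tool) covering the audit line layout shown under Example Audit Trail Output and the field conventions listed above: it splits a line into timestamp, logging context (security or audit), result, client, user, action and detail, extracts the {namespace|set} and [kind|value] key fields from the detail, decodes privilege letter codes, and tallies (user, action, result) triples so a reviewer can see who did what. The sample input reuses the lines from this page plus one constructed line with a stored string key.

```python
"""Parser for Aerospike audit trail lines. Added example, not an Aerospike tool;
field layout follows the example output and the conventions listed above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Letter codes used for custom role privileges in the audit trail.
PRIVILEGE_CODES = {
    "r": "read", "rw": "read-write", "rwf": "read-write-udf", "t": "truncate",
    "w": "write", "d": "data-admin", "fa": "udf-admin", "ia": "sindex-admin",
    "s": "sys-admin", "u": "user-admin",
}

_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} GMT): "
    r"(?P<level>\w+) \((?P<context>security|audit)\): \((?P<src>[^)]+)\) "
    r"(?P<rest>.+)$"
)
_NSSET = re.compile(r"\{(?P<ns>[^|}]*)\|(?P<set>[^}]*)\}")
_KEY = re.compile(r"\[(?P<kind>[SIBD])\|(?P<value>[^\]]*)\]")
_PRIV = re.compile(r"(?P<code>[a-z]+)(?:\{(?P<ns>[^|}]*)(?:\|(?P<set>[^}]*))?\})?")


@dataclass
class AuditEvent:
    timestamp: str
    context: str          # "security" (pre-5.7) or "audit" (5.7+)
    result: str           # e.g. "permitted"
    client: Optional[str] = None
    user: Optional[str] = None
    action: Optional[str] = None
    detail: Optional[str] = None
    namespace: Optional[str] = None
    set_name: Optional[str] = None
    key_kind: Optional[str] = None    # S, I, B for a stored key; D when only the digest is logged
    key_value: Optional[str] = None


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one audit trail line; return None for lines that are not audit events."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    # Fields are separated by " | "; the "|" inside {ns|set} has no spaces around it.
    fields = [f.strip() for f in m.group("rest").split(" | ")]
    ev = AuditEvent(timestamp=m.group("ts"), context=m.group("context"), result=fields[0])
    for f in fields[1:]:
        k, _, v = f.partition(": ")
        if k == "client":
            ev.client = v
        elif k == "authenticated user":
            ev.user = v
        elif k == "action":
            ev.action = v
        elif k == "detail":
            ev.detail = v
    if ev.detail:
        ns = _NSSET.search(ev.detail)
        if ns:
            ev.namespace = ns.group("ns")
            ev.set_name = ns.group("set") or None   # "{ns|}" means no set
        key = _KEY.search(ev.detail)
        if key:
            ev.key_kind, ev.key_value = key.group("kind"), key.group("value")
    return ev


def decode_privileges(spec: str) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Expand 'u,rwf{ns1|setA}' into [('user-admin', None, None), ('read-write-udf', 'ns1', 'setA')]."""
    out = []
    for item in spec.split(","):
        m = _PRIV.fullmatch(item.strip())
        if not m or m.group("code") not in PRIVILEGE_CODES:
            raise ValueError(f"unknown privilege code: {item!r}")
        out.append((PRIVILEGE_CODES[m.group("code")], m.group("ns") or None, m.group("set") or None))
    return out


def summarize(lines) -> Dict[Tuple[str, str, str], int]:
    """Count (user, action, result) triples across a log, skipping non-event lines."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev:
            key = (ev.user, ev.action, ev.result)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input: lines from this page, plus one constructed line (index 4) with a stored string key.
SAMPLE = """...
Oct 09 2018 04:22:36 GMT: INFO (security): (security.c:5482) permitted | client: 127.0.0.1:47692 | authenticated user: user1 | action: login | detail: user=user1
Oct 09 2018 04:22:38 GMT: INFO (security): (security.c:5482) permitted | client: 127.0.0.1:47694 | authenticated user: user1 | action: write | detail: {test|testset} [D|f59124986e96ad175b374c9487945bbcad537b74]
Sep 01 2021 18:37:56 GMT: INFO (audit): (security.c:7608) permitted | client: 127.0.0.1:51380 | authenticated user: user2 | action: read | detail: {test|eg-set} [D|1142f0217ababf9fda5b1a4de66e6e8d4e51765e]
Sep 01 2021 18:38:01 GMT: INFO (audit): (security.c:7608) permitted | client: 127.0.0.1:51380 | authenticated user: user2 | action: write | detail: {test|} [S|mykey]
...""".splitlines()

if __name__ == "__main__":
    for user_action, n in sorted(summarize(SAMPLE).items()):
        print(n, user_action)
    print(decode_privileges("u,rwf{ns1|setA}"))
```

Because the page shows both the pre-5.7 "security" context and the 5.7+ "audit" context, the header pattern accepts either, so one parser can run over logs collected across an upgrade.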

Configuration security and syslog

Add a security section to the Aerospike configuration file

This example shows configuration parameters that would:

  • Enable security (set enable-security to true; versions prior to 5.7 only, since in 5.7 and later the presence of the security stanza enables it)
  • Define the syslog interface and events to transmit
  • Enable logging and define the events to log

For details about these parameters, see the Configuration Reference.


security {
    # enable-security true   # versions < 5.7 only

    # Write the audit trail to syslog (optional).
    syslog {
        syslog-local 0   # write to "local0" facility as well as to default syslog sink

        report-authentication true
        report-user-admin true
        report-sys-admin true
        report-violation true
        report-data-op test seta   # report successful data transactions on set "seta" in namespace "test"
    }

    # Write audit trail to aerospike log file (optional).
    log {
        report-authentication true
        report-user-admin true
        report-sys-admin true
        report-violation true
        report-data-op test seta   # report successful data transactions on set "seta" in namespace "test"
    }
}

Optionally configure sending audit information to syslog

Use your own syslog implementation. rsyslog is shown below.

  • Edit the rsyslog configuration:

sudo vi /etc/rsyslog.conf

  • Add the following line, which routes the local0 facility to a dedicated file:

local0.*    /var/log/aerospike_security_audit.log

  • Restart syslog (for example, on CentOS):

sudo /etc/init.d/rsyslog stop
sudo /etc/init.d/rsyslog start

Optionally configure the audit trail to use the Aerospike log file

log {
    report-authentication true
    report-user-admin true
    report-sys-admin true
    report-violation true
    report-data-op test seta   # report successful data transactions on set "seta" in namespace "test"
}

Aerospike version requirements

Aerospike server versions

Aerospike EE versions 4.6.0.4 and later, 4.5.3.6, 4.5.2.6, 4.5.1.11, and 4.5.0.15, support enabling access control through a rolling restart, allowing environments running on the latest client libraries (supporting mixed security modes) to turn on access control without downtime. The AER-6099 improvement was made to allow the System Metadata (SMD) sub-system to support mixed security modes on the server side.

In Aerospike EE versions without the AER-6099 improvement, enabling access control requires shutting down the cluster. Use the following steps on all nodes while the cluster is shut down. For versions with the AER-6099 improvement and supporting mixed security modes, the following steps can be executed on one node at a time. Make sure the client library has access control enabled prior to starting this procedure. Clients supporting a mixed-mode cluster (as mentioned earlier) connect without authentication when reaching a server node without access control enabled.

Caveats

When access control is enabled with Aerospike EE versions 4.6 or later, a feature-compatible Aerospike client is required. Refer to the following Knowledge Base article for further details.

When access control is enabled with Cross-Datacenter Replication (XDR), a cluster installed with Aerospike EE versions 4.1.0.1 to 4.3.0.6 cannot ship to an Aerospike EE server version 4.6 or later. The simplest workaround is to avoid using incompatible Aerospike EE versions (4.1.0.1 to 4.3.0.6). Refer to the following Knowledge Base article for further details.

Client library versions

To use access control, the following minimum client versions are required:

  • Java 3.1.2
  • C / C++ 3.1.16
  • C# .NET 3.1.2
  • Python 1.0.44
  • Go 1.3.0

For enabling access control using a rolling restart, the following minimum client versions are required:

  • Java 4.4.4
  • C / C++ 4.6.5
  • C# 3.8.2
  • Python 3.7.3
  • Node.js 3.12.0