
Access control with LDAP and PKI

This page describes the authentication modes you can use separately or concurrently with Aerospike Database Enterprise Edition (EE).

Overview

Aerospike Database uses role-based access control (RBAC) to manage internal and external users.

  • Internal users are created by a user admin within the Aerospike server and assigned roles. They are authenticated upon connection with either a password or public-key infrastructure (PKI) certificate-based auth.
  • External users are created by an admin in a Lightweight Directory Access Protocol (LDAP) service. They log in with their LDAP credentials, which the Aerospike server verifies against that service.

The password sent by the client for any mode (password-based or LDAP) is never stored in cleartext on the Aerospike server.

Using Federal Edition (FE)

You can use only external LDAP authentication or PKI authentication with the FIPS 140-2 compliant Aerospike Enterprise Edition for United States Federal (AKA Federal Edition or FE). Password-based authentication is disabled.

Compatible Aerospike EE servers required for XDR

danger

When access control is enabled with Cross-Datacenter Replication (XDR), a cluster with Aerospike EE 4.1.0.1 to 4.3.0.6 cannot ship to an Aerospike EE Database 4.6 or later. The simplest workaround is to avoid using incompatible Aerospike EE versions (4.1.0.1 to 4.3.0.6). Refer to this support article for more information.

Password-based authentication

The default password-based authentication method:

  • The system administrator creates internal users of the Aerospike cluster with a username and password. A role assignment is optional.
  • The client uses the INTERNAL auth mode. It sends the username and a hash of the user's password, to be matched against the one stored in the Aerospike cluster.

PKI authentication

PKI (public key infrastructure) authentication is an alternative authentication mode for internal users. The default PKI authentication method:

  • The Aerospike EE cluster nodes must be configured to check the client's TLS certificate.
  • The user's certificate must be signed by the server's root CA.
  • The CN field of the Subject DN must contain the username of this user.
  • The system administrator creates internal users of the Aerospike cluster with a username and a strong random password.
    • If a user is restricted to only PKI mTLS-based access, the administrator does not communicate a password to the user.
  • The client uses the PKI auth mode, and configures it for mTLS as described in Managing mTLS with a Java client.

External authentication with LDAP

An Aerospike Database cluster with LDAP enabled supports authentication against an external LDAP server, without requiring matching internal users. Internal users cannot use LDAP authentication; an internal user can only use password-based or PKI authentication.

To use LDAP authentication:

  1. The client uses the EXTERNAL auth mode.
  2. The client sends a username and password.
  3. The Aerospike server authenticates these credentials against the external LDAP server.
  4. Authorization happens when the Aerospike server queries the LDAP server for the user's roles. Roles that match local role names are assigned to the user, granting the privileges associated with these roles.
  5. Aerospike Database caches a local copy of successful authentication and authorization. This local directory is distributed to every cluster node for lower query latency and reduced load on the LDAP server.
  6. The external LDAP server is queried on a configurable polling period for changes to the user's access.

For instructions, see Configuring LDAP.

TLS encryption between the client and server should be enabled when external authentication is used, since the external LDAP server needs a cleartext password forwarded to it.
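The authorization and caching steps above, modelled as an added example (not Aerospike's own code): LDAP group DNs are mapped to roles by matching the group's `cn` against locally defined role names, a successful login is cached for `session_ttl` seconds, and the directory is re-polled every `polling_period` seconds. The same `rdn_value` lookup is what the PKI rule in the previous section needs when reading the CN from a certificate's Subject DN. The directory contents, role names and timing values are constructed sample data.

```python
from typing import Callable, Dict, List, Optional

# Roles defined locally on a hypothetical cluster; only these can be granted.
LOCAL_ROLES = {"read", "read-write", "sys-admin", "user-admin"}

# Constructed sample directory: username -> group DNs returned by LDAP.
LDAP_GROUPS: Dict[str, List[str]] = {
    "alice": ["cn=read-write,ou=roles,dc=example,dc=com",
              "cn=finance,ou=groups,dc=example,dc=com"],
}

def rdn_value(dn: str, attr: str = "cn") -> Optional[str]:
    """Return the value of the first RDN named `attr` in a DN string, e.g. the CN."""
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().lower() == attr:
            return value.strip()
    return None

def map_ldap_roles(group_dns: List[str], local_roles=LOCAL_ROLES) -> List[str]:
    """Keep only LDAP group names that match a locally defined role name."""
    names = {v for v in (rdn_value(dn) for dn in group_dns) if v is not None}
    return sorted(names & local_roles)

class SessionCache:
    """Local copy of a successful authentication/authorization per user."""
    def __init__(self, polling_period: float, session_ttl: float,
                 lookup: Callable[[str], List[str]]):
        self.polling_period = polling_period   # how often LDAP is re-queried
        self.session_ttl = session_ttl         # lifetime of the access token
        self.lookup = lookup                   # username -> group DNs from LDAP
        self.entries = {}                      # username -> (roles, polled_at, expires_at)

    def login(self, username: str, now: float) -> List[str]:
        """Called after the LDAP bind succeeded; stores roles and session expiry."""
        roles = map_ldap_roles(self.lookup(username))
        self.entries[username] = (roles, now, now + self.session_ttl)
        return roles

    def roles_for(self, username: str, now: float) -> Optional[List[str]]:
        """Roles for a cached session, or None if the session expired."""
        entry = self.entries.get(username)
        if entry is None or now >= entry[2]:
            return None                        # client must authenticate again
        roles, polled_at, expires_at = entry
        if now - polled_at >= self.polling_period:
            roles = map_ldap_roles(self.lookup(username))   # pick up access changes
            self.entries[username] = (roles, now, expires_at)
        return roles
```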

Sessions

Regardless of the authentication mode, if the authentication succeeds, an access token is returned to the client. The client uses the access token on subsequent TCP connections, until the session it is associated with expires. See the session-ttl configuration parameter.

Access control features by Aerospike Database versions

  • Aerospike EE version 6.3 removed the syslog subcontext of the security config context. Audit trail messages can be sent to any log sink type (file, console or syslog) that is defined in the logging config context.
  • Aerospike FE version 6.0 is FIPS 140-2 compliant.
  • Aerospike EE version 5.7 added support for PKI authentication.

What next?

For detailed instructions see Configuring access control.