How to enable security on an existing cluster without disrupting traffic

Context

To enable security on an existing cluster, you must enable it in a rolling fashion. However, new users cannot be created, roles cannot be assigned, and privileges cannot be granted until all nodes in the cluster have security enabled. At some point during the rollout, clients would be unable to connect to the nodes that have security enabled and/or would start getting permission issues when reading, writing, or querying the cluster.


Method

Method 1 - enable security on one node first

  1. Ensure that your client is passing in the future credentials of a user that has the correct permissions for the transactions you’re doing. See our documentation on Privileges for more details.

  2. Quiesce one node and stop Aerospike on it

    Admin+> asinfo -v 'quiesce:' with 192.168.100.233
    Admin+> manage recluster

  3. Edit the aerospike.conf file on the node that was just brought down and change cluster-name to a different name than the original cluster-name.

  4. Add the security stanza to aerospike.conf

    security {
    
    }

  5. Start up the node (it should form its own cluster)

  6. Add the user/password with the correct roles/privileges through asadm. These changes should be saved to the security.smd file

  7. Stop Aerospike on the node again

  8. Reset the cluster-name back to the original one

  9. Start Aerospike

  10. Quiesce the next node and stop Aerospike

  11. Add the security stanza to aerospike.conf

  12. Start Aerospike (this node should have already picked up the security.smd file from the other node in the cluster that already has security enabled)

  13. Repeat steps 10-12 until all nodes have security enabled

 

Method 2 - copy security.smd file from a separate cluster

  1. Ensure that your client is passing in the future credentials of a user that will eventually have the correct permissions for the transactions you’re doing.

  2. On a dev or QA environment, enable security using any method, but include the credentials that the client side uses to connect to prod

  3. Quiesce a node on prod and stop Aerospike

  4. Add the security stanza on prod

  5. Copy the security.smd file from dev/QA onto prod (this should include the credentials you are planning to use)

  6. Start Aerospike

  7. Quiesce and stop Aerospike on the next node on prod

  8. Add the security stanza

  9. Start Aerospike (we would not need to copy the security.smd file this time as it should get it from the node that already has security enabled)

  10. Repeat steps 7-9 until all nodes have security enabled
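
A pre-start check for both methods above, as an added example rather than Aerospike's own tooling: before starting a node, confirm that its aerospike.conf has a top-level security stanza and that cluster-name in the service context is back to the original name (Method 1, step 8). The function name, the cluster names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a node's aerospike.conf before starting it during the rollout.
# Exit status: 0 = ready to start, 1 = no security stanza, 2 = cluster-name mismatch.
check_node_conf() {
    conf=$1 expected=$2
    awk -v want="$expected" '
        { sub(/#.*/, "") }                          # ignore comments
        depth == 0 && $1 ~ /^security[{]?$/ { has_sec = 1 }
        depth == 0 && $1 ~ /^service[{]?$/  { in_service = 1 }
        in_service && depth == 1 && $1 == "cluster-name" { name = $2 }
        {
            # Track brace nesting so only top-level stanzas are considered.
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) in_service = 0
        }
        END {
            if (!has_sec) { print "missing security stanza"; exit 1 }
            if (name != want) {
                print "cluster-name is \"" name "\", expected \"" want "\""
                exit 2
            }
            print "ok"
        }
    ' "$conf"
}

# Constructed sample: the first node after step 7 of Method 1, still carrying
# the temporary cluster-name set in step 3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
service {
    cluster-name tmp-security-bootstrap   # temporary name from step 3
    proto-fd-max 15000
}
security {

}
EOF

check_node_conf "$sample" prod-cluster ||
    echo "do not start this node yet (status $?)"
```

Run it against the real configuration path on each node right before the "Start Aerospike" step; a status of 2 on the first node means step 8 was skipped and the node would come up outside the original cluster.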


Applies To Earliest Version

Pre 4.9

Applies To Latest Version

Current Version