Problem Description
After upgrading to 6.x, one of the new Aerospike preset roles has multiple privileges.
Admin+> show roles
~Roles (2023-08-28 17:57:01 UTC)~
Role           | Privileges
data-admin     | data-admin
read           | read
read-write     | read-write
read-write-udf | read-write-udf
sindex-admin   | sindex-admin,read
sys-admin      | sys-admin
truncate       | truncate
udf-admin      | udf-admin
user-admin     | user-admin
write          | write
Number of rows: 10
Explanation
Roles such as sindex-admin, truncate, and udf-admin weren’t introduced in Aerospike until 6.0. On a version before 6.0 these names are not yet reserved, so you can create your own roles using the names that 6.0 reserves.
For example, if I’m running 5.x, I can create a role called sindex-admin and grant it read privileges.
Admin+> manage acl create role sindex-admin priv read
Successfully created role sindex-admin.
Admin+> show roles
~Roles (2023-08-28 17:53:48 UTC)~
Role           | Privileges
data-admin     | data-admin
read           | read
read-write     | read-write
read-write-udf | read-write-udf
sindex-admin   | read
sys-admin      | sys-admin
user-admin     | user-admin
write          | write
Number of rows: 8
After upgrading to 6.x, sindex-admin would become a reserved role. Trying to revoke the read privilege from sindex-admin or trying to remove the role sindex-admin wouldn’t work post upgrade to 6.x, because you can’t alter predefined roles.
Solution
Besides downgrading and removing the role, a workaround is to modify the security.smd file. Because nodes in the cluster use each other to fill out the smd files, you need to bring the whole cluster down and modify the smd files on all nodes before starting Aerospike again.
Please proceed with this workaround with caution, as it forces you to stop Aerospike on all nodes in the cluster.
1) Take a backup of the current security.smd file
2) Stop Aerospike on all nodes in the cluster
3) Remove a block of text in the security.smd file that looks similar to the one below:
    {
        "key": "|R|sindex-admin|V|10||",
        "value": "",
        "generation": 1,
        "timestamp": 430941226426
    },
Be sure to include the comma at the end when removing it.
4) Start Aerospike on all nodes in the cluster
This should remove the unwanted privilege from the default role. It should also keep any roles you assigned to users prior to removing the privilege from the security.smd file.
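Steps 1 and 3 can be scripted so that the backup is always taken and no stray comma is left behind. The following is an added example, not Aerospike's own tooling: it assumes security.smd is a JSON array of entries like the one shown above, and the function names, the .bak suffix and every sample element other than the sindex-admin entry are constructed for illustration.

```python
import json
import shutil

TARGET_KEY = "|R|sindex-admin|V|10||"  # key shown in the article

def drop_smd_key(smd_text, key=TARGET_KEY):
    """Return (new_text, removed_entries) with the entry named `key` removed."""
    doc = json.loads(smd_text)  # raises if the file is not valid JSON to begin with
    if not isinstance(doc, list):
        raise ValueError("expected a top-level JSON array")
    is_target = lambda e: isinstance(e, dict) and e.get("key") == key
    removed = [e for e in doc if is_target(e)]
    if not removed:
        raise LookupError(f"no entry with key {key!r}; file left unchanged")
    kept = [e for e in doc if not is_target(e)]  # non-entry elements are kept as they are
    # Re-serialising regenerates the separators, so no dangling comma can remain.
    return json.dumps(kept, indent=2) + "\n", removed

def patch_smd_file(path, key=TARGET_KEY):
    """Back up `path` to `path + '.bak'`, then rewrite it without the entry.

    Run once per node, and only while Aerospike is stopped on every node.
    """
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, removed = drop_smd_key(original, key)  # validate before touching disk
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="utf-8") as fh:  # written in place: owner and mode are kept
        fh.write(new_text)
    return removed

# Constructed sample: only the sindex-admin entry comes from the article.
SAMPLE = """[
  [1, 1],
  {"key": "|R|sindex-admin|V|10||", "value": "", "generation": 1, "timestamp": 430941226426},
  {"key": "|R|app-reader|V|10||", "value": "", "generation": 1, "timestamp": 430941226500}
]"""

if __name__ == "__main__":
    text, gone = drop_smd_key(SAMPLE)
    print("removed:", [e["key"] for e in gone])
    print(text)
```

If the key is not present the function raises before anything is written, which is a quick way to confirm on each node that the leftover entry actually exists there.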