How to protect a set from being accessed

How to protect a set from being accessed

Problem Description

Given all users with a role that allow read/write access to a namespace, is it possible to modify the role to prevent all those users to access a particular set?

Example:

Let’s use the following example where the role RoleAll has complete read/write access to the namespace test:

sql> show role RoleAll
+-----------+-------------------+-----------+
| role      | privileges        | whitelist |
+-----------+-------------------+-----------+
| "RoleAll" | "read-write.test" | ""        |
+-----------+-------------------+-----------+
1 row in set (0.001 secs)

The following command to modify the RoleAll role to have read-write access to the namespace test except for the set SetA, will actually not prevent this role to read or write into set SetA despite it returning success:

revoke privilege read-write.test.SetA from RoleAll

Explanation

The revoke command actually requires an exact match for the string to be removed from the privileges list. It will not return any error if the specified privilege does not exist.

aql> show role RoleAll
[
    {
      "role": "RoleAll",
      "privileges": "read-write.test, read-write.test.Set2, read-write.test.Set9",
      "whitelist": ""
    }
]

A privilege without specifying any set is applied to the entire namespace. Therefore, in the example above, the extra privileges related to sets are redundant.

Solution

As the feature to blacklist a specific set from a namespace is not supported as of the writing of this article, there are a couple of potential workarounds, neither of which is very elegant:

1- Move the set to be blacklisted in its own namespace in order to separately control access to it

To move the set to a new namespace, you can use the asrestore command:

https://www.aerospike.com/docs/tools/backup/asrestore.html#data-selection-options

   asrestore --namespace originalNamespace,newNamespace --set-list SetA, ....

The new namespace would of course need to be sized accordingly.

2- Explicitly define the sets that would be allowed to be accessed (and disallow the use of the null set).

  • Refer to the disallow-null-setname in order to prevent records from being created without a set name specified.

  • Modify the existing role by the removing the global privilege for the entire namespace and add privileges for each specific set:

   revoke privilege read-write.test from RoleAll
   grant privilege read-write.test.set1 to RoleAll
   grant privilege read-write.test.set2 to RoleAll
   grant privilege read-write.test.set3 to RoleAll
   .
   .
   .
   grant privilege read-write.test.set9 to RoleAll

One caveat, though: a role with 256 or more privileges can be safely created as long as the privileges are added to the role in groups of less than 256 (e.g. one at a time as this example does). The privileges will be correctly enforced by the server. Nevertheless, if a client requests the description of the role, that server-client communication is broken because at this point, the security message protocol prevents more than 255 privileges from being sent to the client.

One way to workaround this and make the role somewhat query-able through AQL or any client, is to create separate roles and then add those to the user:

create role Role1  privileges read-write.test.set10,read-write.test.set11,read-write.test.set12,read-write.test.set13,read-write.test.set14,read-write.test.set15,read-write.test.set16,read-write.test.set17,read-write.test.set18,read-write.test.set19
grant role Role1 TO user1
create role Role2  privileges read-write.test.set20,read-write.test.set21,read-write.test.set22,read-write.test.set23,read-write.test.set24,read-write.test.set25,read-write.test.set26,read-write.test.set27,read-write.test.set28,read-write.test.set29
grant role Role2 TO user1
create role Role3  privileges read-write.test.set30,read-write.test.set31,read-write.test.set32,read-write.test.set33,read-write.test.set34,read-write.test.set35,read-write.test.set36,read-write.test.set37,read-write.test.set38,read-write.test.set39
grant role Role3 TO user1
create role Role4  privileges read-write.test.set40,read-write.test.set41,read-write.test.set42,read-write.test.set43,read-write.test.set44,read-write.test.set45,read-write.test.set46,read-write.test.set47,read-write.test.set48,read-write.test.set49
grant role Role4 TO user1
.
.
.

As the maximum number of sets in a namespace is 1023, with 10 sets per role, the maximum of 1023 sets could be covered.

Notes

  • We are considering blacklisting sets and/or wildcard pattern match. Check Aerospike Release notes for potential future enhancements.

Keywords

ACCESS CONTROL SECURITY SET ROLE ROLES PRIVILEGE

Timestamp

April 2020

© 2015 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.