The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.
How to Secure an SMD file?
Context
As the /opt/aerospike/smd/security.smd file stores sensitive information about users and roles, it is advisable to secure it and restrict access to it from anything other than the asd process.
Method
The default permissions on all SMD files allow read access to everyone. To secure the file, the permissions of the /opt/aerospike/smd directory must be changed, along with those of the SMD files inside the directory:
root@011f72823081:/# ls -la /opt/aerospike/
total 40
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 .
drwxr-xr-x 1 root root 4096 Apr 24 13:17 ..
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 bin
drwxr-xr-x 2 aerospike aerospike 4096 Nov 10 2020 data
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 doc
drwxr-xr-x 4 aerospike aerospike 4096 Apr 24 13:17 lib
drwxr-xr-x 1 aerospike aerospike 4096 Jun 22 12:26 smd <<<<
drwxr-xr-x 3 aerospike aerospike 4096 Apr 24 13:17 usr
root@011f72823081:/# ls -la /opt/aerospike/smd/
total 20
drwxr-xr-x 1 aerospike aerospike 4096 Jun 22 12:26 .
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 ..
-rw-r--r-- 1 root root 292 Jun 22 10:12 sindex.smd
-rw-r--r-- 1 root root 292 Jun 22 10:12 security.smd
-rw-r--r-- 1 root root 289 Jun 22 12:26 truncate.smd
The commands to restrict read permission on SMD files are given below:
$ cd /opt/aerospike/
$ chmod 700 smd
$ chmod 600 smd/security.smd
# The same command can be used to secure the other .smd files in this directory.
root@011f72823081:/# ls -la /opt/aerospike/
total 40
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 .
drwxr-xr-x 1 root root 4096 Apr 24 13:17 ..
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 bin
drwxr-xr-x 2 aerospike aerospike 4096 Nov 10 2020 data
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 doc
drwxr-xr-x 4 aerospike aerospike 4096 Apr 24 13:17 lib
drwx------ 1 aerospike aerospike 4096 Jun 22 12:26 smd <<<<
drwxr-xr-x 3 aerospike aerospike 4096 Apr 24 13:17 usr
root@011f72823081:/# ls -la /opt/aerospike/smd
total 20
drwx------ 1 aerospike aerospike 4096 Jun 22 12:26 .
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 ..
-rw-r--r-- 1 root root 292 Jun 22 10:12 sindex.smd
-rw-r--r-- 1 root root 289 Jun 22 12:26 truncate.smd
-rwx------ 1 root root 289 Jun 22 12:26 security.smd
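Added example (not part of the original article and not Aerospike tooling): a POSIX shell script that audits the SMD directory and every .smd file in it for group or other permission bits, and applies the 700/600 modes shown above. The function names and the script's arguments are assumptions made for this example; the modes are the ones from the article.

```sh
#!/bin/sh
# Added example: audit and harden an Aerospike SMD directory.
# Function names are hypothetical; modes 700/600 come from the article.

# Print the group+other permission characters of a path, e.g. "r-xr-x".
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# audit_smd DIR: report the directory and each *.smd file that grants any
# permission to group or other. Returns 0 if clean, 1 if exposed, 2 if missing.
audit_smd() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
    findings=0
    for path in "$dir" "$dir"/*.smd; do
        [ -e "$path" ] || continue          # glob matched nothing
        bits=$(group_other_bits "$path")
        if [ "$bits" != "------" ]; then
            echo "EXPOSED $bits $path"
            findings=1
        fi
    done
    return "$findings"
}

# harden_smd DIR: 700 on the directory, 600 on every .smd file inside it.
harden_smd() {
    dir=$1
    chmod 700 "$dir" || return 1
    for path in "$dir"/*.smd; do
        [ -e "$path" ] || continue
        chmod 600 "$path" || return 1
    done
}

# Entry point: sh smd_perms.sh [--fix] DIR (no arguments: define functions only)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--fix" ]; then shift; harden_smd "$1"; fi
    audit_smd "$1"
fi
```

A file set with chmod 600 is listed as -rw------- by ls -la, and a directory set with chmod 700 as drwx------.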
Notes
- The ability to use hashed passwords from the client has been removed.
- Refer to the release notes to find the client version (CLIENT-1485) where this was changed. For Aerospike Tools (TOOLS-1689), this is addressed in release 5.2.0.
Keywords
SECURE SMD SECURITY.SMD
Timestamp
July 2021