How to Secure an SMD file?

Knowledge Base Operating
1

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

How to Secure an SMD file?

Context

As the /opt/aerospike/smd/security.smd file stores sensitive information about user and roles, it is advisable to secure it and restrict the permissions outside of the asd process.

Method

Default permission on all SMD files allow read access to everyone. To secure the file, the permission of the /opt/aerospike/smd directory must be changed including the SMD files inside the directory:

root@011f72823081:/# ls -la /opt/aerospike/
total 40
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 .
drwxr-xr-x 1 root      root      4096 Apr 24 13:17 ..
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 bin
drwxr-xr-x 2 aerospike aerospike 4096 Nov 10  2020 data
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 doc
drwxr-xr-x 4 aerospike aerospike 4096 Apr 24 13:17 lib
drwxr-xr-x 1 aerospike aerospike 4096 Jun 22 12:26 smd   <<<<
drwxr-xr-x 3 aerospike aerospike 4096 Apr 24 13:17 usr

root@011f72823081:/# ls -la /opt/aerospike/smd/
total 20
drwxr-xr-x 1 aerospike aerospike 4096 Jun 22 12:26 .
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 ..
-rw-r--r-- 1 root      root       292 Jun 22 10:12 sindex.smd
-rw-r--r-- 1 root      root       292 Jun 22 10:12 security.smd
-rw-r--r-- 1 root      root       289 Jun 22 12:26 truncate.smd

The commands to restrict read permission on SMD files is as given below:

$cd /opt/aerospike/
$chmod 700 smd
$chmod 600 smd/security.smd  

// the same command can be used to secure other .smd files in this directory.

root@011f72823081:/# ls -la /opt/aerospike/
total 40
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 .
drwxr-xr-x 1 root      root      4096 Apr 24 13:17 ..
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 bin
drwxr-xr-x 2 aerospike aerospike 4096 Nov 10  2020 data
drwxr-xr-x 2 aerospike aerospike 4096 Apr 24 13:17 doc
drwxr-xr-x 4 aerospike aerospike 4096 Apr 24 13:17 lib
drwx------ 1 aerospike aerospike 4096 Jun 22 12:26 smd   <<<<
drwxr-xr-x 3 aerospike aerospike 4096 Apr 24 13:17 usr

root@011f72823081:/# ls -la /opt/aerospike/smd
total 20
drwx------ 1 aerospike aerospike 4096 Jun 22 12:26 .
drwxr-xr-x 1 aerospike aerospike 4096 Apr 24 13:17 ..
-rw-r--r-- 1 root      root       292 Jun 22 10:12 sindex.smd
-rw-r--r-- 1 root      root       289 Jun 22 12:26 truncate.smd
-rwx------ 1 root      root       289 Jun 22 12:26 security.smd

Notes

  • The ability to use hashed passwords from the client has been removed.
  • Refer the release notes to get the version of client (CLIENT-1485) where this was changed. For Aerospike Tools (TOOLS-1689), this is addressed in release 5.2.0

Keywords

SECURE SMD SECURITY.SMD

Timestamp

July 2021