Internal user warning returned when using ACL with XDR non-compatible in Aerospike Server versions sending both internal and external authentication mode

Internal user warning returned when using an Access Control List (ACL) with Cross Datacenter Replication (XDR) non-compatible Aerospike Server versions sending both internal and external authentication mode

Problem Description

When using an Access Control List (ACL) and running Cross Datacenter Replication (XDR) on a cluster installed with Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 shipping to an Aerospike Enterprise Edition Server version 4.6 or newer, the following warning is returned in the aerospike.log:

Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap

Explanation

This warning occurs when authentication fails when a user attempts login with a password being sent as encryted ‘external’ (clear password encrypted) but the password is expected as hashed ‘internal’.

In XDR the Aerospike C Client is incorporated as the shipping client. For Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 the XDR code utilized the Aerospike C Client 4.3.6. When using Aerospike Enterprise Edition Server 4.6 or newer with Aerospike Client versions, such as the Aerospike C Client 4.3.6, the ‘internal user…’ warning is returned in the aerospike.log and authentication would fail.

The Aerospike C Client 4.3.6 originally introduced external authentication for LDAP only. At that point, there was no support for explicit internal vs. external authentication mode, and passwords were being sent both as hashed ‘internal’ and as encrypted ‘external’ (clear password encrypted).

With Aerospike Server version 4.6, the following change [AER-6080] - (SECURITY) Do not allow logins by external (LDAP) users who have an internal password caused XDR having the older Aerospike C Client 4.3.6 library incorporated to fail authentication.

With this failure the incompatible Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 cannot ship to Aerospike Enterprise Edition Server versions 4.6 or newer.

Solution

The simplest workaround is to avoid using those incompatible Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6.

Upgrade the cluster to the listed minimum required Aeropsike Enterprise Edition Server Client version 4.3.0.7 or newer.

Notes

Keywords

SECURITY INTERNAL EXTERNAL AUTHMODE AUTHENTICATION XDR ACL

Timestamp

November 2019

© 2015 Copyright Aerospike, Inc. | All rights reserved. Creators of the Aerospike Database.