Internal user warning returned when using ACL with XDR on non-compatible Aerospike Server versions sending both internal and external authentication mode

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

Internal user warning returned when using an Access Control List (ACL) with Cross Datacenter Replication (XDR) non-compatible Aerospike Server versions sending both internal and external authentication mode

Problem Description

When using an Access Control List (ACL) and running Cross Datacenter Replication (XDR) on a cluster installed with Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 shipping to an Aerospike Enterprise Edition Server version 4.6 or newer, the following warning is returned in the aerospike.log:

Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap

Explanation

This warning is logged when authentication fails because a user attempts to log in with a password sent in the encrypted ‘external’ form (clear password encrypted) while the server expects the hashed ‘internal’ form.

In XDR, the Aerospike C Client is incorporated as the shipping client. For Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6, the XDR code used the Aerospike C Client 4.3.6. When Aerospike Enterprise Edition Server 4.6 or newer is used with Aerospike Client versions such as the Aerospike C Client 4.3.6, the ‘internal user…’ warning is returned in the aerospike.log and authentication fails.

The Aerospike C Client 4.3.6 originally introduced external authentication for LDAP only. At that point, there was no support for explicit internal vs. external authentication mode, and passwords were being sent both as hashed ‘internal’ and as encrypted ‘external’ (clear password encrypted).

With Aerospike Server version 4.6, the following change caused XDR with the older Aerospike C Client 4.3.6 library incorporated to fail authentication: [AER-6080] - (SECURITY) Do not allow logins by external (LDAP) users who have an internal password.

Because of this failure, the incompatible Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6 cannot ship to Aerospike Enterprise Edition Server versions 4.6 or newer.

Solution

The simplest workaround is to avoid using those incompatible Aerospike Enterprise Edition Server versions 4.1.0.1 to 4.3.0.6.

Upgrade the cluster to the listed minimum required Aerospike Enterprise Edition Server Client version 4.3.0.7 or newer.
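To check whether an XDR source/destination pair falls in the version ranges described above, and to pick the warning out of aerospike.log lines, the following is an added example (not Aerospike's code). The function names are hypothetical, and the regex assumes the timestamp layout of the log line quoted above and lets the security.c line number vary.

```python
import re

# Version ranges taken from this article.
SRC_MIN, SRC_MAX = (4, 1, 0, 1), (4, 3, 0, 6)  # XDR sources embedding C Client 4.3.6
DST_MIN = (4, 6, 0, 0)                         # destinations with the AER-6080 change

# Assumption: same layout as the quoted log line; source line number may differ per build.
WARNING_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2} GMT): WARNING \(security\): "
    r"\(security\.c:\d+\) login - internal user using ldap\s*$"
)

def parse_version(text):
    """Turn '4.6' or '4.3.0.6' into a 4-tuple of ints, zero-padded on the right."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        raise ValueError(f"unrecognised server version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def xdr_pair_affected(source, destination):
    """True when the source is in 4.1.0.1..4.3.0.6 and the destination is 4.6 or newer."""
    src, dst = parse_version(source), parse_version(destination)
    return SRC_MIN <= src <= SRC_MAX and dst >= DST_MIN

def find_login_warnings(lines):
    """Return the timestamps of every 'internal user using ldap' login warning."""
    return [m.group("ts") for m in map(WARNING_RE.match, lines) if m]

# First line is the one quoted in this article; the others are constructed samples.
SAMPLE_LOG = [
    "Oct 29 2019 14:59:07 GMT: WARNING (security): (security.c:2762) login - internal user using ldap\n",
    "Oct 29 2019 14:59:08 GMT: INFO (example): (example.c:1) constructed non-matching line\n",
    "Oct 29 2019 14:59:09 GMT: WARNING (security): (security.c:2762) constructed other warning\n",
]

if __name__ == "__main__":
    for src, dst in [("4.3.0.6", "4.6"), ("4.3.0.7", "4.6.0.4"), ("4.1.0.1", "4.5.3.2")]:
        state = "affected" if xdr_pair_affected(src, dst) else "not affected"
        print(f"XDR {src} -> {dst}: {state}")
    for ts in find_login_warnings(SAMPLE_LOG):
        print("login warning at", ts)
```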

Notes

Keywords

SECURITY INTERNAL EXTERNAL AUTHMODE AUTHENTICATION XDR ACL

Timestamp

November 2019