Role_violation when restoring namespace containing UDFs

The Aerospike Knowledge Base has moved to https://support.aerospike.com. Content on https://discuss.aerospike.com is being migrated to either https://support.aerospike.com or https://docs.aerospike.com. Maintenance on articles stored in this repository ceased on December 31st 2022 and this article may be stale. If you have any questions, please do not hesitate to raise a case via https://support.aerospike.com.

Problem Description

When restoring a backup from a namespace containing UDFs (User Defined Functions), the following error is thrown:

2016-03-29 06:04:36 GMT [INF] [42570] Opened backup file nsNamespaceUDF/BB9D1A59E05BE24_00016.asb
2016-03-29 06:04:36 GMT [INF] [42570] Restoring 1 UDF file(s)
2016-03-29 06:04:36 GMT [ERR] [42570] Error while putting UDF file MyUDF.lua - code 100: error=role_violation
at src/main/aerospike/as_info.c:214
2016-03-29 06:04:36 GMT [ERR] [42570] Error while restoring UDFs to cluster

Explanation

This error indicates that the user running the restore is missing a permission. To register UDFs, the restore user needs the data-admin role, because the restore process is, in effect, registering the UDF in the target cluster.

Solution

Grant the data-admin role to the user restoring the backup, then retry the restore process.
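
The following Python sketch is an added example, not Aerospike's code: it scans asrestore output for the UDF role_violation line shown in the log excerpt above and, given the restore user's roles, reports what to change. The function names are hypothetical, and the role list is passed in by the caller (an assumption; the sketch does not query the cluster).

```python
import re

# Matches the asrestore error line shown in the article, e.g.
# "... [ERR] [42570] Error while putting UDF file MyUDF.lua - code 100: error=role_violation"
UDF_ERR = re.compile(
    r"\[ERR\] \[\d+\] Error while putting UDF file (?P<file>\S+) - "
    r"code (?P<code>\d+): error=(?P<error>\w+)"
)

# Per the article: data-admin can register UDFs; sys-admin inherits data-admin.
ROLES_ALLOWING_UDF_REGISTER = {"data-admin", "sys-admin"}


def find_udf_role_violations(log_text):
    """Return the UDF file names whose registration failed with role_violation."""
    return [
        m.group("file")
        for m in UDF_ERR.finditer(log_text)
        if m.group("error") == "role_violation"
    ]


def triage_restore(log_text, restore_user_roles):
    """Classify a failed restore and say what to change.

    restore_user_roles: role names held by the restore user, supplied by the
    caller (assumption: this sketch does not look them up on the cluster).
    """
    failed = find_udf_role_violations(log_text)
    if not failed:
        return {"status": "no_udf_role_violation", "udfs": [], "action": None}
    if ROLES_ALLOWING_UDF_REGISTER & set(restore_user_roles):
        # A sufficient role is already granted, so the log does not match the
        # roles passed in (for example, the run used a different user).
        action = "verify which user asrestore authenticated as"
    else:
        action = "grant data-admin to the restore user, or rerun with --no-udfs"
    return {"status": "udf_role_violation", "udfs": failed, "action": action}


# Constructed sample: lines copied from the log excerpt in the article.
SAMPLE_LOG = """\
2016-03-29 06:04:36 GMT [INF] [42570] Restoring 1 UDF file(s)
2016-03-29 06:04:36 GMT [ERR] [42570] Error while putting UDF file MyUDF.lua - code 100: error=role_violation
2016-03-29 06:04:36 GMT [ERR] [42570] Error while restoring UDFs to cluster
"""

if __name__ == "__main__":
    print(triage_restore(SAMPLE_LOG, ["read-write"]))
```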

Notes

  • The same permissions structure applies to secondary indices, so data-admin is also required if the source namespace (and therefore the backup file) contains secondary indices.
  • The restore process can be started with --no-udfs (or --no-indexes) if UDFs (or indices) are not required in the target cluster. See the asrestore command-line options in the Aerospike Documentation.
  • The sys-admin role inherits all permissions of data-admin, as it is a superuser, so it would be able to overcome this error. Care should be taken when granting the sys-admin role, as it includes wide-ranging permissions.
  • It is important to note that different permissions are required for backup and restore of namespaces containing UDFs. This topic is covered fully here:

Security link is broken; use www.aerospike.com/docs/guide/security/index.html

Thanks for raising. Should be fixed soon.