Security and Management
The Aserto control plane can be used to control certain operations on running edge authorizers. For example, one can list running edge authorizers and issue policy and directory sync commands. This link between the Aserto control plane and edge authorizers requires setting up a secure connection between the two.
#
Satellite ConnectionsA satellite connection, which can be created from the Aserto console or API, provides an identity that edge authorizers can use to connect to the control plane by presenting a client certificate; performing a mutual TLS handshake. This identity is only authorized to establish a connection to the Aserto control plane for the purpose of receiving control commands.
Edge authorizers use one of these identities by presenting the client certificate associated with a given satellite connection. All edge authorizers presenting the same client certificate use the same identity and there can be as many satellite connections as needed.
Once an edge authorizer is connected to the Aserto control plane:
- It will automatically refresh its policy state when a new policy image is pushed.
- It will automatically refresh its policy state when the policy instance changes.
- It can receive remote commands to refresh its policy and directory state.
- Its ability to connect can be revoked by deleting the satellite connection from which its client certificates were obtained.
#
Configuration#
OneboxThe Aserto CLI can be used to configure a onebox to use the control plane by adding an option to the configure
sub-command:
aserto x configure <policy-name> --satellite <satellite-connection-id>
This will install the client certificates and configure the onebox to connect to the control plane using them. The satellite-connection-id can be acquired from the console, or using the Aserto CLI:
aserto p list-connections
The list-connections
sub-command lists all the satellite connections the tenant has.
#
SidecarTo configure a sidecar authorizer, it is first necessary to get the client certificates for the desired satellite connection. This can be done with the Aserto CLI:
aserto p client-cert <satellite-connection-id>
This will return a JSON object with data about the client certificate, for example:
{ "certificate": "-----BEGIN CERTIFICATE----- <elided data> -----END CERTIFICATE-----", "common_name": "sattest.69b537c3-8db5-11ec-8417-00c5cc9cb8c0.satellite.aserto.com", "expiration": "2022-06-24T17:11:31Z", "id": "2b:d0:75:a0:7f:25:e8:2d:75:3d:20:cd:f3:e7:0c:f6:8d:02:94:01", "private_key": "-----BEGIN RSA PRIVATE KEY----- <elided data> -----END RSA PRIVATE KEY-----" }
The certificate
field contains the certificate in PEM format and the private_key
field contains the private key,
also in PEM format. The contents of these fields should be saved as two files, for example
~/.config/aserto/sidecar.crt
and ~/.config/aserto/sidecar.key
.
Using the paths in the example, the configuration file of a sidecar can be updated to connect to the control plane by adding a section similar to:
controller: enabled: true server: address: relay.prod.aserto.com:8443 client_cert_path: ~/.config/aserto/sidecar.crt client_key_path: ~/.config/aserto/sidecar.key tenant_id: <TENANT-ID> policy_id: <POLICY-ID>