Skip to main content

Security and Management

The Aserto control plane can be used to control certain operations on running edge authorizers. For example, one can list running edge authorizers and issue policy and directory sync commands. This link between the Aserto control plane and edge authorizers requires setting up a secure connection between the two.

Satellite Connections#

A satellite connection, which can be created from the Aserto console or API, provides an identity that edge authorizers can use to connect to the control plane by presenting a client certificate; performing a mutual TLS handshake. This identity is only authorized to establish a connection to the Aserto control plane for the purpose of receiving control commands.

Edge authorizers use one of these identities by presenting the client certificate associated with a given satellite connection. All edge authorizers presenting the same client certificate use the same identity and there can be as many satellite connections as needed.

Once an edge authorizer is connected to the Aserto control plane:

  • It will automatically refresh its policy state when a new policy image is pushed.
  • It will automatically refresh its policy state when the policy instance changes.
  • It can receive remote commands to refresh its policy and directory state.
  • Its ability to connect can be revoked by deleting the satellite connection from which its client certificates were obtained.

Configuration#

Onebox#

The Aserto CLI can be used to configure a onebox to use the control plane by adding an option to the configure sub-command:

aserto x configure <policy-name> --satellite <satellite-connection-id>

This will install the client certificates and configure the onebox to connect to the control plane using them. The satellite-connection-id can be acquired from the console, or using the Aserto CLI:

aserto p list-connections

The list-connections sub-command lists all the satellite connections the tenant has.

Sidecar#

To configure a sidecar authorizer, it is first necessary to get the client certificates for the desired satellite connection. This can be done with the Aserto CLI:

aserto p client-cert <satellite-connection-id>

This will return a JSON object with data about the client certificate, for example:

{                                                                                                                                              "certificate": "-----BEGIN CERTIFICATE----- <elided data> -----END CERTIFICATE-----",                                                                                                                                     "common_name": "sattest.69b537c3-8db5-11ec-8417-00c5cc9cb8c0.satellite.aserto.com",                                                          "expiration": "2022-06-24T17:11:31Z",                                                                                                        "id": "2b:d0:75:a0:7f:25:e8:2d:75:3d:20:cd:f3:e7:0c:f6:8d:02:94:01",                                                                         "private_key": "-----BEGIN RSA PRIVATE KEY----- <elided data> -----END RSA PRIVATE KEY-----"                                                                                                              }

The certificate field contains the certificate in PEM format and the private_key field contains the private key, also in PEM format. The contents of these fields should be saved as two files, for example ~/.config/aserto/sidecar.crt and ~/.config/aserto/sidecar.key.

Using the paths in the example, the configuration file of a sidecar can be updated to connect to the control plane by adding a section similar to:

controller:  enabled: true  server:    address: relay.prod.aserto.com:8443      client_cert_path: ~/.config/aserto/sidecar.crt      client_key_path: ~/.config/aserto/sidecar.key      tenant_id: <TENANT-ID>      policy_id: <POLICY-ID>

Aserto CLI#