
How to Use Redis ACL

ACL, or Access Control List, is a security feature in Redis that lets you limit and control what a connection to the Redis server may do. For example, you can specify which commands a client connection may execute and which keys it may access.

In this tutorial, we will explore how to use ACL features in Redis to enhance the security of the Redis server.

How does it Work?

You start by defining users in the ACL. Once a client connects to the Redis server, it must authenticate with AUTH using a username and password defined in the Access Control List.

After a successful AUTH, Redis binds that connection to the user, and every subsequent command on the connection is checked against that user's rules.

For example, a connection authenticated as a read-only user can run only the read commands, and touch only the keys, that the user's rules allow.

NOTE: ACL feature is only available in Redis 6.0 and above.

Redis Auth Command

Since Redis 6.0 the AUTH command takes two arguments: AUTH <username> <password>.

If only a password is supplied (AUTH <password>), Redis authenticates against the default user. This is how clients written for the older requirepass setting keep working.

Redis Configure ACL

Redis always has a built-in user named default. On a fresh install it has no password (nopass) and may run every command on every key, which is what every pre-6.0 client silently relies on. You can view it with the ACL LIST command; here the default user already has a password, so its SHA-256 hash is shown:

127.0.0.1:6379> ACL LIST
1) "user default on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* +@all"

Each line of the ACL LIST output follows the same pattern. Let us break it down:

  1. The first part is the keyword user.
  2. Next is the username.
  3. The third part is the flag on (or off), which tells whether the user is enabled and may authenticate at all.
  4. The fourth part is the password, printed as its SHA-256 hash prefixed with #. A user created without a password has no # entry and cannot authenticate until one is added; the flag nopass means the user explicitly accepts any password (that is what the default user has on a fresh install).
  5. Next is the list of key patterns the user may access. Here it is every key, hence ~*.
  6. Finally come the command rules. +@all means the user may run every command. (Redis 7 prints a Pub/Sub channel rule here as well, e.g. &*, which this tutorial does not cover.)

ACL Rules

Redis has an extensive list of ACL rules. Let us list the essential ones. Rule keywords and command names are case-insensitive, and rules are applied left to right, so the order in which you give them matters.

  1. on – Enables the user, so clients may AUTH with this username and one of its passwords.
  2. off – Disables the user. No client can authenticate with that username any more.
  3. +<command> – Adds a command to the list of commands the user can run. To allow several commands, give one rule per command, for example +SET +GET. The form +<command>|<subcommand> allows only a subcommand, e.g. +CONFIG|GET; the pipe is not a separator between commands.
  4. -<command> – Removes a command from the list of allowed commands. Example: -CONFIG -FLUSHDB.
  5. +@all or allcommands – Allows the user to run all commands; -@all (or nocommands) removes them all. The same +@ and -@ syntax works for any command category, such as +@read or -@dangerous.
  6. ~<pattern> – Adds a glob-style pattern to the keys the user can access. ~* (or allkeys) means all keys.
  7. ><password> – Adds the specified password to the list of passwords the user can authenticate with. Only its SHA-256 hash is stored.
  8. <<password> – Removes that password from the list.
  9. resetpass – Deletes the list of allowed passwords (and clears nopass), so the user cannot authenticate until a new password is added.
  10. nopass – Lets the user authenticate with any password, and removes all stored passwords. Reserve it for users whose command and key rules are already tightly restricted.

Redis Configure ACL Users

To add a user to the ACL list, use the ACL SETUSER command. The command takes the username and the list of rules to apply to the specified user.

An example is as shown below:

127.0.0.1:6379> ACL SETUSER linuxhint

OK

The command will add a user with the specified username.

You can check the users in the ACL LIST as:

127.0.0.1:6379> ACL LIST
1) "user default on #<HASH> ~* +@all"
2) "user linuxhint off -@all"

Note that the new "linuxhint" user is disabled (off), has no password and no key pattern, and can execute no commands (-@all).

Redis always creates a new user with the least privilege possible; every capability has to be granted explicitly.

We can run the command below to enable the user and set a password:

127.0.0.1:6379> ACL SETUSER linuxhint ON >password
OK

In the command above, ON enables the user and >password adds the password "password", of which Redis keeps only the SHA-256 hash. The value is a placeholder for this tutorial; in practice use a long random password, for example one produced by ACL GENPASS, and remember that the plaintext travels over the connection, so use TLS or a trusted network.

To allow specific commands, give one + rule per command:

127.0.0.1:6379> ACL SETUSER linuxhint +GET +SET +DEL
OK

This allows exactly GET, SET and DEL for the linuxhint user; everything else stays denied. Do not write +SET|GET|DEL: Redis reads the part after the pipe as a subcommand (or first-argument) restriction on SET, so GET and DEL are never granted.

However, the user still cannot touch any key, since no key pattern has been granted. The command below allows every key; in practice prefer the narrowest pattern the application needs, such as ~app:*:

127.0.0.1:6379> ACL SETUSER linuxhint ~*
OK

Keep in mind that usernames are case-sensitive, while rule keywords and command names are not. Also, changes made with ACL SETUSER live only in memory: persist them with ACL SAVE if an aclfile is configured, or with CONFIG REWRITE if users are defined in redis.conf, otherwise they are gone after a restart.

We can now list the users in the ACL again:

127.0.0.1:6379> ACL LIST
1) "user default on #<HASH> ~* +@all"
2) "user linuxhint on #<HASH> ~* -@all +get +set +del"
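To make the rule semantics concrete, here is an added Python model of how Redis applies ACL SETUSER rules, renders the ACL LIST line and checks each command on an authenticated connection. It is example code written for this tutorial, not Redis's implementation: COMMANDS is a constructed five-command subset of the real command table, and +cmd|sub rules, Pub/Sub channel rules and Redis 7 selectors are not modelled. It covers both the rules list and the linuxhint walkthrough above.

```python
# Toy model of the Redis 6 ACL rules used in this tutorial. Added example, not
# Redis's own code; COMMANDS is a constructed subset of the real command table.
import fnmatch
import hashlib
import hmac
import secrets

# Constructed subset of Redis's command table: command -> ACL categories.
COMMANDS = {
    "get": {"read", "string", "fast"},
    "set": {"write", "string", "slow"},
    "del": {"keyspace", "write", "slow"},
    "flushdb": {"keyspace", "write", "slow", "dangerous"},
    "config": {"admin", "slow", "dangerous"},
}


def sha256_hex(password: str) -> str:
    """Redis stores and prints ACL passwords as SHA-256 hex digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def genpass(bits: int = 256) -> str:
    """What ACL GENPASS [bits] returns: random bits rendered as hex."""
    return secrets.token_hex(bits // 8)


class AclUser:
    def __init__(self, name: str):
        # State right after ACL SETUSER <name>: off, no password, no keys, -@all.
        self.name = name  # usernames are case-sensitive
        self.enabled = self.nopass = False
        self.password_hashes, self.key_patterns, self.allowed = [], [], []

    def apply(self, rule: str) -> None:
        """Apply one rule. Rules are evaluated left to right, so order matters."""
        op = rule.lower()
        if op in ("on", "off"):
            self.enabled = op == "on"
        elif op in ("nopass", "resetpass"):  # both drop every stored password
            self.nopass, self.password_hashes = op == "nopass", []
        elif rule[:1] == ">":  # plaintext password, kept only as its hash
            self.nopass = False
            self.password_hashes.append(sha256_hex(rule[1:]))
        elif rule[:1] == "<":
            self.password_hashes = [h for h in self.password_hashes if h != sha256_hex(rule[1:])]
        elif op in ("~*", "allkeys"):
            self.key_patterns = ["*"]
        elif rule[:1] == "~":  # key patterns are case-sensitive globs
            self.key_patterns.append(rule[1:])
        elif op in ("+@all", "allcommands", "-@all", "nocommands"):
            self.allowed = list(COMMANDS) if op in ("+@all", "allcommands") else []
        elif op[:1] in ("+", "-") and len(op) > 1:  # +cmd, -cmd, +@category, -@category
            if "|" in op:
                raise ValueError(f"{rule!r}: '|' introduces a subcommand (e.g. "
                                 "+config|get); use one +cmd rule per command")
            if op[1] == "@":
                names = [c for c, cats in COMMANDS.items() if op[2:] in cats]
            else:
                names = [op[1:]] if op[1:] in COMMANDS else []
            if not names:
                raise ValueError(f"unknown command or category in {rule!r}")
            if op[0] == "+":
                self.allowed += [n for n in names if n not in self.allowed]
            else:
                self.allowed = [c for c in self.allowed if c not in names]
        else:
            raise ValueError(f"unsupported rule {rule!r}")

    def describe(self) -> str:
        """The line ACL LIST prints for this user (Redis 6 layout)."""
        parts = ["user", self.name, "on" if self.enabled else "off"]
        parts += ["nopass"] if self.nopass else []
        parts += ["#" + h for h in self.password_hashes] + ["~" + p for p in self.key_patterns]
        if set(self.allowed) == set(COMMANDS):
            return " ".join(parts + ["+@all"])
        return " ".join(parts + ["-@all"] + ["+" + c for c in self.allowed])

    def authenticate(self, password: str) -> bool:
        """AUTH <name> <password>; a user that is off never authenticates."""
        if not self.enabled:
            return False
        digest = sha256_hex(password)
        return self.nopass or any(hmac.compare_digest(digest, h) for h in self.password_hashes)

    def can_run(self, command: str, key=None) -> bool:
        """Per-command check on an authenticated connection: command allowed and key matched."""
        if not self.enabled or command.lower() not in self.allowed:
            return False
        return key is None or any(fnmatch.fnmatchcase(key, p) for p in self.key_patterns)


def build_article_user() -> AclUser:
    """The linuxhint user from the walkthrough, one +cmd rule per command."""
    u = AclUser("linuxhint")  # same result as one call: on >password +get +set +del ~*
    for rule in ["on", ">password", "+get", "+set", "+del", "~*"]:
        u.apply(rule)
    return u
```

Two behaviours worth trying with the model: a freshly created AclUser describes itself as "off -@all" until rules are applied, exactly as ACL LIST did above, and apply("+set|get") is rejected because the pipe denotes a subcommand rather than a second command. Note also that "+@all -@dangerous" and "-@dangerous +@all" yield different users, since rules are applied in order.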

Redis Describe User

To get descriptive information about an ACL user, run ACL GETUSER followed by the target username. The reply is a flat list of field names and values:

127.0.0.1:6379> ACL GETUSER linuxhint
1) "flags"
2) 1) "on"
   2) "allkeys"
3) "passwords"
4) 1) "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
5) "commands"
6) "-@all +get +set +del"
7) "keys"
8) 1) "*"

The flags field carries on or off plus aliases such as allkeys or nopass; passwords lists SHA-256 hashes, never plaintext; commands is the same rule string ACL LIST shows; keys lists the granted patterns.

ACL Generate Password

If you do not want to choose a password yourself, use the ACL GENPASS command. It returns a random 256-bit value (read from /dev/urandom where available) encoded as 64 hex characters; pass a bit count, e.g. ACL GENPASS 128, for a shorter one:

127.0.0.1:6379> ACL GENPASS
"1ac9687481067647ad39a959ab90f172d9c25ea7265cacdf06c711257125f18b"

The value is a password, not a hash: add it to the user with ><password> (ACL LIST will then show its SHA-256 hash) and hand the plaintext to the client.

Conclusion

This was a distilled article describing the Redis ACL feature. We covered how to enable and use ACL in Redis, add users, set ACL rules, etc.

We highly recommend checking the documentation to learn more.

Thanks for reading, see you next time.

About the author

John Otieno

My name is John and am a fellow geek like you. I am passionate about all things computers from Hardware, Operating systems to Programming. My dream is to share my knowledge with the world and help out fellow geeks. Follow my content by subscribing to LinuxHint mailing list