In this tutorial, we will explore how to use ACL features in Redis to enhance the security of the Redis server.
How does it Work?
You start by defining users in the ACL. When a client connects (for example through the Redis CLI), it must authenticate with a username and password defined in the Access Control List.
After successful authentication, Redis associates that connection with the user and applies the user's defined permissions to the connection.
For example, if a client authenticates as a user with view-only permissions, the connection inherits exactly those permissions.
NOTE: The ACL feature is only available in Redis 6.0 and above.
Redis Auth Command
In newer versions of Redis, the AUTH command takes a username followed by a password.
If only a password is supplied, Redis authenticates the connection as the default user.
Redis Configure ACL
Redis comes with a built-in user, called default in the ACL. You can view it with the ACL LIST command:
1) "user default on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* +@all"
Each line of the ACL LIST output follows a fixed pattern. Let us break it down:
- The first part is the keyword user.
- Next is the username of the user in the ACL list.
- The third part is the keyword on (or off), which shows whether the user is enabled and allowed to authenticate.
- The fourth part is the password, hashed with SHA-256 and prefixed with #. If no password is set, the value is nopass instead.
- Next is the list of key patterns the user can access. In our case it is all keys, hence ~*.
- Finally come the commands the user can run. In our example it is all commands, +@all.
Redis has an extensive list of ACL rules you can use. Let us first list some essential ones.
- on – Enables the specified user, so clients are allowed to authenticate with this username and password.
- off – Disables the specified user. No client can authenticate with that username and password.
- +<command> – Adds a command to the list of commands the user can run. In this article each command is separated with a pipe; for example, if the user may run SET and GET, we write +SET|GET.
- -<command> – Removes a command from the list of allowed commands. Commands are separated the same way, for example -CONFIG|FLUSHDB.
- +@all or allcommands – Allows the user to run all commands on the server.
- ~<pattern> – Adds a pattern to the set of keys the user can access. For example, ~* allows all keys.
- ><password> – Adds the specified password to the list of passwords the user can authenticate with.
- <<password> – Removes the specified password from that list.
- resetpass – Deletes the whole list of allowed passwords.
- nopass – Lets the user authenticate with no password at all.
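Because the ACL LIST format and the rule keywords above are so regular, they can be parsed and reviewed mechanically. The following Python script is an added example, not code from the article: it parses a few constructed ACL LIST lines (the hash placeholder <HASH> and the extra users are made up) and flags enabled users that have nopass or full key and command access.

```python
# Constructed sample of ACL LIST output in the format described above.
SAMPLE_ACL_LIST = [
    "user default on #5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 ~* +@all",
    "user linuxhint on #<HASH> ~* -@all +set|GET|DEL",
    "user backup on nopass ~* +@all",        # constructed: enabled, no password
    "user reporter off -@all",               # constructed: disabled user
]


def parse_acl_user(line):
    """Split one ACL LIST entry into name, enabled flag, password hashes,
    key patterns and command rules. Unknown tokens are kept under 'other'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST entry: {line!r}")
    user = {"name": tokens[1], "enabled": False, "nopass": False,
            "passwords": [], "keys": [], "commands": [], "other": []}
    for tok in tokens[2:]:
        if tok == "on":
            user["enabled"] = True
        elif tok == "off":
            user["enabled"] = False
        elif tok == "nopass":
            user["nopass"] = True
        elif tok.startswith("#"):          # SHA-256 password hash
            user["passwords"].append(tok[1:])
        elif tok.startswith("~"):          # key pattern
            user["keys"].append(tok[1:])
        elif tok[0] in "+-":               # command rule (+@all, -CONFIG, ...)
            user["commands"].append(tok)
        else:
            user["other"].append(tok)
    return user


def audit_acl(lines):
    """Return (username, finding) pairs for settings worth reviewing.
    Disabled users are skipped because they cannot authenticate at all."""
    findings = []
    for line in lines:
        u = parse_acl_user(line)
        if not u["enabled"]:
            continue
        if u["nopass"]:
            findings.append((u["name"], "enabled user with nopass"))
        if "+@all" in u["commands"] and "*" in u["keys"]:
            findings.append((u["name"], "full command and key access"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_acl(SAMPLE_ACL_LIST):
        print(f"{name}: {finding}")
```

The default user is reported too, since an enabled default with +@all and ~* is exactly what you want to notice when the server is reachable by anything other than trusted clients.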
Redis Configure ACL Users
To add a user to the ACL list, use the ACL SETUSER command. It takes the username followed by the list of rules to apply to that user.
For example, ACL SETUSER linuxhint creates a user with the username linuxhint and no rules.
The command will add a user with the specified username.
You can check the users in ACL LIST as:
1) "user default on <HASH> ~* +@all"
2) "user linuxhint off -@all"
Note that the “linuxhint” user is disabled by default and can execute no commands or access any keys.
Redis will create a new user with the least privileges possible.
We can run ACL SETUSER linuxhint on >password to enable the user and set a password.
In the command above, we enable the user with the on rule and add a password with the >password rule.
To add commands to the user, we can run ACL SETUSER linuxhint +set|GET|DEL.
This adds a few commands to the linuxhint user.
However, the user still cannot access any keys. We can allow the user to access all keys with ACL SETUSER linuxhint ~* as shown in the listing below.
Keep in mind that the usernames are case-sensitive.
We can now list the users in the ACL as:
1) "user default on <HASH> ~* +@all"
2) "user linuxhint on <HASH> ~* -@all +set|GET|DEL"
Redis Describe User
To get descriptive information about an ACL user, run the command ACL GETUSER followed by the target username. For the linuxhint user above, the output is an array of field names, each followed by its value:
1) "flags"
2) 1) "on"
3) "passwords"
4) 1) "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"
5) "commands"
6) "-@all +set|GET|DEL"
7) "keys"
8) 1) "*"
ACL Generate Password
If you do not want to come up with a password for your user yourself, you can use the ACL GENPASS command.
An example is as shown:
Running ACL GENPASS returns a randomly generated password as a hex string, which you can then assign to a user with the ><password> rule.
This was a condensed article describing the Redis ACL feature. We covered how to enable and use ACL in Redis, add users, set ACL rules, and inspect the result.
We highly recommend checking the official documentation to learn more.
Thanks for reading, see you next time.