Redis ACL

Redis Access Control List (ACL) is a security feature that allows you to limit the commands and keys accessible by different connections. This is crucial for securing your Redis instance, especially in production environments.

Key Concepts

  • Authentication: After connecting, clients must provide a username and password to authenticate. This authentication determines the user's permissions.
  • Default User: Redis 6 introduced ACLs. By default, new connections are authenticated as the "default" user, which has full access. This is backward compatible with older clients. The requirepass configuration still works, but now sets a password for the default user.
  • AUTH Command: The AUTH command has been extended to accept a username and password. Using only the password authenticates against the default user.

When to Use ACLs

ACLs are beneficial for:

  • Enhanced Security: Restrict access to commands and keys, limiting untrusted clients' capabilities. For example, you can grant read-only access to specific clients.
  • Operational Safety: Prevent accidental or malicious actions by restricting access to potentially dangerous commands like FLUSHALL. This is particularly important in managed Redis environments.

Configuring ACLs

ACLs are defined using a domain-specific language (DSL). Rules are applied sequentially (left-to-right), so a later rule overrides an earlier one that touches the same permission.

  • ACL LIST: Displays the current ACL configuration. The default user (default) typically has full access (~*, &*, +@all).
  • ACL Rules: Various rules control access:
    • on/off: Enables/disables a user.
    • +<command>/-<command>: Allows/blocks specific commands. Use | for subcommands (e.g., +config|get).
    • +@<category>/-@<category>: Allows/blocks commands in a category (e.g., +@read, -@dangerous). Categories like admin, dangerous, read, write are predefined.
    • ~<pattern>: Allows access to keys matching a glob pattern (e.g., ~* for all keys, ~user:* for keys starting with user:).
    • &<pattern>: Allows access to Pub/Sub channels matching a glob pattern.
    • ><password>: Sets a password for a user.
    • <<password>: Removes a password.
    • #<hash>: Sets a password using a SHA-256 hash.
    • !<hash>: Removes a password using a SHA-256 hash.
    • nopass: Removes all passwords, allowing any password to authenticate.
    • resetpass: Clears all passwords.
    • resetkeys: Clears all key patterns.
    • resetchannels: Clears all channel patterns.
    • reset: Resets a user to its initial state (no permissions).
    • Selectors (Redis 7.0+): Allow defining additional sets of rules. These are evaluated after the user's root permissions.
    • Key Permissions (Redis 7.0+): Define read/write access to keys using %R~<pattern> and %W~<pattern>.

ACL SETUSER Command

Use ACL SETUSER to create or modify user ACLs. This command is more flexible than directly editing the configuration file.

  • Example: ACL SETUSER alice on >mypassword ~user:* +get creates an enabled user alice who authenticates with mypassword, has read access to keys starting with user:, and can execute only the GET command.
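
As an added illustration (not code from Redis or from this page), here is a small Python model of how ACL SETUSER applies rules left to right and how a later check decides whether a command and key are allowed for a user. The command categories are a constructed subset of the real ones, fnmatch stands in for Redis glob matching, and selectors, %R/%W key permissions and subcommand matching are not modelled.

```python
import fnmatch
import hashlib

# Constructed, abbreviated command categories (the real table is built into redis-server).
CATEGORIES = {"read": {"get", "mget", "exists"}, "write": {"set", "del", "incr"},
              "dangerous": {"flushall", "config", "debug", "keys"}, "admin": {"config", "acl"}}
CATEGORIES["all"] = set().union(*CATEGORIES.values())

def _sha256(password):
    return hashlib.sha256(password.encode()).hexdigest()

def apply_rules(rules):
    """Apply an ACL rule string left to right, as ACL SETUSER does; return the user state."""
    u = {"on": False, "nopass": False, "passwords": set(), "keys": set(),
         "channels": set(), "commands": set()}
    for rule in rules.split():
        if rule == "on":              u["on"] = True
        elif rule == "off":           u["on"] = False
        elif rule == "nopass":        u["nopass"], u["passwords"] = True, set()
        elif rule == "resetpass":     u["nopass"], u["passwords"] = False, set()
        elif rule == "resetkeys":     u["keys"] = set()
        elif rule == "resetchannels": u["channels"] = set()
        elif rule == "reset":         u = apply_rules("off resetpass resetkeys resetchannels -@all")
        elif rule.startswith(">"):    u["nopass"] = False; u["passwords"].add(_sha256(rule[1:]))
        elif rule.startswith("<"):    u["passwords"].discard(_sha256(rule[1:]))
        elif rule.startswith("#"):    u["nopass"] = False; u["passwords"].add(rule[1:])
        elif rule.startswith("!"):    u["passwords"].discard(rule[1:])
        elif rule.startswith("~"):    u["keys"].add(rule[1:])
        elif rule.startswith("&"):    u["channels"].add(rule[1:])
        elif rule.startswith("+@"):   u["commands"] |= CATEGORIES[rule[2:]]
        elif rule.startswith("-@"):   u["commands"] -= CATEGORIES[rule[2:]]
        elif rule.startswith("+"):    u["commands"].add(rule[1:].lower())
        elif rule.startswith("-"):    u["commands"].discard(rule[1:].lower())
        else:
            raise ValueError(f"unsupported ACL rule: {rule}")
    return u

def authenticate(user, password):
    """AUTH succeeds when the user is on and either has nopass or the password hash matches."""
    return user["on"] and (user["nopass"] or _sha256(password) in user["passwords"])

def can_run(user, command, key=None):
    """The command must be allowed and any key touched must match one of the user's patterns."""
    if not user["on"] or command.lower() not in user["commands"]:
        return False
    # Redis key patterns are globs; fnmatchcase approximates them (assumption: *, ? and [] only).
    return key is None or any(fnmatch.fnmatchcase(key, pat) for pat in user["keys"])
```

Running apply_rules on "on nopass ~* +@all -@dangerous" and on the reversed "on nopass ~* -@dangerous +@all" shows why order matters: only the first actually blocks FLUSHALL.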

External ACL Files

For complex setups, use an external ACL file (aclfile). This file contains user definitions in the same format as the redis.conf file.

  • ACL LOAD: Loads ACLs from the external file.
  • ACL SAVE: Saves the current ACL configuration to the external file.

ACLs for Sentinel and Replicas

Sentinel and replicas require specific commands to be allowed. Consult the Redis documentation for details.

Important Considerations

  • Password Security: Use strong passwords and hashes. Avoid storing passwords in clear text.
  • Permissions Granularity: Grant only the necessary permissions to each user.
  • Default User: Be mindful of the default user's permissions.
  • Command Categories: Use command categories to simplify ACL management.
  • Selectors and Key Permissions: Use these features for more granular control (Redis 7.0+).