Redis ACL (Access Control List) is the feature that allows you to control and restrict user access.
The restrictions cover the commands a user may execute and the keys a user may access.
When connecting to Redis, the default user gains full access without requiring a password, which is not the best approach when it comes to security. The Redis ACL feature is only available in Redis 6.0 and above.
View Redis ACL
To view the existing Redis ACL, we use the command ACL LIST. It shows the list of users defined in the Redis ACL.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379>
Here:
user: user flag.
default: name of the user.
on: auth status of the user (enabled).
nopass: there is no password associated with this default user, so the user can connect to Redis without a password.
~*: allow access to all keys.
&*: allow access to all Pub/Sub channels.
+@all: allow access to all commands.
Create Redis ACL User
Let's create a test user with various types of restrictions to better understand this.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> ACL SETUSER devops
OK
127.0.0.1:6379>
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops off resetchannels -@all"
127.0.0.1:6379>
Redis disables a newly created user by default. As you can see in the output above, the status of this user is off.
Enable & Set the Password
Let's enable the user and set the password.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> ACL SETUSER devops on >pass@123#
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6 resetchannels -@all"
127.0.0.1:6379>
Here:
ACL SETUSER: modify or create the rules for a specific ACL user.
devops: name of the user.
on: enable the user.
>pass@123#: new password for user devops.
Redis Authentication & Access Validation
Now we'll try to connect to Redis using this newly created user.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> auth devops pass@123#
OK
127.0.0.1:6379>
Let me try to create a string using the SET command to see if the restrictions are really working.
127.0.0.1:6379> set teststr "this is test string"
(error) NOPERM this user has no permissions to run the 'set' command
127.0.0.1:6379>
So this is working as expected, as user devops doesn't have access to any command.
Allow Command Access to Redis User
Now we'll allow the SET and GET commands for user devops from the default (full-access) user's login.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> ACL SETUSER devops ~teststr:* +set +get
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6 ~teststr* resetchannels -@all +get +set"
127.0.0.1:6379>
Here:
ACL SETUSER: modify or create the rules for a specific ACL user.
devops: name of the user.
~teststr*: key pattern to allow access to.
+set +get: commands to allow execution of.
Let's repeat the same test of creating a string from the devops user's login.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> auth devops pass@123#
OK
127.0.0.1:6379> set teststr "this is test string"
OK
127.0.0.1:6379> get teststr
"this is test string"
127.0.0.1:6379>
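The ACL LIST fields explained earlier and the +/- command rules used above follow a simple model: a user starts with no commands, each +/- rule is applied in order (the last matching rule wins), and a key is reachable only if it matches one of the ~ patterns. As an added example that is not part of this tutorial, the Python script below parses ACL LIST lines offline, decides whether a given command on a given key would be permitted for a user, and flags risky users such as the stock default user. The sample lines (the devops key pattern follows the SETUSER command, ~teststr:*), the small command-to-category table, and the NOPERM strings are constructed for this example; the real category table lives inside the Redis server.

```python
"""Offline audit of Redis ACL LIST output (added example, not Redis code)."""
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the ACL LIST output shown in the tutorial.
SAMPLE_ACL_LIST = [
    "user default on nopass ~* &* +@all",
    "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6 "
    "~teststr:* resetchannels -@all +get +set",
]

# Constructed subset of Redis's built-in command -> category table.
COMMAND_CATEGORIES = {
    "get": {"read", "string", "fast"},
    "set": {"write", "string", "slow"},
    "del": {"write", "keyspace", "slow"},
    "flushall": {"write", "keyspace", "dangerous", "slow"},
}


@dataclass
class AclUser:
    name: str
    enabled: bool = False
    nopass: bool = False
    password_hashes: list = field(default_factory=list)
    key_patterns: list = field(default_factory=list)
    channel_patterns: list = field(default_factory=list)
    command_rules: list = field(default_factory=list)   # kept in order: last match wins
    unknown_tokens: list = field(default_factory=list)  # tokens this model does not handle


def parse_acl_line(line):
    """Turn one 'user <name> ...' line from ACL LIST into an AclUser."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % line)
    user = AclUser(name=tokens[1])
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            user.enabled = tok == "on"
        elif tok == "nopass":
            user.nopass = True
        elif tok.startswith("#"):
            # Redis stores passwords as SHA-256 hex digests, never in clear text.
            if not re.fullmatch(r"[0-9a-f]{64}", tok[1:]):
                raise ValueError("malformed password hash for user %s" % user.name)
            user.password_hashes.append(tok[1:])
        elif tok.startswith("~"):
            user.key_patterns.append(tok[1:])
        elif tok.startswith("&"):
            user.channel_patterns.append(tok[1:])
        elif tok == "resetchannels":
            user.channel_patterns.clear()
        elif tok[0] in "+-":
            user.command_rules.append(tok.lower())
        else:
            user.unknown_tokens.append(tok)
    return user


def parse_acl_list(lines):
    return [parse_acl_line(line) for line in lines]


def command_allowed(user, command):
    """Apply the +/- rules in order; the last rule matching the command wins."""
    command = command.lower()
    allowed = False  # every user starts from -@all
    for rule in user.command_rules:
        sign, target = rule[0], rule[1:]
        if target.startswith("@"):
            category = target[1:]
            if category == "all" or category in COMMAND_CATEGORIES.get(command, set()):
                allowed = sign == "+"
        elif target == command:
            allowed = sign == "+"
    return allowed


def key_allowed(user, key):
    """Key patterns are Redis-style globs; fnmatch covers * and ? the same way."""
    return any(fnmatch.fnmatchcase(key, pattern) for pattern in user.key_patterns)


def check_access(user, command, key=None):
    """Return None when permitted, else an error string in the style Redis prints."""
    if not command_allowed(user, command):
        return "NOPERM this user has no permissions to run the '%s' command" % command.lower()
    if key is not None and not key_allowed(user, key):
        return "NOPERM this user has no permissions to access one of the keys used as arguments"
    return None


def audit(users):
    """Flag enabled users that a reviewer of this ACL would want to look at."""
    findings = []
    for user in users:
        if not user.enabled:
            continue
        if user.nopass:
            findings.append("%s: enabled without a password (nopass)" % user.name)
        if "*" in user.key_patterns and command_allowed(user, "flushall"):
            findings.append("%s: dangerous commands allowed on every key" % user.name)
    return findings


if __name__ == "__main__":
    users = parse_acl_list(SAMPLE_ACL_LIST)
    for user in users:
        print(user.name, check_access(user, "SET", "teststr:1"), check_access(user, "DEL", "teststr:1"))
    for finding in audit(users):
        print("WARNING", finding)
```

Feeding the script the output of `redis-cli ACL LIST` from a real instance is the quickest way to spot a default user that still has nopass and +@all after you have finished creating restricted users.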
Delete User and ACL Rules
Let us now attempt to remove the SET permission from user devops and completely delete the user.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> ACL SETUSER devops -set
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6 ~teststr:* ~teststr* resetchannels -@all +get"
127.0.0.1:6379>
To remove an ACL rule, we use the minus (-) sign followed by the command name.
[root@siddhesh ~]# redis-cli
127.0.0.1:6379> ACL DELUSER devops
(integer) 1
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379>
We used ACL DELUSER to completely remove the ACL user from Redis.