Let’s see how it works!<\/p>\n\n\n\n
Definition <\/h2>\n\n\n\n
ACL <\/strong>stands for access control list.<\/p>\n\n\n\n It is the functionality that allows certain connections to be limited in terms of the commands that can be executed and the keys that can be accessed. <\/p>\n\n\n\n It works as follows: <\/p>\n\n\n\n After logging in, a client must provide a valid username and password to authenticate itself. If authentication is successful, the connection is associated with a given user and the limits available to that user. <\/p>\n\n\n\n Redis can be configured so that new connections are already authenticated with a “default” user (this is the default configuration). <\/p>\n\n\n\n Note:<\/span><\/p>\n\n\n\n The default user configuration has the side effect of only providing a specific subset of functionality to connections that are not explicitly authenticated.<\/p>\n\n\n\n In the default configuration, Redis 6<\/strong> (the first version to have ACL) works exactly like older versions of Redis. <\/p>\n\n\n\n Each new connection is able to call all possible commands and access all keys, so the ACL functionality is backwards compatible with older clients and applications. <\/p>\n\n\n\n The old way of setting a password, using the “requirepass” configuration directive, still works as expected. However, it now defines a password for the default user<\/p>\n\n\n\n To check your Redis version you have many ways:<\/p>\n\n\n\n If you are not in the CLI use directly redis-cli INFO <\/strong>in the terminal <\/p>\n\n\n\n Use the ACL whoami<\/strong> command<\/p>\n\n\n\n ( remember commands are not case sensitive )<\/p>\n\n\n\n There is two main reasons to use ACL:<\/p>\n\n\n\n You can get more info and use case of ACL <\/strong>by checking the Redis official site<\/p>\n\n\n\n To configure the right access for our users, we will use the DSL <\/strong>command ACL <\/strong>command <\/p>\n\n\n\n Note:<\/p>\n\n\n\n Such rules are always implemented from the first to the last, left-to-right, because sometimes the order of the rules is important to understand what the user is really able to do.<\/p>\n\n\n\n You can list all the users created by using the command ACL LIST<\/strong><\/p>\n\n\n\n As you can see I have created other users with different ACL<\/strong>, we will analyze also the different component of this ACL LIST <\/strong>output <\/p>\n\n\n\n ACL list command reports the list of users in the same format that is used in the Redis configuration files<\/strong>, by translating the current ACLs set for the users back into their description.<\/p>\n\n\n\n let’s take the default user as example:<\/p>\n\n\n\n Also, in the special case of the default user, having the nopass<\/em> rule means that new connections are automatically authenticated with the default user without any explicit The following is the list of valid ACL rules extracted from the Redis site. <\/p>\n\n\n\n Certain rules are just single words that are used in order to activate or remove a flag, or to perform a given change to the user ACL. <\/p>\n\n\n\n Other rules are char prefixes that are concatenated with command or category names, key patterns, and so forth.<\/p>\n\n\n\n As explained above with the default user we know now how to enable or disable the user:<\/p>\n\n\n\n Note: if a user is not flagged with nopass and has no list of valid passwords, that user is effectively impossible to use because there will be no way to log in as that user.<\/em><\/p>\n\n\n\n Reset the user:<\/p>\n\n\n\n To allow and block commands you must use the @all argument (You can be more granular by using +\/- to add or disable commands).<\/p>\n\n\n\n +@all will enable all commands , even the most critical <\/p>\n\n\n\n -@all will disable the commands <\/p>\n\n\n\n If you input the above command it will send you OK but when you will try to authenticate you will get an issue because we didn’t set a password<\/strong> and also the on option is not activated <\/p>\n\n\n\n Example:<\/p>\n\n\n\n We will add specific commands by using -@all followed by the command you want to enable ( here SET <\/strong>and also ACL <\/strong>command to have the whoami feature)<\/p>\n\n\n\n The command will give the right to user GUEST_USER for the command get for the “ACL” <\/strong>command and for the “SET<\/strong>” command<\/p>\n\n\n\n 127.0.0.1:6379> ACL GETUSER GUEST_USER<\/p>\n\n\n\n This is the end of the first part , now you know how and why you can use Redis ACL.<\/p>\n\n\n\n You can enhance your database security by limiting the access to users in order to let them do only what they have to do.We know also how to list the users and see their right access level.<\/p>\n\n\n\n Next time we will see how to give specific rights and also the different command categories.<\/p>\n\n\n\n We will also see how to allow or block sub-commands and even more security features \ud83d\ude42<\/p>\n\n\n\n Don’t hesitate to view or review my previous blogs<\/a> and also my colleagues blogs<\/a>.<\/p>\n\n\n\n Stay tuned for the part 2 of how to use Redis ACL \ud83d\ude09 .<\/p>\n","protected":false},"excerpt":{"rendered":" Introduction: Security is an important matter when using or allowing access to your database.You need to be sure that nobody will harm your infrastructure by passing some dangerous commands. Aim is to limit the access to user to specifics rights when he will authenticate on the database. For that we will use the Redis ACL […]<\/p>\n","protected":false},"author":40,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1739],"tags":[947,2991],"type_dbi":[],"class_list":["post-27222","post","type-post","status-publish","format-standard","hentry","category-nosql","tag-nosql","tag-redis"],"acf":[],"yoast_head":"\nKnow your Redis version <\/h2>\n\n\n\n
\n
nso@DBI-LT-NSO:~> redis-server --version<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-4.png\")
<\/figure>\n\n\n\n\n
127.0.0.1:6379> INFO<\/code><\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-6.png\")
<\/figure>\n\n\n\nAuthentication command<\/h2>\n\n\n\n
\n
AUTH<\/code><\/a> command was extended in Redis 6, so now it is possible to use it in the two-arguments form:<\/li>\n<\/ul>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-9-1024x136.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-10-1024x132.png\")
<\/figure>\n\n\n\n\n
127.0.0.1:6379> ACL WHOAM<\/code>I<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-11-1024x180.png\")
<\/figure>\n\n\n\nWhen ACL is efficient<\/h2>\n\n\n\n
\n
Configure ACL<\/h2>\n\n\n\n
List your users<\/h2>\n\n\n\n
\n
127.0.0.1:6379> ACL LIST<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-12-1024x177.png\")
<\/figure>\n\n\n\nACL LIST description and format<\/h2>\n\n\n\n
\"user default on nopass ~* &* +@all\"<\/code><\/pre>\n\n\n\n\n
~*<\/code>)<\/li>\n\n\n\n&*<\/code>)<\/li>\n\n\n\n+@all<\/code>.To disable use -@all<\/code><\/li>\n<\/ul>\n\n\n\nAUTH<\/code><\/a> call needed.<\/p>\n\n\n\nACL Rules<\/h2>\n\n\n\n
Enable and disallow users:<\/h3>\n\n\n\n
\n
on<\/code>: Enable the user: it is possible to authenticate as this user.<\/li>\n\n\n\noff<\/code>: Disallow the user: it’s no longer possible to authenticate with this user; however, previously authenticated connections will still work. Note that if the default user is flagged as off<\/em>, new connections will start as not authenticated and will require the user to send AUTH<\/code><\/a> or HELLO<\/code><\/a> with the AUTH option in order to authenticate in some way, regardless of the default user configuration.<\/li>\n<\/ul>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-18-1024x144.png\")
<\/figure>\n\n\n\nAllow\/Disallow commands:<\/h3>\n\n\n\n
\n
+<command><\/code>: Add the command to the list of commands the user can call. Can be used with |<\/code> for allowing subcommands (e.g “+config|get”).<\/li>\n\n\n\n-<command><\/code>: Remove the command to the list of commands the user can call. Starting Redis 7.0, it can be used with |<\/code> for blocking subcommands (e.g “-config|set”).<\/li>\n\n\n\n+@<category><\/code>: Add all the commands in such category to be called by the user, with valid categories being like @admin, @set, @sortedset, … and so forth, see the full list by calling the ACL CAT<\/code><\/a> command. The special category @all means all the commands, both the ones currently present in the server, and the ones that will be loaded in the future via modules.<\/li>\n\n\n\n-@<category><\/code>: Like +@<category><\/code> but removes the commands from the list of commands the client can call.<\/li>\n\n\n\n+<command>|first-arg<\/code>: Allow a specific first argument of an otherwise disabled command. It is only supported on commands with no sub-commands, and is not allowed as negative form like -SELECT|1, only additive starting with “+”. This feature is deprecated and may be removed in the future.<\/li>\n\n\n\nallcommands<\/code>: Alias for +@all. Note that it implies the ability to execute all the future commands loaded via the modules system.<\/li>\n\n\n\nnocommands<\/code>: Alias for -@all.<\/li>\n<\/ul>\n\n\n\nAllow and disallow certain keys and key permissions:<\/h3>\n\n\n\n
\n
~<pattern><\/code>: Add a pattern of keys that can be mentioned as part of commands. For instance ~*<\/code> allows all the keys. The pattern is a glob-style pattern like the one of KEYS<\/code><\/a>. It is possible to specify multiple patterns.<\/li>\n\n\n\n%R~<pattern><\/code>: (Available in Redis 7.0 and later) Add the specified read key pattern. This behaves similar to the regular key pattern but only grants permission to read from keys that match the given pattern. See key permissions<\/a> for more information.<\/li>\n\n\n\n%W~<pattern><\/code>: (Available in Redis 7.0 and later) Add the specified write key pattern. This behaves similar to the regular key pattern but only grants permission to write to keys that match the given pattern. See key permissions<\/a> for more information.<\/li>\n\n\n\n%RW~<pattern><\/code>: (Available in Redis 7.0 and later) Alias for ~<pattern><\/code>.<\/li>\n\n\n\nallkeys<\/code>: Alias for ~*<\/code>.<\/li>\n\n\n\nresetkeys<\/code>: Flush the list of allowed keys patterns. For instance the ACL ~foo:* ~bar:* resetkeys ~objects:*<\/code>, will only allow the client to access keys that match the pattern objects:*<\/code>.<\/li>\n<\/ul>\n\n\n\nAllow or disallow Pub\/Sub channels:<\/h3>\n\n\n\n
\n
&<pattern><\/code>: (Available in Redis 6.2 and later) Add a glob style pattern of Pub\/Sub channels that can be accessed by the user. It is possible to specify multiple channel patterns. Note that pattern matching is done only for channels mentioned by PUBLISH<\/code><\/a> and SUBSCRIBE<\/code><\/a>, whereas PSUBSCRIBE<\/code><\/a> requires a literal match between its channel patterns and those allowed for user.<\/li>\n\n\n\nallchannels<\/code>: Alias for &*<\/code> that allows the user to access all Pub\/Sub channels.<\/li>\n\n\n\nresetchannels<\/code>: Flush the list of allowed channel patterns and disconnect the user’s Pub\/Sub clients if these are no longer able to access their respective channels and\/or channel patterns.<\/li>\n<\/ul>\n\n\n\nConfigure valid passwords for the user:<\/h3>\n\n\n\n
\n
><password><\/code>: Add this password to the list of valid passwords for the user. For example >mypass<\/code> will add “mypass” to the list of valid passwords. This directive clears the nopass<\/em> flag (see later). Every user can have any number of passwords.<\/li>\n\n\n\n<<password><\/code>: Remove this password from the list of valid passwords. Emits an error in case the password you are trying to remove is actually not set.<\/li>\n\n\n\n#<hash><\/code>: Add this SHA-256 hash value to the list of valid passwords for the user. This hash value will be compared to the hash of a password entered for an ACL user. This allows users to store hashes in the acl.conf<\/code> file rather than storing cleartext passwords. Only SHA-256 hash values are accepted as the password hash must be 64 characters and only contain lowercase hexadecimal characters.<\/li>\n\n\n\n!<hash><\/code>: Remove this hash value from the list of valid passwords. This is useful when you do not know the password specified by the hash value but would like to remove the password from the user.<\/li>\n\n\n\nnopass<\/code>: All the set passwords of the user are removed, and the user is flagged as requiring no password: it means that every password will work against this user. If this directive is used for the default user, every new connection will be immediately authenticated with the default user without any explicit AUTH command required. Note that the resetpass<\/em> directive will clear this condition.<\/li>\n\n\n\nresetpass<\/code>: Flushes the list of allowed passwords and removes the nopass<\/em> status. After resetpass<\/em>, the user has no associated passwords and there is no way to authenticate without adding some password (or setting it as nopass<\/em> later).<\/li>\n<\/ul>\n\n\n\nConfigure selectors for the user:<\/h3>\n\n\n\n
\n
(<rule list>)<\/code>: (Available in Redis 7.0 and later) Create a new selector to match rules against. Selectors are evaluated after the user permissions, and are evaluated according to the order they are defined. If a command matches either the user permissions or any selector, it is allowed. See selectors<\/a> for more information.<\/li>\n\n\n\nclearselectors<\/code>: (Available in Redis 7.0 and later) Delete all of the selectors attached to the user.<\/li>\n<\/ul>\n\n\n\n\n
reset<\/code> Performs the following actions: resetpass, resetkeys, resetchannels, allchannels (if acl-pubsub-default is set), off, clearselectors, -@all. The user returns to the same state it had immediately after its creation.<\/li>\n<\/ul>\n\n\n\nAllow and block commands<\/h2>\n\n\n\n
Create and edit user ACLs<\/h2>\n\n\n\n
\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-15-1024x185.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-16-1024x92.png\")
<\/figure>\n\n\n\n\n
127.0.0.1:6379> ACL SETUSER NEW_USER on N4b1l +get<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-17-1024x187.png\")
<\/figure>\n\n\n\n\n
~<\/code>* ( wildcard stands for all the keys )<\/li>\n<\/ul>\n\n\n\n![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-19-1024x284.png\")
<\/figure>\n\n\n\n\n
\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-20-1024x185.png\")
<\/figure>\n\n\n\n\n
127.0.0.1:6379> ACL SETUSER GUEST_USER -@all +get +acl +set<\/code><\/pre>\n\n\n\n\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-22-1024x492.png\")
<\/figure>\n\n\n\n\n
![\"\"](\"https:\/\/www.dbi-services.com\/blog\/wp-content\/uploads\/sites\/2\/2023\/08\/image-23-1024x386.png\")
<\/figure>\n\n\n\n\n
Conclusion <\/h2>\n\n\n\n