The Redis ACL (Access Control List) is the feature that lets certain connections be limited in terms of the commands they can execute and the keys they can access. After connecting, a client is required to authenticate by providing a username and a valid password; if authentication succeeds, the connection is associated with that user and inherits the user's limits. Redis can be configured so that new connections are already authenticated as a "default" user (this is the default configuration), so configuring the default user has, as a side effect, the ability to expose only a specific subset of functionality to connections that never authenticate explicitly. In the default configuration, Redis 6 (the first version to have ACLs) behaves exactly like older versions of Redis: every new connection can call every command and access every key, so the ACL feature is backward compatible with old clients and applications. The old way of configuring a password, the requirepass configuration directive, still works as expected, but now it simply sets a password for the default user. The username used when AUTH is called with only a password is "default", so specifying just a password means authenticating against the default user, which provides full backward compatibility with the past. Before using ACLs, ask yourself what you want to accomplish with this layer of protection. Normally there are two main goals that are well served by ACLs; one typical usage is related to managed Redis instances. Redis is often provided as a managed service, either by internal teams that run the Redis infrastructure for their internal customers, or in a software-as-a-service setup by cloud providers.
In both setups we want to be sure that configuration commands are excluded for the customers. The way this was accomplished in the past, by renaming commands, was a trick that let us survive without ACLs for a long time, but it is not ideal. ACLs are defined using a DSL (domain specific language) that describes what a given user is or is not able to do. Rules are always applied from first to last, left to right, and the order matters: the same rules in a different order can yield a different set of permissions, so reading them in order is necessary to understand what the user can really do. By default there is a single user defined, called default. Listing the users (ACL LIST) reports them in the same format used in Redis configuration files, by translating the ACLs currently set for each user back into their description. The first two words of each line are "user" followed by the username; the words that follow are the ACL rules describing different things. In the special case of the default user, the nopass rule means that new connections are automatically authenticated as the default user without any explicit AUTH call. The following is the list of valid ACL rules. Certain rules are single words that activate or remove a flag, or perform a given change to the user's ACL.
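The following Python model is added here as an illustration and is not part of Redis or its documentation. It applies a subset of the rule DSL in the left-to-right order described above, so the effect of rule ordering ("-@all +get" versus "+get -@all") can be checked directly, and it shows a least-privilege application user beside the stock default user. The command categories are a constructed subset (real Redis has far more commands and categories), and only the rules on, off, nopass, >password, <password, allcommands, nocommands, allkeys, resetkeys, +cmd, -cmd, +@category, -@category and ~pattern are handled.

```python
import fnmatch
import secrets

# Constructed subset of Redis command categories, only for this example;
# the real server has many more commands and categories.
CATEGORIES = {
    "read": {"get", "mget", "lrange", "hget"},
    "write": {"set", "del", "lpush", "hset"},
    "dangerous": {"flushall", "config", "debug", "keys"},
    "admin": {"config", "debug"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values())


class AclUser:
    """Minimal model of a Redis ACL user built from a rule string.

    Rules are applied strictly left to right, so "+@all -@dangerous" and
    "-@dangerous +@all" produce different users, as they do in Redis.
    """

    def __init__(self, name, rules):
        self.name = name
        self.enabled = False
        self.nopass = False
        self.passwords = set()
        self.commands = set()
        self.key_patterns = []
        for rule in rules.split():
            self.apply(rule)

    def apply(self, rule):
        if rule == "on":
            self.enabled = True
        elif rule == "off":
            self.enabled = False
        elif rule == "nopass":
            self.nopass = True
            self.passwords.clear()          # nopass discards stored passwords
        elif rule == "allcommands":
            self.commands = set(CATEGORIES["all"])
        elif rule == "nocommands":
            self.commands.clear()
        elif rule == "allkeys":
            self.key_patterns = ["*"]
        elif rule == "resetkeys":
            self.key_patterns = []
        elif rule.startswith(">"):
            self.nopass = False             # adding a password ends nopass
            self.passwords.add(rule[1:])
        elif rule.startswith("<"):
            self.passwords.discard(rule[1:])
        elif rule.startswith("+@") or rule.startswith("-@"):
            category = CATEGORIES[rule[2:]]
            if rule[0] == "+":
                self.commands |= category
            else:
                self.commands -= category
        elif rule.startswith("+") or rule.startswith("-"):
            command = rule[1:].lower()
            if rule[0] == "+":
                self.commands.add(command)
            else:
                self.commands.discard(command)
        elif rule.startswith("~"):
            self.key_patterns.append(rule[1:])
        else:
            raise ValueError("rule not handled by this example: " + rule)

    def authenticate(self, password):
        """True if AUTH with this password would succeed for the user."""
        if not self.enabled:
            return False
        if self.nopass:
            return True
        return any(secrets.compare_digest(password, p) for p in self.passwords)

    def can_run(self, command, *keys):
        """True if the command is allowed and every key matches a pattern."""
        if not self.enabled or command.lower() not in self.commands:
            return False
        return all(
            any(fnmatch.fnmatchcase(key, pattern) for pattern in self.key_patterns)
            for key in keys
        )


def default_user():
    # The stock Redis 6 default user: everything allowed, no AUTH needed.
    return AclUser("default", "on nopass ~* +@all")


def cache_user(password):
    # A least-privilege application user: read/write on cache:* only, with
    # the dangerous category removed after the category grants.
    return AclUser("cache", "on >" + password + " ~cache:* +@read +@write -@dangerous")
```

The model deliberately stops at commands and key patterns; real ACLs also cover Pub/Sub channels and selectors, and the real category membership of each command is what `ACL CAT` reports, not the toy table above.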
Authenticating Users with the Redis AUTH Command
Redis authentication tokens let Redis require a token (password) before clients can execute commands, improving data security. To set up a strong token, we recommend that you follow a strict token policy, such as requiring non-alphanumeric characters and forbidding dictionary words or slightly modified dictionary words. You can require that users enter a token on a token-protected Redis server. To do this, include the --auth-token parameter (API: AuthToken) with the correct token when you create your replication group or cluster, and include it in all subsequent commands to the replication group or cluster. Replace the subnet group sng-test with a subnet group that exists. This value must be the correct token for this token-protected Redis server. You can make this modification on a supported 5.x or later engine version. Make these modification calls with the --apply-immediately parameter to apply changes immediately. Once the modification is complete, the cluster supports the previous AUTH token in addition to the one specified in the auth-token parameter. If this modification is performed on a server that already supports two AUTH tokens, the oldest AUTH token is also removed during the operation, so a server supports at most the two most recent AUTH tokens at any given time. At this point, update the clients to use the latest AUTH token. Once the clients are updated, use the SET strategy for AUTH token rotation, explained in the following section, to start using the new token exclusively. For SET, the auth-token parameter must be the same value as the last AUTH token rotated.
With the SET strategy, after the modification is complete the Redis server supports only the AUTH token specified in the auth-token parameter. With the DELETE strategy, after the modification is complete the cluster supports the AUTH token specified in the auth-token parameter in addition to allowing connections without authentication, which should only be used when you intend to turn token protection off.
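To make the two-phase rotation concrete, here is an added Python simulation, not AWS code and not an example from the original page, of which tokens a token-protected server accepts after each update strategy as described above: ROTATE keeps the previous token valid next to the new one, capped at two, SET drops to the new token only, and DELETE reopens unauthenticated access. The strategy names are those of the ElastiCache AuthTokenUpdateStrategy parameter. The policy check uses an assumed 16-character minimum and a constructed word list; modify_call only builds the keyword arguments a boto3 modify_replication_group call would take (parameter names assumed to match the ModifyReplicationGroup API) and nothing here contacts AWS.

```python
import secrets
import string

# Added simulation of the AUTH-token behaviour described above. Nothing here
# talks to AWS; it models which tokens the server accepts after each update
# strategy so a rotation can be reasoned about and tested offline.

MIN_TOKEN_LEN = 16  # assumption for this example, not a documented AWS value

# Constructed stand-in for a real dictionary.
DICTIONARY = {"password", "secret", "redis", "welcome", "admin", "letmein"}


class TokenPolicyError(ValueError):
    pass


def normalize(token):
    """Undo common 'slight modifications' (case, leetspeak) before the word check."""
    return token.lower().translate(str.maketrans("013457$@!", "oleastsai"))


def check_token(token):
    """Enforce the policy sketched above: length, a non-alphanumeric character,
    and no (modified) dictionary word. Returns True or raises."""
    if len(token) < MIN_TOKEN_LEN:
        raise TokenPolicyError("token shorter than %d characters" % MIN_TOKEN_LEN)
    if not any(c in string.punctuation for c in token):
        raise TokenPolicyError("token needs at least one non-alphanumeric character")
    folded = normalize(token)
    if any(word in folded for word in DICTIONARY):
        raise TokenPolicyError("token contains a (modified) dictionary word")
    return True


def generate_token(length=32):
    """Random token from an alphabet chosen here to avoid shell/JSON quoting trouble."""
    alphabet = string.ascii_letters + string.digits + "-_.:+=!#%"
    while True:
        token = "".join(secrets.choice(alphabet) for _ in range(length))
        try:
            check_token(token)
            return token
        except TokenPolicyError:
            continue  # retry until the policy is satisfied


class TokenProtectedServer:
    """Which tokens the server accepts, tracked across ROTATE / SET / DELETE."""

    def __init__(self, tokens=()):
        self.accepted = list(tokens)            # oldest first, newest last
        self.allow_unauthenticated = not self.accepted

    def accepts(self, token):
        """token=None models a client that sends no AUTH at all."""
        if token is None:
            return self.allow_unauthenticated
        return token in self.accepted

    def modify(self, auth_token, strategy):
        """Model of modify-replication-group --auth-token X --auth-token-update-strategy Y."""
        check_token(auth_token)
        if strategy == "ROTATE":
            # The previous token stays valid next to the new one; with two
            # already live the oldest is dropped, so at most two are accepted.
            if auth_token not in self.accepted:
                self.accepted = (self.accepted + [auth_token])[-2:]
            self.allow_unauthenticated = False
        elif strategy in ("SET", "DELETE"):
            if not self.accepted or auth_token != self.accepted[-1]:
                raise ValueError(strategy + " requires the most recently rotated token")
            self.accepted = [auth_token]
            # SET keeps only the new token; DELETE also reopens unauthenticated access.
            self.allow_unauthenticated = strategy == "DELETE"
        else:
            raise ValueError("unknown strategy " + strategy)
        return list(self.accepted)


def modify_call(group_id, token, strategy):
    """Keyword arguments for boto3 ElastiCache.Client.modify_replication_group
    (names assumed to match the ModifyReplicationGroup API)."""
    return {"ReplicationGroupId": group_id, "AuthToken": token,
            "AuthTokenUpdateStrategy": strategy, "ApplyImmediately": True}


def rotate_token(server, new_token, update_clients):
    """Two-phase rotation: ROTATE so old and new both work, redeploy the
    clients (callback), then SET so only the new token is accepted."""
    server.modify(new_token, "ROTATE")
    update_clients(new_token)
    return server.modify(new_token, "SET")
```

The SET step refusing anything but the most recently rotated token is the check that protects you from cutting over to a token no client has been given yet; keep the ROTATE window open until every client has been redeployed with the new value.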
My main job is a kind of maintenance for a service which can provide a cloud storage for Koreans. I mean most users are Korean. I think that when nutcracker is executed, the redis AUTH command is not sent from twem to an original redis server. I downloaded nutcracker from git master. I tested a redis command, simple SET. So, I think that when nutcracker is executed, the redis AUTH command is not sent from twemproxy to an original redis server. Is that wrong? I misunderstood about AUTH support on twem. I thought that twem is not supporting in terms of the redis AUTH command. But, it is wrong. It is necessary to use the AUTH command on the redis client side, too. Thank you very much. The password relates to the redis. Download the twemproxy source from the github server using git clone, not the zip file. The code is added by charsyam. Hi sjang, I have downloaded and got twemproxy running in docker. I'm trying to use twemproxy as a redis cache for Google PageSpeed.

This document provides an introduction to the topic of security from the point of view of Redis: the access control provided by Redis, code security concerns, attacks that can be triggered from the outside by selecting malicious inputs, and other similar topics are covered. For security-related contacts, please open an issue on GitHub or, when you feel it is really important that the security of the communication is preserved, use the GPG key at the end of this document. Redis is designed to be accessed by trusted clients inside trusted environments.
This means that it is usually not a good idea to expose a Redis instance directly to the internet or, in general, to an environment where untrusted clients can reach the Redis TCP port or UNIX socket. For instance, in the common case of a web application that uses Redis as a database, cache, or messaging system, the clients on the front-end web side of the application query Redis to generate pages or to perform operations requested or triggered by the web application user. In this case, the web application mediates access between Redis and the untrusted clients (the users' browsers). This is a specific example, but in general untrusted access to Redis should always be mediated by a layer that implements ACLs, validates user input, and decides what operations to perform against the Redis instance. In general, Redis is optimized not for maximum security but for maximum performance and simplicity. Access to the Redis port should be denied to everybody but trusted clients in the network, so the servers running Redis should be directly reachable only by the computers that implement the application using Redis. In the common case of a single computer directly exposed to the internet, such as a virtualized Linux instance (Linode, EC2, and so on), the Redis port should be blocked from the outside; clients will still be able to reach Redis over the loopback interface. Note that it is also possible to bind Redis to a single interface by adding a bind directive to the redis.conf file. Failing to protect the Redis port from the outside can have a big security impact because of the nature of Redis: any client that can reach the port can read, alter or delete the whole data set. Unfortunately many users fail to protect Redis instances from external networks, and many instances are simply left exposed on the internet with public IPs. For this reason, later 3.x releases introduced protected mode.
In this mode Redis only replies to queries from the loopback interfaces, and answers clients connecting from other addresses with an error explaining what is happening and how to configure Redis properly. We expect protected mode to seriously reduce the security issues caused by unprotected Redis instances run without proper administration; however, the system administrator can still ignore the error given by Redis and disable protected mode or manually bind all the interfaces. Aside from the ACL system of Redis 6 described earlier, Redis does not try to implement access control; it provides a tiny layer of authentication that is optionally turned on by editing the redis.conf file. When the authentication layer is enabled, Redis refuses any query by unauthenticated clients. A client authenticates itself by sending the AUTH command followed by the password. The password is set by the system administrator in clear text inside the redis.conf file. It should be long enough to prevent brute force attacks; since it lives in configuration files rather than in anyone's memory, there is no reason for it to be short. The goal of the authentication layer is to provide an optional layer of redundancy: if firewalling or any other system protecting Redis from external attackers fails, an external client still cannot access the Redis instance without knowing the password. The AUTH command, like every other Redis command, is sent unencrypted, so it does not protect against an attacker with enough network access to eavesdrop. Redis has optional support for TLS on all communication channels, including client connections, replication links and the Redis Cluster bus protocol. It is also possible to disable commands in Redis, or to rename them to an unguessable name, so that normal clients are limited to a specified set of commands. For instance, a virtualized server provider may offer a managed Redis instance service.
In this context, normal users should probably not be able to call the Redis CONFIG command to alter the configuration of the instance, but the systems that provision and remove instances should be able to. In this case it is possible to either rename or completely shadow commands in the command table. This feature is available as a rename-command statement in the redis.conf file: for example, CONFIG can be renamed to a long random string known only to the provisioning system. It is also possible to completely disable CONFIG, or any other command, by renaming it to the empty string. Renaming is obscurity, not authentication: the new name travels in clear text like every other command, and renaming commands that are written to the AOF or sent to replicas can break those mechanisms, so pair it with a password or ACLs rather than relying on it alone. There is also a class of attacks that an attacker can trigger from the outside even without direct access to the instance. An example is the ability to insert data into Redis that triggers pathological worst-case algorithmic complexity in the data structures implemented inside Redis internals.
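The points above, binding to the loopback interface, protected mode, a long requirepass, and renaming or disabling CONFIG, can be checked mechanically against a redis.conf. The following Python audit is an added example, not code from Redis or its documentation: the two redis.conf fragments are constructed, and the 32-character password floor and the list of commands that must be renamed are this example's own choices.

```python
import shlex

# Constructed redis.conf fragments for this example; neither is a real deployment.
WEAK_CONF = """\
# listens on every interface, no password, admin commands reachable
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass 7f3b1c9e0a2d4e6f8b1a3c5d7e9f0b2c4d6e8f0a1b3c5d7e
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL 3e1a0c5d2b4f6a8c9e0b1d3f5a7c9e1b
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1", "localhost"}
MIN_PASSWORD_LEN = 32              # this example's floor; AUTH is cheap to brute force
MUST_RENAME = ("CONFIG", "DEBUG")  # this example's choice of commands to hide from clients


def parse_conf(text):
    """Turn redis.conf text into (directive, args) pairs, skipping blanks and
    comments. shlex handles the quoted empty string used to disable a command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_conf(text)
    findings = []

    # 1. Network exposure: no bind at all means every interface.
    binds = [a for d, args in entries if d == "bind" for a in args]
    if not binds:
        findings.append("no bind directive: Redis listens on all interfaces")
    else:
        exposed = [a for a in binds if a not in LOOPBACK]
        if exposed:
            findings.append("bind exposes non-loopback addresses: " + ", ".join(exposed))

    # 2. Protected mode is the safety net for misconfigured instances.
    protected = next((args[0].lower() for d, args in entries if d == "protected-mode"), "yes")
    if protected != "yes":
        findings.append("protected-mode is off: the built-in safety net is disabled")

    # 3. The password is the last line of defence if the firewall fails.
    password = next((args[0] for d, args in entries if d == "requirepass"), None)
    if password is None:
        findings.append("no requirepass: every client that reaches the port is fully trusted")
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append("requirepass is shorter than %d characters" % MIN_PASSWORD_LEN)

    # 4. Administrative commands should be renamed or disabled (empty name).
    renamed = {args[0].upper() for d, args in entries if d == "rename-command" and args}
    for cmd in MUST_RENAME:
        if cmd not in renamed:
            findings.append(cmd + " is reachable under its real name: rename or disable it")

    return findings
```

Run `audit(open("/etc/redis/redis.conf").read())` on a real file to get the same findings list; a non-loopback bind is only acceptable when the port is firewalled and TLS is in use, neither of which a config file on its own can prove.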