Configure permissions with Redis ACLs

Redis Cloud

You can define custom Redis ACL rules to assign to data access roles, or use the predefined Redis ACLs.

Redis provides three predefined ACL rules. They are marked with the Redis logo and cannot be changed:

  • Full-Access: Allows all commands.
  • Read-Write: Allows read and write commands, and excludes dangerous commands.
  • Read-Only: Allows only read commands.

ACLs that are not marked with the Redis logo are user-defined ACL rules.

To configure a Redis ACL that can be assigned to data access roles:

  1. Go to Data Access Control in the Redis Cloud console menu.

    Data Access Control menu.
  2. Select the Redis ACLs tab.

    Redis ACLs section.
  3. Select + to create a new Redis ACL, or point to an existing ACL and select the pencil icon to edit it.

    Add or update a Redis ACL.
    Note:
    Built-in Redis ACLs cannot be edited.
  4. Provide a descriptive name and use the ACL syntax to create the ACL rule.

    Add a Redis ACL.
  5. Select the check mark to save your changes. Your new Redis ACL should appear in the list.

    Saved Redis ACL.

Once you have created a Redis ACL, you can assign it to a role. A Redis ACL is not fully validated until it is assigned to a role. For more information, see Create roles for Active-Active databases and Active-Active access roles.

Define permissions with ACL syntax

You can use the Redis ACL syntax to define these permissions. This syntax lets you concisely specify which commands, command categories, keys, and pub/sub channels to allow.

  • + includes a command or command category
  • - excludes a command or command category
  • @ indicates a command category
  • ~ defines allowed key patterns
  • & allows access to pub/sub channels

The Redis Cloud console validates your ACL syntax as you type.

Command ACL rules

A command can be any Redis command.

For example, this Redis ACL rule allows the SET command:

+set

Command category ACL rules

A command category is a predefined, named set of commands.

For example, the Redis commands that read data are available in the read command category. This Redis ACL rule permits access to all read commands:

+@read

To find out which commands are included in the read command category, run the following command with redis-cli:

ACL CAT read

Key ACL rules

To specify which keys are accessible, use the key permissions syntax.

The following ACL rule allows access to all keys:

~*

This ACL rule, in contrast, only allows access to keys prefixed with cache:

~cache:*

Starting with Redis 7.0, key patterns can also be used to define how a command is able to read or write a key.

The following ACL rule allows you to copy information from keys prefixed with cache: into keys prefixed with app: (~app:* grants read and write access, while %R~cache:* grants read-only access):

+@all ~app:* %R~cache:*

For more information on how this works, see the key permissions syntax.

Pub/sub ACL rules

Pub/sub ACL rules determine which pub/sub channels a user can access. For more information, see Redis pub/sub.

For versions older than Redis 7.0, pub/sub is permissive and allows access to all channels by default.

Redis 7.0 makes pub/sub restrictive and blocks access to all channels in Redis Software. However, Redis Cloud still defaults to permissive pub/sub even for Redis 7.0 subscriptions.

Redis version | Redis Community Edition pub/sub ACLs | Redis Cloud pub/sub ACLs
6.0           | Not supported                        | Not supported
6.2           | Permissive                           | Permissive
7.0           | Restrictive                          | Permissive

Restrict channel access

To block access to all channels, use the following ACL rule:

resetchannels

If you want to limit access to specific channels, first include resetchannels. Then use & syntax to allow access to particular channels:

resetchannels &channel1 &channel2

Allow all channels

To make pub/sub explicitly permissive and allow users to access all channels, set the following rule:

allchannels

Selectors

Starting with Redis 7.0, Redis supports adding multiple sets of rules that are evaluated independently of each other, called selectors.

The following ACL rule allows a user to execute GET on keys prefixed with cache: and SET on keys prefixed with app:. Because each selector is evaluated on its own, the SET grant does not extend to cache: keys and the GET grant does not extend to app: keys:

+GET ~cache:* (+SET ~app:*)
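To make the evaluation model behind the syntax concrete (the + / - / @ / ~ tokens above, the %R read-only key patterns, resetchannels / & channel rules, and the selector rule just shown), here is an added example of a small rule evaluator written for this page. It is not Redis Cloud's validator and not Redis's own ACL implementation: the command-category table is a constructed subset (the real membership comes from ACL CAT), Python's fnmatch stands in for Redis glob matching, the caller states which keys a command reads or writes, and pub/sub defaults to permissive to mirror the Redis Cloud behaviour described in the table above.

```python
"""Toy evaluator for Redis ACL rule strings (added example, not Redis code)."""
from fnmatch import fnmatchcase

# Constructed subset of Redis command categories. The authoritative membership
# for a category on your Redis version comes from: ACL CAT <category>
CATEGORIES = {
    "read": {"get", "mget", "hget", "lrange"},
    "write": {"set", "del", "hset", "lpush", "copy"},
    "dangerous": {"flushall", "keys", "config", "shutdown"},
    "pubsub": {"publish", "subscribe"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values())


class Selector:
    """One independently evaluated rule set: the root rules or a (...) group."""

    def __init__(self):
        self.commands = set()          # commands granted by + / - tokens
        self.read_patterns = []        # key globs usable for reads
        self.write_patterns = []       # key globs usable for writes
        self.channel_patterns = []     # channel globs from & tokens
        # Assumption taken from this page: Redis Cloud pub/sub is permissive by
        # default; `resetchannels` switches the selector to restrictive.
        self.all_channels = True

    def apply(self, token):
        aliases = {"allkeys": "~*", "allcommands": "+@all", "nocommands": "-@all"}
        token = aliases.get(token, token)
        if token == "allchannels":
            self.all_channels = True
        elif token == "resetchannels":
            self.all_channels = False
            self.channel_patterns.clear()
        elif token == "resetkeys":
            self.read_patterns.clear()
            self.write_patterns.clear()
        elif token[0] in "+-":
            if token[1] == "@":                      # command category
                if token[2:] not in CATEGORIES:
                    raise ValueError(f"unknown category: {token}")
                names = CATEGORIES[token[2:]]
            else:                                    # single command
                names = {token[1:].lower()}
            if token[0] == "+":
                self.commands |= names
            else:
                self.commands -= names
        elif token.startswith("~"):                  # read + write key pattern
            self.read_patterns.append(token[1:])
            self.write_patterns.append(token[1:])
        elif token.startswith("%"):                  # %R~ / %W~ / %RW~ pattern
            flags, _, pattern = token[1:].partition("~")
            if "R" in flags:
                self.read_patterns.append(pattern)
            if "W" in flags:
                self.write_patterns.append(pattern)
        elif token.startswith("&"):                  # pub/sub channel pattern
            self.channel_patterns.append(token[1:])
        else:
            raise ValueError(f"unsupported ACL token: {token}")

    def permits(self, command, read_keys=(), write_keys=(), channel=None):
        def matched(value, patterns):
            return any(fnmatchcase(value, p) for p in patterns)

        if command.lower() not in self.commands:
            return False
        if not all(matched(k, self.read_patterns) for k in read_keys):
            return False
        if not all(matched(k, self.write_patterns) for k in write_keys):
            return False
        if channel is not None and not self.all_channels:
            return matched(channel, self.channel_patterns)
        return True


def parse_acl(rule):
    """Split a rule string into the root selector plus any (...) selectors."""
    root, selectors, current = Selector(), [], None
    for token in rule.split():
        if token.startswith("("):
            current, token = Selector(), token[1:]
        closing = token.endswith(")")
        if closing:
            token = token[:-1]
        if token:
            (current if current is not None else root).apply(token)
        if closing:
            selectors.append(current)
            current = None
    if current is not None:
        raise ValueError("unclosed selector")
    return [root] + selectors


def is_allowed(rule, command, read_keys=(), write_keys=(), channel=None):
    """A request is allowed if the root rules or any one selector allows it."""
    return any(s.permits(command, read_keys, write_keys, channel)
               for s in parse_acl(rule))
```

Running the page's rules through it shows the behaviour the text describes: "+@all ~app:* %R~cache:*" lets COPY read cache:x and write app:x but refuses a write to cache:x, and "+GET ~cache:* (+SET ~app:*)" refuses SET on cache: keys because the root grant has no SET and the selector has no cache: pattern.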

Predefined permissions

Redis Cloud includes three predefined permissions:

  • Full-Access (+@all ~*) - All commands are allowed for all keys.

  • Read-Write (+@all -@dangerous ~*) - All commands except for the dangerous command category are allowed for all keys.

  • Read-Only (+@read ~*) - Only the read command category is allowed for all keys.

Advanced capability command permissions

Note that you can define permissions for the Redis commands of any advanced capabilities that are part of your subscription; however, these permissions can only be used for databases that support those capabilities.
