Overview of Redis ACLs in Redis Enterprise Software
An overview of Redis ACLs, their syntax, and ACL command support in Redis Enterprise Software.
Redis access control lists (Redis ACLs) let you define named permissions for specific Redis commands, keys, and pub/sub channels. A Redis ACL you define can be used by multiple databases and roles.
Predefined Redis ACLs
Redis Enterprise Software provides one predefined Redis ACL named Full Access. This ACL allows all commands on all keys and cannot be edited.
Redis ACL syntax
A Redis ACL is defined with Redis ACL syntax, in which you specify the commands or command categories that are allowed for specific keys.
Commands and categories
Redis ACL rules can allow or block specific Redis commands or command categories.
- `+` includes commands
- `-` excludes commands
- `+@` includes command categories
- `-@` excludes command categories
The following example allows all `read` commands and the `SET` command:
`+@read +SET`
Module commands have several ACL limitations:
- Redis modules do not have command categories.
- Other command category ACLs, such as `+@read` and `+@write`, do not include Redis module commands. `+@all` is the only exception because it allows all Redis commands.
- You have to include individual module commands in a Redis ACL rule to allow them.
For example, the following Redis ACL rule allows read-only commands and the RediSearch commands `FT.INFO` and `FT.SEARCH`:
`+@read +FT.INFO +FT.SEARCH`
Key patterns
To define access to specific keys or key patterns, use the following prefixes:
- `~` or `%RW~` allows read and write access to keys.
- `%R~` allows read access to keys.
- `%W~` allows write access to keys.
`%RW~`, `%R~`, and `%W~` are only supported for databases with Redis version 7.2 or later.
The following example allows read and write access to all keys that start with "app1" and read-only access to all keys that start with "app2":
`~app1* %R~app2*`
Pub/sub channels
The `&` prefix allows access to pub/sub channels (only supported for databases with Redis version 6.2 or later).
To limit access to specific channels, include `resetchannels` before the allowed channels:
`resetchannels &channel1 &channel2`
Selectors
Selectors let you define multiple sets of rules in a single Redis ACL (only supported for databases with Redis version 7.2 or later). A command is allowed if it matches the base rule or any selector in the Redis ACL.
- `(<rule set>)` creates a new selector.
- `clearselectors` deletes all existing selectors for a user. This action does not delete the base ACL rule.
In the following example, the base rule allows `GET key1` and the selector allows `SET key2`:
`+GET ~key1 (+SET ~key2)`
Default pub/sub permissions
Redis database version 6.2 introduced pub/sub ACL rules that determine which pub/sub channels a user can access.
The configuration option `acl-pubsub-default`, added in Redis Enterprise Software version 6.4.2, determines the cluster-wide default level of access for all pub/sub channels. Redis Enterprise Software uses the following pub/sub permissions by default:
- For versions 6.4.2 and 7.2, `acl-pubsub-default` is permissive (`allchannels` or `&*`) by default to accommodate earlier Redis versions.
- In future versions, `acl-pubsub-default` will change to restrictive (`resetchannels`). Restrictive permissions block all pub/sub channels by default, unless explicitly permitted by an ACL rule.
If you use ACLs and pub/sub channels, you should review your databases and ACL settings and plan to transition your cluster to restrictive pub/sub permissions in preparation for future Redis Enterprise Software releases.
Prepare for restrictive pub/sub permissions
To secure pub/sub channels and prepare your cluster for future Redis Enterprise Software releases that default to restrictive pub/sub permissions:
- Upgrade Redis databases:
  - For Redis Enterprise Software version 6.4.2, upgrade all databases in the cluster to Redis DB version 6.2.
  - For Redis Enterprise Software version 7.2, upgrade all databases in the cluster to Redis DB version 7.2 or 6.2.
- Create or update ACLs with permissions for specific channels using the `resetchannels &channel` format.
- Associate the ACLs with relevant databases.
- Set default pub/sub permissions (`acl-pubsub-default`) to restrictive. See Change default pub/sub permissions for details.
- If any issues occur, you can temporarily change the default pub/sub setting back to permissive. Resolve any problematic ACLs before making pub/sub permissions restrictive again.
Note:
When you change the cluster's default pub/sub permissions to restrictive, `&*` is added to the Full Access ACL. Before you make this change, consider the following:
- Because pub/sub ACL syntax was added in Redis 6.2, you can't associate the Full Access ACL with database versions 6.0 or lower after this change.
- The Full Access ACL is not reverted if you change `acl-pubsub-default` to permissive again.
- Every database with the default user enabled uses the Full Access ACL.
Change default pub/sub permissions
As of Redis Enterprise version 6.4.2, you can configure `acl_pubsub_default`, which determines the default pub/sub permissions for all databases in the cluster. You can set `acl_pubsub_default` to the following values:
- `resetchannels` is restrictive and blocks access to all channels by default.
- `allchannels` is permissive and allows access to all channels by default.
To make default pub/sub permissions restrictive:
- Upgrade all databases in the cluster to Redis version 6.2 or later.
- Set the default to restrictive (`resetchannels`) using one of the following methods:
  - New Cluster Manager UI (only available for Redis Enterprise versions 7.2 and later):
    - Navigate to Access Control > Settings > Pub/Sub ACLs and select Edit.
    - For Default permissions for Pub/Sub ACLs, select Restrictive, then Save.
  - `rladmin tune cluster acl_pubsub_default resetchannels`
  - Update cluster policy REST API request:
    `PUT /v1/cluster/policy`
    `{ "acl_pubsub_default": "resetchannels" }`
ACL command support
Redis Enterprise Software does not support certain Redis ACL commands. Instead, you can manage access controls from the Cluster Manager UI.
| Command | Supported |
|---|---|
| ACL CAT | ✅ Supported |
| ACL DELUSER | ❌ Not supported |
| ACL DRYRUN | ✅ Supported |
| ACL GENPASS | ❌ Not supported |
| ACL GETUSER | ✅ Supported |
| ACL HELP | ✅ Supported |
| ACL LIST | ✅ Supported |
| ACL LOAD | ❌ Not supported |
| ACL LOG | ❌ Not supported |
| ACL SAVE | ❌ Not supported |
| ACL SETUSER | ❌ Not supported |
| ACL USERS | ✅ Supported |
| ACL WHOAMI | ✅ Supported |
Redis ACLs also have the following differences in Redis Enterprise Software:
- The `MULTI`, `EXEC`, and `DISCARD` commands are always allowed, but ACLs are enforced on the commands queued inside a `MULTI` block.
- Nested selectors are not supported. For example, the following selectors are not valid in Redis Enterprise: `+GET ~key1 (+SET (+SET ~key2) ~key3)`
- Key and pub/sub patterns do not allow the following characters: `(`, `)`
- The following password configuration syntax is not supported: `>`, `<`, `#!`, `resetpass`
To configure passwords in Redis Enterprise Software, use one of the following methods:
- `rladmin cluster reset_password`:
  `rladmin cluster reset_password <user email>`
- REST API `PUT /v1/users` request and provide `password`
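To check how a rule will behave before associating it with a database, the following Python model evaluates the ACL syntax from the sections above (commands and categories, module commands, key patterns with `%R~`/`%W~`, `resetchannels`/`&` channels, selectors, and the `acl_pubsub_default` cluster default) and rejects the syntax this section lists as unsupported in Redis Enterprise Software (nested selectors, parentheses in patterns, password tokens). It is an added example, not Redis's own ACL engine or any Redis Enterprise code; the command categories are a small constructed subset, and `fnmatch` stands in for Redis glob matching.

```python
import fnmatch
import re

# Constructed subset of the Redis command categories (assumption: a few commands only).
# Module commands such as FT.SEARCH belong to no category except @all, as the page states.
CATEGORIES = {"read": {"GET", "MGET", "HGET"}, "write": {"SET", "DEL", "HSET"}}
CATEGORIES["all"] = CATEGORIES["read"] | CATEGORIES["write"] | {"PUBLISH", "FT.INFO", "FT.SEARCH"}
UNSUPPORTED = (">", "<", "#!", "resetpass")  # password syntax Redis Enterprise does not accept

def parse_rule_set(text, pubsub_default):
    cmds, keys = set(), []  # applied left to right; keys: (glob pattern, "R" / "W" / "RW")
    chans = ["*"] if pubsub_default == "allchannels" else []  # cluster-wide acl_pubsub_default
    for tok in text.split():
        if tok.startswith(UNSUPPORTED):
            raise ValueError(f"password syntax not supported: {tok}")
        if tok[:2] in ("+@", "-@"):  # whole category, e.g. +@read
            cat = CATEGORIES.get(tok[2:], set())
            cmds = cmds | cat if tok[0] == "+" else cmds - cat
        elif tok[0] in "+-":  # single command, e.g. +FT.SEARCH
            (cmds.add if tok[0] == "+" else cmds.discard)(tok[1:].upper())
        elif tok.startswith(("~", "%RW~", "%R~", "%W~")):
            perms, pattern = tok.split("~", 1)  # "~" and "%RW~" -> RW, "%R~" -> read only
            keys.append((pattern, perms.lstrip("%") or "RW"))
        elif tok in ("resetchannels", "allchannels"):
            chans = [] if tok == "resetchannels" else ["*"]
        elif tok.startswith("&"):
            chans.append(tok[1:])
        else:
            raise ValueError(f"unknown ACL token: {tok}")
    return cmds, keys, chans

def parse_acl(rule, pubsub_default="allchannels"):
    selectors = re.findall(r"\(([^()]*)\)", rule)  # each "(<rule set>)" is one selector
    base = re.sub(r"\([^()]*\)", " ", rule)
    if "(" in base or ")" in base:  # parens left over: nested selector or paren in a pattern
        raise ValueError("nested selectors and '(' / ')' in patterns are not supported")
    return [parse_rule_set(r, pubsub_default) for r in [base] + selectors]

def valid_in_enterprise(rule):
    try:
        return bool(parse_acl(rule))
    except ValueError:
        return False

def is_allowed(rule, command, key=None, channel=None, pubsub_default="allchannels"):
    # Allowed if the base rule or any selector permits the command, key and channel.
    need = "W" if command.upper() in CATEGORIES["write"] else "R"  # key permission needed
    def ok(cmds, keys, chans):
        return (command.upper() in cmds
                and (key is None or any(fnmatch.fnmatchcase(key, p) and need in perms for p, perms in keys))
                and (channel is None or any(fnmatch.fnmatchcase(channel, p) for p in chans)))
    return any(ok(*rs) for rs in parse_acl(rule, pubsub_default))
```

For example, `is_allowed("+GET ~key1 (+SET ~key2)", "SET", "key2")` is true only through the selector, and `valid_in_enterprise("+GET ~key1 (+SET (+SET ~key2) ~key3)")` is false because the selector is nested.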