Redis Enterprise Software release notes 6.4.2-30 (February 2023)
Pub/Sub ACLs and default permissions. Client certificate validation by Subject attributes.
Redis Enterprise Software version 6.4.2 is now available!
This release includes:
- Extended client certificate validation with full Subject support for mTLS (mutual TLS)
- Support for restrictive default permissions when using Pub/Sub commands with ACLs (access control lists)
- Improved TLS performance when Redis returns large arrays in responses
- Compatibility with open source Redis 6.2.7
- Additional enhancements and bug fixes
The following table shows the MD5 checksums of the available packages:
Package | MD5 checksum (6.4.2-30 February release) |
---|---|
Ubuntu 16 | b0dbecaa974ca08245dda55d53b6fe9b |
Ubuntu 18 | a5192e8b0734db80d6b7c2b98a170c58 |
RedHat Enterprise Linux (RHEL) 7 / Oracle Enterprise Linux (OL) 7 | c1537855dcfe7a7cedf9031ce01e2b9b |
RedHat Enterprise Linux (RHEL) 8 / Oracle Enterprise Linux (OL) 8 / Rocky Enterprise Linux | a24dc749d6dcb5df2162d7a41791c7aa |
New features and enhancements
Validate client certificates by Subject attributes
You can now validate client certificates by their Subject attributes. When a client attempts to connect to a database, Redis Enterprise Software compares the values of the client certificate's Subject attributes with the Subject values allowed for that database. The client can connect only if the Subject values match. This gives more flexibility in controlling which clients can access which databases.
For more information, see Enable TLS.
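As an added illustration (not code from Redis Enterprise or from this page), the following Python models the Subject comparison described above. The DN parser takes the RFC 2253 form that openssl prints; the rule that an allowed subject is a set of attribute/value pairs which must all match, while attributes not listed are ignored, is an assumption of this example, not the product's documented matching rule.

```python
import re
from typing import Dict, List

# Constructed model of validating a client certificate by its Subject attributes.
# Redis Enterprise performs this comparison itself; this is an illustration only.
# Assumption: an allowed subject is a dict of attribute -> value, and a client is
# permitted when every attribute listed in at least one allowed subject equals the
# certificate Subject value exactly (case-sensitive). Unlisted attributes are ignored.

_RDN = re.compile(r"(?P<k>[A-Za-z0-9.]+)=(?P<v>(?:\\.|[^,])*)")

def parse_subject(dn: str) -> Dict[str, str]:
    """Parse an RFC 2253 DN string such as 'CN=orders-svc,OU=payments,O=Example\\, Inc.'
    (the form `openssl x509 -noout -subject -nameopt RFC2253` prints after 'subject=')."""
    attrs: Dict[str, str] = {}
    for m in _RDN.finditer(dn):
        key = m.group("k").upper()
        value = re.sub(r"\\(.)", r"\1", m.group("v")).strip()  # undo \, and \= escapes
        attrs.setdefault(key, value)  # keep the first occurrence of a repeated attribute
    return attrs

def subject_matches(cert_subject: Dict[str, str], allowed: Dict[str, str]) -> bool:
    """All attributes listed in `allowed` must be present and equal in the certificate."""
    if not allowed:  # an empty entry would otherwise match every certificate
        return False
    return all(cert_subject.get(k.upper()) == v for k, v in allowed.items())

def client_permitted(dn: str, allowed_subjects: List[Dict[str, str]]) -> bool:
    """Permit the connection only if the Subject matches at least one allowed entry."""
    subject = parse_subject(dn)
    return any(subject_matches(subject, entry) for entry in allowed_subjects)

# Constructed sample allow-list for one database (names and values are made up).
ALLOWED_SUBJECTS = [
    {"CN": "orders-svc", "OU": "payments", "O": "Example, Inc."},
    {"CN": "reporting-svc", "O": "Example, Inc."},
]

if __name__ == "__main__":
    for dn in ("CN=orders-svc,OU=payments,O=Example\\, Inc.,C=US",
               "CN=orders-svc,O=Example\\, Inc.,C=US",
               "CN=reporting-svc,OU=analytics,O=Example\\, Inc."):
        print(dn, "->", "permitted" if client_permitted(dn, ALLOWED_SUBJECTS) else "rejected")
```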
Default Pub/Sub ACL permissions
Redis continues to extend its ACL (access control list) functionality and coverage. Redis version 6.2 enhanced ACLs to allow and disallow Pub/Sub channels.
Protecting a subset of Pub/Sub channels requires changing the default access from permissive to restrictive, which blocks all Pub/Sub channels unless an ACL rule explicitly allows them. To allow this transition across all databases in the cluster, Redis Enterprise Software 6.4.2 provides a new configuration option, acl-pubsub-default, which sets the cluster-wide default for all channels to allowed or restricted.
The acl-pubsub-default provided with a 6.4.2 installation is permissive (allchannels) to match earlier Redis versions. After upgrading all databases in the cluster to Redis database version 6.2 (or later, in future releases), you can change the value to restrictive (resetchannels) using rladmin or the REST API.
To allow certain users access to specific Pub/Sub channels, define the corresponding ACLs. Redis Enterprise Software 6.4.2 enhances the admin console (UI), CLI and REST API to support Pub/Sub channel ACL definitions.
If you use ACLs and Pub/Sub channels, we recommend that you review your database and ACL settings and plan to change the cluster to restrictive mode. This will help you prepare for using the restrictive resetchannels as the acl-pubsub-default in the future.
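Added example, not part of the original release notes: a Python model of how a user's channel rules combine with the cluster-wide acl-pubsub-default, so the effect of switching from allchannels to resetchannels on existing users can be checked offline before the cluster setting is changed. The glob matcher and the rule-evaluation order are this example's approximation of the Redis ACL semantics, not Redis Enterprise's own code.

```python
import re
from typing import Iterable, List

# Constructed model of how a user's Redis ACL channel rules combine with the
# cluster-wide acl-pubsub-default (allchannels = permissive, resetchannels =
# restrictive). Illustration only, not Redis Enterprise's own evaluation code.

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Redis-style glob (*, ?, [abc], [^abc], [a-z], \\x) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "\\" and i + 1 < len(pattern):      # backslash escapes a literal
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "[" and "]" in pattern[i + 2:]:       # bracket class
            j = pattern.index("]", i + 2)
            body = pattern[i + 1:j]
            neg = body.startswith("^")
            cls = "".join(ch if ch == "-" else re.escape(ch) for ch in body.lstrip("^"))
            out.append("[" + ("^" if neg else "") + cls + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)

def channel_allowed(rules: Iterable[str], channel: str,
                    acl_pubsub_default: str = "allchannels") -> bool:
    """Apply the user's ACL rules in order, starting from the cluster default.
    Rules that do not concern channels (keys, commands, passwords) are ignored."""
    if acl_pubsub_default not in ("allchannels", "resetchannels"):
        raise ValueError("acl-pubsub-default must be allchannels or resetchannels")
    all_channels = acl_pubsub_default == "allchannels"   # permissive starting point?
    patterns: List["re.Pattern[str]"] = []
    for rule in rules:
        if rule == "allchannels":            # equivalent to &*
            all_channels, patterns = True, []
        elif rule == "resetchannels":        # drop every channel permission
            all_channels, patterns = False, []
        elif rule.startswith("&"):           # allow channels matching this glob
            patterns.append(glob_to_regex(rule[1:]))
    return all_channels or any(p.match(channel) for p in patterns)
```

A user defined only with key and command rules keeps access to every channel under the permissive default and loses it under the restrictive one, which is the case to look for when reviewing existing ACLs.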
Redis modules
Redis Enterprise Software v6.4.2 includes the following Redis modules:
See Upgrade modules to learn how to upgrade a database's modules.
Installation, upgrade and troubleshooting
- install.sh now runs even if "Upgrade Mode" is enabled, so it can be re-run if the previous run failed (RS77319)
- Added to the redis_mgr process (RS77891), the job_scheduler process (RS82673) and the install.sh script (RS82673)
- Improved error messages for rladmin certificate validation (RS79933)
- Added the internode encryption ports to the rlcheck command-line utility validation (RS68965)
- Added alerts to notify when node operations (such as maintenance mode) fail, abort or are cancelled. The alerts are enabled by default (RS76089)
Version changes
Breaking changes
- REST API: the authorized_names field is deprecated. Use the new authorized_subjects field instead.
New default Redis database version
Redis Enterprise Software versions 6.2.x and 6.4.x both include two Redis database versions: Redis DB 6.0 and Redis DB 6.2. Until now, the default Redis database version used to create new databases and to upgrade existing databases was 6.0 (governed by the redis_upgrade_policy parameter).
To give customers more flexibility in future upgrades, starting with Redis Enterprise Software 6.4.2 the following applies to all upgrade policies (redis_upgrade_policy=major and redis_upgrade_policy=latest):
Redis Enterprise version | Bundled Redis database versions | Default database version (upgrade/new database) |
---|---|---|
6.2.x | 6.0, 6.2 | 6.0 |
6.4.2 | 6.0, 6.2 | 6.2 |
You can change this setting with rladmin; however, we recommend that you do not.
Deprecations
Ubuntu 16.04
Ubuntu 16 support is considered deprecated and will be removed in a future release. Ubuntu 16.04 LTS (Xenial) reached the end of its initial five-year free security maintenance period on April 30, 2021.
Active-Active database persistence
The snapshot option for Active-Active database persistence is deprecated. We recommend that customers running Active-Active databases configured with snapshot data persistence reconfigure their data persistence mode to use the AOF (append-only file) option with the following command:
crdb-cli crdb update --crdb-guid <CRDB_GUID> \
--default-db-config '{"data_persistence": "aof", "aof_policy":"appendfsync-every-sec"}'
TLS 1.0 and TLS 1.1
TLS 1.0 and TLS 1.1 connections are considered deprecated in favor of TLS 1.2 or later.
Please verify that all clients, apps, and connections support TLS 1.2. Support for the earlier protocols will be removed in a future release.
Certain operating systems, such as RHEL 8, have already removed support for the earlier protocols. Redis Enterprise Software cannot support connection protocols that are not supported by the underlying operating system.
3DES encryption cipher
The 3DES encryption cipher is considered deprecated in favor of stronger ciphers like AES.
Please verify that all clients, apps, and connections support the AES cipher. Support for 3DES will be removed in a future release.
Certain operating systems, such as RHEL 8, have already removed support for 3DES. Redis Enterprise Software cannot support cipher suites that are not supported by the underlying operating system.
Resolved issues
- RS72866 - Improved performance for client connections which use TLS
- RS78241 - Fixed shard placement to always respect rack-zone restrictions and avoid a state where a primary (master) and replica are on the same rack, even if temporarily
- RS78144 - Removed the dependency on system-wide ldconfig so non-interactive processes will use their own dynamic libraries without impacting external services
- RS78028 - Fixed race condition during rolling upgrade that might result in shards repeatedly restarting
- RS77964 - Fixed module deletion to remove the old directory with the module
- RS75259 - Fixed node to prevent using plain text communication instead of TLS after losing connectivity
- RS69616 - Fixed validation for internode communication ports
- RS83535 - Fixed sentinel_service to start on RHEL 8 with DISA STIG profile
- RS87191 - Fixed a cross slot error when using Auto Tiering with Replica Of, in case a key on the source database swapped from RAM to flash and expired while it was also part of Lua script execution
Known limitations
Feature limitations
- RS101204 - High memory consumption caused by the persistence_mgr service when AOF persistence is configured for every second. Monitor RAM usage of the process. In case of high usage, the temporary workaround is to restart the service by running supervisorctl restart persistence_mgr. A permanent fix is to install or upgrade to the 6.4.2 June maintenance release.
Upgrade limitations
Before you upgrade a cluster that hosts Active-Active databases with modules to v6.4.2-30, perform the following steps:
- Use crdb-cli to verify that the modules (modules) and their versions (in module_list) are as they appear in the database configuration and in the default database configuration:
crdb-cli crdb get --crdb-guid <crdb-guid>
- From the admin console's redis modules tab, validate that these modules with their specific versions are loaded to the cluster.
- If one or more of the modules/versions are missing or if you need help, contact Redis support before taking additional steps.
This limitation has been fixed and resolved as of v6.4.2-43.
Operating system limitations
RHEL 7 and RHEL 8
If you have a custom installation with a non-default $installdir and use Active-Active or Auto Tiering features, failures might occur when you upgrade. This issue will be fixed in a future maintenance release.
RHEL 8
Due to module binary differences between RHEL 7 and RHEL 8, you cannot upgrade RHEL 7 clusters to RHEL 8 when they host databases using modules. Instead, you need to create a new cluster on RHEL 8 and then migrate existing data from your RHEL 7 cluster. This does not apply to clusters that do not use modules.
Security
Open source Redis security fixes compatibility
As part of Redis's commitment to security, Redis Enterprise Software implements the latest security fixes available with open source Redis. The following open source Redis CVEs do not affect Redis Enterprise:
- CVE-2021-32625 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis since Redis Enterprise does not implement LCS. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.4, Redis 6.0.14)
- CVE-2021-32672 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the LUA debugger is unsupported in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
- CVE-2021-32675 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proxy in Redis Enterprise does not forward unauthenticated requests. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
- CVE-2021-32762 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the memory allocator used in Redis Enterprise is not vulnerable. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
- CVE-2021-41099 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proto-max-bulk-len CONFIG is blocked in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
Redis Enterprise has already included the fixes for the relevant CVEs. Some CVEs announced for open source Redis do not affect Redis Enterprise due to different and additional functionality available in Redis Enterprise that is not available in open source Redis.