
Redis ACL using Microsoft.Extensions.Caching.StackExchangeRedis #56183

@chaadfh


Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

This is probably not a bug with Microsoft.Extensions.Caching.StackExchangeRedis itself, but more a bug in the documentation.
I've set up 3 Redis instances in a primary/replica setup. I'm trying to connect directly to the primary Redis instance.

Connecting to the primary Redis instance using ACL gives me a headache, and I haven't been able to find any documentation on the minimum ACL requirements for a user that wants to connect.

Before testing, I had the following ACL setup on my user: ~test:* &* -@all +@read +@pubsub +set +echo +info +ping

After testing and making small changes to my user, I keep running into one error after the other. My user ACL setup ended like this: ~* &* -@all +@read +@pubsub +set +get +echo +eval +info +ping.

Now I'm getting an error when the API boots up and I try to write anything to the cache:
ERR The user executing the script can't run this command or subcommand script: 3915ee22fda531a1d5661f2523d0443fd35ff0a4, on @user_script:2

Expected Behavior

I would expect that I could find the minimum ACL requirement somewhere, using distributed cache with Redis, without having to completely open up my Redis instance, and minimize the access of the user.

Steps To Reproduce

  1. Create Redis user with the following ACL setup: ~* &* -@all +@read +@pubsub +set +get +echo +eval +info +ping
  2. Set up Redis cache using AddStackExchangeRedisCache
builder.Services.AddStackExchangeRedisCache(options => 
{
    options.InstanceName = "Test";

    options.ConfigurationOptions = new ConfigurationOptions()
    {
        EndPoints = { "<some instance>:6379" }, // the property is spelled EndPoints in StackExchange.Redis
        User = "<username>",
        Password = "<password>"
    };
});
  3. Set some key using IDistributedCache service
app.Lifetime.ApplicationStarted.Register(() =>
{
    var currentTime = DateTime.Now.ToString();
    var encoded = System.Text.Encoding.UTF8.GetBytes(currentTime);
    var options = new DistributedCacheEntryOptions().SetSlidingExpiration(TimeSpan.FromSeconds(20));
    app.Services.GetService<IDistributedCache>().Set("test", encoded, options);
});

Exceptions (if any)

Exception message: ERR The user executing the script can't run this command or subcommand script: 3915ee22fda531a1d5661f2523d0443fd35ff0a4, on @user_script:2.

Stack trace:

at StackExchange.Redis.ConnectionMultiplexer.ExecuteSyncImpl[T](Message message, ResultProcessor`1 processor, ServerEndPoint server, T defaultValue)
at StackExchange.Redis.RedisBase.ExecuteSync[T](Message message, ResultProcessor`1 processor, ServerEndPoint server, T defaultValue)
at StackExchange.Redis.RedisDatabase.ScriptEvaluate(String script, RedisKey[] keys, RedisValue[] values, CommandFlags flags)
at Microsoft.Extensions.Caching.StackExchangeRedis.RedisCache.Set(String key, Byte[] value, DistributedCacheEntryOptions options)
at Program.<>c__DisplayClass0_0.<<Main>$>b__10() in <file path removed>\Program.cs:line 261
at System.Threading.CancellationTokenSource.Invoke(Delegate d, Object state, CancellationTokenSource source)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)

.NET Version

8.0.301

Anything else?

No response
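
Added example (not part of the original issue and not the library's code): a small offline model of how Redis applies `+`/`-` command rules left to right, run against the two ACL strings quoted above. The error in the issue shows that commands called from inside a script are checked against the calling user, so a rule set has to cover those inner commands as well as `EVAL`. The category table is a constructed subset and `ASSUMED_NEEDED` is a hypothetical command list, not taken from the issue; on a real server, test a user with `ACL DRYRUN` and read denials from `ACL LOG`.

```python
# Constructed subset of command -> ACL categories; a real server reports these via COMMAND INFO.
CATEGORIES = {
    "get":     {"read", "string", "fast"},
    "set":     {"write", "string", "slow"},
    "hmget":   {"read", "hash", "fast"},
    "hset":    {"write", "hash", "fast"},
    "expire":  {"keyspace", "write", "fast"},
    "del":     {"keyspace", "write", "slow"},
    "eval":    {"slow", "scripting"},
    "evalsha": {"slow", "scripting"},
    "echo":    {"fast", "connection"},
    "ping":    {"fast", "connection"},
    "info":    {"slow", "dangerous"},
}

# Hypothetical commands a hash-based cache might issue directly or via redis.call();
# an assumption for illustration, replace with what your library version really sends.
ASSUMED_NEEDED = ["eval", "hset", "hmget", "expire", "del"]

# The two rule strings quoted in the issue.
ACL_BEFORE = "~test:* &* -@all +@read +@pubsub +set +echo +info +ping"
ACL_AFTER = "~* &* -@all +@read +@pubsub +set +get +echo +eval +info +ping"

def allowed_commands(acl):
    """Apply +cmd / -cmd / +@cat / -@cat rules in order; later rules override earlier ones."""
    allowed = set()
    for rule in acl.split():
        if rule[0] not in "+-":
            continue  # key (~) and channel (&) patterns are not modelled here
        name = rule[1:].lower()
        if name.startswith("@"):
            cat = name[1:]
            hits = {c for c, cats in CATEGORIES.items() if cat == "all" or cat in cats}
        else:
            hits = {name}  # subcommand rules such as +config|get are not modelled
        allowed = allowed | hits if rule[0] == "+" else allowed - hits
    return allowed

def denied(acl, needed=ASSUMED_NEEDED):
    """Return the needed commands the rule string does not permit, in input order."""
    ok = allowed_commands(acl)
    return [cmd for cmd in needed if cmd not in ok]

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, "denies", denied(acl))
```

`+@read` never grants a write command, so under these assumptions both rule strings still deny the write calls a script would make.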
