Cannot set password for redis sentinel 3.2 #3279
Comments
|
I could not find any parameter like requirepass in sentinel.conf file. Did you configure redis.conf with password? |
|
It looks like you can use If I don't set a password then protected mode kicks in. If I explicitly set How should I be setting a password for sentinel? |
Sentinel itself does not have any configs by default to support authentication. Since Sentinel is built as a kind of wrapper over the redis-server, all configs are accessible, so the authentication feature can be enabled manually by adding the configuration requirepass in sentinel.conf. And then we need to add the AUTH command to the Sentinel's supported command list for it to work properly. Committing the same here to fix redis#3279
|
@srhitesh, Thanks for your analysis. Hope the above PR solves this issue. |
|
+1.. just spent couple hours to arrive at same conclusion :/ |
|
Thanks a lot! You guys rock! |
|
Another option could be to set sentinels to 'protected-mode no' as default if they have no path to getting or setting data in the actual redis nodes.. |
|
Hello, updating Sentinel to accept AUTH is not currently the right solution because there is then no way to instruct the other Sentinels to access it via authentication. All the Sentinels should at least share the same password, because we use auto discovery between Sentinels, so it is a currently unsolved problem. AFAIK the real issue here is that the protected mode message is misleading in the case of Redis Sentinel. It is not clear at all that Sentinel does not support AUTH. So perhaps it may be better to just change the message AND at the same time to throw an error when |
|
But the problem is the sentinels can not talk to each other and determine
|
|
I think better to support AUTH in sentinel and also add the |
|
As @skyscooby points out above if you bring up a sentinel group they each enter protected mode under the rules set out for protected mode. You can't then set a password because sentinel doesn't understand auth. In short, protected mode appears to have broken sentinels. The only fix I've been able to implement is configuring my sentinels with |
|
@cooperaj may I ask you why it is not possible to just use |
|
@antirez Our organisation's servers sit on an open network. Can't be having the students stumbling across servers and playing with things. Ideally we could firewall it all off but we have no idea what a legitimate user of the service could be. |
|
Is there any advance on this? The redis 3.2 protected mode is useless to protect the sentinels, it is based on binding to a specific interface, if loopback is set there is no way for sentinels in different hosts to work, if it is the main interface, anyone with access to that interface can kill your redis cluster. Is as easy as Supporting the AUTH command seems like a simple change and there is a PR open for that #3329 what is preventing you to go ahead? |
|
@jijojv AFAIK such patch is broken, I'm checking better how we could resolve this issue. |
|
Sentinel password authentication added in fa67525. |
So far it was not possible to setup Sentinel with authentication enabled. This commit introduces this feature: every Sentinel will try to authenticate with other sentinels using the same password it is configured to accept clients with. So for instance if a Sentinel has a "requirepass" configuration statement set to "foo", it will use the "foo" password to authenticate with every other Sentinel it connects to. So basically to add the "requirepass" to all the Sentinels configurations is enough in order to make sure that: 1) Clients will require the password to access the Sentinels instances. 2) Each Sentinel will use the same password to connect and authenticate with every other Sentinel in the group. Related to #3279 and #3329.
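A configuration check for the behaviour this commit describes, as an added example that is not part of the thread or of Redis itself: it reads each Sentinel's sentinel.conf and reports instances without requirepass and groups whose passwords differ. The sample configs, Sentinel names and finding labels are constructed, and it assumes the protected-mode rule of these releases (active only when neither bind nor a password is set).

```python
import shlex

WATCHED = {"requirepass", "protected-mode", "bind"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_sentinel_conf(text):
    """Collect the directives this check needs from one sentinel.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # copes with quoted passwords
        if parts[0].lower() in WATCHED:
            conf[parts[0].lower()] = parts[1:]
    return conf

def audit_group(confs):
    """confs maps a Sentinel name to its sentinel.conf text.
    Returns sorted (name, finding) pairs; passwords are never echoed."""
    findings, passwords = [], {}
    for name, text in confs.items():
        conf = parse_sentinel_conf(text)
        password = (conf.get("requirepass") or [""])[0]
        if password:
            passwords[name] = password
            continue
        mode = (conf.get("protected-mode") or ["yes"])[0].lower()
        bound_out = any(a not in LOOPBACK for a in conf.get("bind", []))
        if mode == "no" or bound_out:
            findings.append((name, "no-auth-open"))
        else:
            findings.append((name, "no-auth-loopback-only"))
    # Every Sentinel authenticates to its peers with its own requirepass,
    # so differing passwords break discovery inside the group.
    if len(set(passwords.values())) > 1:
        findings += [(name, "password-mismatch") for name in passwords]
    return sorted(findings)

# Constructed sample: three Sentinels of one group.
SAMPLE = {
    "sentinel-a": 'port 26379\nrequirepass "foo"\n',
    "sentinel-b": "port 26379\nrequirepass bar\n",
    "sentinel-c": "port 26379\nprotected-mode no\n",
}

if __name__ == "__main__":
    for name, finding in audit_group(SAMPLE):
        print(name, finding)
```

An empty result means every Sentinel in the group has the same non-empty requirepass.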
|
@antirez Thanks |
Sentinel must be exposed, so protected mode is just an issue for users in case Redis was started in Sentinel mode. Related to redis#3279 and redis#3329.
Add a new redis_major_version parameter, and send AUTH commands to Sentinels if a password is configured and redis_major_version >= 5. redis_major_version arbitrarily defaults to 3, which maintains the existing behavior of not sending AUTH to Sentinels ever. Update README with new parameter/usage and bump rock version. In Redis 3.x and 4.x, Sentinels did not support authentication per redis/redis#3279. redis/redis@fa67525 added authentication support to Sentinel, and this was released to stable in 5.0.1: https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES Because Redis releases <5.0.1 will reject AUTH attempts to Sentinel and clients cannot send INFO without first sending AUTH if required, some mechanism of differentiating client behavior is necessary.

I tried to set up redis sentinel so that it has high availability and supports failover.
I began by setting up the redis replication (1 master and 2 slaves in 3 ec2-instances).
After that, I installed the redis-sentinel service on each instance.
However, when I tried to access redis-sentinel remotely (from my local machine),
it shows the following message
So, I tried to set
requirepass in sentinel.conf. But after I run
redis-cli -h REDIS-IP -a PASSWORD -p SENTINEL_PORT INFO
it shows the following
Is there any way I could connect to redis-sentinel remotely?
Please advise.