
[QUESTION] how to set sentinel-user acl in file for Redis v6.0 #9536

Closed
ptulpen opened this issue Sep 22, 2021 · 8 comments

Comments


ptulpen commented Sep 22, 2021

Hello,
I want to set the ACLs of the sentinel-user and replication-user via the ACL files.
The documentation on https://redis.io/topics/acl describes how to do it on the command line, but when I transfer this to a users.acl file I get
"Unknown command or category name in ACL."
users.acl looks like:

user default on XXX ~* &* +@all
user sentinel-user on XXX allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill
user replica-user on XXX +psync +replconf +ping

Am I missing something, or is something different when using the categories in files?

itamarhaber (Member) commented

Hello @ptulpen

You can generate an aclfile that loads correctly by:

  1. Create an empty file, e.g. touch myaclfile
  2. Start the server with the file, e.g. redis-server --aclfile myaclfile
  3. From the CLI, set up your ACL rules with ACL SETUSER
  4. Issue an ACL SAVE to persist the rules to the aclfile

It could be, in your case, that the XXX isn't a valid password directive. Note that password directives need to start with one of these (depending on type and action): >, <, # or !. So, your example should work if you prefix your passwords like so: >XXX.

I hope this solves the issue for you, but please let us know if there's something amiss.

ptulpen (Author) commented Sep 28, 2021

Hello,
first, thanks for your answer.
The XXX in the original had the >.
I now tried your method, even with the password from the documentation, which gives me this line:
user sentinel-user on #42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d &* -@ALL +role +ping +client|setname +client|kill +script|kill +info +subscribe +slaveof +config|rewrite +multi +publish +exec
but I still get:
Aborting Redis startup because of ACL errors: /etc/redis/users.acl:2: Unknown command or category name in ACL.

itamarhaber (Member) commented

Alrighty, I believe I know the problem: you're using Redis v6.0, whereas the documentation is about v6.2 (yes, I know, there's a lot to be desired with the documentation).

In v6.2 we've introduced a breaking change to ACL, namely the support for Pub/Sub patterns. The break is the addition of the new "verb" &*, which isn't compatible with v6.0.

I recommend that you upgrade to the latest stable version (and not only because of this), but if you want to keep using the older version, just don't use that verb, i.e.:

user sentinel-user on #42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d -@all +role +ping +client|setname +client|kill +script|kill +info +subscribe +slaveof +config|rewrite +multi +publish +exec

@itamarhaber itamarhaber changed the title [QUESTION] how to set sentinel-user acl in file [QUESTION] how to set sentinel-user acl in file for Redis v6.0 Sep 28, 2021
ptulpen (Author) commented Sep 28, 2021

Hello,
I have installed 6.2.5 from the remi repo.
Nevertheless, I tried your line, but it still gives me:
Aborting Redis startup because of ACL errors: /etc/redis/users.acl:2: Unknown command or category name

itamarhaber (Member) commented

Then I'm sorry to say that I can't reproduce it - the aclfile you've posted literally "works on my laptop" with unstable and v6.2.5.

The error you're getting is very specific and the source code seems straightforward in that area. It means one (or more) of the + or - directives refers to a non-command/category. Could you, perhaps, find the offending command/category via trial and error? Sorry for the lame suggestion but I'm running out of ideas :)

ptulpen (Author) commented Sep 28, 2021

So, via trial and error I found out that this works:
user sentinel-user on #42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d -@ALL +role +ping +client|setname +client|kill +info +subscribe

and these commands don't:
+slaveof
+script|kill
+config|rewrite
+multi
+exec

But would that work as a proper Sentinel cluster?

itamarhaber (Member) commented

Ok, I see what's happening here. You're attempting to use the Redis server's ACL rules on a Sentinel instance. The docs are about configuring the server to allow Sentinel's user to perform its operations. Sentinel also supports ACL, but only for its commands (15 or so). There are no formal recommendations on how to set up your Sentinel ACL rules as it depends on your deployment.

ptulpen (Author) commented Oct 5, 2021

Hello, yes, you are right.
I had the aclfile parameter pointing to the same file in Redis and Sentinel.
Thanks for your help.

@ptulpen ptulpen closed this as completed Oct 5, 2021
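As an added example (not code from the thread or from the Redis project), the following Python checker catches offline the three things that went wrong above: a password token without a directive prefix (XXX instead of >XXX), Pub/Sub rules (&pattern, allchannels, resetchannels) fed to a Redis older than 6.2, and the server-only commands that Sentinel's own ACL loader rejected in ptulpen's trial and error. The Sentinel rejection list is taken from the results reported in this thread, not from an official command table, and the target version is a parameter the caller supplies; both are assumptions of this example.

```python
# Added example: offline sanity checker for Redis aclfile lines.
# Flags the three problems from the thread: bare passwords, Pub/Sub rules on
# a pre-6.2 Redis, and server-only commands in a Sentinel aclfile.

# A password directive must start with one of these characters.
PASSWORD_PREFIXES = (">", "<", "#", "!")

# Bare keywords accepted in a user line (subset of the documented ACL rules).
KEYWORDS = {
    "on", "off", "nopass", "resetpass", "reset",
    "allkeys", "resetkeys", "allcommands", "nocommands",
    "allchannels", "resetchannels",
}
# Pub/Sub ACL rules (channel patterns and these keywords) arrived in Redis 6.2.
PUBSUB_KEYWORDS = {"allchannels", "resetchannels"}
PUBSUB_MIN_VERSION = (6, 2)

# Constructed from the thread's trial-and-error results on Sentinel 6.2.5;
# this is NOT an official list of Sentinel-supported commands.
SENTINEL_REJECTED = {"slaveof", "script|kill", "config|rewrite", "multi", "exec"}


def check_acl_line(line, version=(6, 2), sentinel=False):
    """Return a list of problem strings for one aclfile line (empty means OK)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        return ['line must start with "user <name>"']
    problems = []
    for tok in tokens[2:]:
        if tok in KEYWORDS:
            if tok in PUBSUB_KEYWORDS and version < PUBSUB_MIN_VERSION:
                problems.append(f"{tok}: Pub/Sub ACL rules need Redis 6.2+")
            continue
        if tok[0] in PASSWORD_PREFIXES or tok[0] == "~":
            continue  # password directive or key pattern
        if tok[0] == "&":
            if version < PUBSUB_MIN_VERSION:
                problems.append(f"{tok}: channel patterns need Redis 6.2+")
            continue
        if tok[0] in "+-":
            name = tok[1:].lower()
            if sentinel and name in SENTINEL_REJECTED:
                problems.append(f"{tok}: not a Sentinel command (server-only)")
            continue
        problems.append(
            f"{tok}: unrecognised rule; a password must start with one of > < # !"
        )
    return problems


def check_acl_file(text, **kwargs):
    """Map 1-based line number -> problems, mirroring Redis's 'users.acl:2:' style."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # Redis skips empty lines in an aclfile
        problems = check_acl_line(line, **kwargs)
        if problems:
            report[lineno] = problems
    return report


if __name__ == "__main__":
    # Constructed sample resembling the users.acl from the first post.
    sample = (
        "user default on XXX ~* &* +@all\n"
        "user sentinel-user on >secret allchannels +multi +slaveof +ping\n"
    )
    for target in ((6, 0), (6, 2)):
        print(f"-- as a Redis {target[0]}.{target[1]} server aclfile")
        for lineno, probs in check_acl_file(sample, version=target).items():
            for p in probs:
                print(f"users.acl:{lineno}: {p}")
    print("-- same file loaded by Sentinel")
    for lineno, probs in check_acl_file(sample, sentinel=True).items():
        for p in probs:
            print(f"users.acl:{lineno}: {p}")
```

Run it directly to see the report for the constructed sample; for your own file, read it into `check_acl_file` with the `version` you actually run and `sentinel=True` when the file is the one Sentinel loads. The checker is deliberately permissive about `+`/`-` names it does not know, since the authoritative answer for those is the server's own loader.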