Read-only access


Valery Vishnyakov

Feb 23, 2012, 11:14:12 AM
to Redis DB
I have applications that need to read data from redis and I want to
make sure that this application won't have rights to write anything
or flush data. This is a third-party application. So I'm wondering if
there is a way to set a redis client to run in read-only mode.

Thanks in advance.

Josiah Carlson

Feb 23, 2012, 12:58:11 PM
to redi...@googlegroups.com
If you can't trust your client, then they shouldn't have access to
Redis. You should build a layer that restricts client commands to only
what you want them to use.

You can rename commands, which would let you rename any commands you
don't want clients to use, but then no other clients could use that
server.

Regards,
- Josiah

> --
> You received this message because you are subscribed to the Google Groups "Redis DB" group.
> To post to this group, send email to redi...@googlegroups.com.
> To unsubscribe from this group, send email to redis-db+u...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/redis-db?hl=en.
>

Daniel Schnell

Feb 23, 2012, 3:37:13 PM
to redi...@googlegroups.com
Hi,

(shameless plug on)

I implemented something in this way and tweaked redis in its interpretation of the auth command. Basically you create a set with the key name as the password and the values of allowed commands you get access to if you authenticate with this password. Redis then always checks the command of the authenticated client against this set and if it does not match, returns an error "operation not permitted". In choosing this approach I am able to provide session passwords with timeouts, because you can easily expire these sets with the EXPIRE command.

Naturally you should be very conservative in which commands you allow with this method, because the whole thing stands and falls if you can list all possible keys of redis and therefore passwords. So the KEYS command is a no go.
Look here: https://github.com/lumpidu/redis/wiki . It has not been updated for a while, but it should be straightforward to merge it in any newer redis version.

(shameless plug off)


Regards,

Daniel.

Salvatore Sanfilippo

Feb 24, 2012, 5:27:51 AM
to redi...@googlegroups.com
Hello Valery,

There is no plan to support ACLs, but there is definitely a plan to
support read-only slaves, so what you could do once this feature is
implemented is to set up a slave that is reachable by the client.

I had this feature in my TODO list for 2.6, it's trivial code (because
of the internals of 2.6) but I'm not sure it will make it for 2.6.0
RC1. Probably will be a backport at some time in the early releases of
Redis 2.6.

For now, as Josiah suggested, creating an intermediate layer is the only way.

Salvatore


--
Salvatore 'antirez' Sanfilippo
open source developer - VMware

http://invece.org
"We are what we repeatedly do. Excellence, therefore, is not an act,
but a habit." -- Aristotele
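
The intermediate layer suggested in this thread has to parse the Redis request protocol itself and allow commands by name, rather than trying to list the ones to block. The following is an added example, not code from any poster or from Redis: a Python filter that a proxy could call on each client buffer. The allowlist contents and all function names are assumptions.

```python
# Added example: command allowlist for a read-only layer in front of Redis.
READ_ONLY = {b"GET", b"MGET", b"EXISTS", b"TTL", b"TYPE", b"STRLEN", b"HGET",
             b"HGETALL", b"LRANGE", b"SMEMBERS", b"ZRANGE", b"PING"}  # assumed set
DENIED = b"-ERR operation not permitted\r\n"

class ProtocolError(ValueError):
    """Request is not a well-formed array of bulk strings."""

def _line(buf, pos):
    """Return (line, next_pos), or (None, pos) if no CRLF has arrived yet."""
    end = buf.find(b"\r\n", pos)
    return (None, pos) if end < 0 else (buf[pos:end], end + 2)

def _length(raw):
    if not raw.isdigit():  # also rejects empty and negative lengths
        raise ProtocolError("bad length field")
    return int(raw)

def parse_request(buf):
    """Parse one request. Returns (args, consumed) or (None, 0) if incomplete."""
    if not buf:
        return None, 0
    if buf[:1] != b"*":  # inline form ("FLUSHALL\r\n") is refused, not guessed at
        raise ProtocolError("only array requests are accepted")
    header, pos = _line(buf, 1)
    if header is None:
        return None, 0
    args = []
    for _ in range(_length(header)):
        size, start = _line(buf, pos)
        if size is None:
            return None, 0
        if size[:1] != b"$":
            raise ProtocolError("expected bulk string")
        end = start + _length(size[1:])
        if len(buf) < end + 2:
            return None, 0
        if buf[end:end + 2] != b"\r\n":
            raise ProtocolError("bulk string not CRLF-terminated")
        args.append(buf[start:end])
        pos = end + 2
    return args, pos

def filter_request(buf):
    """Return (bytes_to_forward, reply_to_client, consumed) for one request."""
    args, used = parse_request(buf)
    if args is None:
        return None, None, 0
    if args and args[0].upper() in READ_ONLY:  # command names are case-insensitive
        return buf[:used], None, used
    return None, DENIED, used
```

A proxy would call `filter_request` in a loop over pipelined input, close the connection on `ProtocolError`, and cap how many bytes it buffers while waiting for an incomplete request.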
