Restrict users to specific keys using ACL.


wajahat siddiqui

Dec 7, 2020, 2:27:43 PM
to Redis DB
Hi, I have created an ACL user with specific permission to view only certain specific keys, but it's getting all the keys in the database.

MY ACL
ACL SETUSER alex on >123 ~apple:* +@all
 
OUTPUT OF KEYS  *
127.0.0.1:6379[190]> auth alex 123
OK
127.0.0.1:6379[190]> KEYS *
1) "grape:green"
2) "apple:red"
127.0.0.1:6379[190]> ACL WHOAMI
"alex"

Itamar Haber

Dec 8, 2020, 4:13:55 AM
to Redis DB
Hello Wajahat,

This is expected, even if somewhat confusing initially. The `KEYS` command only returns the names of keys; it does not really access the keys (or values) themselves, nor does it filter the keys according to the user's ACL. By the way, `SCAN` is also like that. However, any command that actually accesses a key (or value) does respect the ACL rule for the user, so even if key names can be listed it doesn't mean that they are accessible. Put differently, key-level permissions are checked when trying to access it to read/write.

I hope this helps :)

Cheers,
Itamar
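
As an added illustration (not part of the thread and not Redis source code), here is a simplified Python model of the check described in the reply above: key patterns are tested only against a command's key arguments, and `KEYS`/`SCAN` have none. The names `KEY_SPECS`, `parse_rules` and `check` are hypothetical, and the `-keys -scan` variant is an assumption added to show how name enumeration can be blocked at the command level.

```python
from fnmatch import fnmatchcase  # close enough to Redis globbing for "prefix:*" patterns

# (first key, last key, step) argument positions, as COMMAND INFO reports them.
# KEYS takes a pattern and SCAN a cursor, so neither has key arguments.
KEY_SPECS = {
    "get": (1, 1, 1), "set": (1, 1, 1), "setex": (1, 1, 1),
    "mget": (1, -1, 1), "keys": (0, 0, 0), "scan": (0, 0, 0),
}

def parse_rules(rules):
    """Apply ACL SETUSER rules left to right; returns (key patterns, allowed commands)."""
    patterns, commands = [], set()
    for rule in rules.split():
        if rule.startswith("~"):
            patterns.append(rule[1:])
        elif rule == "+@all":
            commands |= set(KEY_SPECS)       # model: "all" = the commands listed above
        elif rule == "-@all":
            commands.clear()
        elif rule[0] in "+-" and not rule[1:].startswith("@"):
            name = rule[1:].lower()
            if rule[0] == "+":
                commands.add(name)
            else:
                commands.discard(name)
    return patterns, commands                # "on" and ">password" are ignored here

def check(user, *argv):
    """Return 'OK', 'NOPERM command' or 'NOPERM key' for one command invocation."""
    patterns, commands = user
    name = argv[0].lower()
    if name not in commands:
        return "NOPERM command"
    first, last, step = KEY_SPECS.get(name, (0, 0, 0))
    if first == 0:
        return "OK"                          # no key arguments: patterns never consulted
    end = len(argv) + last if last < 0 else last
    for key in argv[first:end + 1:step]:
        if not any(fnmatchcase(key, p) for p in patterns):
            return "NOPERM key"
    return "OK"

ALEX = parse_rules("on >123 ~apple:* +@all")                     # rule from the thread
ALEX_LOCKED = parse_rules("on >123 ~apple:* +@all -keys -scan")  # assumed hardened variant

if __name__ == "__main__":
    for user, argv in [(ALEX, ("KEYS", "*")), (ALEX, ("GET", "grape:green")),
                       (ALEX_LOCKED, ("KEYS", "*")), (ALEX_LOCKED, ("GET", "apple:red"))]:
        print(" ".join(argv), "->", check(user, *argv))
```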

wajahat siddiqui

Dec 8, 2020, 10:20:01 AM
to redi...@googlegroups.com, 247....@gmail.com
Hi Itamar Haber,
Thanks for your clear explanation of the key command. So, by your explanation, I have given alex permission of get, info, ping, set, setex, get, auth, info, select to a specific key which is ~apple:*,
so user alex will not be able to get the values of other prefix keys, right? Furthermore, is there a way to give permissions on a more granular level, like giving alex permission to get, info, ping, set, setex, get, auth, info, select on a specific Redis database, so the user can use all the permissible commands on that DB only?
Best regards,
wajahat

Itamar Haber

Dec 9, 2020, 11:04:10 AM
to Redis DB
>  so by your explanation ... of other prefix keys right?
Exactly.

> Furthermore, is there a way to give permissions ... on a specific redis database 
No, and there isn't likely to be - please refer to https://github.com/redis/redis/issues/8099#issuecomment-741868975

Cheers,
Itamar