top of page

Redis ACL

Redis ACL(Access Control List) is the feature that allows one to control & restrict user access.

The restriction includes commands that are executed and the keys that can be accessed.

When connecting to Redis, the default user gains full access without requiring a password, which is not the best approach when it comes to security. Redis ACL feature is only available for Redis 6.0 & Above.


  • View Redis ACL

To view existing Redis ACL we use the command ACL LIST. This shows a list of users available under Redis ACL.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> 

Here, user: user flag. default: Name of the user. on: Auth status of the user. nopass : There is no password associated with this default user & the user can connect to Redis without a password.

~* : Allow access to all keys.

&* : Allow access to Pub/Sub channels. +@all: Allow access to all commands.


  • Create Redis ACL User

Let's create a test user with various types of restrictions to better understand this.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> ACL SETUSER devops
OK
127.0.0.1:6379>
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops off resetchannels -@all"
127.0.0.1:6379> 

Redis by default disabled the newly created user. As you can see here in the output above the status of this user is off.


  • Enable & Set the Password

Let's enable the user and set the password.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> ACL SETUSER devops on >pass@123#
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6 resetchannels -@all"
127.0.0.1:6379> 

Here, ACL SETUSER: Modify or create the rules for a specific ACL user devops: Name of the user on: Enable user >pass@123#: New password of user devops


  • Redis Authentication & Access Validation

Now we'll try to connect Redis using this newly created user.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> auth devops pass@123#
OK
127.0.0.1:6379>

Let me try to create a string using the SET command to see if restrictions are really working.

127.0.0.1:6379> set teststr "this is test string"
(error) NOPERM this user has no permissions to run the 'set' command
127.0.0.1:6379> 

So this is working as expected as user devops doesn't have access to any command.


  • Allow Command Access to Redis User

Now we'll allow SET & GET commands to user devops from default (full user) login.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> ACL SETUSER devops ~teststr:* +set +get
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6  ~teststr* resetchannels -@all +get +set"127.0.0.1:6379> 

Here,

ACL SETUSER: Modify or create the rules for a specific ACL user devops: Name of the user ~teststr* : Name of key to allow access +set +get : Commands to allow execution


Let's replicate the same testing again of creating a string from devops user login.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> auth devops pass@123#
OK
127.0.0.1:6379> set teststr "this is test string"
OK
127.0.0.1:6379> get teststr
"this is test string"
127.0.0.1:6379> 

  • Delete User and ACL Rules

Let us now attempt to remove the SET permission from user devops and completely delete the user.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> ACL SETUSER devops -set
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user devops on #f125095428f05d209add63aa22a89676934e0372784d45b22b921a63defdedf6 ~teststr:* ~teststr* resetchannels -@all +get"
127.0.0.1:6379> 

To remove the ACL rules, we used the minus (-) sign followed by the command name.

[root@siddhesh ~]# redis-cli 
127.0.0.1:6379> ACL DELUSER devops
(integer) 1
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> 

We used ACL DELUSER to completely remove the ACL user from a Redis.




bottom of page