@itamarhaber
Created January 14, 2020 17:38
ACL v6RC1 default app profile

The purpose of this exercise is to define a "default" application ACL profile that can access all the data without being able to cause too much harm.

Additive ("future-proof") profile

Required extra permissions:

  • All functional categories
  • CLIENT ID|GETNAME|REPLY|SETNAME|TRACKING|GETREDIR: a must for modern clients
  • CLUSTER COUNTKEYSINSLOT|GETKEYSINSLOT|INFO|KEYSLOT|MYID|NODES|SLOTS: a must for cluster-aware clients
  • ACL WHOAMI: may be needed by ACL-aware clients
  • ROLE: may be in use by some clients
  • INFO: there are clients that handshake with it
  • TIME: part of the API
  • POST, HOST: (the command name includes the colon): security measures that should not be disabled
  • LOLWUT: can be included; there is no reason not to
  • SORT: part of the API, use with caution but may be needed

redis> ACL SETUSER foo allkeys -@all +@string +@list +@set +@hash +@sortedset +@stream +@bitmap +@geo +@hyperloglog +@connection +@keyspace +@transaction +@scripting +@pubsub -@admin -@dangerous +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots +acl|whoami +role +info +time +post +host: +lolwut +sort

redis> ACL GETUSER foo
...
-@all +@keyspace +@read +@write +@set +@sortedset +@list +@hash +@string +@bitmap +@hyperloglog +@geo +@stream +@pubsub +@fast +@slow +@blocking +@connection +@transaction +@scripting -flushall -lastsave -acl +acl|whoami -bgsave -bgrewriteaof -monitor -pfselftest -client +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir -psync -migrate -slaveof -flushdb -slowlog -save -replconf -sync -latency -memory -restore-asking -debug -module -shutdown -restore -cluster +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots -replicaof -keys -config -pfdebug -swapdb

Adding modules

Required extra permissions:

  • MODULE LIST: some module clients may rely on it
  • Any module commands

redis> ACL SETUSER foo +module|list +module.command1 [...]

Restrictive profile

Required extra restrictions:

  • MEMORY: can be a dangerous command

redis> ACL SETUSER foo allkeys +@all -@admin -@dangerous +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots +acl|whoami +role +info +lolwut +sort +module|list -memory

redis> ACL GETUSER foo
...
+@all -@admin -@dangerous +acl|whoami +sort +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir +info -memory +role +module|list +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots +keys

Thoughts

  • KEYS is excluded, which is good, but this will generate errors in some apps.
  • The following commands carry only @fast/@slow and @read, so a profile built from functional categories never reaches them. This could be addressed by assigning them to categories:
    • TIME: could be in the @connection/@keyspace category (or a new one)
    • HOST:, POST: should belong to the @connection category
    • MEMORY: should be put in @dangerous
    • LOLWUT: probably like TIME
  • It is a lot of work (for a Redis DBA) to define a profile; this is WIP and may contain errors that result in security "flaws".
  • It may be good to provide sample .acl files with similar profiles.
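To check what the two rule strings above actually grant before loading them on a server, here is an offline model of how Redis 6 applies ACL rules left to right. This is an added example written for this gist, not Redis code or redis-cli output: the command table is a constructed subset whose category flags approximate the Redis 6 RC1 table closely enough to reproduce the page's observations (KEYS and MEMORY denied, CLIENT only usable through the listed subcommands, and TIME/LOLWUT/MEMORY/HOST:/POST having no functional category), and the rule strings are copied from the two ACL SETUSER lines on the page.

```python
"""Offline model of Redis 6 ACL rule evaluation (added example, not Redis code).

The command table below is a constructed subset; the real Redis 6 table is
much larger and is the only authoritative source of category flags.
"""
from typing import Dict, Optional, Set

# Constructed subset of the command table: command -> ACL categories.
# TIME, LOLWUT, MEMORY, HOST: and POST only carry @read plus @fast/@slow,
# which is the gap the "Thoughts" section describes.
COMMAND_CATEGORIES: Dict[str, Set[str]] = {
    "get": {"read", "string", "fast"},
    "set": {"write", "string", "slow"},
    "del": {"write", "keyspace", "slow"},
    "lpush": {"write", "list", "fast"},
    "sadd": {"write", "set", "fast"},
    "hget": {"read", "hash", "fast"},
    "zadd": {"write", "sortedset", "fast"},
    "publish": {"pubsub", "fast"},
    "multi": {"transaction", "fast"},
    "eval": {"scripting", "slow"},
    "ping": {"connection", "fast"},
    "keys": {"read", "keyspace", "slow", "dangerous"},
    "flushall": {"write", "keyspace", "slow", "dangerous"},
    "sort": {"write", "set", "sortedset", "list", "slow", "dangerous"},
    "info": {"slow", "dangerous"},
    "role": {"admin", "fast", "dangerous"},
    "config": {"admin", "slow", "dangerous"},
    "client": {"admin", "slow", "dangerous"},
    "cluster": {"admin", "slow", "dangerous"},
    "acl": {"admin", "slow", "dangerous"},
    "module": {"admin", "slow", "dangerous"},
    "time": {"read", "fast"},
    "lolwut": {"read", "fast"},
    "memory": {"read", "slow"},
    "host:": {"read", "slow"},
    "post": {"read", "slow"},
}

# Categories that describe cost or effect only, not a functional area.
NON_FUNCTIONAL = {"read", "write", "fast", "slow"}

# Rule strings copied from the gist (everything after "ACL SETUSER foo").
ADDITIVE_PROFILE = (
    "allkeys -@all +@string +@list +@set +@hash +@sortedset +@stream +@bitmap "
    "+@geo +@hyperloglog +@connection +@keyspace +@transaction +@scripting "
    "+@pubsub -@admin -@dangerous +client|id +client|getname +client|reply "
    "+client|setname +client|tracking +client|getredir +cluster|countkeysinslot "
    "+cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid "
    "+cluster|nodes +cluster|slots +acl|whoami +role +info +time +post +host: "
    "+lolwut +sort"
)
RESTRICTIVE_PROFILE = (
    "allkeys +@all -@admin -@dangerous +client|id +client|getname +client|reply "
    "+client|setname +client|tracking +client|getredir +cluster|countkeysinslot "
    "+cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid "
    "+cluster|nodes +cluster|slots +acl|whoami +role +info +lolwut +sort "
    "+module|list -memory"
)


def _set_command(allowed: Set[str], cmd: str, enable: bool) -> None:
    """+cmd / -cmd replaces the whole command, dropping any cmd|sub exceptions."""
    for entry in [e for e in allowed if e == cmd or e.startswith(cmd + "|")]:
        allowed.discard(entry)
    if enable:
        allowed.add(cmd)


def apply_rules(rules: str, table: Dict[str, Set[str]] = COMMAND_CATEGORIES) -> Set[str]:
    """Return the allowed entries ("cmd" or "cmd|sub") after applying rules in order."""
    allowed: Set[str] = set()
    for rule in rules.split():
        if rule == "allcommands":
            rule = "+@all"
        elif rule == "nocommands":
            rule = "-@all"
        elif rule[0] not in "+-":
            continue  # allkeys, ~patterns, >passwords, on/off: no effect on commands
        enable, body = rule[0] == "+", rule[1:].lower()
        if body.startswith("@"):
            cat = body[1:]
            members = set(table) if cat == "all" else {c for c, cats in table.items() if cat in cats}
            for cmd in members:
                _set_command(allowed, cmd, enable)
        elif "|" in body:
            if not enable:
                # Redis 6 only accepts additive subcommand rules; "-cmd|sub" is rejected.
                raise ValueError(f"subcommand rules must be additive: {rule}")
            if body.split("|", 1)[0] not in allowed:  # whole command already allowed: nothing to add
                allowed.add(body)
        else:
            _set_command(allowed, body, enable)
    return allowed


def is_allowed(allowed: Set[str], cmd: str, sub: Optional[str] = None) -> bool:
    """True if the user may run cmd (or its subcommand sub) under the computed rules."""
    cmd = cmd.lower()
    if cmd in allowed:
        return True
    return sub is not None and f"{cmd}|{sub.lower()}" in allowed


def uncategorized_commands(table: Dict[str, Set[str]] = COMMAND_CATEGORIES) -> Set[str]:
    """Commands with no functional category: a category-based allow list never reaches them."""
    return {cmd for cmd, cats in table.items() if cats <= NON_FUNCTIONAL}


if __name__ == "__main__":
    additive = apply_rules(ADDITIVE_PROFILE)
    for probe in [("keys", None), ("client", "id"), ("client", "kill"), ("time", None)]:
        print(probe, is_allowed(additive, *probe))
    print("no functional category:", sorted(uncategorized_commands()))
```

Dropping `+time` from the additive string makes `is_allowed(..., "time")` false, which is the "falls through the cracks" case: the command belongs to no functional category, so only an explicit `+time` (or a category change as proposed above) can grant it. The same evaluator shows why the restrictive profile needs an explicit `-memory`, since `+@all` grants MEMORY and neither `-@admin` nor `-@dangerous` takes it away.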