Redis Access Control

Introduction

Redis, an in-memory data structure store, is widely used as a database, cache, message broker, and streaming engine. As your Redis deployment grows and becomes critical to your infrastructure, properly managing who can access your Redis instances and what they're allowed to do becomes essential.

Redis Access Control refers to the mechanisms that allow you to:

Control who can connect to your Redis servers
Define what commands and keys different users can access
Protect your data from unauthorized access

In this guide, we'll explore Redis's security features that help implement proper access control for your Redis instances.

Access Control Evolution in Redis

Redis's approach to access control has evolved significantly over time:

Early Redis (pre-6.0)

Simple password-based authentication with the requirepass directive
No built-in way to define different permission levels
Limited to either full access or no access

Modern Redis (6.0 and later)

Robust Access Control List (ACL) system
Fine-grained user management
Command filtering
Key pattern restrictions

Let's explore each aspect of Redis access control and see how to implement them effectively.

Basic Authentication

The simplest form of access control in Redis is password authentication, which prevents unauthorized access to your Redis server.

Setting a Password

You can set a password in two ways:

1. In the Redis configuration file:

requirepass YourStrongPassword123

2. At runtime using the CONFIG SET command:

CONFIG SET requirepass "YourStrongPassword123"

Authenticating with a Password

After setting a password, clients need to authenticate before executing commands:

AUTH YourStrongPassword123

Example:

> SET mykey "Hello"
(error) NOAUTH Authentication required.

> AUTH YourStrongPassword123
OK

> SET mykey "Hello"
OK

caution

Using only the requirepass directive is considered basic security and is insufficient for production environments with multiple applications or users.

Access Control Lists (Redis 6.0+)

Starting with Redis 6.0, a more sophisticated access control system was introduced through Access Control Lists (ACLs). This system allows you to:

Create multiple users with different passwords
Grant specific command permissions to each user
Restrict access to specific key patterns
Set user-specific connection limits

Understanding the ACL System

The ACL system in Redis is based on a set of rules that define what a user can and cannot do. Each user has:

A username
One or more passwords
A list of commands they can execute
Patterns of keys they can access
Additional flags (like the ability to publish to channels)

Creating and Managing Users

Creating a New User

To create a new user with specific permissions:

ACL SETUSER username on >password ~keys:* +@read

This creates a user with:

Username: username
Status: Enabled (on)
Password: password
Key access: Keys matching keys:*
Commands: All read commands (+@read)

Listing Users and Their Permissions

To see all configured users:

ACL LIST

Output example:

1) "user default on nopass ~* +@all"
2) "user username on #5dca2e384a7acef3c1e4284732d9b4..."

Managing User Permissions

Adding/removing command permissions:

ACL SETUSER username +set +get -del

This allows the user to use SET and GET commands but explicitly denies DEL.

Setting key pattern access:

ACL SETUSER username ~cache:* ~session:*

This allows the user to access keys matching cache:* and session:*.

ACL Categories

Redis groups commands into categories for easier permission management:

Example: Allow read and write but not admin commands

ACL SETUSER analytics +@read +@write -@admin

Practical ACL Examples

Creating a Read-Only User

ACL SETUSER reporter on >SecurePassword123 ~* +@read -@all

This creates a user named "reporter" who can only execute read commands on any key.

Creating an Application-Specific User

ACL SETUSER app1 on >AppPassword ~app1:* +set +get +hset +hget +lpush +lpop

This user can only access keys with the "app1:" prefix and can only use a specific set of commands.

Creating an Admin User with Full Access

ACL SETUSER admin on >AdminStrongPassword ~* +@all

This gives the user full access to all keys and commands.

Implementing Access Control in Applications

Here's how you might authenticate with various Redis clients:

Node.js (with redis client)

javascript
const redis = require('redis');
const client = redis.createClient({
  host: 'localhost',
  port: 6379,
  password: 'YourStrongPassword123',
  username: 'application_user' // For Redis 6.0+ with ACLs
});

client.on('error', (err) => {
  console.error('Redis Client Error:', err);
});

client.on('connect', () => {
  console.log('Connected to Redis');
});

// Connect to Redis
client.connect();

Python (with redis-py)

python
import redis

# For Redis with password authentication
r = redis.Redis(
    host='localhost',
    port=6379,
    password='YourStrongPassword123',
    username='application_user'  # For Redis 6.0+ with ACLs
)

# Test the connection
try:
    r.ping()
    print("Connected to Redis")
except redis.ConnectionError:
    print("Failed to connect to Redis")

Best Practices for Redis Access Control

1. Use Strong, Unique Passwords

ACL SETUSER app_user on >Complex-Password-With-Special-Ch@r$

2. Implement the Principle of Least Privilege

Give users only the permissions they need:

ACL SETUSER cache_manager on >password ~cache:* +@read +@write -@admin -@dangerous

3. Regularly Rotate Passwords

ACL SETUSER app_user #<oldpasswordhash> >NewPassword123

4. Use ACL Files for Persistence

Create an ACL file (e.g., users.acl) and configure Redis to load it:

aclfile /path/to/users.acl

The file should contain ACL commands:

user default on nopass ~* +@all
user app_user on #5ca2e384a7acef3... ~app:* +@read +@write -@admin

5. Monitor Access Events

Enable ACL logging:

CONFIG SET acllog-max-len 128

View recent access control events:

ACL LOG

Troubleshooting Access Control Issues

Common Error Messages

NOAUTH Authentication required
- Cause: Trying to execute commands without authentication
- Solution: Use the AUTH command with the correct password
WRONGPASS invalid username-password pair or user is disabled
- Cause: Wrong credentials or disabled user
- Solution: Check username/password and user status
NOPERM this user has no permissions to run the command
- Cause: User lacks permission for a specific command
- Solution: Grant the required command permission using ACL SETUSER

Debugging Steps

Check which user you're connected as:

ACL WHOAMI

List user permissions:

ACL LIST

Check if keys match your patterns:

ACL GETUSER username

Advanced Access Control Patterns

Role-Based Access Control

Although Redis doesn't have built-in roles, you can achieve role-based access by creating user templates:

# Create a read-only template user
ACL SETUSER reader_template on nopass ~* +@read -@write -@admin -@dangerous

# Create users based on the template
ACL SETUSER analyst1 on >password1 resetkeys resetchannels +@read ~analytics:*
ACL SETUSER analyst2 on >password2 resetkeys resetchannels +@read ~reports:*

Time-Limited Access

For temporary access, create a user and set a reminder to remove them later:

# Grant temporary admin access
ACL SETUSER temp_admin on >TempPass123 ~* +@all

# After the maintenance is done
ACL DELUSER temp_admin