
I have installed a Redis server, and I have multiple clients using MySQL for their WordPress sites. I have configured Redis and it is working fine. Now I want some type of security, because one of my clients can switch to other Redis databases and list all keys of all clients; I want to prevent that.

root@rest: redis-cli
x.x.x.x:6379> KEYS *

 1) "s-dev-ortizfurt.:terms:last_changed"
 2) "s-dev-mayerhaven.:terms:get_terms-8fe839c888a1f5dc584d66e75abe752b-0.12728000 1606912094"
 3) "s-dev-ortizfurt.:post_tag_relationships:1"
 4) "s-dev-mayerhaven.:post_meta:3"
 5) "s-dev-mayerhaven.:comment:last_changed"
 6) "s-dev-mayerhaven.:site-transient:theme_roots"
 7) "s-dev-ortizfurt.:posts:last_changed"
 8) "s-dev-mayerhaven.:redis-cache:metrics"
 9) "s-dev-ortizfurt.:comment:1"
10) "s-dev-mayerhaven.:site-transient:update_plugins"
11) "s-dev-mayerhaven.:options:alloptions"
12) "s-dev-ortizfurt.:posts:3"
13) "s-dev-ortizfurt.:user_meta:1"
14) "s-dev-ortizfurt.:post_meta:1"
15) "s-dev-ortizfurt.:users:1"
16) "s-dev-ortizfurt.:terms:1"
17) "s-dev-mayerhaven.:comment:1"
18) "s-dev-mayerhaven.:terms:1"
19) "s-dev-mayerhaven.:term_meta:1"
20) "s-dev-mayerhaven.:options:can_compress_scripts"
21) "s-dev-ortizfurt.:post_meta:3"
22) "s-dev-mayerhaven.:site-transient:update_core"
23) "s-dev-ortizfurt.:options:notoptions"
24) "s-dev-mayerhaven.:post_format_relationships:1"
25) "s-dev-ortizfurt.:terms:get_terms-6a7e5a5984989e684e977a4689029aeb-0.03989400 1606912075"
26) "s-dev-mayerhaven.:posts:1"
27) "s-dev-ortizfurt.:default:is_blog_installed"
28) "s-dev-ortizfurt.:comment:last_changed"
29) "s-dev-ortizfurt.:site-options:1-notoptions"
30) "s-dev-mayerhaven.:comment:get_comments-a83484ce4441a2d87a90609f886c4a28-0.14044500 1606912094"
31) "s-dev-ortizfurt.:comment_meta:1"
32) "s-dev-mayerhaven.:default:is_blog_installed"
33) "s-dev-ortizfurt.:posts:wp_get_archives-10425ab9cab74a55e05d28aee32fbd7a-0.05052900 1606912075"
34) "s-dev-ortizfurt.:terms:get_terms-fa6fef0e8f76461d0c23f81cca942240-0.03989400 1606912075"
35) "s-dev-mayerhaven.:posts:3"

I have already tried creating a separate DB and assigning it to each client.

Is there a way to stop users from listing keys, or to create users for each database like in MySQL?

2 Answers


  1. As per the documentation, Redis does provide a basic authentication mechanism.

    Exact snippet from the documentation:

    While Redis does not try to implement Access Control, it provides a
    tiny layer of authentication that is optionally turned on editing the
    redis.conf file.

    When the authorization layer is enabled, Redis will refuse any query
    by unauthenticated clients. A client can authenticate itself by
    sending the AUTH command followed by the password.

    Please note, the password will be in plain text in the redis.conf file and is subject to being viewed by unauthorized parties if they have access to it.

    Additionally, Redis provides a mechanism to rename or disable specific commands. Exact snippet from the same document above:

    it is possible to disable commands in Redis or to rename them into an
    unguessable name, so that normal clients are limited to a specified
    set of commands.

    Here are some high-level pointers on how to secure a Redis deployment:

    • Bind redis to localhost
    • Configure AUTH by enabling requirepass in redis.conf
    • Rename or disable dangerous commands
  2. Since Redis 6.0, it supports ACLs. In your case, you can create users for different clients and limit the access control for each user.

    For example, you can create a user named ortizfurt (with password: passwd) who only has access to keys starting with s-dev-ortizfurt.:

    ACL SETUSER ortizfurt on >passwd ~s-dev-ortizfurt.:* +@all
    
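An added example (not from the question or either answer) that builds the ACL rule above for every tenant, writes them as an aclfile, and checks which of the listed keys each user could still name. The tenant table, passwords and sample keys are constructed from the prefixes shown in the question; the rule also denies KEYS, SCAN and SELECT, since a ~pattern rule does not filter those commands.

```python
from fnmatch import fnmatchcase

# Constructed tenant table: ACL user -> (key prefix used by that site, password).
# The prefixes match the key names in the question; the passwords are placeholders.
TENANTS = {
    "ortizfurt": ("s-dev-ortizfurt.", "<ortizfurt-password>"),
    "mayerhaven": ("s-dev-mayerhaven.", "<mayerhaven-password>"),
}

# A ~pattern rule only filters keys passed as command arguments. KEYS and SCAN
# take no key arguments, so they still enumerate every tenant's keys, and SELECT
# still lets a client hop between logical databases. @dangerous already covers
# KEYS, FLUSHALL, FLUSHDB, CONFIG and INFO; SCAN and SELECT are denied explicitly.
# (A site configured for a database other than 0 sends SELECT on connect and
# would then fail, so keep every tenant in DB 0 and separate them by prefix.)
DENIED = ["-@dangerous", "-scan", "-select"]

# Constructed sample of the KEYS * listing from the question.
SAMPLE_KEYS = [
    "s-dev-ortizfurt.:terms:last_changed",
    "s-dev-mayerhaven.:options:alloptions",
    "s-dev-ortizfurt.:users:1",
    "s-dev-mayerhaven.:post_meta:3",
]

def acl_rule(user, prefix, password):
    """One ACL SETUSER command confining a tenant to its own key prefix."""
    return " ".join(["ACL SETUSER", user, "on", ">" + password,
                     "~" + prefix + ":*", "+@all"] + DENIED)

def users_acl_file(tenants):
    """Body of an aclfile (redis.conf: aclfile /path/to/users.acl).
    The default user is switched off so unauthenticated clients get nothing."""
    lines = ["user default off"]
    for user, (prefix, password) in tenants.items():
        lines.append(acl_rule(user, prefix, password).replace("ACL SETUSER", "user", 1))
    return "\n".join(lines) + "\n"

def accessible_keys(user, tenants, keys):
    """Keys the user may name in GET/SET/DEL under its ~pattern rule.
    Redis uses its own glob matcher; fnmatchcase is a close approximation
    for prefix patterns like these."""
    pattern = tenants[user][0] + ":*"
    return [k for k in keys if fnmatchcase(k, pattern)]
```

Load the generated file with `ACL LOAD` (or restart) and then verify from redis-cli as each user that `KEYS *` returns NOPERM and that a GET on the other tenant's key is refused.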