For the safety concern, we plan to change our redis passwd periodically (like every 4 weeks). The question is how to change it without external downtime, or with just a very short period of it.
My plans are:
- clear the passwd on redis server and restart.
- seeing as there’s no passwd required, clients can still reconnect to redis server even with obsolete passwd
- clients reload new passwd from config center periodically, and soon after, all clients will have been updated to the new passwd.
- change the redis server to new passwd and restart.
- clients use new passwd to reconnect to redis server
But when I tried it (I’m using redigo), I got `ERR Client sent AUTH, but no password is set`
on step 2. Seems like we can’t connect to redis with an extra passwd if it doesn’t require a passwd. But when I use redis-cli, it can! I want to know how redis-cli achieves this, and how can I do that with redigo?
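What redis-cli does is send AUTH anyway and treat that one specific error as a warning rather than a failed connection. The following is an added example (not the poster's code and not part of redigo) that does the same thing over the raw RESP protocol in Go; with redigo the equivalent is to `Dial` without `DialPassword`, run `AUTH` through `Do`, and apply the same check to the returned `redis.Error`. The `againstFakeServer` helper and its replies are constructed scaffolding for the demo, and the error string matched is the pre-6.0 wording quoted above.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"net"
	"strings"
)

// Reply Redis sends (pre-6.0 wording, as quoted in the question) when AUTH
// arrives while requirepass is empty; newer releases phrase it differently.
const noPasswordSet = "ERR Client sent AUTH, but no password is set"
// authTolerant sends AUTH over a RESP connection and mimics redis-cli: "+OK"
// succeeds, the "no password is set" error is downgraded to a warning (warned
// is true so the caller can log it), and any other error fails the handshake.
func authTolerant(r *bufio.Reader, w io.Writer, password string) (warned bool, err error) {
	// RESP encoding of ["AUTH", password]
	cmd := fmt.Sprintf("*2\r\n$4\r\nAUTH\r\n$%d\r\n%s\r\n", len(password), password)
	if _, err := io.WriteString(w, cmd); err != nil {
		return false, err
	}
	line, err := r.ReadString('\n')
	if err != nil {
		return false, err
	}
	line = strings.TrimRight(line, "\r\n")
	if line == "+OK" {
		return false, nil
	}
	msg := strings.TrimPrefix(line, "-")
	if msg == noPasswordSet {
		return true, nil // server is in the no-password phase of the rotation
	}
	return false, errors.New(msg) // e.g. "ERR invalid password": credentials really are stale
}

// againstFakeServer drives authTolerant over an in-memory pipe whose "server" answers with a constructed reply.
func againstFakeServer(reply, password string) (bool, error) {
	client, server := net.Pipe()
	defer client.Close()
	go func() {
		defer server.Close()
		server.Read(make([]byte, 512)) // consume the AUTH command
		io.WriteString(server, reply)
	}()
	return authTolerant(bufio.NewReader(client), client, password)
}
```

Logging the warned case matters: it is also exactly what a client would see if someone removed requirepass on the server outside the planned rotation window.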
2 Answers
A common solution to password rotation is:
At the end of the rollover period, the server is restarted with the new password and the old password is deleted from the config.
Why not use Redis ACLs? https://redis.io/topics/acl