
I run the redis image with docker-compose.
I passed redis.conf (and redis says "configuration loaded").
In redis.conf I added a user:

user pytest ><password> ~pytest/* on @set @get

And yet I can communicate with redis as anonymous
even with uncommented string

requirepass <password>

Redis docs about topics: Security and ACL do not answer how to restrict access to everyone. Probably I do not understand something fundamentally.

my docker-compose.yaml:

version: '3'
services:
  redis:
    image: redis:latest
    ports:
      - 6379:6379
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 6000s
      timeout: 30s
      retries: 50
    restart: always
    volumes:
      - redis-db:/data
      - redis.conf:/usr/local/etc/redis/redis.conf
    command: ["redis-server", "/usr/local/etc/redis/redis.conf" ]


volumes:
  redis-db:
  redis.conf:

2 Answers


  1. And yet I can communicate with redis as anonymous even with uncommented string

    Because there’s a default user, and you didn’t disable it. If you want to totally disable anonymous access, you should add the following to your redis.conf:

    user default off
    

    Secondly, the configuration for user ‘pytest’ is incorrect. If you want to only allow user ‘pytest’ to have the set and get commands on the given key pattern, you should configure it as follows:

    user pytest ><password> ~pytest/* on +set +get
    
  2. You also need to ensure that the docker-compose is using your config file.
    Assuming you have the redis.conf in the same directory as your docker-compose.yml, the ‘volumes’ section in the service declaration would be:

      - ./redis.conf:/usr/local/etc/redis/redis.conf
    

    and also remove the named volume declaration at the bottom

    redis.conf:
    

    The users would be able to connect to Redis but without AUTH they can’t perform any action if you enable

    requirepass <password>
    

    The right way to restrict GET, SET operations on the keys pytest/* would be

    user pytest ><password> ~pytest/* on +set +get
    
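A static check for the two mistakes the answers point out (the default user left enabled with no password, and command rules missing the + or - prefix), as an added example that is not part of the original answers. The helper name `lint_redis_acl` and the sample configs are constructed for illustration, and the check assumes directives take effect in file order.

```python
import re

# Rule words that are valid with no prefix, per the Redis ACL rule syntax.
BARE = {"on", "off", "nopass", "resetpass", "reset", "allkeys", "resetkeys",
        "allcommands", "nocommands", "allchannels", "resetchannels",
        "clearselectors"}
# Valid prefixes: >pw <pw #hash !hash ~key %R~key &channel +cmd -cmd (selector)
PREFIXED = re.compile(r"^(?:[><#!~&+\-(]|%(?:R|W|RW)~)")

def lint_redis_acl(conf_text):
    """Hypothetical helper: findings for user/requirepass lines of a redis.conf."""
    findings = []
    default_on, default_nopass = True, True  # built-in default user: on, nopass
    # Assumption: directives are applied in the order they appear in the file.
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "requirepass" and len(parts) > 1:
            default_nopass = False  # requirepass sets the default user's password
        elif directive == "user" and len(parts) > 1:
            name = parts[1]
            for rule in parts[2:]:
                low = rule.lower()
                if low not in BARE and not PREFIXED.match(rule):
                    findings.append(f"line {lineno}: user {name}: rule {rule!r} "
                                    "has no valid prefix (commands need + or -)")
                if name != "default":
                    continue
                if low in ("on", "off"):
                    default_on = low == "on"
                elif low == "reset":
                    default_on, default_nopass = False, False
                elif low == "nopass":
                    default_nopass = True
                elif low == "resetpass" or rule[0] in ">#":
                    default_nopass = False
    if default_on and default_nopass:
        findings.append("default user is on with no password: "
                        "anonymous access is allowed")
    return findings

# Constructed samples: the question's user line, then the answers' corrected form.
QUESTION_CONF = "user pytest ><password> ~pytest/* on @set @get\n"
FIXED_CONF = ("user default off\n"
              "user pytest ><password> ~pytest/* on +set +get\n")

if __name__ == "__main__":
    for finding in lint_redis_acl(QUESTION_CONF):
        print(finding)
```

A clean result only describes the file's contents; it does not show that the container loaded that file, which is the bind-mount issue the second answer raises.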