Question posted in
The official documentation can be found here.

Redis keys security for multiple users

I have installed a redis server, and i have multiple clients using Mysql for their WordPress sites. I have configured redis and its working fine. Now I want some type of security like one of my client can switch to other redis databases and can list all keys of all clients, i want to prevent it.

root@rest: redis-cli
x.x.x.x:6379> KEYS *

 1) "s-dev-ortizfurt.:terms:last_changed"
 2) "s-dev-mayerhaven.:terms:get_terms-8fe839c888a1f5dc584d66e75abe752b-0.12728000 1606912094"
 3) "s-dev-ortizfurt.:post_tag_relationships:1"
 4) "s-dev-mayerhaven.:post_meta:3"
 5) "s-dev-mayerhaven.:comment:last_changed"
 6) "s-dev-mayerhaven.:site-transient:theme_roots"
 7) "s-dev-ortizfurt.:posts:last_changed"
 8) "s-dev-mayerhaven.:redis-cache:metrics"
 9) "s-dev-ortizfurt.:comment:1"
10) "s-dev-mayerhaven.:site-transient:update_plugins"
11) "s-dev-mayerhaven.:options:alloptions"
12) "s-dev-ortizfurt.:posts:3"
13) "s-dev-ortizfurt.:user_meta:1"
14) "s-dev-ortizfurt.:post_meta:1"
15) "s-dev-ortizfurt.:users:1"
16) "s-dev-ortizfurt.:terms:1"
17) "s-dev-mayerhaven.:comment:1"
18) "s-dev-mayerhaven.:terms:1"
19) "s-dev-mayerhaven.:term_meta:1"
20) "s-dev-mayerhaven.:options:can_compress_scripts"
21) "s-dev-ortizfurt.:post_meta:3"
22) "s-dev-mayerhaven.:site-transient:update_core"
23) "s-dev-ortizfurt.:options:notoptions"
24) "s-dev-mayerhaven.:post_format_relationships:1"
25) "s-dev-ortizfurt.:terms:get_terms-6a7e5a5984989e684e977a4689029aeb-0.03989400 1606912075"
26) "s-dev-mayerhaven.:posts:1"
27) "s-dev-ortizfurt.:default:is_blog_installed"
28) "s-dev-ortizfurt.:comment:last_changed"
29) "s-dev-ortizfurt.:site-options:1-notoptions"
30) "s-dev-mayerhaven.:comment:get_comments-a83484ce4441a2d87a90609f886c4a28-0.14044500 1606912094"
31) "s-dev-ortizfurt.:comment_meta:1"
32) "s-dev-mayerhaven.:default:is_blog_installed"
33) "s-dev-ortizfurt.:posts:wp_get_archives-10425ab9cab74a55e05d28aee32fbd7a-0.05052900 1606912075"
34) "s-dev-ortizfurt.:terms:get_terms-fa6fef0e8f76461d0c23f81cca942240-0.03989400 1606912075"
35) "s-dev-mayerhaven.:posts:3"

I have already tried by creating separate DB and assigned to each client.

Is there a way to stop users from listing keys or creating users for each database like in mysql.

Tags:

2

Answers


  1. 0

    As per to the documentation, here redis does provide basic authentication mechanism,

    Exact snippet from the documentation

    While Redis does not try to implement Access Control, it provides a
    tiny layer of authentication that is optionally turned on editing the
    redis.conf file.

    When the authorization layer is enabled, Redis will refuse any query
    by unauthenticated clients. A client can authenticate itself by
    sending the AUTH command followed by the password.

    Please note, the password will be in plain-text in redis.conf file and is subjected to be viewed by unauthorized parties if they have access to it.

    Additionally redis does provide a mechanism to rename or disable specific command, Exact snippet from the same document above ,

    it is possible to disable commands in Redis or to rename them into an
    unguessable name, so that normal clients are limited to a specified
    set of commands.

    Here are some high-level pointers on how to secure a redis deployment

    • Bind redis to localhost
    • Configure AUTH by enabling requirepass in redis.conf
    • Rename or disable dangerous commands
    Login or Signup to reply.
  2. 0

    Since Redis 6.0, it support ACL. In your case, you can create users for different clients, and limit the access control for each user.

    For example, you can create a user (with password: passwd) named ortizfurt, who only has access to keys starting with s-dev-ortizfurt.:

    ACL SETUSER ortizfurt on >passwd ~s-dev-ortizfurt.:* +@all
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search