Redis權限管理體系:終于等來了Redis權限控制體系ACL
作者:懂點IT的耿小廚
Redis在存儲系統界的使用排名一直遙遙領先,但Redis6版本之前,一直沒有一套較為全面的權限控制體系。而隨著Redis6版本被更多人使用后,權限控制系統也逐漸廣泛應用起來了,本文就探索一下Redis ACL的主要內容。
一、用戶管理
Redis用戶的創建、查看、修改、刪除等主要操作可以按照如下實例進行
1、創建用戶
只創建用戶,暫時不添加其他權限
127.0.0.1:6479> ACL SETUSER user1 on >pwd_u1
OK另外,上例中,設置的是明文密碼,也可以設置加密的hash密碼,例如:
#先獲取對于密碼的hash值
[redis@VM-4-14-centos ~]$ echo -n "pwd_u1" | shasum -a 256
21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544 -
#以密文的方式創建密碼
127.0.0.1:6479> ACL SETUSER u2 on #21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544
OK2、查看用戶
Redis中查看用戶時可以看到對應的用戶信息及權限;另外也可以選擇查看全部用戶信息、指定用戶信息及當前登錄的用戶是誰。具體示例如下:
列出所有用戶:
127.0.0.1:6479> ACL LIST
1) "user default on #515c217eb413b6aaf09de74bf42c85a6edc09ee7008c6ebedc2981b44bbc0fd3 ~* &* +@all"
2) "user testuser1 on #b6d18faf7ebcfdce9f8782a0aad13c14e2662fcc08072e2738bcb27d04b96188 &* -@all"
3) "user user1 on #21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544 &* -@all"
127.0.0.1:6479>
查看指定用戶:
查看單個用戶可以用 "ACL GETUSER 用戶名"的方式查看,例如:
127.0.0.1:6479> ACL GETUSER user1
1) "flags"
2) 1) "on"
2) "allchannels"
3) "passwords"
4) 1) "21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544"
5) "commands"
6) "-@all"
7) "keys"
8) (empty array)
9) "channels"
10) 1) "*"
查看當前登錄用戶:
127.0.0.1:6479> ACL WHOAMI
"default"3、創建多密碼
Redis中一個用戶可以有多個密碼,這是與其他數據庫有所不同的地方。示例如下:
127.0.0.1:6479> ACL SETUSER u3 on >pwd_u3
OK
127.0.0.1:6479> ACL SETUSER u3 on >pwd_u33
OK
127.0.0.1:6479> ACL GETUSER u3
1) "flags"
2) 1) "on"
2) "allchannels"
3) "passwords"
4) 1) "8064ac564c2512d07af567e7de8714bc194abe6afefef26370f44e33593d6179"
2) "d190fe553fa81919050af3f9c482bb70ea19619e64e5c26c9b95e3f61de557c1"
5) "commands"
6) "-@all"
7) "keys"
8) (empty array)
9) "channels"
10) 1) "*"
嘗試用2個不同的密碼登錄一下:
# 使用第一個密碼登錄
127.0.0.1:6479> AUTH u3 pwd_u3
OK
# 使用第二個密碼登錄
127.0.0.1:6479> AUTH u3 pwd_u33
OK
# 使用錯誤密碼登錄
127.0.0.1:6479> AUTH u3 pwd_u4444
(error) WRONGPASS invalid username-password pair or user is disabled.
127.0.0.1:6479>可見,2個正確的密碼都可以登錄,這個有個優點在于如果忘記之前的密碼,可以在新增一個密碼,而不影響原密碼的使用。
4、刪除用戶
如需刪除指定的用戶,可以使用ACL DELUSER命令操作,例如
127.0.0.1:6479> ACL LIST
1) "user default on #515c217eb413b6aaf09de74bf42c85a6edc09ee7008c6ebedc2981b44bbc0fd3 ~* &* +@all"
2) "user testuser1 on #b6d18faf7ebcfdce9f8782a0aad13c14e2662fcc08072e2738bcb27d04b96188 &* -@all"
3) "user u2 on #21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544 #47843fd456370690f6c7897a73c1e2f0d563981aa3cad13e475bc3e72ca14656 &* -@all"
4) "user u3 on #8064ac564c2512d07af567e7de8714bc194abe6afefef26370f44e33593d6179 #d190fe553fa81919050af3f9c482bb70ea19619e64e5c26c9b95e3f61de557c1 &* -@all"
5) "user user1 on #21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544 &* -@all"
127.0.0.1:6479> ACL DELUSER user1
(integer) 1
127.0.0.1:6479> ACL LIST
1) "user default on #515c217eb413b6aaf09de74bf42c85a6edc09ee7008c6ebedc2981b44bbc0fd3 ~* &* +@all"
2) "user testuser1 on #b6d18faf7ebcfdce9f8782a0aad13c14e2662fcc08072e2738bcb27d04b96188 &* -@all"
3) "user u2 on #21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544 #47843fd456370690f6c7897a73c1e2f0d563981aa3cad13e475bc3e72ca14656 &* -@all"
4) "user u3 on #8064ac564c2512d07af567e7de8714bc194abe6afefef26370f44e33593d6179 #d190fe553fa81919050af3f9c482bb70ea19619e64e5c26c9b95e3f61de557c1 &* -@all"
127.0.0.1:6479>
5、重置用戶
可以將用戶重置,重置后的用戶無法登錄,例如
127.0.0.1:6479> ACL SETUSER testuser1 reset
OK
127.0.0.1:6479> ACL GETUSER testuser1
1) "flags"
2) 1) "off"
2) "allchannels"
3) "sanitize-payload"
3) "passwords"
4) (empty array)
5) "commands"
6) "-@all"
7) "keys"
8) (empty array)
9) "channels"
10) 1) "*"
127.0.0.1:6479>
二、權限控制
1、查看權限
ACL中的操作權限可以通過ACL CAT命令查看。
127.0.0.1:6479> ACL CAT
1) "keyspace"
2) "read"
3) "write"
4) "set"
5) "sortedset"
6) "list"
7) "hash"
8) "string"
9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"其中每個類型的具體內容可以繼續查看,例如查看dangerous操作的具體內容:
127.0.0.1:6479> ACL CAT dangerous
1) "debug"
2) "config"
3) "restore"
4) "swapdb"
5) "failover"
6) "slaveof"
7) "client"
8) "migrate"
9) "latency"
10) "sync"
11) "psync"
12) "lastsave"
13) "acl"
14) "role"
15) "flushdb"
16) "replconf"
17) "info"
18) "keys"
19) "bgsave"
20) "replicaof"
21) "sort"
22) "cluster"
23) "save"
24) "restore-asking"
25) "module"
26) "monitor"
27) "bgrewriteaof"
28) "pfselftest"
29) "pfdebug"
30) "slowlog"
31) "shutdown"
32) "flushall"
127.0.0.1:6479>
2、添加權限
之前創建用戶u2,僅有登錄權限,現在對其添加權限。
127.0.0.1:6479> ACL SETUSER u2 allkeys +@read +@write
OK
以上是對所有key(allkeys,是 ~*的同義詞)添加讀寫權限。加權限就是使用+@對應權限。
下面驗證一下結果:
127.0.0.1:6479> AUTH u2 pwd_u2
OK
127.0.0.1:6479> set k1 1
OK
127.0.0.1:6479> get k1
"1"
127.0.0.1:6479> info
NOPERM this user has no permissions to run the 'info' command or its subcommand
3、回收權限
再對u2用戶回收寫權限,回收權限使用-@權限即可。
ACL SETUSER u2 allkeys -@write
回收后再使用u2用戶登錄,則可以發現可以查看,但不能寫入了。
4、對指定類型的key進行權限管理
創建u1用戶,然后對其添加string及hash類型的key的操作權限。
127.0.0.1:6479> ACL SETUSER u1 on >pwd_u1
OK
127.0.0.1:6479> ACL GETUSER u1
1) "flags"
2) 1) "on"
2) "allchannels"
3) "passwords"
4) 1) "21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544"
5) "commands"
6) "-@all"
7) "keys"
8) (empty array)
9) "channels"
10) 1) "*"
127.0.0.1:6479> ACL SETUSER u1 allkeys +@string +@hash
OK
127.0.0.1:6479> ACL GETUSER u1
1) "flags"
2) 1) "on"
2) "allkeys"
3) "allchannels"
3) "passwords"
4) 1) "21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544"
5) "commands"
6) "-@all +@string +@hash"
7) "keys"
8) 1) "*"
9) "channels"
10) 1) "*"
127.0.0.1:6479>
驗證權限
127.0.0.1:6479> ACL GETUSER u1
1) "flags"
2) 1) "on"
2) "allkeys"
3) "allchannels"
3) "passwords"
4) 1) "21a1bbcd2c36cb07cd8779b3cba6ab183ecfd8b2a86e11f6dc1f674b90634544"
5) "commands"
6) "-@all +@string +@hash"
7) "keys"
8) 1) "*"
9) "channels"
10) 1) "*"
127.0.0.1:6479> AUTH u1 pwd_u1
OK
127.0.0.1:6479> set s1 1
OK
127.0.0.1:6479> get s1
"1"
127.0.0.1:6479> hset h1 f1 'a'
(integer) 1
127.0.0.1:6479> hgetall h1
1) "f1"
2) "a"
127.0.0.1:6479> info
NOPERM this user has no permissions to run the 'info' command or its subcommand
127.0.0.1:6479> SMEMBERS set1
(error) NOPERM this user has no permissions to run the 'smembers' command or its subcommand
5、對指定key進行授權
對指定開頭的key添加所有操作權限,例如:
127.0.0.1:6479> ACL GETUSER u3
1) "flags"
2) 1) "on"
2) "allchannels"
3) "passwords"
4) 1) "8064ac564c2512d07af567e7de8714bc194abe6afefef26370f44e33593d6179"
5) "commands"
6) "-@all"
7) "keys"
8) (empty array)
9) "channels"
10) 1) "*"
127.0.0.1:6479> ACL SETUSER u3 ~a* +@all
OK
127.0.0.1:6479> ACL GETUSER u3
1) "flags"
2) 1) "on"
2) "allchannels"
3) "allcommands"
3) "passwords"
4) 1) "8064ac564c2512d07af567e7de8714bc194abe6afefef26370f44e33593d6179"
5) "commands"
6) "+@all"
7) "keys"
8) 1) "a*"
9) "channels"
10) 1) "*"
127.0.0.1:6479>
驗證結果:
127.0.0.1:6479> set s2 222
(error) NOPERM this user has no permissions to access one of the keys used as arguments
127.0.0.1:6479> set a2 222
OK
127.0.0.1:6479> hset set2 f2 222
(error) NOPERM this user has no permissions to access one of the keys used as arguments
127.0.0.1:6479> hset aset2 f2 222
(integer) 1
127.0.0.1:6479> 5
三、結語
通過創建用戶及配置相應的權限,可以起到隔離用戶操作,避免風險操作等,從而降低Redis被誤操作或風險操作的概率,提升安全性及穩定性。大家也可以多多組合測試,配置適合自己使用的權限組合。
責任編輯:姜華
來源:
數據庫干貨鋪
