eosswedenorg/thalos-docs
1
0
Fork 0
mirror of https://github.com/eosswedenorg/thalos-docs synced 2026-06-16 04:34:55 +02:00
Code Releases Activity
thalos-docs/docs/redis/security/acl.md

116 lines
4.2 KiB
Markdown
Raw Permalink Blame History

# ACL
By default, Redis does not impose any restrictions on the commands that clients can execute. This lack of
restrictions raises security concerns, especially when dealing with clients that may not be fully trusted.
However, there is no need to worry as Redis offers a solution in the form of [Access Control Lists (ACL)](https://en.wikipedia.org/wiki/Access-control_list).
ACL in Redis enables the establishment of limited access for connections to the server, specifying which
commands they are allowed to execute. In Thalos, this feature is crucial for maintaining security, ensuring
that clients can only access specific channels within Thalos.
The special account called `default` serves as the default account for unauthorized users, provided it is
configured with a password. Connections can authenticate against this account without specifying a username.
Thalos utilizes this account as the default user account.
Additionally, it is advisable to restrict the Thalos server account as an added precaution against any
unauthorized actions it may inadvertently perform, although such occurrences are highly unlikely.
The ACL in thalos is simple and uses 2 accounts:
* `default` account (user account, used by clients. only allowed to read from thalos specific channels)
* `thalos-server` account (is allowed to publish to channels and also write to it's cache)
there is also the `admin` account that is use for redis mangement. has access to everything.
::: danger IMPORTANT
Make sure you replace the passwords with a secure ones.
It is recommended to use [ACL GENPASS](https://redis.io/commands/acl-genpass) to generate strong passwords.
:::
`redis.conf`
```
user default on >client_password resetchannels &ship::* +@connection +subscribe
user admin on >admin_password ~* &* +@all
user thalos on >server_password resetchannels &ship::* ~thalos::* +@connection +@read +@write +publish
```
## External file
It is possible to use external config files to define users in redis.
Just place the configuration above in an external file for example: `/etc/redis/users.acl` and then add this in `/etc/redis/redis.conf`
```
aclfile /etc/redis/users.acl
```
## Thalos tools
There is also a tool to create the config lines for you.
```
$ thalos-tools redis-acl
Passwords
default: NgCseRB8QcxdHwcwmg43OOjxZW0YbngN
thalos: kmJIi1kP5bp2MHQeSj925otWnxTvfRe5
thalos-client: WBGP9mXuUIIv11KhLgbuaTcl1NnRmhWn
# Created by thalos-tools on Mon Feb 12 15:56:26 CET 2024
user default on #3c0745d926021292a521267d803b9c20f3570bee30697e401920151d2593d1e4 ~* &* +@all
user thalos on #cf2b3e36521b0e67cb50fcc1f931f577384bb84ad7d0492d00e07beb4660ff1d resetchannels ~ship::* &ship::* -@all +get +publish +set
user thalos-client on #06d88f1e91d8bc82a5074223fd380006395b80a7b41dcd1318be1dd288282e4a resetchannels &ship::* -@all +subscribe
```
## Test the accounts permissions
It is a good idea to test if the configuration works.
```sh
$ redis-cli --pass mypassword
127.0.0.1:6379> SUBSCRIBE some_channel
Reading messages... (press Ctrl-C to quit)
(error) NOPERM this user has no permissions to access one of the channels used as arguments
127.0.0.1:6379> SET random_key value
(error) NOPERM this user has no permissions to run the 'set' command or its subcommand
127.0.0.1:6379> SUBSCRIBE ship::1234
Reading messages... (press Ctrl-C to quit)
1) "subscribe"
2) "ship::1234"
3) (integer) 1
```
## Thalos config
After you have setup ACL, make sure to update your `config.yml` with the account and password.
```yaml
redis:
user: thalos
password: p4ssw0rd
```
## Other ACL Configurations
### No user password
While not recommended, it is possible to have the default (user) account without password. that way the user does not need to authenticate (but still has limited access). just remove the password from `user default` line:
```
user default on resetchannels &ship::* +@connection +subscribe
```
### Thalos users with a different account
It is also possible to provide a different account for users
```
user thalos-client on >client_password resetchannels &ship::* +@connection +subscribe
```
## Useful links
* [Config File Example](https://redis.io/docs/management/config-file)
* [Official ACL Documentation](https://redis.io/docs/management/security/acl)
View git blame Copy permalink