Redis installation and the new ACL security policy feature

Yum install Redis

The Redis installed directly with the yum install redis command may not be the latest version. To install a newer version, add the Remi software repository first. The command is as follows:

yum install -y http://rpms.famillecollet.com/enterprise/remi-release-7.rpm

Install and start

# Install
yum --enablerepo=remi install redis

# Enable start on boot
systemctl enable redis

# Start the service
systemctl start redis

# Check the service status
systemctl status redis

# Check the Redis version
redis-cli --version

Configure remote connection

Binding to 0.0.0.0 makes Redis listen on every network interface, so the password or ACL configuration described below is essential once remote connections are allowed.

vim /etc/redis.conf
bind 0.0.0.0

Configuration File Modification Instructions

ACL security policy

In versions before Redis 6, only the requirepass parameter could be used to set a login password, and only for the default user, so every developer working on the same Redis instance shared that one user. Redis 6 introduces the ACL (Access Control List) access control feature. With it we can create multiple users and set command permissions and data (key) permissions for each user individually. For backward compatibility, Redis 6 keeps the default user, and requirepass still sets the default user's password. By default the default user has the maximum privileges in Redis, and when redis-cli connects without specifying a user name, it authenticates as default.

There are two ways to configure ACL: directly in the config file (redis.conf), or in an external aclfile. The configuration commands are the same, but only one of the two methods can be used at a time. Setting a password for the default user with requirepass, as above, uses the config-file method by default. After executing config rewrite, a line recording the default user's password and permissions is appended automatically at the bottom of the config file.

Redis password setting

Before Redis 6.0, Redis had only one user, default, which was also the super administrator. To set a password for it, modify the Redis configuration file as follows:

requirepass 123456

After the modification, when I entered Redis again, I found that I had no permission to operate.

[root@localhost ~]# redis-cli --raw
127.0.0.1:6379> set a b
NOAUTH Authentication required

At this point we need to authenticate with the password:

[root@openstack ~]# redis-cli 
127.0.0.1:6379> auth 123456
OK
127.0.0.1:6379> set a b
OK

Or:

[root@openstack ~]# redis-cli -a 123456 --raw
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
127.0.0.1:6379> set a b
OK

We can set user permissions directly in the config file with the ACL DSL line for the default user shown above, or we can configure the permissions in an external aclfile. To use an aclfile, first comment out or delete the DSL configured in redis.conf, because Redis does not allow both ACL management methods at the same time; otherwise the following error is reported when Redis starts:

Configuring Redis with users defined in redis.conf and at the same setting an ACL file path is invalid. This setup is very likely to lead to configuration errors and security holes, please define either an ACL file or declare users directly in your redis.conf, but not both

External aclfile mode

Comment out all ACL user definitions in redis.conf, for example:

# user default on #8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92 ~* +@all

Also comment out the default user's password in the config file, because the requirepass password no longer takes effect once aclfile is enabled:

vim /etc/redis.conf
# requirepass 123456

Configure the aclfile path in the config file, then create the file; otherwise restarting the Redis service reports an error that the file cannot be found:

# Configure the aclfile path
vim /etc/redis.conf
aclfile /usr/local/redis/etc/users.acl

# Create the users.acl file
touch /usr/local/redis/etc/users.acl

# Restart the Redis service
systemctl restart redis

# Or run this in the redis command line
acl load

Once aclfile is enabled, configuring the default password through requirepass in redis.conf is no longer recommended, because it no longer takes effect.
Also, with aclfile enabled you cannot log in with redis-cli -a xxx; you must use redis-cli --user xxx --pass yyy. If no password has been set, you can also log in without one.

At this point the default user is shown with no password:

127.0.0.1:6379> acl list
1) "user default on nopass ~* +@all"

Between configuring the DSL in redis.conf and aclfile mode, the official recommendation is aclfile: permissions configured in redis.conf require a restart of the Redis service before they are loaded, while in aclfile mode you can run the acl load command to hot-load the ACL privileges from the aclfile into the running server, similar to flush privileges in MySQL. At the same time, config rewrite writes the current ACL permissions into redis.conf, and acl save persists the ACL configuration to the aclfile.

ACL rules

ACLs are defined with a DSL (domain-specific language) that describes the operations a user may perform. Rules are always applied top-to-bottom and left-to-right, so the order of the rules matters when working out a user's actual permissions. ACL rules can be written as DSL in redis.conf or users.acl, or issued through the ACL command on the command line.

ACL enable and disable

on: enable the user: it is possible to authenticate as this user.
off: disable the user: it is no longer possible to authenticate as this user, but already authenticated connections keep working.

# Create a user; by default it is inactive
127.0.0.1:6379> ACL SETUSER xiaozhang
OK

# View users
127.0.0.1:6379> acl list
user alvin off #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 -@all
user default on nopass ~* +@all
user xiaozhang off -@all

# Set the user to active
127.0.0.1:6379> ACL SETUSER xiaozhang on
OK

# View the user list again; xiaozhang is now active
127.0.0.1:6379> acl list
user alvin off #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 -@all
user default on nopass ~* +@all
user xiaozhang on -@all

Allow and disallow calling commands

Rule                 Description
+command             Adds the command to the list of commands the user can invoke.
-command             Removes the command from the list of commands the user can invoke.
+@category           Allows the user to call all commands in the category; valid categories are @admin, @set, @sortedset, etc. The full list can be viewed with the ACL CAT command. The special category @all means all commands, including those that exist now and any added in future releases.
-@category           Disallows the user from invoking all commands in the category.
+command|subcommand  Allows a specific subcommand of an otherwise disabled command.
allcommands          Alias for +@all. Includes currently existing commands as well as all future commands loaded via modules.
nocommands           Alias for -@all; disallows calling any command.

# Give user xiaozhang a password, access to keys starting with name, and permission for set
127.0.0.1:6379> ACL SETUSER xiaozhang on >abc123 ~name* +set
OK

# We can see that xiaozhang currently has only the set permission
127.0.0.1:6379> acl list
user xiaozhang on #6ca13d52ca70c883e0...392593af6a84118090 ~name* -@all +set

# Switch user
127.0.0.1:6379> AUTH xiaozhang abc123
OK

# Set a key-value pair
127.0.0.1:6379> set name xiaozhang
OK

# No permission for get
127.0.0.1:6379> get name
NOPERM this user has no permissions to run the 'get' command or its subcommand

Allow and disallow access to certain keys

Rule        Description
~pattern    Adds a pattern of keys that can be mentioned as part of commands. For example, ~* and allkeys allow all keys.
resetkeys   Flushes the list of allowed key patterns, so only patterns added afterwards apply. For example, with ~foo:* ~bar:* resetkeys ~objects:* the client can only access keys matching the objects:* pattern.

# Give user xiaozhang a password, access to keys starting with name, and permission for set
127.0.0.1:6379> ACL SETUSER xiaozhang on >abc123 ~name* +set
OK

Password configuration

Rule        Description
>password   Adds this password to the user's list of valid passwords. For example, >mypass adds mypass to the list. This rule clears the user's nopass flag. Each user can have any number of valid passwords.
<password   Removes this password from the user's list of valid passwords. If the user does not have this password, an error is returned.
#hash       Adds this SHA-256 hash to the user's list of valid passwords. The hash is compared with the hash of the password entered when authenticating as the ACL user. This allows storing hashes in the users.acl file instead of plaintext passwords. Only SHA-256 hashes are accepted, and the hash must be 64 lowercase hexadecimal characters.
!hash       Removes the hash from the list of valid passwords, useful when you do not know the plaintext for the hash.
nopass      Removes all passwords the user has set and marks the user as nopass: any password logs in. resetpass clears the nopass state.
resetpass   Flushes the list of all passwords and removes the nopass state. After resetpass the user has no associated password and cannot log in without one, so you must add a password or set nopass before the user can log in again.
reset       Resets the user to its initial state, performing resetpass, resetkeys, off, -@all.

# View the user list
127.0.0.1:6379> acl list
user alvin off -@all
user default on nopass ~* +@all

# Set a password for user alvin
127.0.0.1:6379> ACL SETUSER alvin on >abc123
OK
127.0.0.1:6379> acl list
user alvin on #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 -@all
user default on nopass ~* +@all

# Switch user
127.0.0.1:6379> auth alvin abc123
OK

# alvin has no set permission
127.0.0.1:6379> set aaa bbb
NOPERM this user has no permissions to run the 'set' command or its subcommand
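The rule tables above (enable/disable, commands, keys, passwords) and the ACL LIST output they produce, as an added example that is not part of the original post: a small Python simulator of how ACL SETUSER rules are applied left-to-right. The command categories are a constructed subset of ACL CAT, and sha256_hex shows where the #6ca13d... hash in the listings comes from (SHA-256 of abc123).

```python
import fnmatch
import hashlib

# Constructed subset of ACL CAT output; a real server knows far more commands.
CATEGORIES = {"all": {"set", "get", "del", "flushall", "config"},
              "dangerous": {"flushall", "config"}}
def sha256_hex(password):  # lowercase 64-hex digest that '#' rules and ACL LIST use
    return hashlib.sha256(password.encode()).hexdigest()
class AclUser:
    def __init__(self, name):  # a new user is off, has no password, no keys and -@all
        self.name, self.on, self.nopass = name, False, False
        self.passwords, self.keys, self.commands = set(), set(), set()

    def apply(self, *rules):
        """Apply SETUSER rules strictly left-to-right; later rules override earlier ones."""
        for r in rules:
            if r == "on": self.on = True
            elif r == "off": self.on = False
            elif r == "nopass": self.nopass, self.passwords = True, set()
            elif r == "resetpass": self.nopass, self.passwords = False, set()
            elif r == "resetkeys": self.keys = set()
            elif r == "allkeys": self.keys.add("*")
            elif r in ("+@all", "allcommands"): self.commands = set(CATEGORIES["all"])
            elif r in ("-@all", "nocommands"): self.commands = set()
            elif r == "reset": self.apply("resetpass", "resetkeys", "off", "-@all")
            elif r[0] in ">#":  # '>' hashes the plaintext, '#' takes a ready-made hash
                self.nopass = False
                self.passwords.add(sha256_hex(r[1:]) if r[0] == ">" else r[1:])
            elif r[0] in "<!": self.passwords.discard(sha256_hex(r[1:]) if r[0] == "<" else r[1:])
            elif r[0] == "~": self.keys.add(r[1:])
            elif r.startswith("+@"): self.commands |= CATEGORIES[r[2:]]
            elif r.startswith("-@"): self.commands -= CATEGORIES[r[2:]]
            elif r[0] == "+": self.commands.add(r[1:])
            elif r[0] == "-": self.commands.discard(r[1:])
            else: raise ValueError("unknown ACL rule: " + r)
        return self

    def auth(self, password):  # AUTH succeeds only for an 'on' user: nopass or a hash match
        return self.on and (self.nopass or sha256_hex(password) in self.passwords)

    def can_run(self, command, key=None):  # False is where Redis would answer NOPERM
        return command in self.commands and (key is None or any(fnmatch.fnmatchcase(key, p) for p in self.keys))

    def acl_list(self):  # render the user the way ACL LIST prints it in this post
        parts = [self.name, "on" if self.on else "off"]
        parts += ["nopass"] if self.nopass else ["#" + h for h in sorted(self.passwords)]
        parts += ["~" + p for p in sorted(self.keys)]
        parts += ["+@all"] if self.commands == CATEGORIES["all"] else ["-@all"] + ["+" + c for c in sorted(self.commands)]
        return "user " + " ".join(parts)
```

Running AclUser("xiaozhang").apply("on", ">abc123", "~name*", "+set") reproduces the listing line shown above, including the hash, and the resetkeys example leaves only objects:* accessible.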

Common ACL Operations

View currently active ACLs

127.0.0.1:6379> ACL list
1) "user default on nopass ~* +@all"
127.0.0.1:6379>

Here user is a keyword, default is the user name, and the rest is the ACL rule description: on means active, nopass means no password, ~* means all keys, and +@all means all commands. So the line above says that the active user default has no password and can access all commands and all data.

Return all user names

127.0.0.1:6379> acl users
1) "default"
127.0.0.1:6379>

Returns the current username

127.0.0.1:6379> ACL WHOAMI
"default"

View the command categories available for authorization

127.0.0.1:6379> acl cat
1) "keyspace"
2) "read"
3) "write"
4) "set"
5) "sortedset"
6) "list"
7) "hash"
8) "string"
9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"

Create a user

127.0.0.1:6379> ACL SETUSER alvin
OK
127.0.0.1:6379> acl list
1) "user alvin off -@all"
2) "user default on nopass ~* +@all"

View user's ACL permissions

127.0.0.1:6379> ACL GETUSER xiaozhang
flags
on
passwords
6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090
commands
-@all +set
keys
name*
127.0.0.1:6379>

Delete a specified user

127.0.0.1:6379> ACL DELUSER alvin
1

Persist ACL permissions to aclfile

# View users.acl (still empty)
[root@alvin-test-os redis]# cat etc/users.acl

# View ACL users
[root@alvin-test-os redis]# redis-cli --raw
127.0.0.1:6379> acl list
user default on nopass ~* +@all
user xiaozhang on #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 ~name* -@all +set

# Save the ACL permission configuration
127.0.0.1:6379> acl save
OK
127.0.0.1:6379> exit

# The ACL configuration file has now been written
[root@alvin-test-os redis]# cat etc/users.acl
user default on nopass ~* +@all
user xiaozhang on #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 ~name* -@all +set

Reload ACL

# View the ACL user list
127.0.0.1:6379> acl list
user default on nopass ~* +@all
user xiaozhang on #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 ~name* -@all +set

# Reload
127.0.0.1:6379> ACL LOAD
OK

# The new user has been added
127.0.0.1:6379> acl list
user alvin on #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 ~name* -@all +set
user default on nopass ~* +@all
user xiaozhang on #6ca13d52ca70c883e0f0bb101e425a89e8624de51db2d2392593af6a84118090 ~name* -@all +set

Switch user

AUTH <username> <password>


Origin blog.csdn.net/qq_32262243/article/details/127303769