
Redis username support for icingadb feature

Open aval13 opened this issue 3 years ago • 2 comments

Is your feature request related to a problem? Please describe.

The icingadb feature allows a password to be specified for Redis. However, Redis since version 6 actually uses username/password/ACL sets and (as stated here https://raw.githubusercontent.com/redis/redis/7.0/redis.conf ) the deprecated "requirepass" is actually a compatibility layer which sets the password for the "default" user. This means that from the Icinga2 icingadb feature I can only connect to Redis using the "default" user. The icingadb-redis package provides Redis 7, so it fully supports multiple users.

Describe the solution you'd like

I'd like to be able to specify a username in the icingadb feature configuration for Redis.

Describe alternatives you've considered

The alternative is to use only one user, the one called "default", with a password set by the deprecated "requirepass" configuration in Redis.

Additional context

Security-wise, it would be good practice to set up in Redis a dedicated user for the Icinga2 icingadb feature with write access, and a separate user for icingadb-web with only read access (which can also be used by icingadb for instance).

It is very possible I do not fully understand things about Icinga very well, so please correct me if I'm wrong.

aval13 avatar Oct 12 '22 11:10 aval13

Got mine to work with the following. Still testing:

add "user:" to redis in config.yml

index 38571e3..a3e4a31 100644
--- a/pkg/config/redis.go
+++ b/pkg/config/redis.go
@@ -22,6 +22,7 @@ type Redis struct {
        Host       string              `yaml:"host"`
        Port       int                 `yaml:"port" default:"6380"`
        Password   string              `yaml:"password"`
+       Username   string              `yaml:"user"`
        TlsOptions TLS                 `yaml:",inline"`
        Options    icingaredis.Options `yaml:"options"`
 }
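Review bot: the new `Username` field is tagged `yaml:"user"`, so the config key does not match the field name or the "username" wording of the request, while the neighbouring `Password` field uses the full word `password`. Consider `yaml:"username"` for consistency, and document next to the field what an empty value means, since it carries no `default:` tag and will be passed on as an empty string.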
@@ -47,6 +48,7 @@ func (r *Redis) NewClient(logger *logging.Logger) (*icingaredis.Client, error) {
 
        options := &redis.Options{
                Dialer:      dialWithLogging(dialer, logger),
+               Username:    r.Username,
                Password:    r.Password,
                DB:          0, // Use default DB,
                ReadTimeout: r.Options.Timeout,
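Review bot: in `NewClient`, `Username: r.Username` is handed to `redis.Options` with no check on how it combines with `Password`. A config that sets a user but leaves the password empty should be rejected or at least logged before the options are built, so that the mistake surfaces as a configuration error rather than at connect time.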

lonelyadmin avatar Jul 25 '23 18:07 lonelyadmin

Thanks for your request and your prototype in Icinga DB. I have implemented this change in Icinga/icinga-go-library#52 and #10102.

oxzi avatar Jul 30 '24 15:07 oxzi