
Unable to connect to Redis with "limited" user

Open lasso opened this issue 3 years ago • 1 comments

When trying to use the ACL feature in Redis I'm unable to connect using the dev user below. The admin user works fine, and if I change the dev user to have the +@all flag it works too:

users.acl

user admin on >asecretpassword ~* &* +@all
user dev on >anothersecretpassword ~* &* -@all +@read +@write

I've tested the connection using redis-cli and it works fine with both users; however, using the following connection string does not allow me to connect to Redis using StackExchange.Redis (yes, I'm deliberately using port 7000):

myserver:7000,user=dev,password=anothersecretpassword

Is there some other permission needed when connecting?

Error message when connecting (using StackExchange.Redis version 2.5.61)

StackExchange.Redis.RedisConnectionException
  HResult=0x80131500
  Message=It was not possible to connect to the redis server(s). Error connecting right now. To allow this multiplexer to continue retrying until it's able to connect, use abortConnect=false in your connection string or AbortOnConnectFail=false; in your code.
  Source=StackExchange.Redis
  StackTrace:
   at StackExchange.Redis.ConnectionMultiplexer.ConnectImpl(ConfigurationOptions configuration, TextWriter log, Nullable`1 serverType)
   at StackExchange.Redis.ConnectionMultiplexer.Connect(ConfigurationOptions configuration, TextWriter log)
   at StackExchange.Redis.ConnectionMultiplexer.Connect(String configuration, TextWriter log)
  ...my internal code

Redis is running inside Kubernetes, the output from the Redis info server command reads:

# Server
redis_version:6.2.6
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:5b326c4b337eb561
redis_mode:standalone
os:Linux 4.15.0-173-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:8.3.0
process_id:1
process_supervised:no
run_id:0d8aaca6d744f505baeaa1981a57614906f74f89
tcp_port:7000
server_time_usec:1650368852664123
uptime_in_seconds:548
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:6201684
executable:/redis-server
config_file:/opt/bitnami/redis/etc/redis.conf
io_threads_active:0

lasso, Apr 19 '22 09:04

Alright, checked using MONITOR what commands were sent to the server.

1650378734.447932 [0 10.209.118.11:54998] "AUTH" "(redacted)" "(redacted)"
1650378734.447966 [0 10.209.118.11:54996] "AUTH" "(redacted)" "(redacted)"
1650378734.475334 [0 10.209.118.11:54998] "ECHO" "7R\xcf\x98 b3E\x82O\x02\xab\x18\x04\xcf\xab"
1650378734.475365 [0 10.209.118.11:54998] "SUBSCRIBE" "__Booksleeve_MasterChanged"
1650378734.475539 [0 10.209.118.11:54996] "INFO" "replication"
1650378734.475556 [0 10.209.118.11:54996] "INFO" "server"
1650378734.475575 [0 10.209.118.11:54996] "ECHO" "7R\xcf\x98 b3E\x82O\x02\xab\x18\x04\xcf\xab"
1650378734.528086 [0 10.209.118.11:54996] "INFO" "replication"

So changing permissions to

user dev on >anothersecretpassword ~* &* -@all +@pubsub +@read +@write +echo +info

solved it. I guess the issue could be closed now, but maybe it should be documented somewhere what the minimum permissions needed for connecting using StackExchange.Redis are.

lasso, Apr 19 '22 15:04
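Added example, not part of the issue thread or of StackExchange.Redis: a Python check that replays the command names from a MONITOR capture against a `users.acl` line and lists the handshake commands that user would be denied. The sample capture is constructed in the format shown above, the category table is an assumption limited to the four commands seen in the capture, and all function names are hypothetical.

```python
import re

# Constructed sample in the MONITOR format shown above (payloads are placeholders).
MONITOR_SAMPLE = '''\
1650378734.447932 [0 10.209.118.11:54998] "AUTH" "(redacted)" "(redacted)"
1650378734.475334 [0 10.209.118.11:54998] "ECHO" "probe"
1650378734.475365 [0 10.209.118.11:54998] "SUBSCRIBE" "__Booksleeve_MasterChanged"
1650378734.475539 [0 10.209.118.11:54996] "INFO" "replication"
'''

# Assumption: ACL categories for the captured commands only (Redis 6.2);
# confirm on the server with COMMAND INFO. Unlisted commands match no category here.
CATEGORIES = {
    "auth": {"@connection", "@fast"},
    "echo": {"@connection", "@fast"},
    "info": {"@slow", "@dangerous"},
    "subscribe": {"@pubsub", "@slow"},
}
NO_AUTH_EXEMPT = {"auth", "hello"}  # callable before authentication, not ACL-checked
LINE_RE = re.compile(r'^\d+\.\d+ \[\d+ \S+\] "([^"]+)"')

def commands_seen(monitor_text):
    """Return lower-cased command names from MONITOR output, in first-seen order."""
    seen = []
    for line in monitor_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen

def allowed(rule_tokens, command):
    """Apply +/-@category and +/-command rules left to right, as Redis does."""
    ok = False
    for tok in rule_tokens:
        if tok in ("+@all", "allcommands"):
            ok = True
        elif tok in ("-@all", "nocommands"):
            ok = False
        elif tok[:2] in ("+@", "-@"):
            if tok[1:] in CATEGORIES.get(command, set()):
                ok = tok[0] == "+"
        elif tok[:1] in ("+", "-") and tok[1:].lower() == command:
            ok = tok[0] == "+"
    return ok or command in NO_AUTH_EXEMPT

def denied_commands(acl_line, monitor_text):
    tokens = acl_line.split()[2:]  # skip the leading "user <name>"
    return [c for c in commands_seen(monitor_text) if not allowed(tokens, c)]
```

Run against the original `dev` line it reports `echo`, `subscribe` and `info`, none of which belong to `@read` or `@write`; against the corrected line it reports nothing.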

@lasso Thanks for the follow-up here. I'm adding some docs in #2225 for others hitting this scenario :)

NickCraver, Aug 21 '22 14:08