Redis Documentation > Redis Enterprise Cloud > Security > Cloud database security > Passwords, users, and roles

Passwords, users, and roles

All Redis Cloud databases require either password-based authentication or role-based access control. Role-based access control lets you define multiple users with fine-grained authorization features.

Prerequisites

To use role-based access control, your Redis Cloud database needs to support Redis version 6.0.0 or later.

The Redis version of a database is displayed in the General section of the Configuration tab of the database detail screen.

The Redis version appears in the General section of the Configuration tab on the database details screen.

Password-based authentication

Password-based authentication is a basic but essential Redis security feature. When you create a Redis Cloud database, your database is given a randomly generated password called the Default user password.

This appears in the Security section of the Configuration tab of the database details screen.

The Default user password appears in the Security section of the Configuration tab on the database details screen.

Use the copy button to copy the password to the clipboard:

Use the Copy button to copy the default user password.

You’ll need to use this password whenever you connect to your database using a Redis client. For example, in the Redis CLI, you use the AUTH command to provide this password:

AUTH 4kTtH2ddXfN2sFmXE6sowOLukxiaJhN8n

See your Redis client’s documentation to learn how to provide your password when connecting.

Change password

To change the default user password for your database:

From the database Configuration tab, select Edit database:
Under the Security section, enter the new password in the Default user password field.
Select Save database to update the password:

Role-based access control

Role-based access control (RBAC) lets you define roles with specific sets of permissions. You can then assign users to these roles to provide appropriate levels of access.

RBAC effectively lets you implement the principle of least privilege. For example, you can provide read-only access to an application whose only job is to display Redis data. Similarly, you can prevent new developers from running dangerous administrative commands.

Set up RBAC

To set up RBAC, first navigate to the Data Access Control screen.

There are three tabs on this screen: Users, Roles, and Redis ACLs.

In the Redis ACLs tab, you define named permissions for specific Redis commands and keys.

In the Roles tab, you create roles. Each role consists of a set of permissions for one or more Redis Cloud databases.

Finally, in the Users tab, you create users and assign each user a role.

OSS Redis ACLs vs. Redis Enterprise Cloud RBAC

In open source Redis, you can create users and assign ACLs to them using the ACL command. However, open source Redis does not support generic roles.

In Redis Enterprise Cloud, you configure RBAC using the admin console. As a result, certain open source Redis ACL subcommands are not available in Redis Cloud.

Specifically, Redis Cloud databases block the following ACL subcommands: LOAD, SAVE, SETUSER, DELUSER, GENPASS, and LOG.

Redis Cloud databases allow these ACL subcommands: LIST, USERS, GETUSER, CAT, WHOAMI, and HELP.

In open source Redis, you must explicitly provide access to the MULTI, EXEC, and DISCARD commands. In Redis Cloud, these commands, which are used in transactions, are always permitted. However, the commands run within the transaction block are subject to RBAC permissions.

When you run multi-key commands on multi-slot keys, the return value is failure but the command runs on the keys that are allowed.

Define permissions

To define permissions, go to the Redis ACLs tab of the Data Access Control screen.

You define these named permissions using the Redis ACL syntax. This syntax lets you concisely specify which commands, command categories, and keys to allow.

The Redis ACL syntax emphasizes brevity:

+ includes commands or command categories
- excludes commands or command categories
@ indicates a command category
~ defines a permitted key pattern

Command ACL rules

A command can be any Redis command.

For example, this Redis ACL rule indicates that the SET command is permitted:

+set

Command category ACL rules

A command category is a predefined, named set of commands.

For example, the Redis commands that read data are available in the read command category. This Redis ACL rule permits access to all read commands:

[email protected]

To find out which commands are included in the read command category, run the following command with redis-cli:

ACL CAT read

Key ACL rules

There’s also a syntax for specifying which keys are accessible.

The following ACL rule allows access to all keys:

~*

Whereas, this ACL rule only allows access to keys prefixed with cache:

~cache:*

Predefined permissions

Redis Cloud includes three, predefined permissions:

Full-Access ([email protected] ~*) - All commands are allowed for all keys
Read-Write ([email protected] [email protected] ~*) - All commands except for the “dangerous” command category are allowed for all keys
Read-Only ([email protected] ~*) - Only the “read” command category is allowed for all keys

Module command permissions

Note that you can define permissions for the Redis module commands of any modules that are loaded on the subscription; however, these permissions can only be used for databases that support those modules.

To define database access control, you can either:

Use the predefined data access roles and add Redis ACLs to them for specific databases.
Create new data access roles and select the management roles and Redis ACLs that apply to the roles for specific databases.
Assign roles and Redis ACLs to a database in the access control list section of the database configuration.

Configure permissions with Redis ACLs

To configure a Redis ACL that you can assign to a data access role:

Go to Data Access Control > ACLs and either:
- Create a new Redis ACL:
- Point to an existing ACL and select Edit:
Provide a descriptive name for the Redis ACL.
Enter ACL syntax to define the ACL rule or select Rule Builder for help building the ACL rule with correct syntax.
To create a Redis ACL rule with the Rule Builder:
1. For Redis commands / categories, enter a command or command category.
2. Select whether to include or exclude the command or category.
3. For Keys, enter the pattern for permitted keys.
4. To add more commands, categories, or keys to the ACL rule, select Add:
5. When you finish building the ACL rule, select Save rule:
Select the check mark to save your changes:

Assign permissions to roles

To assign Redis ACLs to a data access role:

Go to Data Access Control > Roles and either:
- Point to an existing role and select the Edit button:
- Select the Add button to create a new role:
In the Associations section of the Edit role or Create new role screen, you can:
- Point to an existing association and select the Edit button:
- Select the Add button to create a new association:
Select one or more databases from the Databases list.
To set the role’s level of access to the selected databases, select a Redis ACL from the list.
Select the check mark to confirm the association:
Select Save role:

Users assigned the role can access the databases according to the role’s associated Redis ACLs.

Assign roles to users

To assign a role to a user:

Go to Data Access Control > Users.
Point to the user and select the Edit button when it appears:
Select a Role from the list.
Select the check mark to assign the role to the user:

Edit on GitHub

Updated: November 28, 2022

Download PDF

Top