Redis Enterprise Software release notes 6.4.2-30 (February 2023)

Pub/sub ACLs & default permissions. Validate client certificates by subject attributes.

​Redis Enterprise Software version 6.4.2 is now available!

This version offers:

  • Extended validation of client certificates via mTLS (mutual TLS) full subject support

  • Support for default restrictive permissions when using publish/subscribe commands and ACLs (access control lists)

  • Enhanced TLS performance when Redis returns large arrays in responses

  • Compatibility with open source Redis 6.2.7

  • Additional enhancements and bug fixes

The following table shows the MD5 checksums for the available packages:

Package MD5 checksum (6.4.2-30 February release)
Ubuntu 16 b0dbecaa974ca08245dda55d53b6fe9b
Ubuntu 18 a5192e8b0734db80d6b7c2b98a170c58
RedHat Enterprise Linux (RHEL) 7
Oracle Enterprise Linux (OL) 7		 c1537855dcfe7a7cedf9031ce01e2b9b
RedHat Enterprise Linux (RHEL) 8
Oracle Enterprise Linux (OL) 8
Rocky Enterprise Linux		 a24dc749d6dcb5df2162d7a41791c7aa

New features and enhancements

Validate client certificates by subject attributes

You can now validate client certificates by their Subject attributes. When a client attempts to connect to a database, Redis Enterprise Software compares the values of the client certificate subject attributes to the subject values allowed by the database. Clients can connect to the database only if the subject values match. This gives more flexibility in controlling which clients can access which databases.

See Enable TLS for more information.

Default pub/sub ACL permissions

Redis is continuously enhancing its ACL (access control list) functionality and coverage. Redis version 6.2 enhances ACLs to allow and disallow pub/sub channels.

Part of protecting pub/sub channels requires changing the default access from permissive to restrictive, which blocks all pub/sub channels unless specifically permitted by an ACL rule. To allow this transition across all databases in the cluster, Redis Enterprise Software 6.4.2 provides a new configuration option acl-pubsub-default that sets the cluster-wide default for all channels to either permitted or restricted.

The 6.4.2 installation-provided value of acl-pubsub-default is permissive (allchannels) to comply with earlier Redis versions. After you upgrade all databases in the cluster to Redis DB version 6.2 (or later in future versions), you can use rladmin or the REST API to change the value to restrictive (resetchannels).

To allow certain users to access specific pub/sub channels, define the appropriate ACL. Redis Enterprise Software 6.4.2 enhances the admin console (UI), CLI, and REST API to support pub/sub channel ACL definitions.

If you use ACLs and pub/sub channels, we recommend you review your databases and ACL settings and plan to change your cluster to restricted mode. This will help you prepare for future Redis Enterprise Software releases that use restrictive resetchannels as the new default for acl-pubsub-default.

Redis modules

Redis Enterprise Software v6.4.2 includes the following Redis modules:

See Upgrade modules to learn how to upgrade a module for a database.

Installations, upgrades, and troubleshooting

  • Added the ability for install.sh to run even if “upgrade mode” is already enabled to allow reruns in case of a previous run failure (RS77319)

  • Added log messages to the redis_mgr process (RS77891), the job_scheduler process (RS82673), and the install.sh script (RS82673)

  • Improved rladmin error messages for certificate validation (RS79933)

  • Added internode encryption ports to command-line utility rlcheck validation (RS68965)

  • Added an alert to notify when a node operation (such as maintenance mode) failed, aborted, or was canceled. The alert is enabled by default (RS76089)

Version changes

Breaking changes

  • REST API: the authorized_names field of the BDB object is deprecated. Use the new authorized_subjects field instead.

New default Redis DB version

Both Redis Enterprise Software versions 6.2.x and 6.4.x package two Redis DB versions: Redis DB 6.0 and Redis DB 6.2. Until now, the default Redis DB version for creating new databases and upgrading existing databases was 6.0 (enforced by the redis_upgrade_policy parameter).

To allow customers more flexibility in future upgrades, starting with Redis Enterprise Software 6.4.2, the default Redis DB version for new and upgraded databases is now 6.2 for all upgrade policies (redis_upgrade_policy=major and redis_upgrade_policy=latest).

Redis
Enterprise		 Bundled Redis
DB versions		 Default DB version
(upgraded/new databases)
6.2.x 6.0, 6.2 6.0
6.4.2 6.0, 6.2 6.2

You can override the default version with rladmin; however, we recommend that you don't change this setting.

Deprecations

Ubuntu 16.04

Ubuntu 16 support is considered deprecated and will be removed in a future release. Ubuntu 16.04 LTS (Xenial) has reached the end of its free initial five-year security maintenance period as of April 30, 2021.

Active-Active database persistence

The snapshot option for Active-Active database persistence is deprecated. We advise customers running Active-Active databases, configured with snapshot data persistence, to reconfigure their data persistence mode to use the AOF (Append Only File) option with the following command:

crdb-cli crdb update --crdb-guid <CRDB_GUID> \
    --default-db-config '{"data_persistence": "aof", "aof_policy":"appendfsync-every-sec"}'

TLS 1.0 and TLS 1.1

TLS 1.0 and TLS 1.1 connections are considered deprecated in favor of TLS 1.2 or later. Please verify that all clients, apps, and connections support TLS 1.2. Support for the earlier protocols will be removed in a future release. Certain operating systems, such as RHEL 8, have already removed support for the earlier protocols. Redis Enterprise Software cannot support connection protocols that are not supported by the underlying operating system.

3DES encryption cipher

The 3DES encryption cipher is considered deprecated in favor of stronger ciphers like AES. Please verify that all clients, apps, and connections support the AES cipher. Support for 3DES will be removed in a future release. Certain operating systems, such as RHEL 8, have already removed support for 3DES. Redis Enterprise Software cannot support cipher suites that are not supported by the underlying operating system.

Resolved issues

  • RS72866 - Improved performance for client connections which use TLS

  • RS78241 - Fixed shard placement to always respect rack-zone restrictions and avoid a state where a primary (master) and replica are on the same rack, even if temporarily

  • RS78144 - Removed the dependency on system-wide ldconfig so non-interactive processes will use their own dynamic libraries without impacting external services

  • RS78028 - Fixed race condition during rolling upgrade that might result in shards repeatedly restarting

  • RS77964 - Fixed module deletion to remove the old directory with the module

  • RS75259 - Fixed node to prevent using plain text communication instead of TLS after losing connectivity

  • RS69616 - Fixed validation for internode communication ports

  • RS83535 - Fixed sentinel_service to start on RHEL 8 with DISA STIG profile

  • RS87191 - Fixed a cross slot error when using Auto Tiering with Replica Of, in case a key on the source database swapped from RAM to flash and expired while it was also part of Lua script execution

Known limitations

Feature limitations

  • RS101204 - High memory consumption caused by the persistence_mgr service when AOF persistence is configured for every second. Monitor RAM usage of the process. In case of high usage, the temporary workaround is to restart the service by running supervisorctl restart persistence_mgr. A permanent fix is to install or upgrade to the 6.4.2 June maintenance release.

Upgrade limitations

Before you upgrade a cluster that hosts Active-Active databases with modules to v6.4.2-30, perform the following steps:

  1. Use crdb-cli to verify that the modules (modules) and their versions (in module_list) are as they appear in the database configuration and in the default database configuration:

    crdb-cli crdb get --crdb-guid <crdb-guid>

  2. From the admin console's redis modules tab, validate that these modules with their specific versions are loaded to the cluster.

  3. If one or more of the modules/versions are missing or if you need help, contact Redis support before taking additional steps.

This limitation has been fixed and resolved as of v6.4.2-43.

Operating system limitations

RHEL 7 and RHEL 8

If you have a custom installation with a non-default $installdir and use Active-Active or Auto Tiering features, failures might occur when you upgrade. This issue will be fixed in a future maintenance release.

RHEL 8

Due to module binary differences between RHEL 7 and RHEL 8, you cannot upgrade RHEL 7 clusters to RHEL 8 when they host databases using modules. Instead, you need to create a new cluster on RHEL 8 and then migrate existing data from your RHEL 7 cluster. This does not apply to clusters that do not use modules.

Security

Open source Redis security fixes compatibility

As part of Redis's commitment to security, Redis Enterprise Software implements the latest security fixes available with open source Redis. The following open source Redis CVEs do not affect Redis Enterprise:

  • CVE-2021-32625 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis since Redis Enterprise does not implement LCS. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.4, Redis 6.0.14)

  • CVE-2021-32672 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the LUA debugger is unsupported in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

  • CVE-2021-32675 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proxy in Redis Enterprise does not forward unauthenticated requests. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

  • CVE-2021-32762 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the memory allocator used in Redis Enterprise is not vulnerable. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

  • CVE-2021-41099 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proto-max-bulk-len CONFIG is blocked in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)

Redis Enterprise has already included the fixes for the relevant CVEs. Some CVEs announced for open source Redis do not affect Redis Enterprise due to different and additional functionality available in Redis Enterprise that is not available in open source Redis.

RATE THIS PAGE
Back to top ↑