Configure ACLs to define database permissions
Redis ACLs allow you to define named permissions for specific Redis commands, keys, and pub/sub channels. You can use defined Redis ACLs for multiple databases and roles.
Predefined Redis ACLs
The predefined Redis ACLs are:
- Full Access - All commands are allowed on all keys.
- Not Dangerous - All commands are allowed except those that are administrative, could affect availability, or could affect performance.
- Read Only - Only read-only commands are allowed on keys.
Redis ACL command syntax
Redis ACLs are defined by a Redis syntax where you specify the commands or command categories that are allowed for specific keys.
Redis Enterprise lets you:
- Include commands and categories with the “+” prefix for commands or “+@” prefix for command categories.
- Exclude commands and categories with the “-” prefix for commands or “-@” prefix for command categories.
- Include keys or key patterns with the “~” prefix.
- Allow access to pub/sub channels with the “&” prefix (only supported for databases with Redis version 6.2 and later).
Module commands have several ACL limitations:
- Redis modules do not have command categories.
- Other command category ACLs do not include Redis module commands. +@all is the only exception because it allows all Redis commands.
- You have to include individual module commands in a Redis ACL rule to allow them.
For example, the following Redis ACL rule allows read-only commands and the RediSearch commands FT.INFO and FT.SEARCH:
    +@read +FT.INFO +FT.SEARCH
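The following added example (not Redis Enterprise code) evaluates a rule that allows read-only commands plus FT.INFO and FT.SEARCH, and shows why a category alone does not grant module commands. It assumes tokens are applied left to right as in open source Redis; the category table, the idx:* key prefix, and the function names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed, partial sample of open source Redis command categories.
# A real server reports the full membership with ACL CAT <category>.
CATEGORIES = {
    "read": {"GET", "MGET", "EXISTS", "TTL"},
    "write": {"SET", "DEL", "EXPIRE"},
    "dangerous": {"FLUSHALL", "KEYS", "CONFIG"},
}

def command_allowed(rule, command):
    """Evaluate the +/- tokens left to right; the last matching token wins."""
    command, allowed = command.upper(), False
    for tok in rule.split():
        sign, body = tok[0], tok[1:]
        if sign not in "+-":
            continue  # ~ and & selectors do not grant commands
        if body.startswith("@"):
            cat = body[1:].lower()
            # Module commands (FT.*) belong to no category, so only @all matches them.
            hit = cat == "all" or command in CATEGORIES.get(cat, ())
        else:
            hit = body.upper() == command
        if hit:
            allowed = sign == "+"
    return allowed

def key_allowed(rule, key):
    """True if any ~pattern matches the key (fnmatch approximates Redis globs)."""
    patterns = [tok[1:] for tok in rule.split() if tok.startswith("~")]
    return any(fnmatchcase(key, p) for p in patterns)

def missing_grants(rule, needed):
    """Commands an application needs that the rule does not allow."""
    return sorted(c for c in needed if not command_allowed(rule, c))

# Constructed rules: read-only plus two RediSearch commands, scoped to a
# hypothetical key prefix, and a variant that relies on +@read alone.
PAGE_RULE = "+@read +FT.INFO +FT.SEARCH ~idx:*"
CATEGORY_ONLY = "+@read ~idx:*"
NEEDED = ["GET", "FT.INFO", "FT.SEARCH"]

if __name__ == "__main__":
    print(missing_grants(PAGE_RULE, NEEDED))
    print(missing_grants(CATEGORY_ONLY, NEEDED))
    print(command_allowed("+@all -FLUSHALL", "FLUSHALL"))
    print(key_allowed(PAGE_RULE, "session:42"))
```

Running a check like missing_grants against a draft rule before saving it catches module commands that a category grant silently leaves out.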
Configure Redis ACLs
To configure a Redis ACL rule that you can assign to a user role:
- From access control > redis acls, you can either:
  - Point to a Redis ACL and select to edit an existing Redis ACL.
  - Select to create a new Redis ACL.
- Enter a descriptive name for the Redis ACL. This name is used to reference the ACL rule when you add it to a role.
- Define the ACL rule.
- Select Save.
In Redis Enterprise:
- External users are not currently supported for database authentication.
- For multi-key commands on multi-slot keys, the return value is failure but the command runs on the keys that are allowed.
Change default pub/sub permissions
Pub/sub ACL rules determine which pub/sub channels a user can access.
As of Redis Enterprise version 6.4.2, you can configure acl_pubsub_default, which determines the default pub/sub permissions for all databases in the cluster. You can set acl_pubsub_default to the following values:
- resetchannels is restrictive and blocks access to all channels by default.
- allchannels is permissive and allows access to all channels by default.
Redis Enterprise version 6.4.2 defaults to permissive pub/sub channels for backward compatibility. We recommend you change your cluster’s default pub/sub ACLs to be restrictive.
To make default pub/sub permissions restrictive:
- Upgrade all databases in the cluster to Redis version 6.2 or later.
- Set the default to resetchannels with rladmin or the REST API.
  - Method 1 - rladmin tune cluster:
      rladmin tune cluster acl_pubsub_default resetchannels
  - Method 2 - Update cluster policy REST API request:
      PUT /v1/cluster/policy
      { "acl_pubsub_default": "resetchannels" }
ACL command support
Redis Enterprise Software does not support certain open source Redis ACL commands. Instead, you can manage access controls from the admin console.
Command | Supported |
---|---|
ACL CAT | ✅ Supported |
ACL DELUSER | ❌ Not supported |
ACL GENPASS | ❌ Not supported |
ACL GETUSER | ✅ Supported |
ACL HELP | ✅ Supported |
ACL LIST | ✅ Supported |
ACL LOAD | ❌ Not supported |
ACL LOG | ❌ Not supported |
ACL SAVE | ❌ Not supported |
ACL SETUSER | ❌ Not supported |
ACL USERS | ✅ Supported |
ACL WHOAMI | ✅ Supported |
MULTI, EXEC, DISCARD commands are always allowed, but ACLs are enforced on MULTI subcommands.
Next steps
- Create or edit a role and add Redis ACLs to it.