Role-based access control allows you to scale your Redis deployments while minimizing the overhead involved in managing a cluster with many databases, multiple users, and various access control lists. With RBAC, you can create a role once and then deploy it across multiple databases in the cluster with ease.

Roles may be configured using standard or custom templates for database permissions that are based on the Redis ACL syntax. Redis Enterprise allows you to restrict database operations by command, command category, and key pattern. Keys are typically restricted to a namespace by prefix, using a glob-style pattern.

The role CacheReader demonstrated below has been given the ACL rule “+get ~cache:*”. Users in this role can only access keys prefixed with “cache:”, and only with the get command. This allows them to read the key cache:foo with get, but does not give them access to the set command on that key. This role also cannot access the key ‘foo’, because it is not prefixed with ‘cache:’.


To learn more about Redis command and key restrictions, see the Redis documentation.

Redis ACL command syntax

Redis ACLs are defined using the Redis ACL syntax, in which you specify the commands or command categories that are allowed, and the keys or key patterns they may be used on.

Note:
Redis Enterprise Modules are not currently assigned a command category.

Redis Enterprise allows you to:

  1. Include commands and categories with the “+” prefix for commands or the “+@” prefix for command categories
  2. Exclude commands and categories with the “-” prefix for commands or the “-@” prefix for command categories
  3. Include keys or key patterns with the “~” prefix

To define database access control, you can:

  1. Use the predefined user roles and add Redis ACLs for specific databases.
  2. Create new user roles and select the management roles and Redis ACLs that apply to the user roles for specific databases.
  3. Assign roles and Redis ACLs to a database in the access control list section of the database configuration.

The predefined Redis ACLs are:

  • Full Access - All commands are allowed on all keys.
  • Not Dangerous - All commands are allowed except those that are administrative, could affect availability, or could affect performance.
  • Read Only - Only read-only commands are allowed on keys.

Configuring Redis ACLs

To configure a Redis ACL rule that you can assign to a user role:

  1. In access control > redis acls:

    • Edit an existing Redis ACL - Hover over a Redis ACL and click Edit.
    • Create a new Redis ACL - Click Add.
  2. Enter a descriptive name for the Redis ACL. This name is used to reference the ACL rule when you assign it to a role.

  3. Define the ACL rule.

  4. Click Save.

Note:
In Redis Enterprise:
- The following ACL subcommands are blocked: LOAD, SAVE, SETUSER, DELUSER, GENPASS, LOG
- The following ACL subcommands are allowed: LIST, USER, GETUSER, CAT, WHOAMI, HELP
- The MULTI, EXEC, DISCARD commands are always allowed, but ACLs are still enforced on each command queued inside the MULTI block.
- External users are not currently supported for database authentication.
- For multi-key commands whose keys span multiple slots, if the ACL denies some of the keys the command returns a failure, but it still runs on the keys that are allowed.
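The rule semantics described above (command, category and key-pattern prefixes, the predefined ACLs, and the note that MULTI/EXEC/DISCARD are always allowed while queued commands are still checked) can be exercised offline with a small evaluator. This is an added example, not Redis Enterprise code or the real Redis ACL engine: the command category table is an illustrative subset, the rule strings given for the predefined ACLs (Full Access, Not Dangerous, Read Only) are assumed for illustration, and rules are applied strictly left to right.

```python
"""Minimal evaluator for Redis ACL rule strings of the forms +cmd, -cmd, +@cat, -@cat, ~pattern.
Added example; it models the rule semantics only and is not Redis Enterprise code."""
import fnmatch

# Assumption: an illustrative subset of the real Redis command categories.
CATEGORIES = {
    "read": {"get", "mget", "exists", "hget", "lrange", "scan"},
    "write": {"set", "del", "hset", "lpush", "flushall", "flushdb"},
    "dangerous": {"flushall", "flushdb", "keys", "debug", "shutdown", "config"},
    "admin": {"config", "debug", "shutdown"},
}
CATEGORIES["all"] = set().union(*CATEGORIES.values()) | {"ping"}

# Assumption: rule strings for the predefined Redis Enterprise ACLs, used here for illustration.
PREDEFINED_ACLS = {
    "Full Access": "+@all ~*",
    "Not Dangerous": "+@all -@dangerous ~*",
    "Read Only": "-@all +@read ~*",
}

# Always allowed in Redis Enterprise; the commands queued between MULTI and EXEC are still checked.
ALWAYS_ALLOWED = {"multi", "exec", "discard"}


class RedisAclRule:
    """Parses one ACL rule string; rules are applied in order, later tokens override earlier ones."""

    def __init__(self, rule: str):
        self.allowed_commands: set[str] = set()
        self.key_patterns: list[str] = []
        for tok in rule.split():
            if tok.startswith("+@"):
                self.allowed_commands |= self._category(tok[2:])
            elif tok.startswith("-@"):
                self.allowed_commands -= self._category(tok[2:])
            elif tok.startswith("+"):
                self.allowed_commands.add(tok[1:].lower())
            elif tok.startswith("-"):
                self.allowed_commands.discard(tok[1:].lower())
            elif tok.startswith("~"):
                self.key_patterns.append(tok[1:])
            else:
                raise ValueError(f"unsupported ACL token: {tok!r}")

    @staticmethod
    def _category(name: str) -> set[str]:
        try:
            return set(CATEGORIES[name.lower()])
        except KeyError:
            raise ValueError(f"unknown command category: @{name}") from None

    def key_allowed(self, key: str) -> bool:
        # Redis key patterns are glob-style; fnmatchcase covers '*', '?' and '[...]' for this example.
        return any(fnmatch.fnmatchcase(key, pat) for pat in self.key_patterns)

    def permits(self, command: str, *keys: str) -> bool:
        """True if the command is allowed on every key argument given (pass key arguments only)."""
        cmd = command.lower()
        if cmd in ALWAYS_ALLOWED:
            return True
        if cmd not in self.allowed_commands:
            return False
        # A multi-key command is denied if any of its keys falls outside the allowed patterns.
        return all(self.key_allowed(k) for k in keys)


def check_transaction(rule: RedisAclRule, commands: list[tuple[str, ...]]) -> list[bool]:
    """Per-command decisions for a MULTI block: each tuple is (command, key, key, ...)."""
    return [rule.permits(cmd[0], *cmd[1:]) for cmd in commands]


if __name__ == "__main__":
    cache_reader = RedisAclRule("+get ~cache:*")          # the CacheReader role from the text
    print(cache_reader.permits("GET", "cache:foo"))        # True
    print(cache_reader.permits("SET", "cache:foo"))        # False: set is not granted
    print(cache_reader.permits("GET", "foo"))              # False: key outside the namespace
    print(RedisAclRule(PREDEFINED_ACLS["Not Dangerous"]).permits("FLUSHALL"))  # False
```

Run it as a script to see the CacheReader decisions, or import it and build rules from your own ACL strings. The point worth checking in your own environment is the multi-key case: `MGET cache:a foo` is denied here because one key is outside the pattern, which matches the "return value is failure" note above; the partial execution on allowed keys is a Redis Enterprise behaviour this model does not reproduce.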

Configuring roles and users

In access control > roles, you can configure user roles with:

  • Management roles - Management roles define user access to the UI and API of the cluster
  • Data access controls - Data access controls define the permissions each role has to each database in the cluster.

Defining roles for database access

To create a user role for users who should not be able to connect to the Redis Enterprise control plane (the cluster UI and API), assign the “None” management role to the user role.

Note:
We recommend that you set the management role to None for any role used for database access.

To define a role for database access:

  1. In access control > roles:

    • Edit an existing role - Hover over a role and click Edit.
    • Create a new role - Click Add.
  2. Enter a descriptive name for the role. This will be used to reference the role when configuring users.

  3. Select a Cluster management role. By default this is set to “None”.

  4. Select Add under Redis ACLs.

  5. Select the databases the role applies to

  6. Select the Redis ACL to apply to the role

  7. Select the save icon

  8. Select save

Adding Users

To add a user to the cluster:

  1. Go to the access control tab
  2. Click Add
  3. Enter the name, email and password of the new user and select the role to assign to the user.
  4. Select the internal user type
  5. For email alerts, click “Edit” and select the alerts that the user should receive. You can select:
    • Receive alerts for databases - The alerts that are enabled for the selected databases will be sent to the user. You can either select “All databases”, or you can select “Customize” and select the individual databases to send alerts for.
    • Receive cluster alerts - The alerts that are enabled for the cluster in settings > alerts are sent to the user.
  6. Select the save icon.

Disabling the default user

When you provision a database, the default user is enabled. This allows for backwards compatibility with clients written for versions of Redis before Redis 6, which do not authenticate with a username.

To disable the default user:

  1. Select the configuration tab.
  2. Find the Default database access setting.
  3. Deselect the checkbox.

Note:
We recommend that you disable the default user when using ACLs with your database and backwards compatibility is not required.


Users, Roles and Redis ACLs on Active-Active databases

Users, Roles and Redis ACLs are cluster-level entities. They are therefore applied per local participating cluster and per Active-Active database instance, and they are not replicated or propagated to the other participating clusters and instances. ACLs are enforced by the instance the client is connected to; once an operation has been accepted there, the Active-Active replication mechanism propagates all of its effects to the other participating clusters, regardless of the ACLs configured on those clusters.