The requirepass setting in Redis serves as a compatibility layer for the new ACL system starting from Redis 6. Relying on requirepass alone may lead to insufficient security as it only sets a password for the default user, while clients still authenticate using AUTH commands.
Describe the solution you'd like
Recommend the use of ACLs for user authentication instead of solely relying on the requirepass setting.
Required changes
Emphasize the use of ACLs for managing user authentication and permissions, minimizing reliance on the requirepass setting.
Additional context
The new Redis documentation highlights that starting from version 6, users are initialized with restrictive permissions by default. Transitioning to an ACL-based approach allows for better management of user permissions and enhances overall security.
Additional information
redis.conf
# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
# layer on top of the new ACL system. The option effect will be just setting
# the password for the default user. Clients will still authenticate using
# AUTH <password> as usually, or more explicitly with AUTH default <password>
# if they follow the new protocol: both will work.
#
# The requirepass is not compatible with aclfile option and the ACL LOAD
# command, these will cause requirepass to be ignored.
#
# requirepass foobared
# New users are initialized with restrictive permissions by default, via the
# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
# is possible to manage access to Pub/Sub channels with ACL rules as well. The
# default Pub/Sub channels permission if new users is controlled by the
# acl-pubsub-default configuration directive, which accepts one of these values:
#
# allchannels: grants access to all Pub/Sub channels
# resetchannels: revokes access to all Pub/Sub channels
#
# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
#
# acl-pubsub-default resetchannels
Thank you.
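A configuration check along the lines this issue asks for, as an added example that is not part of the original issue or the project's own code: it flags a redis.conf that relies on requirepass alone, or that sets requirepass together with aclfile (which the quoted redis.conf note says causes requirepass to be ignored). The function names, finding codes and sample configurations are assumptions constructed for illustration.

```python
import shlex

# Constructed sample configurations (not taken from any real deployment).
LEGACY = 'bind 127.0.0.1\nrequirepass "constructed-sample-password"\n'
CONFLICT = "requirepass constructed-sample-password\naclfile /etc/redis/users.acl\n"
ACL_BASED = ("user default off\n"
             "user app on >constructed-sample-password ~app:* +@read +@write\n")

# Hypothetical finding codes and their explanations.
MESSAGES = {
    "requirepass-only": "only the default user has a password; every client shares it",
    "requirepass-ignored": "aclfile is set, so requirepass is ignored",
}

def parse_directives(conf_text):
    """Return (name, args) for each active line; comments and blanks are skipped."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # handles quoted values such as requirepass "..."
            directives.append((parts[0].lower(), parts[1:]))
    return directives

def audit_redis_conf(conf_text):
    """Return finding codes for configs that lean on requirepass instead of ACL users."""
    directives = parse_directives(conf_text)
    # An empty value (requirepass "") does not count as a password being set.
    has_requirepass = any(n == "requirepass" and a and a[0] for n, a in directives)
    has_aclfile = any(n == "aclfile" and a for n, a in directives)
    named_users = [a[0] for n, a in directives
                   if n == "user" and a and a[0] != "default"]
    findings = []
    if has_requirepass and has_aclfile:
        findings.append("requirepass-ignored")
    elif has_requirepass and not named_users:
        findings.append("requirepass-only")
    return findings

if __name__ == "__main__":
    for name, conf in [("legacy", LEGACY), ("conflict", CONFLICT), ("acl", ACL_BASED)]:
        codes = audit_redis_conf(conf)
        print(name, [f"{c}: {MESSAGES[c]}" for c in codes] or "no findings")
```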