diff --git a/content/contribution-guide.md b/content/contribution-guide.md index 950e5bc39d7..6219bbf47f3 100644 --- a/content/contribution-guide.md +++ b/content/contribution-guide.md @@ -114,7 +114,7 @@ and the concepts must explain any background information that is needed to know 1. To create service accounts, on each participating cluster: - 1. In your web browser, open the web UI of the cluster that you want to connect to in order to create the CRDB. + 1. In your web browser, open the admin console of the cluster that you want to connect to in order to create the CRDB. By default, the address is: `https://:8443` 1. Go to **settings > team** and click ![Add](/images/rs/icon_add.png#no-click "Add"). 1. Enter the name, email, and password for the user, select the **Admin** role, diff --git a/content/embeds/backup-locations.md b/content/embeds/backup-locations.md index cb7c0fb7a15..39ba9e62b7b 100644 --- a/content/embeds/backup-locations.md +++ b/content/embeds/backup-locations.md @@ -110,6 +110,6 @@ You can find the client and key details in your service account in the GCP conso - Make sure that the service account has the `Storage Legacy Bucket Writer` permission on the target bucket. - Make sure that the bucket doesn't use a retention policy because it can interfere with the process. - The format of the private key from the downloaded JSON is in a single string where new lines are marked with `\n` characters. - When you paste the key into the RS web UI, replace each `\n` character with a new line. + When you paste the key into the RS admin console, replace each `\n` character with a new line. {{< /note >}} diff --git a/content/embeds/create-db.md b/content/embeds/create-db.md index 9e670bb190f..8f6ed2e3bc8 100644 --- a/content/embeds/create-db.md +++ b/content/embeds/create-db.md 
@@ -1,4 +1,4 @@ -1. In your web browser, open the web UI of the cluster that you want to connect to in order to create the { { < field "db_type" > } }. +1. In your web browser, open the admin console of the cluster that you want to connect to in order to create the { { < field "db_type" > } }. diff --git a/content/modules/add-module-to-cluster.md b/content/modules/add-module-to-cluster.md index 96aa43b2891..61496ac77ab 100644 --- a/content/modules/add-module-to-cluster.md +++ b/content/modules/add-module-to-cluster.md @@ -77,7 +77,7 @@ You can also use the `/v1/modules` endpoint, but modules with dependencies are b To add a module package to the cluster using the admin console: -1. In the Redis Enterprise web UI, go to the: **settings** +1. In the Redis Enterprise admin console, go to the: **settings** 1. In **redis modules**, click **Add Module**. ![upgrade_module](/images/rs/upgrade_module.png) diff --git a/content/modules/packaging-modules.md b/content/modules/packaging-modules.md index 411708fb034..7046d6054c8 100644 --- a/content/modules/packaging-modules.md +++ b/content/modules/packaging-modules.md @@ -26,7 +26,7 @@ require six steps: 1. Compile the module 1. Install ramp-packer utility 1. Wrap the custom module using ramp utility -1. Deploy the custom module to the cluster using the web UI +1. Deploy the custom module to the cluster using the admin console 1. Create a database that utilizes the module ### Get the module from GitHub diff --git a/content/modules/redisearch/redisearch-2-upgrade.md b/content/modules/redisearch/redisearch-2-upgrade.md index 559246f08cb..5bce810773d 100644 --- a/content/modules/redisearch/redisearch-2-upgrade.md +++ b/content/modules/redisearch/redisearch-2-upgrade.md 
@@ -41,10 +41,10 @@ Make sure that you have Python 3 (`sudo apt install python3`) installed on the h To replicate a RediSearch 1.x database to a RediSearch 2.x database: -1. Log in to the web UI of the RS cluster that you want to host the new database with RediSearch 2.x. +1. Log in to the admin console of the RS cluster that you want to host the new database with RediSearch 2.x. 1. Add the RediSearch 2.x module to the cluster: 1. Go to the [Redis Labs Download Center](https://redislabs.com/download-center/modules/) and download the RediSearch 2.x module package. - 1. In the Redis Enterprise web UI, go to the: **settings** + 1. In the Redis Enterprise admin console, go to the: **settings** 1. In **redis modules**, click **Add Module**. ![upgrade_module](/images/rs/upgrade_module.png) @@ -69,8 +69,8 @@ To replicate a RediSearch 1.x database to a RediSearch 2.x database: Where: - - `destination url` - The replication URL of the RediSearch 2.x database that you see when you click on **Get Replica of source URL** in the database configuration in the web UI. - - `source url` - The replication URL of the RediSearch 1.x database that you see when you click on **Get Replica of source URL** in the database configuration in the web UI. + - `destination url` - The replication URL of the RediSearch 2.x database that you see when you click on **Get Replica of source URL** in the database configuration in the admin console. + - `source url` - The replication URL of the RediSearch 1.x database that you see when you click on **Get Replica of source URL** in the database configuration in the admin console. - `--add-prefix ` (optional) - Adds a prefix to all of the hashes that are replicated to the new database. {{< note >}} diff --git a/content/platforms/faqs/_index.md b/content/platforms/faqs/_index.md index 1c78f5e73cf..b5fb81ffb14 100644 --- a/content/platforms/faqs/_index.md +++ b/content/platforms/faqs/_index.md 
@@ -38,7 +38,7 @@ kubectl describe rec my-cluster-name The cluster admin user password is created by the Operator during the deployment of the Redis Enterprise cluster and is stored in a Kubernetes secret. {{< warning >}} -Do not change the default admin user password in the Redis Enterprise web UI. +Do not change the default admin user password in the Redis Enterprise admin console. Changing the admin password impacts the proper operation of the K8s deployment. {{< /warning >}} @@ -152,7 +152,7 @@ echo "Q2h5N1BBY28=" | base64 –-decode ``` {{< warning >}} -Do not change the default admin user password in the Redis Enterprise web UI. +Do not change the default admin user password in the Redis Enterprise admin console. Changing the admin password impacts the proper operation of the K8s deployment. {{< /warning >}} @@ -165,7 +165,7 @@ Retrieve your password by selecting “Reveal Secret.” ![openshift-password-retrieval]( /images/rs/openshift-password-retrieval.png ) {{< warning >}} -Do not change the default admin user password in the Redis Enterprise web UI. +Do not change the default admin user password in the Redis Enterprise admin console. Changing the admin password impacts the proper operation of the K8s deployment. {{< /warning >}} diff --git a/content/platforms/kubernetes/concepts/db-controller.md b/content/platforms/kubernetes/concepts/db-controller.md index f9b5da4013c..411041356f5 100644 --- a/content/platforms/kubernetes/concepts/db-controller.md +++ b/content/platforms/kubernetes/concepts/db-controller.md @@ -221,7 +221,7 @@ also updated with the generated database password. ### `enforceClientAuthentication` -A boolean that indicates whether [client authentication]({{< relref "/rs/administering/designing-production/security/client-connections.md">}}) should be enforced (default: `true`). +A boolean that indicates whether [client authentication]({{< relref "/rs/security/tls-ssl.md">}}) should be enforced (default: `true`). ### `evictionPolicy` 
@@ -275,7 +275,7 @@ The number of [database shards]({{< relref "/rs/concepts/high-availability/clust ### `tlsMode` -Controls SSL [authentication and encryption]({{< relref "/rs/administering/designing-production/security/tls-configuration.md">}}) for connections to the database. +Controls SSL [authentication and encryption]({{< relref "/rs/security/tls-ssl.md">}}) for connections to the database. | Value | Description | | ----- | ----------- | diff --git a/content/platforms/kubernetes/getting-started/openshift/_index.md b/content/platforms/kubernetes/getting-started/openshift/_index.md index 224d3377474..96a26720aa4 100644 --- a/content/platforms/kubernetes/getting-started/openshift/_index.md +++ b/content/platforms/kubernetes/getting-started/openshift/_index.md @@ -323,7 +323,7 @@ In order to create your database, we will log in to the Redis Enterprise UI. - Retrieve your password by selecting “Reveal Secret.” {{< warning >}} -Do not change the default admin user password in the Redis Enterprise web UI. +Do not change the default admin user password in the Redis Enterprise admin console. Changing the admin password impacts the proper operation of the K8s deployment. {{< /warning >}} diff --git a/content/platforms/kubernetes/getting-started/openshift/openshift-cli.md b/content/platforms/kubernetes/getting-started/openshift/openshift-cli.md index 66fb9386b66..379f7e43a90 100644 --- a/content/platforms/kubernetes/getting-started/openshift/openshift-cli.md +++ b/content/platforms/kubernetes/getting-started/openshift/openshift-cli.md 
@@ -311,14 +311,14 @@ To create your database: Next, create your database. -1. Open a browser window and navigate to the Redis Enterprise web UI at: `localhost:8443` +1. Open a browser window and navigate to the Redis Enterprise admin console at: `localhost:8443` ![getting-started-kubernetes-openshift-image5]( /images/rs/getting-started-kubernetes-openshift-image5.png ) 1. To get your password from the OpenShift management console, go `Resources > Secrets > your_cluster_name`, select your project name, and select **Reveal Secret**. {{< warning >}} -Do not change the default admin user password in the Redis Enterprise web UI. +Do not change the default admin user password in the Redis Enterprise admin console. Changing the admin password can cause unextpected results in your K8s deployment. {{< /warning >}} diff --git a/content/platforms/kubernetes/getting-started/openshift/openshift-operatorhub.md b/content/platforms/kubernetes/getting-started/openshift/openshift-operatorhub.md index 2b40d8fbb18..cbd9aced23c 100644 --- a/content/platforms/kubernetes/getting-started/openshift/openshift-operatorhub.md +++ b/content/platforms/kubernetes/getting-started/openshift/openshift-operatorhub.md @@ -243,7 +243,7 @@ the operator. The generated password is stored in a Kubernetes secret. - The Openshift UI provides tools for creating additional routing options, including external routes. These are covered in [RedHat Openshift documentation](https://docs.openshift.com/container-platform/4.3/dev_guide/routes.html). {{< /note >}} -1. In a browser, go to localhost:8443 to open the Redis Enterprise web UI: +1. In a browser, go to localhost:8443 to open the Redis Enterprise admin console: ![getting-started-kubernetes-openshift-image5]( /images/rs/getting-started-kubernetes-openshift-image5.png ) 
@@ -259,7 +259,7 @@ database. ### Step 3: Inspect your database services -After you create your database in the Redis Enterprise web UI, the operator +After you create your database in the Redis Enterprise admin console, the operator detects the change and creates Kubernetes services that expose the database. The databases are named according to the database name. For example, if you called your database "`test`", kubectl shows these services: diff --git a/content/platforms/kubernetes/getting-started/tanzu/_index.md b/content/platforms/kubernetes/getting-started/tanzu/_index.md index 7820a58d161..ebbc6f89c70 100644 --- a/content/platforms/kubernetes/getting-started/tanzu/_index.md +++ b/content/platforms/kubernetes/getting-started/tanzu/_index.md @@ -400,7 +400,7 @@ In order to create your database, you will log in to the Redis Enterprise UI. dgeil7 ``` -1. There are two primary options for accessing the Web UI: +1. There are two primary options for accessing the admin console: 1. If your PKS cluster has a load balancer service setup with a public IP you have access to or otherwise a routable IP address from your machine: - Determine that IP address: @@ -433,7 +433,7 @@ In order to create your database, you will log in to the Redis Enterprise UI. - Use `localhost` followed by port number 8443 in your browser address bar: `https://localhost:8443` -1. Log in to the Web UI with the username defined in your REC yaml and the password. +1. Log in to the admin console with the username defined in your REC yaml and the password. ![getting-started-kubernetes-openshift-image5]( /images/rs/getting-started-kubernetes-openshift-image5.png ) diff --git a/content/platforms/kubernetes/reference/db-options.md b/content/platforms/kubernetes/reference/db-options.md index 11e0d2653bb..9a737cd3634 100644 --- a/content/platforms/kubernetes/reference/db-options.md +++ b/content/platforms/kubernetes/reference/db-options.md 
@@ -41,7 +41,7 @@ also updated with the generated database password. ### `enforceClientAuthentication` -A boolean that indicates whether [client authentication]({{< relref "/rs/administering/designing-production/security/client-connections.md">}}) should be enforced (default: `true`). +A boolean that indicates whether [client authentication]({{< relref "/rs/security/tls-ssl.md">}}) should be enforced (default: `true`). ### `evictionPolicy` @@ -95,7 +95,7 @@ The number of [database shards]({{< relref "/rs/concepts/high-availability/clust ### `tlsMode` -Controls SSL [authentication and encryption]({{< relref "/rs/administering/designing-production/security/tls-configuration.md">}}) for connections to the database. +Controls SSL [authentication and encryption]({{< relref "/rs/security/tls-ssl.md">}}) for connections to the database. | Value | Description | | ----- | ----------- | diff --git a/content/platforms/pcf/using-pcf.md b/content/platforms/pcf/using-pcf.md index 49afafb6e6c..1ea1ad0346b 100644 --- a/content/platforms/pcf/using-pcf.md +++ b/content/platforms/pcf/using-pcf.md @@ -49,7 +49,7 @@ Available service plans are listed in either: ## Accessing the Redis Enterprise cluster UI -1. Connect to the Redis Enterprise Admin Console by placing the **Cluster Management Console Subdomain** in the host part of the following URL: `https://[Cluster Management Console Subdomain].[System Domain]`. +1. Connect to the Redis Enterprise admin console by placing the **Cluster Management Console Subdomain** in the host part of the following URL: `https://[Cluster Management Console Subdomain].[System Domain]`. For example: `https://console-redis.sys.my-domain.cf-app.com` 
@@ -57,7 +57,7 @@ Available service plans are listed in either: {{< note >}} Do not create or delete databases through the Redis Enterprise Cluster UI. -Use the cf creates/delete/update-service commands or use the Pivotal Apps Manager web UI to create and manage databases through available plans. +Use the cf creates/delete/update-service commands or use the Pivotal Apps Manager admin console to create and manage databases through available plans. {{< /note >}} ## Installing a license key in an existing cluster diff --git a/content/rc/administration/account-team-settings.md b/content/rc/administration/account-team-settings.md index 13ef93437e9..676101c56f4 100644 --- a/content/rc/administration/account-team-settings.md +++ b/content/rc/administration/account-team-settings.md 
@@ -13,3 +13,101 @@ You can also: - Change the account Time Zone - Add a new Relic license key - Configure Multi-Factor Authentication (MFA) + +When you set up [SSL/TLS]({{< relref "/rc/security/database-security/tls-ssl.md" >}}) for your account, +you must enter the downloadable Redis Labs CA Certificate from this page. + +![settings](/images/rc/settings.png) + +## Team management + +To manage the team of people who have access to the account, click on +the "Team" tab and you will be presented with the current list of team +members on this account. + +- To add more team members, click ![Add](/images/rs/icon_add.png#no-click "Add"). +- To edit an existing team member, click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). + +Team members can have different roles to the account: + +- **Owner** - Can view, create, and edit any settings in the account +- **Member** - Can view, create, and edit databases +- **Viewer** - Can view all databases and their configurations (including database secrets) + +### Team management for GCP Marketplace customers + +If you subscribed to Redis Cloud using GCP Marketplace, you can manage your team from the IAM section of the GCP console. +To grant Redis Cloud access to a GCP user, assign one of these roles to the user: + +- **Viewer** - serviceusage.serviceUsageViewer and redisenterprisecloud.viewer +- **Owner** - serviceusage.serviceUsageViewer and redisenterprisecloud.admin + +Users must log in using SSO to Redis Cloud at least once for them to be added to the team. + +## Multi-Factor Authentication (MFA) + +To reduce the chances of unauthorized access to the Redis Cloud admin console, each user can enable MFA to require an authentication code at login. +The account owner can also enable MFA enforcement for all users in the account so that users cannot log in without MFA. 
+ +When MFA is enabled it forces users to enter their username, password, and an authentication code sent to them by text message or generated by an app on their smartphone. MFA authentication requires a phone that can receive text messages. + +### Using MFA for a user account + +Each user can enable and configure MFA for their user account. +The default MFA configuration sends an authentication code by text message that you must enter when you log in. + +To configure MFA for your user account: + +1. Log into your account. +2. In the menu, click on your name. +3. In your user profile, click **Multi-Factor Authentication**. +4. Click **Activate Now** +5. Enter your mobile phone number and enter the confirmation code sent to you by text message. + +Your account is now configured for MFA. +When you log in to the Redis Cloud admin console, you are sent an authentication code by text message that you must enter. + +To change the mobile phone number, click **Configure** for the text message code and enter the new mobile phone number. + +{{< note >}} +We recommend that you also configure MFA for an Authenticator app as a second method of MFA. +If you cannot login to your account because of MFA, contact [Support](https://support.redislabs.com). + +If your mobile phone is lost or stolen, make sure that you update the MFA configuration to prevent unauthorized logins. +{{< /note >}} + +#### Configuring MFA for an authenticator app + +After you configure MFA for text messages, you can also configure MFA to work with a Time-based One-Time Password (TOTP) app such as Google Authenticator. +Then when you log in to the Redis Cloud admin console, you can select to use either an authentication code sent by text message or an authentication code shown in the Authenticator app for MFA. + +To configure MFA for the Authenticator app: + +1. Install the Google Authenticator app on your phone from the Apple Store or Google Play. +1. Add Redis Cloud to the app: + 1. 
In your profile in your Redis Cloud account, click **Multi-Factor Authentication**. + 1. Click **Configure** for the authenticator app. + 1. On your phone, open the Authenticator app. + 1. Press the plus sign and press **Scan a barcode**. + 1. Scan the Redis Cloud barcode. + +When you log in to the Redis Cloud admin console, you can do MFA either with a text message or the Authenticator app. +If you do MFA with the Authenticator app, you must open the Authenticator app and enter the Redis Labs code into the Redis Cloud login. + +#### Deactivating MFA + +You can deactivate MFA for your user account. To deactivate MFA, go to your profile, click **Multi-Factor Authentication**, and click **Deactivate**. + +### Enforcing MFA for all user accounts + +Account owner users can enable MFA enforcement for all users in their account. +After MFA is enforced for the account, all users that do not have MFA enabled are required to configure MFA the next time they log in to the Redis Cloud admin console. + +- When you enable MFA enforcement, users cannot disable MFA for their account. +- When you disable MFA enforcement, users can disable MFA for their account. + +{{< tip >}} +We recommend that you send an email to all the Redis Cloud admin console users to notify them of this change before you enable MFA enforcement. +{{< /tip >}} + +To enable MFA enforcement for all user accounts, the account owner must enable **MFA enforcement** in **Settings** > **Account**. diff --git a/content/rc/administration/setup/create-database.md b/content/rc/administration/setup/create-database.md index 3bdd77fabbe..37f591098af 100644 --- a/content/rc/administration/setup/create-database.md +++ b/content/rc/administration/setup/create-database.md 
@@ -42,7 +42,7 @@ You must configure [VPC Peering]({{< relref "/rc/administration/setup/edit-subsc between the VPC that this database is on and the VPC that the destination database is on. {{< /note >}} - - **Access Control & Security** + - [**Access Control & Security**]({{< relref "/rs/security/tls-ssl.md" >}}) - You can: - Enable the **Default User** for the database. We recommend that you use a complex password between 8 and 128 characters, and with at least one uppercase letter (A-Z), one lowercase letter (a-z), one number (0-9), and one special character. - Specify the **Source IP/Subnet** addresses that your database receives diff --git a/content/rc/api/concepts/metrics.md b/content/rc/api/concepts/metrics.md index 910f6513e46..f5c1ca1e949 100644 --- a/content/rc/api/concepts/metrics.md +++ b/content/rc/api/concepts/metrics.md @@ -7,7 +7,7 @@ categories: ["RC"] draft: true --- Metrics API provides programmatic access to database usage and performance data. -The metrics API shows data that similar to the data that the Redis Cloud Admin Console shows in the database metrics. +The metrics API shows data that similar to the data that the Redis Cloud admin console shows in the database metrics. ## Metric spans and intervals diff --git a/content/rc/api/how-to/create-api-keys-for-your-team.md b/content/rc/api/how-to/create-api-keys-for-your-team.md index edb6f5f2ea3..4479d85499e 100644 --- a/content/rc/api/how-to/create-api-keys-for-your-team.md +++ b/content/rc/api/how-to/create-api-keys-for-your-team.md @@ -1,6 +1,6 @@ --- Title: Creating API Keys -description: How to use the Redis Cloud Admin Console to create and manage API Keys for your Account's team owners +description: How to use the Redis Cloud admin console to create and manage API Keys for your Account's team owners weight: 20 alwaysopen: false categories: ["RC"] diff --git a/content/rc/api/how-to/manage-api-keys.md b/content/rc/api/how-to/manage-api-keys.md index 1f0702f4cf8..50bcf73c148 100644 
--- a/content/rc/api/how-to/manage-api-keys.md +++ b/content/rc/api/how-to/manage-api-keys.md @@ -1,6 +1,6 @@ --- -Title: Managing API Keys -description: Managing API Keys using the Redis Cloud Admin Console +Title: Manage API Keys +description: Managing API Keys using the Redis Cloud admin console weight: 30 alwaysopen: false categories: ["RC"] diff --git a/content/rc/api/how-to/view-auditing-using-system-log.md b/content/rc/api/how-to/view-auditing-using-system-log.md index 0ab0189c3ec..6978bb26309 100644 --- a/content/rc/api/how-to/view-auditing-using-system-log.md +++ b/content/rc/api/how-to/view-auditing-using-system-log.md @@ -8,7 +8,7 @@ aliases: /rv/api/how-to/view-auditing-using-system-log/ --- The Redis Labs system log collects and reports on actions performed on various entities in the account. These entities include the account itself, users, API Keys, subscriptions, databases, accounts, payment methods and more. For each entity, various lifecycle events are logged in the system log. -You can view the system log in the Redis Cloud Admin Console by selecting `Menu` and then `System Log`. This will display the system log entries for the current account. +You can view the system log in the Redis Cloud admin console by selecting `Menu` and then `System Log`. This will display the system log entries for the current account. ![System Logs in the UI](/images/rc/system_log.png) 
@@ -40,7 +40,7 @@ An API System Log request results in data that includes an `entries` array. The - `originator` - The name of the user who performed the action described by the system log entry. - `apiKeyName` - The name of the API key used to perform the action described by the system log entry. This field only appears if the action was performed through the API. - If the operation was performed through the Redis Cloud Admin Console this property is omitted. + If the operation was performed through the Redis Cloud admin console this property is omitted. - `resource` - The name of the entity associated with the logged action (for example, database name). This property is omitted if it is not applicable to the specific log entry. - `type` - The category associated with the action log entry. diff --git a/content/rs/administering/_index.md b/content/rs/administering/_index.md index 64160ae1781..5c451da960e 100644 --- a/content/rs/administering/_index.md +++ b/content/rs/administering/_index.md @@ -8,7 +8,7 @@ categories: ["RS"] This section covers everything you need to know to run your Redis Enterprise Software (RS) deployment. {{< note >}} -In addition to using the RS web UI to manage the cluster, +In addition to using the RS admin console to manage the cluster, you can also do cluster operations with the cluster REST API. To access the cluster REST API documentation, either: diff --git a/content/rs/administering/access-control/_index.md b/content/rs/administering/access-control/_index.md deleted file mode 100644 index 08f953a7458..00000000000 --- a/content/rs/administering/access-control/_index.md +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -Title: User Management -description: -weight: 40 -alwaysopen: false -categories: ["RS"] -aliases: /rs/administering/designing-production/security/account-management/ ---- -You can create Redis Enterprise Software (RS) users and assign them to [roles]({{< relref "user-roles.md" >}}) with permissions for: - -- **Cluster management** - The areas of the cluster web UI and API that a user can access and edit. -- **Database connections** - Commands and keys that an authenticated user can use in database connections. - -You can manage users and roles in **access control** or with the REST API. - -## Adding a user - -To add a user to the cluster: - -1. Go to: **access control** -1. Click ![Add](/images/rs/icon_add.png#no-click "Add"). -1. Enter the name, email and password of the new user and select the [role]({{< relref "user-roles.md" >}}) to assign to the user. -1. Select the type of user: - - internal - Authenticates with RS - - external - Authenticates with an external LDAP server - - {{% expand "How do I create an external user?" %}} -To have a user authenticate with LDAP, you must have [LDAP integration -enabled]({{< relref "/rs/administering/designing-production/security/ldap-integration.md" >}}). -Then, create a user with the user type **external**. - -{{% comment %}} -You can also create an external with the REST API with this syntax: - -```sh -curl -k -L -v -u ":" --location-trusted -H "Content-Type: application/json" -X POST https://:9443/v1/users -d "{"auth_method": "external", "name": "", "role": ""}" -``` - -For the user role, enter either: - -- `db_viewer` - DB viewer -- `db_member` - DB member -- `cluster_viewer` - Cluster viewer -- `cluster_member` - Cluster member -- `admin` - Admin -{{% /comment %}} - {{% /expand %}} - -1. For the email alerts, click **Edit** and select the alerts that the user receives. 
- You can select: - - Receive alerts for databases - The alerts that are enabled for the selected databases are sent to - the user. You can either select all databases, or you can select **Customize** and select the - individual databases to send alerts for. - All databases include existing and future databases. - - Receive cluster alerts - The alerts that are enabled for the cluster in **settings** > **alerts** are sent to the user. - - {{% expand "How do I select email alerts?" %}}{{< video "/images/rs/add-user-email-alerts.mp4" "Select email alerts" >}}{{% /expand %}} - - Then, click **Save**. -1. Click ![Save](/images/rs/icon_save.png#no-click "Save"). - -To edit the name, password, role or email alerts of a user, hover over the user and click ![Edit] -(/images/rs/icon_edit.png#no-click "Edit"). To change a user from internal to external, you must -delete the user and re-add it. - -## User account security - -To make sure your user accounts are secured and not misused, RS supports enforcement of: - -- Password complexity -- Password expiration -- Account lock on failed attempts -- Account inactivity timeout - -To enforce a more advanced password policy that meets your contractual and compliance requirements and your organizational policies, -we recommend that you use [LDAP integration]({{< relref "/rs/administering/designing-production/security/ldap-integration.md" >}}) with an external identity provider, such as Active Directory. - -### Resetting user passwords - -{{< embed-md "reset-password.md" >}} - -### Setting up local password complexity - -RS lets you enforce a password complexity profile that meets most organizational needs. 
-The password complexity profile is defined by: - -- At least 8 characters -- At least one uppercase character -- At least one lowercase character -- At least one number (not first or last character) -- At least one special character (not first or last character) -- Does not contain the User ID or reverse of the User ID -- No more than 3 repeating characters - -{{< note >}} -The password complexity profile applies to when a new user is added or an existing user changes their password. -{{< /note >}} - -To enforce the password complexity profile, run: - -```sh -curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u ":" -d '{"password_complexity":true}' https://:9443/v1/cluster -``` - -### Setting local user password expiration - -RS lets you enforce password expiration to meet your compliance and contractual requirements. -To enforce an expiration of a local user password after a specified number of days, run: - -```sh -curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u ":" -d '{"password_expiration_duration":}' https://:9443/v1/cluster -``` - -To disable password expiration, set the number of days to `0`. - -### Account lock on failed attempts - -To prevent unauthorized access to RS, you can [enforce account lockout]({{< relref "/rs/administering/designing-production/security/login-lockout.md" >}}) -after a specified number of failed login attempts. - -### Session timeout - -When you log in to the Web UI, your account is automatically logged out after 15 minutes of inactivity. - -If you want to change duration of inactivity that causes the timeout: - -- From rladmin, run: `rladmin cluster config cm_session_timeout_minutes ` - -- From the REST API, run: - -```sh -curl --request PUT \ - --url https://localhost:9443/v1/cluster \ - --header 'content-type: application/json' \ - --data '{ - "cm_session_timeout_minutes": -}' -``` 
diff --git a/content/rs/administering/access-control/user-roles.md b/content/rs/administering/access-control/user-roles.md deleted file mode 100644 index ef321ba38a8..00000000000 --- a/content/rs/administering/access-control/user-roles.md +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -Title: Role-Based Access Control -description: -weight: $weight -alwaysopen: false -categories: ["RS"] ---- -Role-Based Access Control (RBAC) lets you scale your Redis deployments while simplifying the complexity of managing a cluster with many databases, users, and access control lists. -With RBAC, you can create a role and apply it to many users to define their access to multiple databases in the cluster. - -In **access control** > **roles**, you can configure Redis Enterprise Software (RS) user roles with: - -- **Management roles** that define user access to the RS web UI and API for the cluster -- **Data access control** with Redis ACLs that define the commands and keys that users can access in database connections - -## Cluster management roles - -Each user role is assigned a management role that defines the access the user with that role has in the RS web UI and API for the cluster. - -The management roles are: - -{{< embed-html "account-role-table.html" >}} - -### Assigning management roles to a user role - -To assign a management role to a user role: - -1. In **access control** > **roles**: - - Edit an existing role - Hover over a role and click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). - - Create a new role - Click ![Add](/images/rs/icon_add.png#no-click "Add"). -1. Select the management role for the user role. -1. Click **Save**. - -### User roles for database connections only - -To create a user role for users that cannot connect to the RS web UI and API, assign the **None** management role to the user role. - -## Database access control - -To control user access to Redis database commands and keys, -you must define Redis ACLs that specify the commands that users can run and keys that the commands can apply to. -Then, in the user role, select the databases that the users can access and Redis ACL that controls user access to those databases. 
- -{{< note >}} - -- Redis ACLs can only be configured in the cluster web UI or API. - In Redis: - - These ACL subcommands are blocked: LOAD, SAVE, SETUSER, DELUSER, GENPASS, LOG - - These ACL subcommands are allowed: LIST, USER, GETUSER, CAT, WHOAMI, HELP -- The MULTI, EXEC, DISCARD commands are always allowed, but ACLs are enforced on MULTI subcommands. -- External users cannot authenticate with databases. -- When you run multi-key commands on multi-slot keys, the return value is `failure` but the command runs on the keys that are allowed. - -{{< /note >}} - -### Redis ACL command syntax - -Redis ACLs are defined by a [Redis syntax](https://redis.io/topics/acl#acl-rules) where you specify the commands or command categories that are allowed for specific keys. -A command category is a predefined, named set of commands that perform a function, for example `read` commands or `dangerous` commands. -You can also define Redis ACLs with module commands for any modules that are loaded on the cluster. -If you run a command on multiple databases including databases where the command is not allowed by ACLs or the command does not exist, -the command succeeds where possible. - -A Redis ACL syntax lets you: - -- Include commands and categories with the `+` or exclude commands and categories with the `-` prefix -- Define categories with the `@` prefix -- Define keys or key patterns with the `~` prefix - -The predefined Redis ACLs are: - -- Full Access (`+@all ~*`) - All commands are allowed for all keys -- Not Dangerous (`+@all -@dangerous ~*`) - All commands except for the "dangerous" command category are allowed for all keys -- Read Only (`+@read ~*`) - Only the "read" command category is allowed for all keys - -To define database access control, you can either: - -- Use the predefined user roles and add to them Redis ACLs for specific databases. -- Create new user roles and select the management roles and Redis ACLs that apply to the user roles for specific databases. 
-- Assign roles and Redis ACLs to a database in the access control list section of the [database configuration]({{< relref "/rs/administering/creating-databases/_index.md" >}}). - -### Configuring Redis ACLs - -To configure a Redis ACL that you can assign to a user role: - -1. In **access control** > **redis acls**: - - Edit an existing Redis ACL - Hover over a Redis ACL and click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). - - Create a new Redis ACL - Click ![Add](/images/rs/icon_add.png#no-click "Add"). -1. Enter a descriptive name for the Redis ACL. -1. Define the ACL command: - - Enter the [ACL syntax](https://redis.io/topics/acl#acl-rules) of the command. - - Click **Need Assistance** to use the form to build the command: - 1. For the commands, select to include or exclude the command or category. - 1. Enter the [ACL syntax](https://redis.io/topics/acl#acl-rules) that defines the commands. - - You can enter multiple definitions of commands or categories. - - All entries in the Commands/Categories column apply to the keys defined in the Keys column. - 1. Enter the [ACL syntax](https://redis.io/topics/acl#acl-rules) that defines the keys. - - You can enter multiple definitions of keys. - 1. Click **Submit**. -1. Click **Save**. - -### Assigning Redis ACLs to a user role - -To assign Redis ACLs to a user role: - -1. In **access control** > **roles**: - - Edit an existing role - Hover over a role and click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). - - Create a new role - Click ![Add](/images/rs/icon_add.png#no-click "Add"). -1. In the Redis ACLs section: - - Edit a Redis ACL assignment - Hover over a Redis ACL assignment and click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). - - Create a Redis ACL assignment - Click ![Add](/images/rs/icon_add.png#no-click "Add"). -1. Select the databases that the Redis ACL applies to. -1. Select the [Redis ACL](#configuring-redis-acls) that define the access to commands and keys. -1. 
Click ![Save](/images/rs/icon_save.png#no-click "Save"). - - You can click ![Add](/images/rs/icon_add.png#no-click "Add") to assign a Redis ACL to another database. - -1. Click **Update**. - -Users that are assigned to the user role can access the databases according to the Redis ACL definitions. diff --git a/content/rs/administering/cluster-operations/license-keys.md b/content/rs/administering/cluster-operations/license-keys.md index b4cdda082da..98b885c737e 100644 --- a/content/rs/administering/cluster-operations/license-keys.md +++ b/content/rs/administering/cluster-operations/license-keys.md @@ -21,7 +21,7 @@ during the trial period. You can see the cluster key either: -- Web UI - Go to: **settings** > **general** +- admin console - Go to: **settings** > **general** The cluster key string is shown. - REST API - GET `https://localhost:9443/v1/license` @@ -41,8 +41,8 @@ After you add a cluster key, you cannot remove the key to return the cluster to You can add a cluster key to the cluster either: -- During cluster setup using the web UI or CLI -- After cluster setup using the web UI - +- During cluster setup using the admin console or CLI +- After cluster setup using the admin console - Go to **settings** > **general**, paste your cluster key into the **cluster key** field, and click the **Save** button. An existing cluster key can be updated at any time provided the new @@ -63,7 +63,7 @@ When the license is expired: - You can do these actions: - - Login to the web UI and view settings and metrics at all resolutions + - Login to the admin console and view settings and metrics at all resolutions for the cluster, nodes and databases - Change cluster settings including license key, security for administrators, and cluster alerts - Failover when a node fails and explicitly migrate shard between nodes 
diff --git a/content/rs/administering/cluster-operations/removing-node.md b/content/rs/administering/cluster-operations/removing-node.md index b4db642ecdd..1f8f051d1bb 100644 --- a/content/rs/administering/cluster-operations/removing-node.md +++ b/content/rs/administering/cluster-operations/removing-node.md @@ -69,7 +69,7 @@ The [DNS records]({{< relref "/rs/installing-upgrading/configuring/cluster-dns/_ ## Removing a node -To remove a node using the web UI: +To remove a node using the admin console: 1. Click **Remove** at the top of the **Node** page for the node to be removed. diff --git a/content/rs/administering/cluster-operations/updating-certificates.md b/content/rs/administering/cluster-operations/updating-certificates.md index 7de281581d5..1b3c98d68cd 100644 --- a/content/rs/administering/cluster-operations/updating-certificates.md +++ b/content/rs/administering/cluster-operations/updating-certificates.md @@ -4,11 +4,12 @@ description: weight: $weight alwaysopen: false categories: ["RS"] +aliases: ["/rs/administering/cluster-operations/updating-certificates"] --- Redis Enterprise Software (RS) uses self-signed certificates out-of-the-box to make sure that the product is secure by default. The self-signed certificates are used to establish encryption-in-transit for the following traffic: -- Management Web UI (CM) - The certificate for connections to the management web UI +- Management admin console (CM) - The certificate for connections to the management admin console - REST API - The certificate for REST API calls - Proxy - The certificate for connections between clients and database endpoints - Syncer - The certificate for Active-Active and Replica Of synchronization between clusters 
@@ -16,8 +17,9 @@ The self-signed certificates are used to establish encryption-in-transit for the These self-signed certificates are generated on the first node of each RS installation and are copied to all other nodes added to the cluster. -When you use the default self-signed certificates, an untrusted connection notification is shown in the web UI. -Depending on the browser you use, you can allow the connection for each session or add an exception to make the site trusted in future sessions. +When you use the default self-signed certificates and you connect to the admin console over a web browser, you'll seen an untrusted connection notification. + +Depending on your browser, you can allow the connection for each session or add an exception to trust the certificate for all future sessions. {{< warning >}} When you update the certificates, the new certificate replaces the same certificates on all nodes in the cluster. @@ -87,7 +89,7 @@ TLS protocols and ciphers define the overall suite of algorithms that clients ar The communications for which you can modify TLS protocols and ciphers are: -- Management path - The TLS configuration for cluster administration using the web UI and API. +- Management path - The TLS configuration for cluster administration using the admin console and API. - Data path - The TLS configuration for the communication between the applications and the databases. - Discovery service (Sentinel) - The TLS configuration for the [discovery service]({{< relref "/rs/concepts/data-access/discovery-service.md" >}}). diff --git a/content/rs/administering/creating-databases/_index.md b/content/rs/administering/creating-databases/_index.md index e4b06e8c6bc..e058069ad9e 100644 --- a/content/rs/administering/creating-databases/_index.md +++ b/content/rs/administering/creating-databases/_index.md 
@@ -28,7 +28,7 @@ For databases with Active-Active replication for geo-distributed locations, To create a new database: -1. In your web browser, open the web UI of the cluster that you want to connect to in order to create the {{< field "db_type" >}}. +1. In your web browser, open the admin console of the cluster that you want to connect to in order to create the {{< field "db_type" >}}. By default, the address is: `https://:8443` 
@@ -107,14 +107,14 @@ If you are creating a Memcached database, enter a username and password for SASL 1. Configure the {{< field "db_type" >}} advanced options that you want for the database: - - **Access Control List** - You can specify the [user roles]({{< relref "/rs/administering/access-control/user-roles.md" >}}) that have access to the database - and the [Redis ACLs]({{< relref "/rs/administering/access-control/user-roles#database-access-control" >}}) that apply to those connections. + - **Access Control List** - You can specify the [user roles]({{< relref "/rs/security/passwords-users-roles.md" >}}) that have access to the database + and the [Redis ACLs]({{< relref "/rs/security/passwords-users-roles.md#database-access-control" >}}) that apply to those connections. To define an access control list: 1. In the Access control list section of the database configuration, click ![Add](/images/rs/icon_add.png#no-click "Add"). - 1. Select the [role]({{< relref "/rs/administering/access-control/user-roles.md" >}}) that you want to have access to the database. - 1. Select the [ACL]({{< relref "/rs/administering/access-control/user-roles#database-access-control" >}}) that you want the role to have in the database. + 1. Select the [role]({{ relref "/rs/security/passwords-users-roles.md" }}) that you want to have access to the database. + 1. Select the [ACL]({{ relref "/rs/security/passwords-users-roles.md#database-access-control" }}) that you want the role to have in the database. 1. Click **Save** to save the ACL. 1. Click **Update** to save the changes to the database. 
@@ -151,7 +151,7 @@ after the database is created. - [**Replica Of**]({{< relref "/rs/administering/creating-databases/create-active-passive.md" >}}) - You can make this database a repository for keys from other databases. - - [**TLS**]({{< relref "/rs/administering/designing-production/security/tls-configuration.md" >}}) - +- [**TLS**]({{< relref "/rs/security/tls-ssl.md" >}}) - You can require TLS encryption and authentication for all communications, TLS encryption and authentication for Replica Of communication only, and TLS authentication for clients. @@ -172,7 +172,7 @@ after the database is created. ## Simple connectivity test Once the database is created, you can find the endpoint and port for the -database in the web UI on the configuration page of each database. It is +database in the admin console on the configuration page of each database. It is listed under the "Endpoint" property There are a few simple ways to check connectivity to your database: diff --git a/content/rs/administering/creating-databases/create-active-active.md b/content/rs/administering/creating-databases/create-active-active.md index 67dcfa32694..f502705f5f8 100644 --- a/content/rs/administering/creating-databases/create-active-active.md +++ b/content/rs/administering/creating-databases/create-active-active.md 
@@ -32,7 +32,7 @@ Every instance of an Active-Active database can receive write operations, and al 1. To create service accounts, on each participating cluster: - 1. In your web browser, open the web UI of the cluster that you want to connect to in order to create the Active-Active database. + 1. In your web browser, open the admin console of the cluster that you want to connect to in order to create the Active-Active database. By default, the address is: `https://:8443` 1. Go to **settings > team** and click ![Add](/images/rs/icon_add.png#no-click "Add"). 1. Enter the name, email, and password for the user, select the **Admin** role, and click ![Save](/images/rs/icon_save.png#no-click "Save"). @@ -46,7 +46,7 @@ Every instance of an Active-Active database can receive write operations, and al telnet 9443 ``` -1. In your web browser, open the web UI of the cluster that you want to connect to in order to create the Active-Active database. +1. In your web browser, open the admin console of the cluster that you want to connect to in order to create the Active-Active database. By default, the address is: `https://:8443` 1. In **databases**, click ![Add](/images/rs/icon_add.png#no-click "Add"). 
@@ -86,15 +86,15 @@ Every instance of an Active-Active database can receive write operations, and al 1. Configure the {{< field "db_type" >}} advanced options that you want for the database: - - **Access Control List** - You can specify the [user roles]({{< relref "/rs/administering/access-control/user-roles.md" >}}) that have access to the database - and the [Redis ACLs]({{< relref "/rs/administering/access-control/user-roles#database-access-control" >}}) that apply to those connections. + - **Access Control List** - You can specify the [user roles]({{< relref "/rs/security/passwords-users-roles.md" >}}) that have access to the database + and the [Redis ACLs]({{< relref "/rs/security/passwords-users-roles.md#database-access-control" >}}) that apply to those connections. You can only configure access control after the Active-Active database is created. To define an access control list: 1. In the Access control list section of the database configuration, click ![Add](/images/rs/icon_add.png#no-click "Add"). - 1. Select the [roles]({{< relref "/rs/administering/access-control/user-roles.md" >}}) that you want to have access to the database. - 1. Select the [ACL]({{< relref "/rs/administering/access-control/user-roles#database-access-control" >}}) that you want the role to have in the database. + 1. Select the [role]({{ relref "/rs/security/passwords-users-roles.md" }}) that you want to have access to the database. + 1. Select the [ACL]({{ relref "/rs/security/passwords-users-roles.md#database-access-control" }}) that you want the role to have in the database. 1. Click **Save** to save the ACL. 1. Click **Update** to save the changes to the database. diff --git a/content/rs/administering/creating-databases/create-active-passive.md b/content/rs/administering/creating-databases/create-active-passive.md index 692d195bf2e..76aeb63726e 100644 --- a/content/rs/administering/creating-databases/create-active-passive.md 
+++ b/content/rs/administering/creating-databases/create-active-passive.md @@ -50,7 +50,7 @@ The order of the Replica Of sources has no impact on replication. You can select the database that you want to use as the source. - For a source database in a different RS cluster: - 1. Log in to the Web UI of the cluster that hosts the source database. + 1. Log in to the admin console of the cluster that hosts the source database. 1. In **databases**, click on the database and go to **configuration**. 1. Under **Endpoint**, click on **Get Replica Of source URL**. @@ -103,7 +103,7 @@ To enable TLS for Replica Of in the destination database: ![Encrypt Replica-of](/images/rs/replicaof-unencrypted.png) -1. From the Web UI of the cluster that hosts the source database, +1. From the admin console of the cluster that hosts the source database, go to **settings** > **general** and copy the proxy certificate. 1. Paste it as the **Source Cluster Certificate** for the destination database: diff --git a/content/rs/administering/database-operations/_index.md b/content/rs/administering/database-operations/_index.md index ef343572095..8a4d995a404 100644 --- a/content/rs/administering/database-operations/_index.md +++ b/content/rs/administering/database-operations/_index.md @@ -7,4 +7,9 @@ categories: ["RS"] --- This section contains all you need to know to maintain Redis Enterprise Software (RS) databases. +
    +

    Database Security

    +

    Your data is critical to your business and securing is one of your top priorities. This section shows how you can secure access to your data and secure your data in transit.

    +
+ {{< allchildren style="h2" description="true" />}} diff --git a/content/rs/administering/database-operations/causal-consistency-crdb.md b/content/rs/administering/database-operations/causal-consistency-crdb.md index 605e51cb3d4..cbf6665fa8b 100644 --- a/content/rs/administering/database-operations/causal-consistency-crdb.md +++ b/content/rs/administering/database-operations/causal-consistency-crdb.md @@ -6,7 +6,7 @@ alwaysopen: false categories: ["RS"] --- When you enable Causal Consistency in Active-Active databases, -the order of operations on a specific key are maintained across all Active-Active database instances. +the order of operations on a specific key are maintained across all Active-Active database instances. For instance, if operations A and B were applied on the same key and the effect of A was observed by the instance that initiated B before B was applied to the key, then all instances of an Active-Active databases would observe the effect of A before observing the effect of B. diff --git a/content/rs/administering/database-operations/deleting-database.md b/content/rs/administering/database-operations/deleting-database.md index 2e7442bc71d..3ce5a6bcedd 100644 --- a/content/rs/administering/database-operations/deleting-database.md +++ b/content/rs/administering/database-operations/deleting-database.md @@ -6,6 +6,8 @@ alwaysopen: false categories: ["RS"] aliases: /rs/administering/database-operations/delete-crdb/ --- +When you delete a database, the database configuration and data are deleted. + To delete a database in Redis Enterprise Software: 1. Click the relevant database row in the **Databases** page. The diff --git a/content/rs/administering/database-operations/eviction-policy.md b/content/rs/administering/database-operations/eviction-policy.md index 934bf0ecc26..70ee0e24640 100644 --- a/content/rs/administering/database-operations/eviction-policy.md +++ b/content/rs/administering/database-operations/eviction-policy.md 
@@ -5,7 +5,8 @@ weight: $weight alwaysopen: false categories: ["RS"] --- -The eviction policy defines the methodology that Redis Enterprise Software uses when the database exceeds the memory limit. +The eviction policy defines the methodology that Redis Enterprise Software uses when the database exceeds the memory limit. + The eviction policies are: | **Policy** | **Description** | diff --git a/content/rs/administering/database-operations/memory-limit.md b/content/rs/administering/database-operations/memory-limit.md index 06ba386a05d..e8f2d3d845c 100644 --- a/content/rs/administering/database-operations/memory-limit.md +++ b/content/rs/administering/database-operations/memory-limit.md @@ -10,7 +10,7 @@ database can reach in the cluster, across all database replicas and shards, including: - Slave shards (if database replication is enabled) -- Database shards (if database clustering is enabled) +- Database shards (if database clustering is enabled) If the total size of the database in the cluster reaches the memory limit, the data eviction policy that was defined for the database is diff --git a/content/rs/administering/database-operations/slave-ha.md b/content/rs/administering/database-operations/slave-ha.md index 36bedf64636..5029f4546b0 100644 --- a/content/rs/administering/database-operations/slave-ha.md +++ b/content/rs/administering/database-operations/slave-ha.md 
@@ -8,7 +8,7 @@ categories: ["RS"] When you enable [database replication]({{< relref "/rs/concepts/high-availability/replication.md" >}}) for your database, Redis Enterprise Software replicates your data to a slave node to make sure that your data is highly available. If the slave node fails or if the master node fails and the slave is promoted to master, -the remaining master node is a single point of failure. +the remaining master node is a single point of failure. You can configure high availability for slave shards (slave HA) so that the cluster automatically migrates the slave shards to an available node. An available node is a node that: diff --git a/content/rs/administering/database-operations/updating-configurations.md b/content/rs/administering/database-operations/updating-configurations.md index ef8faa3afc1..59104715978 100644 --- a/content/rs/administering/database-operations/updating-configurations.md +++ b/content/rs/administering/database-operations/updating-configurations.md @@ -5,7 +5,7 @@ weight: $weight alwaysopen: false categories: ["RS"] --- -You can change the configuration of a Redis Enterprise Software (RS) database at any time. +You can change the configuration of a Redis Enterprise Software (RS) database, for example the number of shards or evicton policy, at any time. To edit the configuration of a database: 
@@ -59,15 +59,3 @@ If you must remove offline participating clusters, you can do this with forced r If a participating cluster that was removed forcefully returns attempts to re-join the cluster, it will have an out of date on Active-Active database membership. The joined participating clusters reject updates sent from the removed participating cluster. - -## TLS authentication and encryption - -To prevent unauthorized access to your data, you can configure RS to secure communications with TLS protocol -(the more secure successor to SSL). -When you create Active-Active databases, you can specify TLS in two ways: - -1. [Require TLS for All Communications]({{< relref "/rs/administering/designing-production/security/tls-configuration#configuring-tls-for-replica-of-communication-only-on-the-source-database" >}}) - - This configures the Active-Active database to support TLS for both data access operations performed - on the database as well as inter-cluster Active-Active database communications. -1. [Require TLS for CRDB Communications Only]({{< relref "/rs/administering/designing-production/security/tls-configuration#configuring-tls-for-all-communication-on-the-source-database" >}}) - - This configures the Active-Active database to support TLS for only inter-cluster Active-Active database communications. diff --git a/content/rs/administering/designing-production/networking/using-oss-cluster-api.md b/content/rs/administering/designing-production/networking/using-oss-cluster-api.md index 7aa162abd0b..3965b205f77 100644 --- a/content/rs/administering/designing-production/networking/using-oss-cluster-api.md +++ b/content/rs/administering/designing-production/networking/using-oss-cluster-api.md 
@@ -19,9 +19,9 @@ When you enable the Redis OSS Cluster API from the command line or RS admin cons [multi-key commands]({{< relref "/rc/concepts/clustering#multikey-operations" >}}) are only allowed when all keys are mapped to the same slot. To verify that your database meets this requirement, make sure that the `CLUSTER KEYSLOT` reply is the same for all keys in the [multi-key command]({{< relref "/rs/concepts/high-availability/clustering#multikey-operations" >}}). -## Enabling OSS Cluster API support from the web UI +## Enabling OSS Cluster API support from the admin console -For a Redis Enterprise Software (RS) database, to enable the OSS Cluster API from the Web UI: +For a Redis Enterprise Software (RS) database, to enable the OSS Cluster API from the admin console: 1. Go to: **databases** 1. Either: diff --git a/content/rs/administering/designing-production/security/_index.md b/content/rs/administering/designing-production/security/_index.md deleted file mode 100644 index 92fab7762e8..00000000000 --- a/content/rs/administering/designing-production/security/_index.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -Title: Security -description: -weight: $weight -alwaysopen: false -categories: ["RS"] -aliases: /rs/administering/designing-production/security/ ---- -{{< allchildren style="h2" description="true" />}} diff --git a/content/rs/administering/designing-production/security/client-connections.md b/content/rs/administering/designing-production/security/client-connections.md deleted file mode 100644 index 3aa3a11846d..00000000000 --- a/content/rs/administering/designing-production/security/client-connections.md +++ /dev/null 
@@ -1,204 +0,0 @@ ---- -Title: Securing Redis Client Connections -description: -weight: $weight -alwaysopen: false -categories: ["RS"] -aliases: /rs/administering/security/client-connections/ ---- -If you configure it, Redis Enterprise Software (RS) can -use industry-standard encryption to protect your data in transit between -a Redis client and RS. For this purpose, RS uses transport layer -security (TLS) protocol, which is the more secure successor to SSL. - -To enable TLS you must configure the RS cluster nodes, the database, -and the client, as detailed below. - -### Configuration of the RS nodes - -By default, each cluster node has a different set of self-signed -certificates. These certificates can be [replaced with your own -certificate]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}), -preferably a certificate issued by an intermediate certificate authority (CA). - -### Configuration of the database - -To encrypt the connection to the database endpoint with TLS, enter the -contents the client certificate to the **TLS** field. - -{{< note >}} -Once TLS encryption is enabled for the database endpoint, -the database does not accept unsecured connections. TLS encryption can -significantly impact database throughput and latency. -{{< /note >}} - -### Adding TLS CA signed certificates to the proxy - -#### Background - -1. The proxy is responsible for terminating the TLS connection -1. Server certificate and key are located on - `/etc/opt/redislabs:proxy_cert.pem` - server certificate - `thatproxy_key.pem` - server certificate key\*any update on these - require a proxy restart -1. Enabling of TLS is done via "ssl authentication" field in the - UI. You are required to add a client-side certificate as a TLS - connection is done via client certificate authentication (not just - server side authentication). - -#### Installing CA signed certificates high-level steps - -1. 
[Replace the RS server certificates](https://docs.redislabs.com/latest/rs/administering/cluster-operations/updating-certificates/) and key - on all nodes with the CA signed certificate, and restart the proxy. - - {{< note >}} -A certificate for the database's endpoint should be assigned for the same domain as the cluster name. -For example, for a cluster with the name "redislabs.com" the certificate should be for "*.redislabs.com". - {{< /note >}} - -1. Add the TLS client certificates in the UI including CA - certificates and any intermediate certificates by chaining the - certificate into one file (you can use a cat command to chain the - certs). - -1. On the client side make sure to import and trust the CA and - intermediate certificates (you can chain the CA cert with - intermediate as one file to use and import) - -### Client configuration - -To connect to a database configured with TLS encryption, either use -one of the Redis clients that inherently support SSL encryption, or use -any Redis client and create a secured tunnel between the client machine -and the RS nodes. - -To learn which clients inherently support TLS, refer to this [blog -post](https://redislabs.com/blog/secure-redis-ssl-added-to-redsmin-and-clients). - -To create a secure tunnel between the client machine and the RS nodes, -use tools that enable this functionality, such as -[spiped](http://www.tarsnap.com/spiped.html) or -[stunnel](https://www.stunnel.org/index.html). An example of how to use -stunnel is detailed below. - -{{< note >}} -For security reasons, RS supports only the TLS protocol. -Therefore, make sure that the Redis client or secured tunnel solution you -use supports TLS, preferably TLS v1.2. -{{< /note >}} - -When using self-signed certificates on the cluster nodes, make sure to -copy these certificates to the client machines as well, thereby enabling -the client to validate the cluster nodes. 
- -When using a certificate issued by an intermediate certificate authority -(CA) on the cluster nodes, make sure that the CA root certificate is -installed on the client machines. - -#### Example how to secure client connection with TLS using stunnel - -The instructions below explain how to use stunnel for setting up a -secure tunnel between a client machine and the RS nodes when the client -is running on Ubuntu, using the default RS nodes' self-signed -certificates, and a self-signed certificate on the client machine. - -1. Install stunnel version 5 or higher on the client machine. Older - versions of stunnel do not support the TLS protocol. -1. Create a self-signed certificate on the client machine: - - 1. Generate a private key by running the following commands: - - ```sh - sudo su - openssl genrsa -out /etc/stunnel/keyclient.pem 4096 - ``` - - 1. Generate a client certificate by running the following commands: - - ```sh - openssl req -new -x509 -key /etc/stunnel/keyclient.pem - -out - /etc/stunnel/cert.pem -days 1826 - ``` - - When prompted, enter the appropriate configuration details for the - certificate. - -1. Copy the RS [node certificates]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}) - from all nodes to the client machine. - The certificates are saved in a file named proxy_cert.pem, which is - stored in /etc/opt/redislabs in each node. -1. Rename the certificate files fetched from the RS nodes as - `certsvr.pem`. For example: certsvr1.pem, certsvr2.pem. -1. Create a single file for all of the server certificates on the - client machine, by running the following command from the OS CLI. - For example:`cat /etc/stunnel/certsvr1.pem` - `/etc/stunnel/certsvr2.pem \> /etc/stunnel/servercerts.pem` -1. Configure stunnel for the connection to RS by using the steps below: - 1. Create a redislabs.conf file in `/etc/stunnel` folder. - 1. 
Make sure that the certificates that have been generated exist in - the following folder: `/etc/stunnel`. - 1. Edit the redislabs.conf content to look as follows: - - ```sh - cert = /etc/stunnel/cert.pem - key = /etc/stunnel/keyclient.pem - cafile = /etc/stunnel/servercerts.pem - verify = 2 - delay = yes - output = /tmp/stunnel.log - pid = /tmp/stunnel.pid - client = yes - accept = 127.0.0.1:6379 - connect = - ``` - - Where `database endpoint value` is the database endpoint as can be retrieved from RS. - - {{< note >}} -The value for the accept parameter is the local IP and port -that is used for redirecting the traffic through the secure tunnel -to the database endpoint configured in the connect parameter. - {{< /note >}} - -1. Copy the contents of the client certificate from cert.pem and enter - them in the **SSL Client Authentication** field, in the RS UI, of - the database you would like to secure. When done, be sure to save - the change. -1. Start the stunnel service by running the following command:service - stunnel restart - - {{< note >}} -Any change made to the stunnel configuration requires restarting the stunnel service. - -Check the stunnel log file to verify that the connection is working properly. -The log file is created under the root folder within the configuration mentioned above. - {{< /note >}} - -1. Test the connection to the Redis database from the client machine. - You can use redis-cli to run commands on the client machine, and the - commands are redirected from the local machine's port 6379 to - the RS database endpoint. Note that the connection to the Redis - database is done through the local port; do not try to connect - directly to the database endpoint. - -### TLS version information - -RS fully supports TLS v1.2, but the version of TLS used depends on the -connecting Redis client. If the client supports TLS v1.2, that version -is used. If the client does not support TLS v1.2, you may end up -using an older TLS version against RS. 
Therefore it is considered best -practice to stay current on your client libraries for the most up to -date security. - -To set the minimum TLS version that can be used for encrypting the data -in transit between a Redis client and a Redis Enterprise cluster, use -the REST API or the following rladmin -command: - -```sh -rladmin> cluster config min_data_TLS_version [version, e.g. 1.2] -``` - -Note that if a client supports an older TLS version, the communication -is not be allowed. diff --git a/content/rs/administering/designing-production/security/ldap-integration.md b/content/rs/administering/designing-production/security/ldap-integration.md deleted file mode 100644 index 0912c8e51bc..00000000000 --- a/content/rs/administering/designing-production/security/ldap-integration.md +++ /dev/null 
@@ -1,53 +0,0 @@ ---- -Title: Integrating LDAP Authentication -description: -weight: $weight -alwaysopen: false -categories: ["RS"] -aliases: /rs/administering/designing-production/security/ldap-integration/ ---- -Redis Enterprise Software (RS) can integrate with your identity provider using LDAP authentication. -After you configure the LDAP connection, you can give LDAP users access to the RS web UI according to the permissions that you assign. - -`saslauthd` is the process that handles LDAP authentication requests to RS. - -{{< note >}} -LDAP authentication is not yet supported for Redis ACL Users. -{{< /note >}} - -To configure LDAP authentication for RS web UI users on a running cluster: - -1. Configure `saslauthd` to use LDAP Authentication: - 1. On each node, edit `/etc/default/saslauthd` to change the `MECHANISMS` variable to `MECHANISMS="ldap"`. - 1. On one node, edit the `saslauthd.conf` configuration file in the installation directory (default: `/etc/opt/redislabs/saslauthd.conf`) and enter the values for these fields: - - - `ldap_servers`: the LDAP servers that you authenticate against and the port to use. Port 389 is standard for unencrypted LDAP connections, while port 636 is standard for encrypted LDAP connections (strongly recommended). - - `ldap_tls_cacert_file` (optional): The path to your CA Certificates. This is required for encrypted LDAP connections only. - - `ldap_filter`: The filter used to search for users - - `ldap_bind_dn`: The distinguished name for the user that will be used to authenticate to the LDAP server - - `ldap_password`: The password used for the user specified in `ldap_bind_dn` - - For example: - - ```sh - ldap_servers: ldaps://ldap1.mydomain.com:636 ldaps://ldap2.mydomain.com:636 - ldap_tls_cacert_file: /path/to/your/CARootCert.crt - ldap_search_base: ou=coolUsers,dc=company,dc=com - ldap_filter: (sAMAccountName=%u) - ldap_bind_dn: cn=admin,dc=company,dc=com - ldap_password: secretSquirrel - ``` - -1. 
Import the `saslauthd` configuration into RS with the command: - - ```sh - rladmin cluster config saslauthd_ldap_conf /etc/opt/redislabs/saslauthd.conf - ``` - -1. Restart the `saslauthd` service on each node in the cluster for the changes to take effect: - - ```sh - sudo supervisorctl restart saslauthd - ``` - -1. [Create LDAP users]({{< relref "/rs/administering/access-control#adding-a-user" >}}) as `external` users in the RS web UI. diff --git a/content/rs/administering/designing-production/security/login-lockout.md b/content/rs/administering/designing-production/security/login-lockout.md deleted file mode 100644 index ba1c4e90f2b..00000000000 --- a/content/rs/administering/designing-production/security/login-lockout.md +++ /dev/null 
@@ -1,92 +0,0 @@ ---- -Title: User Login Lockout for Security Compliance -description: -weight: $weight -alwaysopen: false -categories: ["RS"] -aliases: /rs/administering/designing-production/security/rate-limiting/ ---- -To help reduce the risk of a brute force attacks on Redis Enterprise Software (RS), -RS includes user login restrictions. -You can customize the restrictions to align with the security policy of your organization. -Every failed login is shown in the logs. - -{{< note >}} -Customers, such as large organizations, that use LDAP to manage external authentication -must set these restrictions in the LDAP service. -{{< /note >}} - -## User login lockout - -The parameters for the user login lockout are: - -- **Login Lockout Threshold** - The number of failed login attempts allowed before the user account is locked. (Default: 5) -- **Login Lockout Counter Reset** - The amount of time during which failed login attempts are counted. (Default: 15 minutes) -- **Login Lockout Duration** - The amount of time that the user account is locked after excessive failed login attempts. (Default: 30 minutes) - -By default, after 5 failed login attempts within 15 minutes, the user account is locked for 30 minutes. - -You can view the user login restrictions for your cluster with: - -```sh -rladmin info cluster | grep login_lockout -``` - -## Customizing the user lockout parameters - -You can customize the user lockout parameters with from rladmin. - -### Changing the login lockout threshold - -You can set the login lockout threshold with the command: - -```sh -rladmin tune cluster login_lockout_threshold -``` - -If you set the lockout threshold to `0`, -the account is not locked out after failed login attempts, and the cluster settings show: `login_lockout_threshold: disabled` - -For example, to set the lockout threshold to 10 failed login attempts. 
- -```sh -rladmin tune cluster login_lockout_threshold 10 -``` - -### Changing the login lockout counter reset - -You can set the login lockout reset in seconds with the command: - -```sh -rladmin tune cluster login_lockout_counter_reset_after -``` - -For example, to set the lockout reset to 1 hour: - -```sh -rladmin tune cluster login_lockout_counter_reset_after 3600 -``` - -### Changing the login lockout duration - -You can set the login lockout duration in seconds with the command: - -```sh -rladmin tune cluster login_lockout_duration -``` - -If you set the lockout duration to `0`, -the account must be manually unlocked by an administrator, and the cluster settings show: `login_lockout_duration: admin-release` - -For example, to set the lockout duration to 1 hour: - -```sh -rladmin tune cluster login_lockout_duration 3600 -``` - -## Unlocking locked user accounts - -Before the lockout duration ends, -an administrator can change the user password in order to manually unlock the user account. - -{{< embed-md "reset-password.md" >}} diff --git a/content/rs/administering/designing-production/security/tls-configuration.md b/content/rs/administering/designing-production/security/tls-configuration.md deleted file mode 100644 index e126e6213bc..00000000000 --- a/content/rs/administering/designing-production/security/tls-configuration.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -Title: Configuring TLS Authentication and Encryption -description: -weight: $weight -alwaysopen: false -categories: ["RS"] ---- -To prevent unauthorized access to your data, Redis Enterprise Software (RS) databases support the TLS protocol -(the more secure successor to SSL) that includes: - -- Encryption - Makes sure that the traffic can only be read by the sender and - recipient. -- Authentication - The server or client makes sure that it communicates with an - authorized entity. - -When you enable TLS for a database or Active-Active database, encryption is enforced on either all -communications or only communications between clusters, and RS sends its certificate -to clusters and clients for authentication to the database or Active-Active database. You can also -configure a database or Active-Active database to require authentication with a certificate for traffic -received from clusters or clients. - -Related topics: - -- You can use the REST API to [update the server TLS certificates and TLS protocol version]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}). -- To encrypt Replica Of synchronization traffic, you must also [configure encryption for the destination database]({{< relref "/rs/administering/creating-databases/create-active-passive#configuring-tls-for-replica-of-traffic-on-the-destination-database" >}}). - -## Authentication for databases - -When you configure Replica Of for a database, synchronization traffic flows between the -source and destination databases. You can -configure authentication for Replica Of synchronization traffic only, or for all -communications including Replica Of synchronization traffic and data traffic between -the database and the clients. - -You can also specify that authentication is not enforced for traffic received from -clusters or clients. 
- -{{< embed-md "tls-configuration-procedure.md" >}} - -## Authentication for Active-Active databases - -When you create a new Active-Active database, you can configure authentication for Active-Active synchronization -traffic only or for all communications, including Active-Active synchronization traffic and -data traffic between the database and the clients. - -You can also specify that authentication is not enforced for traffic received from -clusters and clients. - -{{< note >}} -You cannot enable or disable TLS after the Active-Active database is created, -but you can change the TLS configuration. -{{< /note >}} - -### Configuring TLS for Active-Active communication only - -To enable TLS for Active-Active communication only for an Active-Active database: - -1. In **databases**, click ![icon_add](/images/rs/icon_add.png#no-click "Add") - to create a new Active-Active database. -1. In **configuration**, at the bottom of the page click **edit**. -1. Enable **TLS**. - -![crdb-tls-config-enable](/images/rs/crdb-tls-config-enable.png "crdb-tls-config-enable") - -Client authentication is enforced and the certificates for the participating clusters -are used automatically. - -### Configuring TLS for Active-Active and client communication - -To enable TLS for Active-Active and client communication for an Active-Active database: - -1. In **databases**, click ![icon_add](/images/rs/icon_add.png#no-click "Add") - to create a new Active-Active database. -1. In **configuration**, at the bottom of the page click **edit**. -1. Enable **TLS**. - - ![crdb-tls-config-enable](/images/rs/crdb-tls-config-enable.png "crdb-tls-config-enable") - -1. After you create the Active-Active database on all participating clusters, on the participating clusters - for which you want to require TLS for all communications, edit the Active-Active database instance and - select **Require TLS for all communications**. 
- - ![crdb-tls-all](/images/rs/crdb-tls-all.png "crdb-tls-all") - - By default, client authentication is enforced so you must enter the certificates - of the clients that connect to the database. The certificates for the participating - clusters are used automatically. - -1. To enter the client certificates: - 1. Copy the entire text of the client certificates. - 1. Click ![icon_add](/images/rs/icon_add.png#no-click "Add") - to open the certificate box. - 1. Paste the text of the certificates in the box. - 1. Click ![icon_save](/images/rs/icon_save.png#no-click "Save") - to save the certificates. - - ![crdb-tls-all-certs](/images/rs/crdb-tls-all-certs.png "crdb-tls-all-certs") - - You can also clear **Enforce client authentication** so that all clusters or clients - can connect to your database without authentication. diff --git a/content/rs/administering/import-export/flush-db-crdb.md b/content/rs/administering/import-export/flush-db-crdb.md index 1d9229a5b6f..2a272dd4bed 100644 --- a/content/rs/administering/import-export/flush-db-crdb.md +++ b/content/rs/administering/import-export/flush-db-crdb.md @@ -36,7 +36,7 @@ When you flush an Active-Active database (formerly known as CRDB), all of the re To flush data from an Active-Active database: -- Web UI +- admin console 1. Go to **database** and select the Active-Active database that you want to flush. 1. Go to **configuration** and click **Flush** at the bottom of the page. diff --git a/content/rs/administering/import-export/importing-data.md b/content/rs/administering/import-export/importing-data.md index a7ba484981a..6266086ccf3 100644 --- a/content/rs/administering/import-export/importing-data.md +++ b/content/rs/administering/import-export/importing-data.md 
@@ -151,9 +151,9 @@ When importing data into an Active-Active database, there are two options: Because Active-Active databases have a numeric counter data type, when you merge the imported data into the existing data RS increments counters by the value that is in the imported data. -The import through the Redis Enterprise web UI handles these data types for you. +The import through the Redis Enterprise admin console handles these data types for you. -You can import data into an Active-Active database [from the web UI]({{< relref "/rs/administering/import-export/importing-data.md" >}}). +You can import data into an Active-Active database [from the admin console]({{< relref "/rs/administering/import-export/importing-data.md" >}}). When you import data into an Active-Active database, there is a special prompt. ![Import into an Active-Active database](/images/rs/import-to-active-active-warning.png) diff --git a/content/rs/administering/logging/_index.md b/content/rs/administering/logging/_index.md index 9b9b82e7db8..9c0bee0e5f3 100644 --- a/content/rs/administering/logging/_index.md +++ b/content/rs/administering/logging/_index.md 
@@ -34,3 +34,26 @@ done, e.g. edited a DB configuration, this is where you could look. - [Redis slow log]({{< relref "/rs/administering/logging/redis-slow-log.md" >}}) - [rsyslog logging]({{< relref "/rs/administering/logging/rsyslog-logging.md" >}}) + +## Viewing logs in the admin console + +Redis Enterprise provides log files for auditing and troubleshooting. You can see these logs in the admin console and on the host operating system. + +To view the audit logs: + +1. Log in to the Redis Enterprise Software admin console. +1. Go to the **Log** tab. +1. Review logs directly in the UI, or export them to CSV using the export button. + +## Viewing logs on the server + +Server logs can be found by default in the directory `/var/opt/redislabs/log/`. + +These log files are used by the Redis Labs support team to troubleshoot issues. The logs you will most frequently interact with is 'event_log.log'. This log file is where logs of configuration actions within Redis are stored and is useful to determine events that occur within Redis Enterprise. + +## Setting log timestamps + +Redis Enterprise allows you to configure log timestamps. To configure log timestamps: + +1. In **Settings** > **General** navigate to the timezone section. +1. Select the timezone for the logs based on your location. diff --git a/content/rs/administering/logging/rsyslog-logging.md b/content/rs/administering/logging/rsyslog-logging.md index 214ed51972b..ba19ac0e0c1 100644 --- a/content/rs/administering/logging/rsyslog-logging.md +++ b/content/rs/administering/logging/rsyslog-logging.md 
@@ -5,9 +5,9 @@ weight: $weight alwaysopen: false categories: ["RS"] --- -This document explains the structure of Redis Enterprise Software (RS) -log entries that go into rsyslog and how to use these log entries to -identify events. +This document explains the structure of Redis Enterprise Software (RS) log entries that go into rsyslog +and how to use these log entries to identify events. +Also, we recommend that you [secure your logs]({{< relref "/rs/security/logging.md" >}}) with a remote logging server and log rotation. ## Logging concepts diff --git a/content/rs/administering/troubleshooting/cluster-recovery.md b/content/rs/administering/troubleshooting/cluster-recovery.md index dbe079d3a66..827539074af 100644 --- a/content/rs/administering/troubleshooting/cluster-recovery.md +++ b/content/rs/administering/troubleshooting/cluster-recovery.md @@ -48,7 +48,7 @@ The cluster recovery process includes: 1. Install [RS]({{< relref "/rs/installing-upgrading/_index.md" >}}) on the new cluster nodes. - Do not configure the cluster nodes (`rladmin cluster create` in the CLI or **Setup** in the Web UI). + Do not configure the cluster nodes (`rladmin cluster create` in the CLI or **Setup** in the admin console). The new servers must have the same basic hardware and software configuration as the original servers, including: diff --git a/content/rs/administering/troubleshooting/disabling-services.md b/content/rs/administering/troubleshooting/disabling-services.md index d8dda55bd5e..88fb953e044 100644 --- a/content/rs/administering/troubleshooting/disabling-services.md +++ b/content/rs/administering/troubleshooting/disabling-services.md 
@@ -18,7 +18,7 @@ The services that you can disable are: - RS Admin Console - `cm_server` - Logs in CSV format - `stats_archiver` - [LDAP -Integration]({{< relref "/rs/administering/designing-production/security/ldap-integration.md" >}}) - `saslauthd` +Integration]({{< relref "/rs/security/admin-console-security/ldap.md" >}}) - `saslauthd` - [Discovery service]({{< relref "/rs/concepts/data-access/discovery-service.md" >}})- `mdns_server`, `pdns_server` - [Active-Active databases]({{< relref "/rs/administering/designing-production/active-active.md" >}}) - `crdb_coordinator`, `crdb_worker` diff --git a/content/rs/concepts/data-access/persistence.md b/content/rs/concepts/data-access/persistence.md index 1ac2dede5af..b9a6bc0af3f 100644 --- a/content/rs/concepts/data-access/persistence.md +++ b/content/rs/concepts/data-access/persistence.md 
@@ -5,48 +5,13 @@ weight: $weight alwaysopen: false categories: ["RS"] --- -All data is stored and managed exclusively in either RAM or RAM + Flash -Memory ([Redis on -Flash]({{< relref "/rs/concepts/memory-architecture/redis-flash.md" >}})) -and therefore, is at risk of being lost upon a process or server -failure. As Redis Enterprise Software is not -just a caching solution, but also a full-fledged database, -[persistence](https://redislabs.com/redis-enterprise/technology/durable-redis-2/) to disk -is critical. Therefore, Redis Enterprise Software supports persisting -data to disk on a per-database basis and in multiple ways. - -There are two options for persistence: - -1. Append Only File (AOF) - A continuous writing of data to disk -1. Snapshot (RDB) - An automatic periodic snapshot writing to disk - -Data persistence, via either mechanism, is used solely to rehydrate the -database if the database process fails for any reason. It is not a -replacement for backups, but something you do in addition to backups. -To disable data persistence, select **None**. - -AOF writes the latest 'write' commands into a file every second, it -resembles a traditional RDBMS's redo log, if you are familiar with that. -This file can later be 'replayed' in order to recover from a crash. - -A snapshot (RDB) on the other hand, is performed every one, six, or twelve -hours. The snapshot is a dump of the data and while there is a potential -of losing up to one hour of data, it is dramatically faster to recover -from a snapshot compared to AOF recovery. - -[Persistence](https://redislabs.com/redis-enterprise/technology/durable-redis-2/) can be -configured either at time of database creation or by editing an existing -database's configuration. While the persistence model can be changed -dynamically, just know that it can take time for your database to switch -from one persistence model to the other. It depends on what you are -switching from and to, but also on the size of your database. 
+All data is stored and managed exclusively in either RAM or RAM + Flash Memory ([Redis on +Flash]({{< relref "/rs/concepts/memory-architecture/redis-flash.md" >}})) and therefore, is at risk of being lost upon a process or server +failure. As Redis Enterprise Software is not just a caching solution, but also a full-fledged database, [persistence](https://redislabs.com/redis-enterprise/technology/durable-redis-2/) to disk +is critical. Therefore, Redis Enterprise Software supports persisting data to disk on a per-database basis and in multiple ways. -{{< note >}} -For performance reasons, if you are going to be using AOF, -it is highly recommended to make sure replication is enabled for that database as well. -When these two features are enabled, persistence is performed on the database slave -and does not impact performance on the master. -{{< /note >}} +[Persistence](https://redislabs.com/redis-enterprise/technology/durable-redis-2/) can be configured either at time of database creation or by editing an existing +database's configuration. While the persistence model can be changed dynamically, just know that it can take time for your database to switch from one persistence model to the other. It depends on what you are switching from and to, but also on the size of your database. ## Options for configuring data persistence 
@@ -61,12 +26,35 @@ There are six options for persistence in Redis Enterprise Software: | Snapshot every 6 hours | A snapshot of the database is created every 6 hours. | | Snapshot every 12 hours | A snapshot of the database is created every 12 hours. | -The first thing you need to do is determine if you even need -persistence. Persistence is used to recover from a catastrophic failure, -so make sure that you need to incur the overhead of persistence before -you select it. If the database is being used as a cache, then you may -not need persistence. If you do need persistence, then you need to -identify which is the best type for your use case. +## Selecting a persistence strategy + +When selecting your persistence strategy, you should take into account your tolerance for data loss and performance needs. There will always be tradeoffs between the two. +The fsync() system call syncs data from file buffers to disk. You can configure how often Redis performs an fsync() to most effectively make tradeoffs between performance and durability for your use case. +Redis supports three fsync policies: every write, every second, and disabled. + +Redis also allows snapshots through RDB files for persistence. Within Redis Enterprise, you can configure both snapshots and fsync policies. + +For any high availibility needs, replication may also be used to further reduce any risk of data loss and is highly reccomended. + +**For use cases where data loss has a high cost:** + +1. Append only file (AOF) - Fsync every everywrite - Redis Enterprise sets the open-source Redis directive appendfsync always. With this policy, Redis will wait for the write and the fsync to complete prior to sending an acknowledgement to the client that the data has written. This introduces the performance overhead of the fsync in addition to the execution of the command. The fsync policy always favors durability over performance and should be used when there is a high cost for data loss. 
+ +**For use cases where data loss is tolerable only limitedly:** + +1. Append only file (AOF) - Fsync every 1 sec - Redis will fsync any newly written data every second. This policy balances performance and durability and should be used when minimal data loss is acceptable in the event of a failure. This is the default Redis policy. This policy could result in between 1 and 2 seconds worth of data loss but on average this will be closer to one second. + +{{< note >}} +For performance reasons, if you are going to be using AOF, it is highly recommended to make sure replication is enabled for that database as well. When these two features are enabled, persistence is +performed on the database slave and does not impact performance on the master. +{{< /note >}} + +**For use cases where data loss is tolerable or recoverable for extended periods of time:** + +1. Snapshot, every 1 hour - Sets a full backup every 1 hour. +1. Snapshot, every 6 hour - Sets a full backup every 6 hours. +1. Snapshot, every 12 hour - Sets a full backup every 12 hours. +1. None - Does not backup or persist data at all. ## Append only file (AOF) vs snapshot (RDB) @@ -81,7 +69,18 @@ two: | Slower time to recover (Larger files) | Faster recovery time | | More disk space required (files tend to grow large and require compaction) | Requires less resource (I/O once every several hours and no compaction required) | -## Data persistence and Redis on Flash +## Configuring persistence for your database + +1. In **databases**, either: + - Click **Add** (+) to create a new database. + - Click on the database that you want to configure and at the bottom of the page click edit. +1. Navigate to Persistence +1. Select your database persistence option +1. Select save or update + +{{< video "/images/rs/persistence.mp4" "Persistence" >}} + +## Data Persistence and Redis on Flash If you are enabling data persistence for databases running on Redis Enterprise Flash, by default both master and slave shards are 
diff --git a/content/rs/concepts/memory-architecture/memory-management.md b/content/rs/concepts/memory-architecture/memory-management.md index 235e6dc5e39..6c18ad1f2ce 100644 --- a/content/rs/concepts/memory-architecture/memory-management.md +++ b/content/rs/concepts/memory-architecture/memory-management.md @@ -41,7 +41,7 @@ You can see the status of the cluster memory with these statistics: This statistic is shown: - rladmin status - Cluster - - web UI metrics - Cluster + - admin console metrics - Cluster - Provisional_RAM - The amount of RAM that is available for provisioning to databases out of the total RAM allocated for databases. Used Provisional_RAM can include memory allocated for replication or other database features. @@ -50,10 +50,10 @@ You can see the status of the cluster memory with these statistics: This statistic is shown in: - rladmin status - Shards - - web UI metrics - Database + - admin console metrics - Database - Memory limit - The maximum amount of memory that the database can use for data. - This statistic is shown in: web UI metrics - Database + This statistic is shown in: admin console metrics - Database - Memory usage - The percent of used memory out of memory limit. - This statistic is shown in: web UI metrics - Database + This statistic is shown in: admin console metrics - Database diff --git a/content/rs/getting-started/getting-started-active-active.md b/content/rs/getting-started/getting-started-active-active.md index a8029f8b151..7a2fc6c1541 100644 --- a/content/rs/getting-started/getting-started-active-active.md +++ b/content/rs/getting-started/getting-started-active-active.md 
@@ -37,7 +37,7 @@ docker run -d --cap-add sys_resource -h rp1_node1 --name rp1_node1 -p 8443:8443 docker run -d --cap-add sys_resource -h rp2_node1 --name rp2_node1 -p 8445:8443 -p 9445:9443 -p 12002:12000 redislabs/redis ``` -The **-p** options map the web UI port (8443), REST API port (9443), and +The **-p** options map the admin console port (8443), REST API port (9443), and database access port differently for each container to make sure that all containers can be accessed from the host OS that is running the containers. diff --git a/content/rs/installing-upgrading/_index.md b/content/rs/installing-upgrading/_index.md index c539c5805ee..5b70dba8e4d 100644 --- a/content/rs/installing-upgrading/_index.md +++ b/content/rs/installing-upgrading/_index.md @@ -65,6 +65,7 @@ Here we walk you through the process for installing the RS installation package Before you install RS, review these notes: +- Make sure that you review the [security considerations]({{< relref "/rs/security/" >}}) for your deployment. - If you want to use Redis on Flash (RoF) for your databases, review the [prerequisites, storage requirements, and other considerations]({{< relref "/rs/concepts/memory-architecture/redis-flash.md" >}}) for RoF databases and prepare and format the flash memory. {{% expand "To prepare and format the flash memory:" %}} Run: diff --git a/content/rs/new-features-redis-enterprise.md b/content/rs/new-features-redis-enterprise.md index 2a1c542ae61..11605dd4d62 100644 --- a/content/rs/new-features-redis-enterprise.md +++ b/content/rs/new-features-redis-enterprise.md 
@@ -74,7 +74,7 @@ As part of our continued emphasis on security, administrative user accounts in Redis Enterprise Software can now use either built-in authentication or authenticate externally via LDAP with saslauthd. The accounts can be used for administering resources on the cluster via -command line, Rest API, or Web UI. +command line, Rest API, or admin console. For more information see [LDAP -Integration]({{< relref "/rs/administering/designing-production/security/ldap-integration.md" >}}). +Integration]({{< relref "/rs/security/passwords-users-roles.md#setting-up-ldap" >}}). diff --git a/content/rs/references/memtier-benchmark.md b/content/rs/references/memtier-benchmark.md index d2eab60a197..841c2c3646b 100644 --- a/content/rs/references/memtier-benchmark.md +++ b/content/rs/references/memtier-benchmark.md @@ -82,7 +82,7 @@ For these tests, the load generation host uses a c4.8xlarge instance type. ### Create a Redis on Flash test database -You can use the RS web UI to create a test database. +You can use the RS admin console to create a test database. We recommend that you use a separate database for each test case with these requirements: | **Parameter** | **With replication** | **Without replication** | **Description** | @@ -129,7 +129,7 @@ $ memtier_benchmark -s $DB_HOST -p $DB_PORT --hide-histogram --key-pattern=P:P --ratio=0:1 ``` -You can see the **Values in RAM** metric on the **metrics** page of your database in the RS web UI to validate the test. +You can see the **Values in RAM** metric on the **metrics** page of your database in the RS admin console to validate the test. ### Without replication 
@@ -147,7 +147,7 @@ $ memtier_benchmark -s $DB_HOST -p $DB_PORT --hide-histogram #### With replication -We recommend that you do a dry run and double check the RAM Hit Ratio on the **metrics** screen in the RS web UI before you write down the test results. +We recommend that you do a dry run and double check the RAM Hit Ratio on the **metrics** screen in the RS admin console before you write down the test results. To test RoF with an 85% RAM Hit Ratio, run: @@ -182,9 +182,9 @@ Where: ### Monitor the test results -You can either monitor the results in the **metrics** tab of the RS Web UI or with the memtier_benchmark output. +You can either monitor the results in the **metrics** tab of the RS admin console or with the memtier_benchmark output. The memtier_benchmark results include the network latency between the load generator instance and the cluster instances. -The metrics shown in the RS web UI do not include network latency. +The metrics shown in the RS admin console do not include network latency. ### Expected results diff --git a/content/rs/references/rladmin.md b/content/rs/references/rladmin.md index b196289f467..2c81597c5d3 100644 --- a/content/rs/references/rladmin.md +++ b/content/rs/references/rladmin.md 
@@ -132,7 +132,7 @@ rladmin bind | min_data_TLS_version | The minimum version of TLS protocol which is supported at the data path | | min_sentinel_TLS_version | | | s3_url | The URL of S3 export and import | -| saslauthd_ldap_conf | Updates LDAP authentication configuration for the cluster (see [Integrating LDAP Authentication]({{< relref "/rs/administering/designing-production/security/ldap-integration.md" >}}) or [Kubernetes LDAP configuration]({{< relref "/content/platforms/kubernetes/tasks/ldap-on-k8s.md" >}})) | +| saslauthd_ldap_conf | Updates LDAP authentication configuration for the cluster (see [Integrating LDAP Authentication]({{< relref "/rs/security/admin-console-security/ldap.md" >}}) or [Kubernetes LDAP configuration]({{< relref "/content/platforms/kubernetes/tasks/ldap-on-k8s.md" >}})) | | sentinel_cipher_suites | Cipher suites used by the sentinel service | | sentinel_ssl_policy | Define SSL policy for the Discovery Service: required/disabled/allowed | | upgrade_mode | | diff --git a/content/rs/release-notes/legacy-release-notes/redis-enterprise-5.md b/content/rs/release-notes/legacy-release-notes/redis-enterprise-5.md index acd159e7425..382c11e33f7 100644 --- a/content/rs/release-notes/legacy-release-notes/redis-enterprise-5.md +++ b/content/rs/release-notes/legacy-release-notes/redis-enterprise-5.md @@ -95,10 +95,10 @@ As part of our continued emphasis on security, administrative user accounts in Redis Enterprise Pack can now use either built-in authentication or authenticate externally via LDAP with saslauthd. The accounts can be used for administering resources on the cluster via -command line, Rest API, or Web UI. +command line, Rest API, or admin console. For more information see [LDAP -Integration]({{< relref "/rs/administering/designing-production/security/ldap-integration.md" >}}). +Integration]({{< relref "/rs/security/passwords-users-roles.md#setting-up-ldap" >}}). ## Additional capabilities 
diff --git a/content/rs/release-notes/legacy-release-notes/release-notes-redis-enterprise-software-v5-0-2.md b/content/rs/release-notes/legacy-release-notes/release-notes-redis-enterprise-software-v5-0-2.md index 49608035d2a..950a260c42d 100644 --- a/content/rs/release-notes/legacy-release-notes/release-notes-redis-enterprise-software-v5-0-2.md +++ b/content/rs/release-notes/legacy-release-notes/release-notes-redis-enterprise-software-v5-0-2.md @@ -79,13 +79,13 @@ page - Since Redis Enterprise CRDBs have counters, unlike traditional Redis databases, they must be handled differently when importing. There is a special type of import because of importing counter data types. - When performing the import through the web UI, you will be prompted + When performing the import through the admin console, you will be prompted to confirm you want to add the data to the CRDB or stop and go flush the database. - This version of RS comes with a pre-bundled python which might over-ride your default installed python version, this can be solved by changing your PATH environment variable. -- Uploading a Redis Module through the Web UI, can be performed only - when the Web UI is connected to the master node. +- Uploading a Redis Module through the admin console, can be performed only + when the admin console is connected to the master node. - Write operations are not allowed for database which was created with password of exactly 50-characters. diff --git a/content/rs/release-notes/legacy-release-notes/rlec-4-3-aug-2016.md b/content/rs/release-notes/legacy-release-notes/rlec-4-3-aug-2016.md index ab6eb95f230..d9b55a202a4 100644 --- a/content/rs/release-notes/legacy-release-notes/rlec-4-3-aug-2016.md +++ b/content/rs/release-notes/legacy-release-notes/rlec-4-3-aug-2016.md 
@@ -51,7 +51,7 @@ upgrade to this version. cluster.]({{< relref "/rs/administering/new-cluster-setup.md" >}}) - Connection to database endpoint can now be encrypted with SSL. For additional details, refer to [Securing client connection with - SSL]({{< relref "/rs/administering/designing-production/security/client-connections.md" >}}). + SSL]({{< relref "/rs/security/tls-ssl.md" >}}). - Added support for running the cluster on the following operating systems and versions: RHEL/CentOS 6.6, 7.1, 7.2, RHEL 6.7, Oracle Linux 6.5. diff --git a/content/rs/release-notes/legacy-release-notes/rs-5-4-10-december-2019.md b/content/rs/release-notes/legacy-release-notes/rs-5-4-10-december-2019.md index 4974811c114..15802cf3496 100644 --- a/content/rs/release-notes/legacy-release-notes/rs-5-4-10-december-2019.md +++ b/content/rs/release-notes/legacy-release-notes/rs-5-4-10-december-2019.md @@ -52,7 +52,7 @@ If you see this error, upgrade to OpenSSL 1.0.2 or higher before you install RS. ## Information - End of Life (EOL) for Redis Enterprise Software 5.4, as well as for Redis Modules and previous RS versions, can be found [here](https://docs.redislabs.com/latest/rs/administering/product-lifecycle/). -- Google Chrome browser on macOS Catalina requires self-signed certificate generated after June 2019 to include the extendedKeyUsage field in order to connect to the RS web UI. +- Google Chrome browser on macOS Catalina requires self-signed certificate generated after June 2019 to include the extendedKeyUsage field in order to connect to the RS admin console. If you use a self-signed certificate that does not include this field, [update the self-signed certificate]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}). - When you upgrade an Active-Active Redis with active AOF from version RS 5.4.2 or lower to version RS 5.4.4 or higher: - If replication is enabled, you must run the BGREWRITEAOF command on all slave shards after the upgrade. 
diff --git a/content/rs/release-notes/legacy-release-notes/rs-5-4-14-february-2020.md b/content/rs/release-notes/legacy-release-notes/rs-5-4-14-february-2020.md index 7aeb35970c1..87cb09a6e2e 100644 --- a/content/rs/release-notes/legacy-release-notes/rs-5-4-14-february-2020.md +++ b/content/rs/release-notes/legacy-release-notes/rs-5-4-14-february-2020.md @@ -25,7 +25,7 @@ Follow these [instructions]({{< relref "/rs/installing-upgrading/upgrading.md" > ## Additional capabilities - Added the ability to retrieve license details with a REST API command. - Now you can get your license details from the web UI (settings > general) or from the REST API command: + Now you can get your license details from the admin console (settings > general) or from the REST API command: `GET https://localhost:9443/v1/license` @@ -61,7 +61,7 @@ Follow these [instructions]({{< relref "/rs/installing-upgrading/upgrading.md" > ## Information - End of Life (EOL) for Redis Enterprise Software 5.4, as well as for Redis Modules and previous RS versions, can be found [here](https://docs.redislabs.com/latest/rs/administering/product-lifecycle). -- Google Chrome browser on macOS Catalina requires self-signed certificate generated after June 2019 to include the extendedKeyUsage field in order to connect to the RS web UI. +- Google Chrome browser on macOS Catalina requires self-signed certificate generated after June 2019 to include the extendedKeyUsage field in order to connect to the RS admin console. If you use a self-signed certificate that does not include this field, [update the self-signed certificate]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}). - When you upgrade an Active-Active Redis with active AOF from version RS 5.4.2 or lower to version RS 5.4.4 or higher: - If replication is enabled, you must run the BGREWRITEAOF command on all slave shards after the upgrade. 
diff --git a/content/rs/release-notes/legacy-release-notes/rs-5-4-2-april-2019.md b/content/rs/release-notes/legacy-release-notes/rs-5-4-2-april-2019.md index 29e1b26e8f7..f9cd7e87acb 100644 --- a/content/rs/release-notes/legacy-release-notes/rs-5-4-2-april-2019.md +++ b/content/rs/release-notes/legacy-release-notes/rs-5-4-2-april-2019.md @@ -42,7 +42,7 @@ The cluster administrator can define, for each team member, the specific databas ### Optional client authentication (TLS) -You can now fine tune the [TLS configuration]({{< relref "/rs/administering/designing-production/security/tls-configuration.md" >}}), and ease certificates management by excluding client authentication enforcement, +You can now fine tune the [TLS configuration]({{< relref "/rs/security/tls-ssl.md" >}}), and ease certificates management by excluding client authentication enforcement, so that the database clients, such as applications or other clusters, can connect to your database without authentication. ### Node maintenance mode @@ -62,7 +62,7 @@ If you use the relevant API requests with a DB Viewer or Cluster Viewer role, ma {{< /note >}} - External user credentials for periodic backup destinations are now hidden. - In REST API responses the password is hashed and in the web UI the password is displayed as asterisks. + In REST API responses the password is hashed and in the admin console the password is displayed as asterisks. ## Information diff --git a/content/rs/release-notes/legacy-release-notes/rs-5-4-4-june-2019.md b/content/rs/release-notes/legacy-release-notes/rs-5-4-4-june-2019.md index 38bda9cc75a..b4270ba5061 100644 --- a/content/rs/release-notes/legacy-release-notes/rs-5-4-4-june-2019.md +++ b/content/rs/release-notes/legacy-release-notes/rs-5-4-4-june-2019.md 
@@ -83,7 +83,7 @@ You can also upgrade the modules with the REST API. - RS29097 - Fixed a misconfiguration when using SFTP backup and encounter a node failure. - RS28286 - Updated `SETEX` and `PSETEX` commands output of CRDB to match Redis outputs. - RS26984 - Fixed metrics_exporter reports for node and shard level metrics. -- RS19854 - Fixed uploading a Redis Module so you can upload a Redis Module when the Web UI is connected to any node. +- RS19854 - Fixed uploading a Redis Module so you can upload a Redis Module when the admin console is connected to any node. - RS29238 - Improved the compression performance in CRDB. ## Known limitations diff --git a/content/rs/release-notes/legacy-release-notes/rs-5-4-december-2018.md b/content/rs/release-notes/legacy-release-notes/rs-5-4-december-2018.md index 8bbed399a86..f05915cf192 100644 --- a/content/rs/release-notes/legacy-release-notes/rs-5-4-december-2018.md +++ b/content/rs/release-notes/legacy-release-notes/rs-5-4-december-2018.md 
@@ -50,13 +50,13 @@ RS 5.4 expands the high availability capabilities by adding the ability to autom - RS23616 - Fixed a failure when updating the memory limit of RoF database. - RS22871 - Fixed a certificate verify failure after nodes upgrade. -- RS2862 - Improved web UI performance in case multiple browsers or windows are directed to the web UI. +- RS2862 - Improved admin console performance in case multiple browsers or windows are directed to the admin console. - RS22751 - Fixed an issue in the backup process which caused temporary service outage. - RS22636 - Fixed Redis process failure when a ReJSON Module's command is executed. - RS22601 - Fixed a failure during shard migration procedure. - RS22478 - Fixed a failure in replica-of process between two databases with ReBloom Module. - RS21974 - SMTP username and password are not mandatory in the email server settings when there is no need for authentication. -- RS21801 - Fixed web UI issues when cluster is configured with FIPS compliance. +- RS21801 - Fixed admin console issues when cluster is configured with FIPS compliance. - RS21772 - Fixed a failure when trying to update a database's endpoint policy to all-master-shards. - RS19842 - Updated permissions of some internal files. - RS19433 - Improved RAM eviction process for RoF databases. diff --git a/content/rs/release-notes/rs-5-6-0-april-2020.md b/content/rs/release-notes/rs-5-6-0-april-2020.md index 1a349932963..cf4939b122a 100644 --- a/content/rs/release-notes/rs-5-6-0-april-2020.md +++ b/content/rs/release-notes/rs-5-6-0-april-2020.md 
@@ -64,14 +64,14 @@ For more information, check out the [OSS Cluster API documentation]({{< relref " **Support for Active-Active and Replica Of databases** -You can configure [Active-Active]({{< relref "/rs/administering/designing-production/active-active.md" >}}) and [Replica Of]({{< relref "/rs/administering/designing-production/active-passive.md" >}}) databases to use the [OSS Cluster API]({{< relref "/rs/concepts/data-access/oss-cluster-api.md" >}}) using the web UI. +You can configure [Active-Active]({{< relref "/rs/administering/designing-production/active-active.md" >}}) and [Replica Of]({{< relref "/rs/administering/designing-production/active-passive.md" >}}) databases to use the [OSS Cluster API]({{< relref "/rs/concepts/data-access/oss-cluster-api.md" >}}) using the admin console. The OSS Cluster API improves the performance of user operations against your database. You can also create or modify an Active-Active Redis database in OSS Cluster mode using the `crdb-cli` tool with the `--oss-cluster` option to apply the changes to all of the instances. -**Create and edit database using the web UI** +**Create and edit database using the admin console** -You can configure OSS Cluster API for databases using the web UI. +You can configure OSS Cluster API for databases using the admin console. For Active-Active databases, you can create the database with OSS Cluster API enabled for all of its instances. When you enable OSS Cluster after the Active-Active database is created, the change applies only to the local instance. 
@@ -142,9 +142,9 @@ With build 5.6.0-39: - If replication is enabled, you must run the BGREWRITEAOF command on all slave shards after the upgrade. - If replication is not enabled, you must run the BGREWRITEAOF command on all shards after the upgrade. - Node upgrade fails if the SSL certificates were configured in version 5.0.2 or above by manually updating the certificates on the disk instead of [updating them through the API]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}). - For assistance with this issue, [contact Redis Labs support](https://redislabs.com/company/support/). -- Starting from [RS 5.4.2]({{< relref "rs/release-notes/legacy-release-notes/rs-5-4-2-april-2019.md" >}}), to preserve the current Redis major.minor version during database upgrade you must use the keep_redis_version option instead of keep_current_version. -- Google Chrome browser on macOS Catalina requires a self-signed certificate generated after June 2019 to include the extendedKeyUsage field in order to connect to the RS web UI. If you use a self-signed certificate that does not include this field, [update the self-signed certificate]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}). + For assistance with this issue, contact Support. +- Starting from [RS 5.4.2]({{< relref "/rs/release-notes/legacy-release-notes/rs-5-4-2-april-2019.md" >}}), to preserve the current Redis major.minor version during database upgrade you must use the keep_redis_version option instead of keep_current_version. +- Google Chrome browser on macOS Catalina requires a self-signed certificate generated after June 2019 to include the extendedKeyUsage field in order to connect to the RS admin console. If you use a self-signed certificate that does not include this field, [update the self-signed certificate]({{< relref "/rs/administering/cluster-operations/updating-certificates.md" >}}). ### Modules upgrade 
diff --git a/content/rs/release-notes/rs-6-0-may-2020.md b/content/rs/release-notes/rs-6-0-may-2020.md index 32ba6546d2d..45c08f114f4 100644 --- a/content/rs/release-notes/rs-6-0-may-2020.md +++ b/content/rs/release-notes/rs-6-0-may-2020.md @@ -35,12 +35,12 @@ For more information, check out the [Diving into Redis 6](https://redislabs.com/ Based on OSS Redis 6, RS 6.0 offers the ability to manage and control connections to your databases using users and their data access permissions in terms of commands they can execute and keys they can access. In OSS Redis, the ACLs are managed separately per user for each database. In Redis Enterprise Software, Redis ACLs are managed for the databases at the cluster. -For more information, check out the [Redis Enterprise Software user management documentation]({{< relref "/rs/administering/access-control/user-roles.md" >}}). +For more information, check out the [Redis Enterprise Software user management documentation]({{< relref "/rs/security/passwords-users-roles.md" >}}). ### Role-based access control (RBAC) RS 6.0 leverages Redis ACLs to implement role-based access control that easily scale and manage data access permissions. Using roles minimizes the overhead involved in managing a cluster with many databases, multiple users, and various access control lists. -For more information, check out the [Redis Enterprise Software user management documentation]({{< relref "/rs/administering/access-control/user-roles.md" >}}). +For more information, check out the [Redis Enterprise Software user management documentation]({{< relref "/rs/security/passwords-users-roles.md" >}}). ### Active-Active support for Redis Streams 
@@ -72,7 +72,7 @@ To use the updated modules with a database, you must [upgrade the module on the 969122be-... loremipsum1 2 0 0 bdb:1 cluster2.local ``` -- Added REST API and rladmin commands to modify the timeout for [automatically disconnecting an inactive web UI session]({{< relref "/rs/administering/access-control#session-timeout" >}}). +- Added REST API and rladmin commands to modify the timeout for [automatically disconnecting an inactive admin console session]({{< relref "/rs/security/passwords-users-roles.md" >}}). - Using the rladmin run: `rladmin cluster config cm_session_timeout_minutes ` - Using the REST API: @@ -89,7 +89,7 @@ To use the updated modules with a database, you must [upgrade the module on the - `no_of_expires` shows the current number of volatile keys in the database. - `expired_objects` shows the rate of keys expired in DB (expirations/sec). -- Added the ability to customize the welcome message on the login page in the web UI console. +- Added the ability to customize the welcome message on the login page in the admin console console. ## Important fixes diff --git a/content/rs/security/_index.md b/content/rs/security/_index.md new file mode 100644 index 00000000000..28f8bbe357b --- /dev/null +++ b/content/rs/security/_index.md 
@@ -0,0 +1,62 @@ +--- +Title: Security +description: +weight: 60 +alwaysopen: false +categories: ["RS"] +aliases: ["/rs/administering/designing-production/security/"] +--- +Security is an important part of any production system. This section describes the security features and settings available in Redis Enterprise. + +## Architecture security + +When deploying Redis Enterprise Software to production, we recommend the following practices: + +- **Deploy Redis Enterprise inside a trusted network** - Redis Enterprise is database software and should be deployed on a trusted network not accessible to the public internet. Deploying Redis Enterprise in a trusted network reduces the liklihood that someone can obtain unauthroized access to your data or the ability to manage your database configuration. + +- **Implement anti-virus exclusions** - To ensure that anti-virus solutions that scan files or intercept processes to protect memory do not interfere with Redis Enterprise software, customers should ensure that anti-virus exclusions are implemented across all nodes in their Redis Enterprise cluster in a consistent policy. This helps ensure that anti-virus software does not impact the availibility of your Redis Enterprise cluster. + + If you are replacing your existing antivirus solution or installing/supporting Redis Enterprise, make sure that the below paths are excluded: + + {{< note >}} +For antivirus solutions that intercept processes, binary files may have to be excluded directly depending on the requirements of your anti-virus vendor. 
+ {{< /note >}} + + | **Path** | **Description** | + |------------|-----------------| + | /opt/redislabs | Main installation directory for all Redis Enterprise Software binaries | + | /opt/redislabs/bin | Binaries for all the utilities for command line access and managements such as "rladmin" or "redis-cli" | + | /opt/redislabs/config | System configuration files | + | /opt/redislabs/lib | System library files | + | /opt/redislabs/sbin | System binaries for tweaking provisioning | + +- **Send logs to a remote logging server** - Redis Enterprise is configured to send logs by default to syslog. To send these logs to a remote logging server you must [configure syslog]({{< relref "/rs/security/logging.md" >}}) based the requirements of the remote logging server vendor. Remote logging helps ensure that the logs are not deleted so that you can rotate the logs so that your server disk does not fill up. + +- **Deploy clusters with an odd number of 3 or more nodes** - Redis is an available and partition tolerant database. We recommend that Redis Enterprise be deployed in a cluster of an odd number of 3 or more nodes so that you are able to successfully failover in the event of a failure. + +- **Reboot nodes in a sequence rather that all at once** - Customers will frequently maintain reboot schedules. There are cases, however, where our customers have rebooted too many servers at once, causing a quorum failure and resulting in loss of availability of the database. We recommend that rebooting be done in a phased manner so that quorum is not lost. For example, to maintain quorum in a 3 node cluster, at least 2 nodes must be up at all times. Only one server should be rebooted at any given time to maintain quorum. + +- **Implement client-side encryption** - Client-side encryption, or the practice of encrypting data within an application before storing it in a database, such as Redis, is the most widely adopted method to achieve encryption in memory. 
Redis is an in-memory database and stores data in-memory. If you require encryption in memory, better known as encryption in use, then client side encryption may be the right solution for you. Please be aware that when implementing solutions using client-side encryption database functions that need to operate on data — such as simple searching functions, comparisons, and incremental operations — don’t work with client-side encryption. + +## Control Plane Security + + +## Database Security + +Redis Enterprise offers several database security controls to help protect your data against unauthroized access and to improve the operational security of your databse. The following section details configurable security controls availible for implementation. + +- **Implement role-based access for users** - With [role-based access control (RBAC)]({{< relref "/rs/security/passwords-users-roles.md" >}}), you can manage ACLs for the entire cluster. You can reuse ACL templates across users, accounts, and multiple databases to precisely scale complex security configurations with a few simple clicks. RBAC lets you set permissions for your databases and for the Redis Enterprise management console itself, providing a complete security-management solution for your cluster. + +- **Prevent database users from logging into the admin console** - Redis Enterprise allows users to be provisioned with both control plane access and access to the database. In some senarios this may be helpful for administrative users, but for applications we recommend that you [disable their access to the control plane]({{< relref "/rs/security/passwords-users-roles.md#configuring-roles-and-users" >}}). + +- **Use strong Redis passwords** - A frequent recommendation in the security industry is to use strong passwords to authenticate users. This helps to prevent brute force password guessing attacks against your database. Its important to check that your password aligns with your organizations security policy. 
+ +- **Disable the default user** - Redis Enterprise comes with a "default" user for backwards compatibility with applications designed with versions of Redis prior to Redis Enterprise 6. The default user is turned on by default. This allows you to access the database without specifying a username and only using a shared secret. For applications designed to use access control lists, we recommend that you [disable the default user]({{< relref "/rs/security/passwords-users-roles.md#disabling-the-default-user" >}}). + +- **Enable client certificate authentication** - To prevent unauthorized access to your data, Redis Enterprise databases support the [TLS protocol]({{< relref "/rs/security/tls-ssl.md#client-certificate-authentication" >}}), which includes authentication and encryption. Client certificate authentication can be used to ensure only authorized hosts can access the database. + +- **Install trusted certificates** - Redis Implements self-signed certificates for the database proxy and replication service, but many organizations prefer to [use their own certificates]({{< relref "/rs/security/tls-ssl.md#installing-your-own-certificates" >}}). + +- **Configure Transport Layer Security (TLS)** - Similar to the control plane, you can also [configure TLS protocols]({{< relref "/rs/security/tls-ssl.md#configuring-tls-protocols" >}}) to help support your security and compliane needs. + +- **Configure and verify database backups** - Implementing a disaster recovery strategy is an important part of data security. Redis Enterprise supports [database backups to many destinations]({{< relref "/rs/administering/import-export/database-backup.md" >}}). diff --git a/content/rs/security/admin-console-security/_index.md b/content/rs/security/admin-console-security/_index.md new file mode 100644 index 00000000000..0e9c888c13e --- /dev/null +++ b/content/rs/security/admin-console-security/_index.md 
@@ -0,0 +1,27 @@ +--- +Title: Admin console security +description: +weight: 20 +alwaysopen: false +categories: ["RS"] +--- + +Redis Enterprise comes with a web-based user interface known as the **admin console**. The admin console provides the following security features: + +* Encryption-in-transit using TLS/SSL +* User authentication using LDAP +* Role-based access control + +We recommend that you use the features to implement the following best practices: + +- **Integrate with an external identity provider**: Redis Enterprise supports integrations with an external identity provider, such as Active Directory, through an [LDAP integration]({{< relref "/rs/security/admin-console-security/user-security.md#setting-up-ldap" >}}). + +- **Implement standard authenticaion practices**: If your organization does not support LDAP, you can stull use Redis Enterprise's [user account security]({{< relref "/rs/security/admin-console-security/user-security.md#user-account-security" >}}). Features include basic password complexity requirements, password expiration, and user login lockouts. + +- **Limit session timeouts**: Session timeouts, or automatic logout, help to prevent inadvertent unauthorized access. You can configure the [A session will only be available for a set amount of time]({{< relref "/rs/security/passwords-users-roles.md#session-timeout" >}}) before the user is required to re-authenticate. By default, Redis Enterprise logs user out of the admin console after 15 minutes of inactivity. + +- **Require HTTPS for API endpoints** - Redis Enterprise comes with an API that users are able to use to automate frequent manual tasks. This API is availible in both an encrypted and unencrypted endpoint for backwards compatibility. You can [disable the unencrypted endpoint]({{< relref "/rs/security/admin-console-security/encryption.md#requiring-https-for-api-endpoints" >}}) if its not in use without any impact. 
+ +- **Configure Transport Layer Security (TLS)** - A common compliance requirement is to [set a minimum version of TLS]({{< relref "rs/security/admin-console-security/encryption.md#tls-configuration" >}}). This helps to make sure that only secure versions of TLS are allowed when accessing the cluster. + +- **Install your own certificates** - Redis Enterprise comes with self-signed certificates by default, however, many organizations require that you [use specific CA signed certificates]({{< relref "/rs/security/admin-console-security/encryption.md#requiring-https-for-api-endpoints" >}}). diff --git a/content/rs/security/admin-console-security/encryption.md b/content/rs/security/admin-console-security/encryption.md new file mode 100644 index 00000000000..e30328a6c04 --- /dev/null +++ b/content/rs/security/admin-console-security/encryption.md 
@@ -0,0 +1,120 @@ +--- +Title: Manage TLS Certificates +description: +weight: 30 +alwaysopen: false +categories: ["RS"] +--- +Redis Enterprise Software uses self-signed certificates by default ensure that the product is secure. + +The self-signed certificates establish encryption-in-transit for the following cluster components: + +- The admin console +- The REST API +- The Proxy, which manages connections between clients and database endpoints +- The Syncer, which synchronizes data between clusters (using either Active-Active or Active-Passive replication) +- The metrics exporter, which sends metrics to Prometheus + +These self-signed certificates are generated on the first node of each RS installation and are copied to all other nodes added to the cluster. + +When you use the default self-signed certificates and you connect to the admin console over a web browser, you'll seen an untrusted connection notification. + +Depending on your browser, you can allow the connection for each session or add an exception to trust the certificate for all future sessions. + +{{< warning >}} +When you update the certificates, the new certificate replaces the same certificates on all nodes in the cluster. +{{< /warning >}} + + +This section details how you can configure certificates and encryption for Redis Enterprise Software. This includes setting up your own certificate, configuring TLS, and enforcing HTTPS. + +## Installing your own certificates + +Follow these instructions to install your own certificates. Note that you can install a separate certificate per cluster component. + +**Step 1:** Create a private key + +```sh +openssl genrsa -out .pem 2048 +``` + +**Step 2:** Create a certificate signing request +```sh +openssl req -new -key .pem -out .csr +``` + +{{< note >}} +You will be prompted for a Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit and Common Name. 
You will need to check with your security team or certificate authority for the right values for your organization. The database's fully qualified domain name (FQDN) is typically used as the common name for the certificate. +{{< /note >}} + +**Step 3:** Sign the private key using your certificate authority +- How to obtain a CA signed certificate is different for each organization and CA vendor. Consult your security team or certificate authority for the appropriate way to sign a certificate. + +**Step 4:** Upload the certificate to the cluster + +Use the `rladmin` command line utility to replace the current certificate. You'll run the `cluster certificate set` command, followed by the name of the certificate to set, the certificate filename, and the key filename. + +The certificate names are as follows: + - For the admin console: `cm` + - For the REST API: `api` + - For the Proxy: `proxy` + - For the Syncer: `syncer` + - For the metrics exporter: `metrics_exporter` + +For example, to replace the certificate for the admin console, run the following `rladmin` command: + +```sh + rladmin cluster certificate set cm certificate_file .pem key_file .pem +``` +To replace the rest api certificate use the rladmin command line utility: + +```sh + rladmin cluster certificate set api certificate_file .pem key_file .pem +``` +To replace the metrics exporter certificate use the rladmin command line utility: + +```sh + rladmin cluster certificate set metrics_exporter certificate_file .pem key_file .pem +``` + +## TLS Configuration + +To set the minimum TLS protocols for the control plane use the following command: + +- Default TLS Protocols: TLSv1.0 +- Syntax: `rladmin cluster config cluster config min_control_TLS_version ` +- TLS versions available: + - For TLSv1 - 1 + - For TLSv1.1 - 1.1 + - For TLSv1.2 - 1.2 + +For example: + +```sh +rladmin cluster config min_control_TLS_version 1.2 +``` + +To set the TLS ciphers for the control plane use the following command: + +- Default 
TLS Protocols: HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH +- Syntax: `rladmin cluster config cipher_suites ''` + - Redis Enterprise Software uses openssl to implement TLS ([List of available configurations](https://www.openssl.org/docs/man1.0.2/man1/ciphers.html)) + +The below example uses the Mozilla intermediate compatibility cipher list + +```sh +rladmin cluster config cipher_suites 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384' +``` + +{{< note >}} +Its generally reccomended to use TLS 1.2 or higher. Ensure you check with your security team for the TLS protocols and ciphers that meet your organizations policies. +{{< /note >}} + +## Requiring HTTPS for API Endpoints + +By default, the Redis Enterprise Software API supports communication over HTTP and HTTPS. However, you can disable support for HTTP to ensure that API requests are encrypted. +Before you disable HTTP support, be sure to migrate any scripts or proxy configurations that use HTTP to the encrypted API endpoint to prevent broken connections. To disable HTTP support for API endpoints, run: + +```sh +rladmin cluster config http_support disabled +``` diff --git a/content/rs/security/admin-console-security/ldap.md b/content/rs/security/admin-console-security/ldap.md new file mode 100644 index 00000000000..ee642d0bf7a --- /dev/null +++ b/content/rs/security/admin-console-security/ldap.md 
@@ -0,0 +1,72 @@ +--- +Title: LDAP authentication +description: +weight: 20 +alwaysopen: false +categories: ["RS"] +aliases: [/rs/administering/designing-production/security/ldap-integration/] +--- +Redis Enterprise Software supports Lightweight Directory Access Protocol (LDAP) admin console users. + +{{< note >}} +Known Limitations: + +- LDAP access is not yet available for database access, but this is planned for a future release. +- This process does not apply when running Redis Enterprise on Kubernetes. +{{< /note >}} + +## Enabling LDAP + +To enable LDAP: + +1. Import the `saslauthd` configuration. +1. Restart `saslauthd` service. +1. Configure LDAP users. + +## Configuring LDAP + +To provide the LDAP configuration information: + +1. Edit the configuration file located at /etc/opt/redislabs/saslauthd.conf or the installation directory of your choice during initial configuration. +1. Provide the following information associated with each variable: + + - ldap_servers: the ldap servers that you authenticate against and the port to use + - Provide the following information associated with each variable + - **ldap_servers:** the ldap servers that you authenticate against and the port to use + - Port 389 is standardly used for unencrypted LDAP connections + - Port 636 is standardly used for encrypted LDAP connections and is strongly recommended. + - **Ldap_tls_cacert_file (optional):** The path to your CA Certificates. This is required for encrypted LDAP connections only. + - **ldap_filter:** the filter used to search for users. + - **ldap_bind_dn:** The distinguished name for the user that will be used to authenticate to the LDAP server. + - **ldap_password:** The password used for the user specified in ldap_bind_dn +1. Import the saslauthd configuration into Redis Enterprise using the below command. This will distribute the configuration to all nodes in the cluster. 
+ + ```sh + rladmin cluster config saslauthd_ldap_conf + ``` + + {{< note >}} +If this is a new server installation, for this command to work, a cluster must be set up already. + {{< /note >}} + +1. Restart `saslauthd`: + + ```sh + sudo supervisorctl restart saslauthd + ``` + +An example configuration for your reference may be found below: + +```sh +ldap_servers: ldaps://ldap1.mydomain.com:636 ldap://ldap2.mydomain.com:636 +ldap_tls_cacert_file: /path/to/your/CARootCert.crt +ldap_search_base: ou=coolUsers,dc=company,dc=com +ldap_search_base: ou=coolUsers,dc=company,dc=com +ldap_filter: (sAMAccountName=%u) +ldap_bind_dn: cn=admin,dc=company,dc=com +ldap_password: secretSquirrel +``` + +### Setting up LDAP users in Redis Enterprise + +To set up an LDAP user, simply select an external account type when configuring the user following the procedure to configure users. diff --git a/content/rs/security/admin-console-security/user-security.md b/content/rs/security/admin-console-security/user-security.md new file mode 100644 index 00000000000..e564f9eed9b --- /dev/null +++ b/content/rs/security/admin-console-security/user-security.md 
@@ -0,0 +1,243 @@ +--- +Title: Authentication and authorization +description: +weight: 10 +alwaysopen: false +categories: ["RS"] +aliases: ["/rs/administering/designing-production/security/login-lockout"] +--- +You can configure users and roles for the admin console. This section details how you can set users and roles, configure external identity providers for authentication, and set up user account security within Redis Enterprise. + +## Role-Based Access Control + +Redis Enterprise includes five pre-built roles to help users who need limited access to the admin console. + +1. **DB Viewer** - Read any settings for databases +1. **DB Member** - Administer databases +1. **Cluster Viewer** - Read any cluster settings +1. **Cluster Member** - Administrator the cluster +1. **Admin** - Full cluster access + +The following table elaborates on the privileges for each of these roles: + +{{< embed-html "account-role-table.html" >}} + +### Configuring users with roles + +To add a user to the cluster: + +1. Go to the access control tab +1. Click ![Add](/images/rs/icon_add.png#no-click "Add") +1. Enter the name, email and password of the new user and select the role to assign to the user. +1. Select the internal user type +1. For email alerts, click "Edit" and select the alerts that the user should receive. You can select: + + - Receive alerts for databases - The alerts that are enabled for the selected databases will be sent to the user. You can either select "All databases", or you can select "Customize" and select the individual databases to send alerts for. + - Receive cluster alerts - The alerts that are enabled for the cluster in **settings** > **alerts** are sent to the user. + +1. Select the save icon. +{{< video "/images/rs/new-user-add.mp4" "Create a new user" >}} + +## User Account Security + +Redis Enterprise supports the following user account security settings: + +1. Password complexity +1. Password expiration +1. User Lockouts +1. 
Account inactivity timeout + +To enforce a more advanced password policy, we recommend that you use LDAP integration with an external identity provider, such as Active Directory. + +### Enabling the password complexity profile + +Redis Enterprise Software provides an optional password complexity profile +that meets most organizational needs. When enabled, this password profile requires the following: + +- At least 8 characters +- At least one uppercase character +- At least one lowercase character +- At least one number (not first or last character) +- At least one special character (not first or last character) + +In addition, the password: + +- Cannot contain the user ID or reverse of the user ID +- Cannot have more than three repeating characters + +{{< note >}} +The password complexity profile applies when a new user is added or an existing user changes their password. This profile does not apply to users authenticated through an external identity provider. +{{< /note >}} + +To enable the password complexity profile, run the following `curl` command against the REST API: + +```sh +curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u ":" -d '{"password_complexity":true}' https://:9443/v1/cluster +``` + +To disable the password complexity requirement, run the same command, but set "password_complexity" to "false". + +### Enabling password expiration + +To enforce an expiration of a user's password after a specified number of days, run the following command: + +```sh +curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u ":" -d '{"password_expiration_duration":}' https://:9443/v1/cluster +``` + +To disable password expiration, set the number of days to `0`. + +## User Login Lockout + +The parameters for the user login lockout are: + +- **Login Lockout Threshold** - The number of failed login attempts allowed before the user account is locked. 
(Default: 5) +- **Login Lockout Counter Reset** - The amount of time during which failed login attempts are counted. (Default: 15 minutes) +- **Login Lockout Duration** - The amount of time that the user account is locked after excessive failed login attempts. (Default: 30 minutes) + +By default, after 5 failed login attempts within 15 minutes, the user account is locked for 30 minutes. + +You can view the user login restrictions for your cluster with: + +```sh +rladmin info cluster | grep login_lockout +``` + +### Changing the login lockout threshold + +You can set the login lockout threshold with the command: + +```sh +rladmin tune cluster login_lockout_threshold +``` + +For example, to set the lockout threshold to 10 failed login attempts. + +```sh +rladmin tune cluster login_lockout_threshold 10 +``` + +Setting the lockout threshold to 0 disables account lockout. In this case, the cluster settings show: login_lockout_threshold: disabled + +### Changing the login lockout counter + +You can set the login lockout reset counter in seconds with the command: + +```sh +rladmin tune cluster login_lockout_counter_reset_after +``` + +To set the lockout reset to 1 hour, run: + +```sh +rladmin tune cluster login_lockout_counter_reset_after 3600 +``` + +### Changing the Login Lockout Duration + +You can set the login lockout duration in seconds with the command: + +```sh +rladmin tune cluster login_lockout_duration +``` + +For example, to set the lockout duration to 1 hour use the command: + +```sh +rladmin tune cluster login_lockout_duration 3600 +``` + +If you set the lockout duration to 0, then the account can be unlocked only when an administrator changes the account's password. 
In this case, the cluster settings show: login_lockout_duration: admin-release + +#### Unlocking Locked User Accounts + +To unlock a user account or reset a user password from the CLI, run: + +```sh +rladmin cluster reset_password +``` + +### Session timeout + +The Redis Enterprise admin console supports session timeouts. By default, users are automatically logged out after 15 minutes of inactivity. + +To customize the session timeout you can run the following command: + +```sh +rladmin cluster config cm_session_timeout_minutes +``` + +Here, number_of_min is the number of minutes after which sessions will time out. + +## Setting up LDAP + +Redis Enterprise supports LDAP Authentication for the admin console. + +{{< note >}} +LDAP access is not yet available for database access, but this is planned for a future release. +{{< /note >}} + +There following steps should be used when configuring LDAP: + +1. Configure the saslauthd service +1. Import the saslauthd configuration +1. Restart saslauthd service +1. Configure LDAP users + +### Configuring the saslauthd Service + +Saslauthd is a process that handles authentication requests on behalf of Redis Enterprise to LDAP. There are two steps to configuring this process: + +1. Modify the mechanisms configuration to LDAP +1. Provide the LDAP configuration information + +**To modify the mechanisms configuration:** + +1. Edit the saslauthd file located in /etc/default + - In this file change the MECHANISMS variable to MECHANISMS=”ldap” + +**To provide the LDAP configuration information:** + +1. Edit the configuration file located at /etc/opt/redislabs/saslauthd.conf or the installation directory of your choice during initial configuration. +1. 
Provide the following information associated with each variable + - ldap_servers: the ldap servers that you authenticate against and the port to use + - Provide the following information associated with each variable + - **ldap_servers:** the ldap servers that you authenticate against and the port to use + - Port 389 is standardly used for unencrypted LDAP connections + - Port 636 is standardly used for encrypted LDAP connections and is strongly recommended. + - **Ldap_tls_cacert_file (optional):** The path to your CA Certificates. This is required for encrypted LDAP connections only. + - **ldap_filter:** the filter used to search for users + - **ldap_bind_dn:** The distinguished name for the user that will be used to authenticate to the LDAP server. + - **ldap_password:** The password used for the user specified in ldap_bind_dn +1. Import the saslauthd configuration into Redis Enterprise using the below command + +```sh +rladmin cluster config saslauthd_ldap_conf +``` + +{{< note >}} +If this is a new server installation, for this command to work, a cluster must be set up already. +{{< /note >}} + +1. If this is a new server installation, for this command to work, a cluster must be set up already. + + ```sh + sudo supervisorctl restart saslauthd + ``` + +An example configuration for your reference may be found below: + +```sh +ldap_servers: ldaps://ldap1.mydomain.com:636 ldap://ldap2.mydomain.com:636 +ldap_tls_cacert_file: /path/to/your/CARootCert.crt +ldap_search_base: ou=coolUsers,dc=company,dc=com +ldap_search_base: ou=coolUsers,dc=company,dc=com +ldap_filter: (sAMAccountName=%u) +ldap_bind_dn: cn=admin,dc=company,dc=com +ldap_password: secretSquirrel + +``` + +### Setting up LDAP users in Redis Enterprise + +To set up an LDAP user, simply select an external account type when configuring the user following the procedure to configure users. 
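Review bot: in the user-security.md hunk the step that wraps `sudo supervisorctl restart saslauthd` is labelled "If this is a new server installation, for this command to work, a cluster must be set up already", which is the note sentence pasted in place of the step text; it should read "Restart `saslauthd`:" as the ldap.md version does. The instruction `MECHANISMS=”ldap”` uses curly quotes; /etc/default/saslauthd is sourced as shell, so the line must use straight quotes (`MECHANISMS="ldap"`) or the setting will not be parsed as intended. The variable list repeats itself ("Provide the following information associated with each variable" and `ldap_servers` each appear twice) and the example config lists `ldap_search_base` twice while never describing it in the variable list; also `Ldap_tls_cacert_file` should be lowercase like the other saslauthd keys, and `ldap://ldap2.mydomain.com:636` pairs the plain-LDAP scheme with the LDAPS port, contradicting the recommendation just above (use `ldaps://`). The whole "Setting up LDAP" section duplicates ldap.md in the same directory; keep one copy and link to it from the other so the two cannot drift. Wording: "Cluster Member - Administrator the cluster" should be "Administer the cluster", and "There following steps should be used" should be "The following steps". Finally, the curl examples show `-u ":"` and `https://:9443/v1/cluster` with no username, password or host placeholders, and `"password_expiration_duration":` has no value; if the angle-bracketed placeholders are being eaten by the site templating, escape them so they render.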
diff --git a/content/rs/security/logging.md b/content/rs/security/logging.md new file mode 100644 index 00000000000..c3981b3fadc --- /dev/null +++ b/content/rs/security/logging.md 
@@ -0,0 +1,54 @@ +--- +Title: Log security +description: +weight: 50 +alwaysopen: false +categories: ["RS"] +--- +Redis Enterprise comes with [a set of logs]({{< relref "/rs/administering/logging/_index.md" >}}) on the server and available through the user interface to assist users in investigating actions taken on the server and to troubleshoot issues. + +## Sending logs to a remote logging server + +Redis Enterprise sends logs to syslog by default. You can send these logs to a remote logging server by configuring syslog. + +To do this, modify the syslog or rsyslog configuration on your operating system to send logs in `/var/opt/redislabs/log` to a remote monitoring server of your choice. + +## Log rotation + +Redis Enterprise uses the default logrotate daemon to schedule rotation of logs stored on the operating system. The configuration of log rotation may be found at /etc/logrotate.d. + +By default the log rotation should occur on a daily basis. We recommend that you send log files to a remote logging server so that they can be more effectively maintained. + +The below log rotation policy is enabled by default with Redis Enterprise but can be modified to meet your needs. + +```sh +/var/opt/redislabs/log/*.log +{ + daily + missingok + copytruncate + rotate 7 + compress + notifempty +} +``` + +Below describes what the log rotation this configuration policy puts into effect. + +- `/var/opt/redislabs/log/*.log` - When logrotate runs it checks the files under directory `/var/opt/redislabs/log/` and rotates any files that end with the extension .log. + +- Daily - The interval is set to daily. + +- Missingok - If there are missing logfiles don't do anything. + +- Copytruncate - Truncate the original log file to zero sizes after creating a copy. + +- rotate 7 - Keep 7 log files and delete the rest. + +- compress - gzip log files. 
+ +- notifempty - Don't rotate the log file if it is empty + +{{< note >}} +For large scale deployments, it may be nessesary to rotate logs at quicker intervals, such as hourly. This can be done through a cronjob or external vendor solutions. +{{< /note >}} diff --git a/content/rs/security/passwords-users-roles.md b/content/rs/security/passwords-users-roles.md new file mode 100644 index 00000000000..03d201f7de4 --- /dev/null +++ b/content/rs/security/passwords-users-roles.md 
@@ -0,0 +1,127 @@ +--- +Title: Database access control +description: +weight: 10 +alwaysopen: false +categories: ["RS"] +aliases: ["/rs/administering/access-control/user-roles"] +--- +Role-based access control allows you to scale your Redis deployments while minimizing the overhead involved in managing a cluster with many databases, multiple users, and various access control lists. With RBAC, you can create a role once and then deploy it across multiple databases in the cluster with ease. + +Roles may be configured using standard or custom templates for database permissions that are based on the Redis ACL syntax. Redis Enterprise allows you to restrict database operations by command, command category, and key pattern. +Keys are typically restricted based on a namespace using a glob style wildcard. + +The role CacheReader demonstrated below has been given the acl rule "+get ~cache:*". Users in this role can access a key prefixed with “cached:” and the get command only. This would allow them to access the key cached:foo with the command get but not give them access to the set command. This role would not be able to access the key ‘foo’ because it is not prefixed with ‘cached:’ as you can see below. + +![role](/images/rs/Redis-Role.png#no-click "role") + +To learn more on Redis command and key restrictions visit the [Redis documentation](https://redis.io/topics/acl#acl-rules) + +## Redis ACL command syntax +Redis ACLs are defined by a [Redis syntax](https://redis.io/topics/acl#acl-rules) where you specify the commands or command categories that are allowed for specific keys. + +{{< note >}} +Redis Enterprise Modules are not currently assigned a command category. +{{< /note >}} + +Redis Enterprise allows you to: + +1. Include commands and categories with the "+" prefix for commands or "+@" prefix for command categories +1. Exclude commands and categories with the "-" prefix for commands or "-@" prefix for command categories +1. 
Include keys or key patterns with the "~" prefix + +To define database access control, you can: + +1. Use the predefined user roles and add Redis ACLs for specific databases. +1. Create new user roles and select the management roles and Redis ACLs that apply to the user roles for specific databases. +1. Assign roles and Redis ACLs to a database in the access control list section of the database configuration. + +The predefined Redis ACLs are: + +- **Full Access** - All commands are allowed on all keys. +- **Not Dangerous** - All commands are allowed except those that are administrative, could affect availability, or could affect performance. +- **Read Only** - Only read-only commands are allowed on keys. + +## Configuring Redis ACLs + +To configure a Redis ACL rule that you can assign to a user role: + +1. In **access control** > **redis acls**: + + - Edit an existing Redis ACL - Hover over a Redis ACL and click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). + - Create a new Redis ACL - Click ![Add](/images/rs/icon_add.png#no-click "Add"). + +1. Enter a descriptive name for the Redis ACL. This will be used to reference the ACL rule to the role. +1. Define the ACL rule. +1. Click Save. + +{{< video "/images/rs/new-redis-acl-rule.mp4" "Create a new Redis ACL Rule" >}} + +{{< note >}} + In Redis Enterprise: + - The following ACL commands are blocked: LOAD, SAVE, SETUSER, DELUSER, GENPASS, LOG + - The following ACL subcommands are allowed: LIST, USER, GETUSER, CAT, WHOAMI, HELP + - The MULTI, EXEC, DISCARD commands are always allowed, but ACLs are enforced on MULTI subcommands. + - External users are not currently supported for database authentication. + - Multi-key commands on multi-slot keys, the return value is `failure` but the command runs on the keys that are allowed. 
+{{< /note >}} + +## Configuring roles and users + +In **access control** > **roles**, you can configure user roles with: + +- **Management roles** - Management roles define user access to the UI and API of the cluster +- **Data access controls** - Data access controls define the permissions each role has to each database in the cluster. + +### Defining roles for database access + +To create a user role for users that cannot connect to the Redis Enterprise control plane, assign the "**None**" management role to the user role. +{{< note >}} +We recommend that you set the management role to None for any role used for database access. +{{< /note >}} + +To define a role for database access: + +1. In **access control** > **roles**: + + - Edit an existing Redis ACL - Hover over a Redis ACL and click ![Edit](/images/rc/icon_edit.png#no-click "Edit"). + - Create a new Redis ACL - Click ![Add](/images/rs/icon_add.png#no-click "Add"). + +1. Enter a descriptive name for the role. This will be used to reference the role when configuring users. +1. Select a Cluster management role by default this is set to "**None**" +1. Select Add under Redis ACLs ![Add](/images/rs/icon_add.png#no-click "Add") +1. Select the databases the role applies to +1. Select the Redis ACL to apply to the role +1. Select the save icon +1. Select save +{{< video "/images/rs/new-redis-role.mp4" "Create a new Redis Role" >}} + +### Adding Users + +To add a user to the cluster: + +1. Go to the access control tab +1. Click ![Add](/images/rs/icon_add.png#no-click "Add") +1. Enter the name, email and password of the new user and select the role to assign to the user. +1. Select the internal user type +1. For email alerts, click "Edit" and select the alerts that the user should receive. You can select: + - Receive alerts for databases - The alerts that are enabled for the selected databases will be sent to the user. 
You can either select "All databases", or you can select "Customize" and select the individual databases to send alerts for. + - Receive cluster alerts - The alerts that are enabled for the cluster in **settings** > **alerts** are sent to the user. +1. Select the save icon. +{{< video "/images/rs/new-user-add.mp4" "Create a new user" >}} + +### Disabling the default user + +When you provision a database, default user will be enabled. This allows for backwards compatibility with versions of Redis before Redis 6. + +To disable the default user: + +1. Select the configuration tab. +1. Find the Default database access setting. +1. Deselect the checkbox. + +{{< note >}} +We recommend that you disable the default user when using ACLs with your database and backwards compatibility is not required. +{{< /note >}} + +![default](/images/rs/default-user.png#no-click "default") diff --git a/content/rs/security/tls-ssl.md b/content/rs/security/tls-ssl.md new file mode 100644 index 00000000000..ab36a55d087 --- /dev/null +++ b/content/rs/security/tls-ssl.md 
@@ -0,0 +1,153 @@ +--- +Title: Transport Layer Security (TLS) +description: +weight: 10 +alwaysopen: false +categories: ["RS"] +aliases: ["/rs/administering/designing-production/security/tls-configuration", "/rs/administering/designing-production/security/client-connections"] +--- +Transport Layer Security (TLS), commonly called “SSL”, ensures the privacy of data sent between applications and their Redis databases. TLS also secures connections between Redis Enterprise Software nodes. + +## TLS authentication + +You can enable TLS for the following two scenarios: + +1. Client-server traffic between your Redis clients and your Redis databases +1. Replication and synchronization traffic between the nodes of a Redis Enterprise Software cluster + +When you configure `Replica Of` for a database, synchronization traffic flows between the primary instance of the database and the replica instance of the database. You can configure authentication for Replica Of synchronization traffic only, or for all communications, including Replica Of synchronization traffic and data traffic between the database and the clients. + +To enable and configure TLS authentication: + +1. In **databases**, either: + - Click **Add** (+) to create a new database. + - Click on the database that you want to configure and at the bottom of the page click edit. +1. Enable the TLS option on the configuration page. When creating a database, you can find this under "Show advanced options". + ![database-tls-config](/images/rs/database-tls-config.png "Database TLS Configuration") +1. Select the TLS scope: + - Require TLS for Replica Of communications only - This option will only encrypt synchronization traffic. + - Require TLS for all communications - This option will encrypt synchronization traffic and traffic between a client and a server. + ![database-tls-all](/images/rs/database-tls-all.png "database-tls-all") + +1. Select if you would like authentication enforced. 
By deselecting this option you enforce encryption without authentication. +1. Enter the certificates authorized to authenticate. +1. Copy the syncer certificate from the cluster settings tab. The syncer certificate is used to facilitate encrypted replication and synchronization traffic. +1. Click Add ![Add](/images/rs/icon_add.png#no-click "Add") to configure certificates. +1. Paste the syncer certificate into the certificate box. + ![database-tls-replica-certs](/images/rs/database-tls-replica-certs.png "Database TLS Configuration") +1. Save the certificates. ![icon_save](/images/rs/icon_save.png#no-click "Save") +1. Repeat for any client certificates you would like to be able to authenticate to your database. + +{{< note >}} +There are two considerations for replication authentication you should be aware of: + +1. The syncer certificates of the clusters that host the replica instances of the database must always be set when enabling a database for encryption. +2. When using CRDB, the syncer certificate for each cluster must be configured on the database. +{{< /note >}} + +## Certificate Authentication for Active-Active Databases + +When you create a new CRDB, you can configure authentication for traffic between active-active databases using the same process for as replication traffic. + +{{< note >}} +You cannot enable or disable TLS after the CRDB is created, but you can change +the TLS configuration. +{{< /note >}} + +### Configuring TLS for CRDB communication + +To enable TLS for CRDB communication for a CRDB: + +1. In **databases**, click ![icon_add](/images/rs/icon_add.png#no-click "Add") + to create a new CRDB. +1. In **configuration**, at the bottom of the page click **edit**. +1. Enable **TLS**. +![crdb-tls-config-enable](/images/rs/crdb-tls-config-enable.png "crdb-tls-config-enable") +1. 
After you create the CRDB on all participating clusters, on the participating clusters for which you want to require TLS, edit the CRDB instance and select your TLS scope. + - Require TLS for CRDB communication only - This option will require TLS for CRDB synchronization only +data traffic between the database and the clients. + - Require TLS for all communications - This option will encrypt synchronization traffic and traffic between a client and a server. + ![crdb-tls-all](/images/rs/crdb-tls-all.png "crdb-tls-all") +1. Ensure you copy the syncer certificate from the settings tab of all participating clusters. This will ensure that you can authenticate to each CRDB in the cluster. + +## Installing your own certificates + +Redis Enterprise Software uses self-signed certificates out-of-the-box to make sure that the product is secure by default. + +If using a self-signed certificate is not the right solution for you, you can import a certificate signed by a certificate authority of your choice. + +The certificates that help facilitate encrypted traffic to the database and within the cluster are the syncer certificate and the proxy certificate. + +- Proxy - The certificate for connections between clients and database endpoints +- Syncer - The certificate for synchronization between databases for ReplicaOf and CRDB + +{{< warning >}} +When you update the certificates, the new certificate replaces the same certificates on all nodes in the cluster. +{{< /warning >}} + +1. Create a private key: + + ```sh + openssl genrsa -out .pem 2048 + ``` + +1. Create a certificate signing request: + + ```sh + openssl req -new -key .pem -out .csr + ``` + + {{< note >}} +You will be prompted for a Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit and Common Name. You will need to check with your security team or certificate authority on the right values for your organization. 
The database fqdn is typically used as the common name for the certificate. + {{< /note >}} + +1. Sign the private using your certificate authority: + + - The process to obtain a CA signed certificate is different for each organization and CA vendor. Please consult your security team or certificate authority for the appropriate instructions to sign certificates. + +1. Upload the certificate to the cluster. + +To replace the proxy certificate use the rladmin command line utility: + +```sh + rladmin cluster certificate set proxy certificate_file .pem key_file .pem +``` + +To replace the syncer certificate use the rladmin command line utility: + +```sh + rladmin cluster certificate set syncer certificate_file .pem key_file .pem +``` + +## Configuring TLS Protocols + +TLS protocols that impact the data path impact client to server communications and the discovery service. + +Syntax: rladmin cluster config cluster config min_data_TLS_version +TLS versions available: + +- For TLSv1 - 1 +- For TLSv1.1 - 1.1 +- For TLSv1.2 - 1.2 + +{{< note >}} +TLSv1.2 is generally recommended as the minimum TLS version for encrypted communications. +{{< /note >}} + +For example: + +```sh +rladmin cluster config min_data_TLS_version 1.2 +``` + +For your changes to take effect on the discovery service, restart the service with the command: + +```sh +supervisorctl restart sentinel_service +``` + +## Client Side Encryption + +Client side encryption may be used to help encrypt data through its lifecycle. This comes with some limitations. Operations that must operate on the data, such as increments, comparisons, and searches will not function properly. Client side encryption is used to help protect data in use. + +You can write client side encryption logic directly in your own application or use functions built into clients such as the Java Lettuce cipher codec. 
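Review bot: in the tls-ssl.md hunk the bullet "Require TLS for CRDB communication only" is followed by a stray `+data traffic between the database and the clients.` line that contradicts "only"; delete that fragment. The step "Sign the private using your certificate authority" is missing its noun and, more importantly, it is the certificate signing request from the previous step that is submitted to the CA, not the private key, so phrase it as "Have your certificate authority sign the CSR". The line "Syntax: rladmin cluster config cluster config min_data_TLS_version" repeats `cluster config`, while the example below it correctly runs `rladmin cluster config min_data_TLS_version 1.2`; fix the duplication and put the syntax line in a code fence like the example. The "Client Side Encryption" paragraph first states that operations on the data (increments, comparisons, searches) will not work and then says client side encryption "is used to help protect data in use"; data in use is precisely what it cannot cover, so say it protects the data held on the server and in transit. Minor: "using the same process for as replication traffic" should read "the same process as for replication traffic", and "TLS protocols that impact the data path impact client to server communications and the discovery service" would be clearer as "The data-path TLS setting applies to client-to-server communications and the discovery service".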
diff --git a/static/images/rs/Redis-Role.png b/static/images/rs/Redis-Role.png new file mode 100644 index 00000000000..f2eb15d94a4 Binary files /dev/null and b/static/images/rs/Redis-Role.png differ diff --git a/static/images/rs/default-user.png b/static/images/rs/default-user.png new file mode 100644 index 00000000000..c947c1ee8c7 Binary files /dev/null and b/static/images/rs/default-user.png differ diff --git a/static/images/rs/new-redis-acl-rule.mp4 b/static/images/rs/new-redis-acl-rule.mp4 new file mode 100644 index 00000000000..feeec530093 Binary files /dev/null and b/static/images/rs/new-redis-acl-rule.mp4 differ diff --git a/static/images/rs/new-redis-role.mp4 b/static/images/rs/new-redis-role.mp4 new file mode 100644 index 00000000000..d42d8e321ae Binary files /dev/null and b/static/images/rs/new-redis-role.mp4 differ diff --git a/static/images/rs/new-user-add.mp4 b/static/images/rs/new-user-add.mp4 new file mode 100644 index 00000000000..2d118ac187b Binary files /dev/null and b/static/images/rs/new-user-add.mp4 differ diff --git a/static/images/rs/persistence.mp4 b/static/images/rs/persistence.mp4 new file mode 100644 index 00000000000..dd62a703945 Binary files /dev/null and b/static/images/rs/persistence.mp4 differ
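Review bot: in the admin-console certificate and TLS hunk (the one immediately before the ldap.md header) the line "Syntax: `rladmin cluster config cluster config min_control_TLS_version`" repeats `cluster config`, while the example below it correctly uses `rladmin cluster config min_control_TLS_version 1.2`; remove the duplicate. The bullet "Default TLS Protocols: HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH" describes the default cipher list, not protocols, so label it "Default cipher suites" to avoid confusion with "Default TLS Protocols: TLSv1.0" in the section above. Step 3, "Sign the private key using your certificate authority", should say that the CSR produced in Step 2 is submitted to the CA for signing; the private key stays on the cluster and is never sent anywhere. The note at the end has two typos, "Its generally reccomended" (It's generally recommended) and "organizations policies" (organization's policies).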
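Review bot: in the ldap.md hunk the "Enabling LDAP" steps omit changing `MECHANISMS` to `ldap` in /etc/default/saslauthd, a step the user-security.md hunk in this same patch lists as step 1 of "Configuring the saslauthd Service"; without it saslauthd will not consult the LDAP settings, so add it here. The variable list under "Configuring LDAP" is duplicated ("Provide the following information associated with each variable" and `ldap_servers` each appear twice), `Ldap_tls_cacert_file` should be lowercase to match the actual key, and the example config lists `ldap_search_base` twice while the variable list never explains it. In the example, `ldap://ldap2.mydomain.com:636` uses the plain-LDAP scheme on the LDAPS port, which contradicts the recommendation to use encrypted connections on 636; make it `ldaps://`. Since the file holds `ldap_password` in cleartext, the page should also say to restrict read permissions on /etc/opt/redislabs/saslauthd.conf to the service user.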
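Review bot: in the logging.md hunk the sentence "Below describes what the log rotation this configuration policy puts into effect" does not parse; "The following describes what each directive in this policy does" is what is meant. The bullet names "Daily", "Missingok" and "Copytruncate" should be lowercase to match the directives in the fenced config, "zero sizes" should be "zero size", and "nessesary" should be "necessary". Worth adding to the copytruncate bullet: logrotate documents a small window between copying the file and truncating it during which log lines can be lost, which is another reason for the remote syslog forwarding this page already recommends.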
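Review bot: in the passwords-users-roles.md hunk the CacheReader example is internally inconsistent: the rule given is `+get ~cache:*`, but the prose says users "can access a key prefixed with 'cached:'", can reach `cached:foo`, and cannot reach `foo` "because it is not prefixed with 'cached:'"; with the rule as written, `cached:foo` would be denied too, so make the rule and the prose agree on one prefix. In "Defining roles for database access" the two sub-bullets of step 1 say "Edit an existing Redis ACL" and "Create a new Redis ACL" although the procedure is for roles (the same text appears, correctly, in "Configuring Redis ACLs"). In the note, "The following ACL commands are blocked: LOAD, SAVE, SETUSER, ..." and "The following ACL subcommands are allowed: LIST, USER, ..." refer to the same kind of thing; use "subcommands" in both bullets. The last bullet, "Multi-key commands on multi-slot keys, the return value is `failure` but the command runs on the keys that are allowed", is not a sentence; "For multi-key commands that touch keys the ACL denies, the return value is `failure` but the command still runs on the permitted keys" is what the bullet appears to mean. Minor: "default user will be enabled" should be "the default user is enabled".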