Redis 6 lets you create users and assign permissions with the acl command, and can also restrict the range of keys a user may operate on.

Create a user test2 and set its password to 123456

acl setuser test2 >123456

List the permission groups (command categories) that can be assigned

acl cat

The returned list looks like this

 1) "keyspace"
 2) "read"
 3) "write"
 4) "set"
 5) "sortedset"
 6) "list"
 7) "hash"
 8) "string"
 9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"

See which commands a given permission group contains

acl cat keyspace

It returns the following

 1) "expireat"
 2) "randomkey"
 3) "restore-asking"
 4) "pexpire"
 5) "flushall"
 6) "dump"
 7) "persist"
 8) "keys"
 9) "exists"
10) "expiretime"
11) "migrate"
12) "pexpiretime"
13) "move"
14) "ttl"
15) "pexpireat"
16) "dbsize"
17) "object|freq"
18) "object|encoding"
19) "object|idletime"
20) "object|help"
21) "object|refcount"
22) "swapdb"
23) "pttl"
24) "expire"
25) "unlink"
26) "type"
27) "scan"
28) "renamenx"
29) "touch"
30) "restore"
31) "del"
32) "flushdb"
33) "copy"
34) "rename"

We want to grant user test2 the string permission group, plus the commands expireat, pexpireat, pexpire, exists, keys, ttl, expire and unlink, and to limit the keys it may operate on to names starting with test2:

acl setuser test2 +@string +expireat +pexpireat +pexpire +exists +keys +ttl +expire +unlink ~test2:*

Take a look at the state of user test2

acl getuser test2

It returns the following

 1) "flags"
 2) 1) "off"
 3) "passwords"
 4) 1) "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92"
 5) "commands"
 6) "-@all +@string +pexpire +keys +exists +ttl +pexpireat +expire +unlink +expireat"
 7) "keys"
 8) "~test2:*"
 9) "channels"
10) ""
11) "selectors"
12) (empty array)

Turn user test2 on so that it is allowed to log in (the flags above show it is still off)

acl setuser test2 on

Now log in as test2 and verify the permissions

➜  ~ redis-cli
127.0.0.1:6379> auth test2 123456
OK
127.0.0.1:6379> keys *
1) "age"
127.0.0.1:6379> keys test2*
(empty array)
127.0.0.1:6379> del age
(error) NOPERM this user has no permissions to run the 'del' command
127.0.0.1:6379> unlink age
(error) NOPERM this user has no permissions to access one of the keys used as arguments
127.0.0.1:6379> set test2:age 12
OK
127.0.0.1:6379> unlink test2:age
(integer) 1
127.0.0.1:6379> unlink age
(error) NOPERM this user has no permissions to access one of the keys used as arguments
127.0.0.1:6379>
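
An added example (not part of the original post): a small Python check that reads an acl getuser reply like the one above and flags two things visible in this walkthrough, the guessable password and the +keys grant that let `keys *` return age despite the ~test2:* key pattern. The dict layout, the name audit_user and the password shortlist are assumptions made for the illustration.

```python
import hashlib

# Constructed shortlist; a real audit would load a larger wordlist.
COMMON_PASSWORDS = ["123456", "password", "redis", "admin"]
# Rules that grant far more than a single application usually needs.
BROAD_RULES = {"+@all", "+@admin", "+@dangerous"}

# The acl getuser test2 reply shown above, re-typed as a dict.
PAGE_REPLY = {
    "flags": ["off"],
    "passwords": ["8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92"],
    "commands": "-@all +@string +pexpire +keys +exists +ttl +pexpireat +expire +unlink +expireat",
    "keys": "~test2:*",
}


def audit_user(name, reply):
    """Return human-readable findings for one user's acl getuser reply."""
    findings = []
    rules = reply.get("commands", "").split()
    patterns = reply.get("keys", "").split()

    if "nopass" in reply.get("flags", []):
        findings.append(f"{name}: nopass flag, any password is accepted")

    # ACL passwords are stored as plain SHA-256 digests, so a common
    # password can be recognised by hashing candidates and comparing.
    digests = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}
    for stored in reply.get("passwords", []):
        if stored in digests:
            findings.append(f"{name}: password is the common value {digests[stored]!r}")

    for rule in rules:
        if rule in BROAD_RULES:
            findings.append(f"{name}: broad grant {rule}")
    # KEYS takes a glob, not a key name, so key patterns do not filter its
    # output: in the session above `keys *` returned "age".
    if "+keys" in rules and "~*" not in patterns:
        findings.append(f"{name}: +keys lists key names outside {' '.join(patterns)}")
    if "~*" in patterns:
        findings.append(f"{name}: key pattern ~* matches every key")
    return findings


if __name__ == "__main__":
    for line in audit_user("test2", PAGE_REPLY):
        print(line)
```

Dropping +keys from the grant and choosing a long random password would clear both findings for test2.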

=====================================================================

Addendum, 2022-12-07

The settings above are not persisted and are lost when Redis restarts; redis.conf needs to be configured with the location of the ACL file

aclfile conf/users.acl

Use acl save to write the current list of ACL users to the users.acl file
