IBM/operator-for-redis-cluster

[Question] Authenticating users with the Redis AUTH command

5st7 opened this issue · 8 comments

5st7 commented

Hello, thanks for this useful software!
Can I use this operator to authenticate users with the Redis AUTH command?
Thanks

cin commented

We currently do not support this feature of redis. This is mostly because we don't expose redis outside of our kubernetes clusters. What is your use case for this feature? It may be something we should consider supporting.

5st7 commented

Thanks for the reply!

I use Redis Cluster inside a Kubernetes cluster without exposing it to the outside.
However, if an external attacker can break into Kubernetes Cluster, they can easily gain access to the Redis Cluster.
I would like to authenticate clients with the AUTH command to have redundancy in the security layer.

cin commented

@antonioua can you take a look at this issue and see what kind of effort it'd take to add support for this feature? will help us prioritize this issue with the others that we have on our backlog. @5st7 we accept PRs too of course. ;)

we can add support for an auth Secret:

apiVersion: v1
data:
  admin-password: <base64_users_password>
kind: Secret
metadata:
  name: redis-password
type: Opaque

On a Secret change, the operator will update /redis-extra-conf/redis.conf and restart the cluster.

cin commented

What about using the new ACLs? It looks like we may be able to update credentials w/out restarting (just took a quick look could be wrong).

cin commented

@antonioua just reminded me about this issue. Sorry for the delay. It'll be a couple more weeks before we can really look into this. Unfortunately our team's been heads down on other issues.

cin commented

I was just reading a bit more into this and am thinking this may work out of the box by simply specifying the user and ACL entries in the redis.configuration.valueMap or in the redis.configuration.file itself. See more details here. However, I'm also not certain the settings would be updated properly if they were modified while the cluster is up.

cin commented

Adding users in the valueMap does indeed work. It does not update dynamically unfortunately (we only support updating some config settings dynamically). I think the biggest issue is that if you were to limit the default user's permissions (or even simply require a password), it'd break the operator's ability to manage the cluster in the current implementation. The operator currently uses the redis-cli command to manage the cluster, perform key migrations, etc. We don't have any auth support there, so pretty much everything would break. That's probably the biggest obstacle to adding support for AUTH/ACLs. Also I think we'd ideally want to remove the default user.

Using the valueMap or file configs probably isn't a good idea for production use cases anyway as they wouldn't update the ACLs dynamically. We'd probably want to store the ACL config in a separate configmap/secret that the operator watches and updates on the pod's filesystem when it changes. This would allow the operator to use the acl load command to update the ACL config dynamically.

I'm sure there are at least a few things I'm not considering at this point; but from what I've seen, I think this would take a decent effort to support (at least a sprint). We will circle up with our leadership and determine if this is something we can support. TBH, we're a small team and have our plates full ATM.
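The two constraints raised in the last comment (the default user should be disabled, yet the operator's own redis-cli calls must keep full rights to manage the cluster) can be checked before an ACL file is pushed to the pods and reloaded with `ACL LOAD`. The following is an added example written for this thread, not code from the operator or from any commenter. It assumes an ACL user named `operator` that needs at least CLUSTER and MIGRATE, and it uses a deliberately simplified rule model: Redis applies ACL rules in order and expands categories such as `@dangerous`, while this parser only records explicit grants and denials and treats a category denial after `+@all` conservatively. The sample ACL files and passwords are constructed.

```python
"""Parse a Redis ACL file (the format `aclfile` points at and `ACL LOAD`
reloads) and audit it: the default user must not be left open, and the
account the operator uses for redis-cli must keep the rights it needs.
Simplified model (assumption): categories are not expanded, so a category
denial after +@all is treated as possibly covering the required commands."""
import hashlib
from dataclasses import dataclass, field

# Assumption: the operator manages the cluster and migrates slots through
# redis-cli, so at minimum it needs CLUSTER and MIGRATE.
OPERATOR_REQUIRED_CMDS = {"cluster", "migrate"}


@dataclass
class AclUser:
    name: str
    enabled: bool = False
    nopass: bool = False
    has_password: bool = False
    key_patterns: list = field(default_factory=list)
    channel_patterns: list = field(default_factory=list)
    commands: set = field(default_factory=set)  # grants: "@all", "@read", "cluster", ...
    denied: set = field(default_factory=set)    # explicit denials since the last reset


def parse_acl_file(text):
    """Return {username: AclUser} for every `user ...` line; raise on unknown rules."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment line
        parts = line.split()
        if parts[0] != "user" or len(parts) < 2:
            raise ValueError(f"unsupported ACL line: {raw!r}")
        u = AclUser(parts[1])
        for rule in parts[2:]:
            body = rule[1:].lower()
            if rule == "on":
                u.enabled = True
            elif rule == "off":
                u.enabled = False
            elif rule == "nopass":
                u.nopass, u.has_password = True, False
            elif rule == "resetpass":
                u.nopass, u.has_password = False, False
            elif rule[0] in ">#":                     # clear-text (>) or sha256-hashed (#) password
                u.nopass, u.has_password = False, True
            elif rule == "allkeys":
                u.key_patterns.append("*")
            elif rule == "resetkeys":
                u.key_patterns.clear()
            elif rule[0] == "~":
                u.key_patterns.append(rule[1:])
            elif rule == "allchannels":
                u.channel_patterns.append("*")
            elif rule == "resetchannels":
                u.channel_patterns.clear()
            elif rule[0] == "&":
                u.channel_patterns.append(rule[1:])
            elif rule in ("allcommands", "+@all"):
                u.commands, u.denied = {"@all"}, set()
            elif rule in ("nocommands", "-@all"):
                u.commands, u.denied = set(), set()
            elif rule[0] == "+":
                u.commands.add(body)
                u.denied.discard(body)
            elif rule[0] == "-":
                u.denied.add(body)
                u.commands.discard(body)
            else:
                raise ValueError(f"unsupported ACL rule {rule!r} for user {u.name}")
        users[u.name] = u
    return users


def can_run(user, cmd):
    """Conservative: an explicit grant wins; @all counts only if nothing was
    denied after it, because categories are not expanded here."""
    cmd = cmd.lower()
    if cmd in user.denied:
        return False
    if cmd in user.commands:
        return True
    return "@all" in user.commands and not user.denied


def audit(users, operator_user="operator"):
    """Return finding codes; an empty list means the ACL file passes."""
    findings = []
    default = users.get("default")
    if default is None:
        # Assumption: a default user absent from the file keeps Redis' built-in
        # state (on, nopass, all keys, all commands), i.e. wide open.
        findings.append("default-user-not-declared")
    elif default.enabled:
        findings.append("default-user-enabled")
        if default.nopass or not default.has_password:
            findings.append("default-user-unauthenticated")
    op = users.get(operator_user)
    if op is None:
        findings.append("operator-user-missing")
        return findings
    if not op.enabled:
        findings.append("operator-user-disabled")
    if not op.has_password:
        findings.append("operator-user-no-password")
    if "*" not in op.key_patterns:
        findings.append("operator-not-allkeys")
    for cmd in sorted(OPERATOR_REQUIRED_CMDS):
        if not can_run(op, cmd):
            findings.append(f"operator-cannot-run-{cmd}")
    return findings


# Constructed samples (not from the project); passwords are placeholders.
OPERATOR_HASH = hashlib.sha256(b"operator-s3cret").hexdigest()
GOOD_ACL = f"""
# default disabled; operator keeps full rights; app confined to its key prefix
user default off
user operator on #{OPERATOR_HASH} ~* &* +@all
user app on >app-s3cret ~app:* &* -@all +@read +@write
"""
BAD_ACL = """
user default on nopass ~* +@all
user operator on >operator-s3cret ~* +@all -@dangerous
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(label, audit(parse_acl_file(text)) or "ok")
```

Run against the file the operator would write to the pod filesystem before issuing `ACL LOAD`, this catches the failure mode described in the thread (a locked-down default user with no usable replacement account for the operator). The remaining work is on the client side: every redis-cli invocation the operator makes would then have to carry `--user` and `--pass` (or `REDISCLI_AUTH`) for that operator account.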