2021-06-09 08:13:24 -04:00
|
|
|
start_server {tags {"acl external:skip"}} {
|
2019-01-28 05:39:58 -05:00
|
|
|
test {Connections start with the default user} {
|
|
|
|
|
r ACL WHOAMI
|
|
|
|
|
} {default}
|
2019-01-28 05:44:10 -05:00
|
|
|
|
|
|
|
|
test {It is possible to create new users} {
|
|
|
|
|
r ACL setuser newuser
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-06 00:58:28 -05:00
|
|
|
test {Usernames can not contain spaces or null characters} {
|
|
|
|
|
catch {r ACL setuser "a a"} err
|
|
|
|
|
set err
|
|
|
|
|
} {*Usernames can't contain spaces or null characters*}
|
|
|
|
|
|
2019-01-28 05:44:10 -05:00
|
|
|
test {New users start disabled} {
|
|
|
|
|
r ACL setuser newuser >passwd1
|
|
|
|
|
catch {r AUTH newuser passwd1} err
|
|
|
|
|
set err
|
|
|
|
|
} {*WRONGPASS*}
|
|
|
|
|
|
|
|
|
|
test {Enabling the user allows the login} {
|
2019-01-28 06:06:25 -05:00
|
|
|
r ACL setuser newuser on +acl
|
2019-01-28 05:44:10 -05:00
|
|
|
r AUTH newuser passwd1
|
2019-01-28 06:06:25 -05:00
|
|
|
r ACL WHOAMI
|
|
|
|
|
} {newuser}
|
|
|
|
|
|
|
|
|
|
test {Only the set of correct passwords work} {
|
|
|
|
|
r ACL setuser newuser >passwd2
|
|
|
|
|
catch {r AUTH newuser passwd1} e
|
|
|
|
|
assert {$e eq "OK"}
|
|
|
|
|
catch {r AUTH newuser passwd2} e
|
|
|
|
|
assert {$e eq "OK"}
|
|
|
|
|
catch {r AUTH newuser passwd3} e
|
|
|
|
|
set e
|
|
|
|
|
} {*WRONGPASS*}
|
|
|
|
|
|
|
|
|
|
test {It is possible to remove passwords from the set of valid ones} {
|
|
|
|
|
r ACL setuser newuser <passwd1
|
|
|
|
|
catch {r AUTH newuser passwd1} e
|
|
|
|
|
set e
|
|
|
|
|
} {*WRONGPASS*}
|
2019-01-28 06:33:14 -05:00
|
|
|
|
2019-09-17 06:32:35 -04:00
|
|
|
test {Test password hashes can be added} {
|
|
|
|
|
r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
|
|
|
|
|
catch {r AUTH newuser passwd4} e
|
|
|
|
|
assert {$e eq "OK"}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Test password hashes validate input} {
|
|
|
|
|
# Validate Length
|
|
|
|
|
catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e} e
|
|
|
|
|
# Validate character outside set
|
|
|
|
|
catch {r ACL setuser newuser #34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4eq} e
|
|
|
|
|
set e
|
|
|
|
|
} {*Error in ACL SETUSER modifier*}
|
|
|
|
|
|
|
|
|
|
test {ACL GETUSER returns the password hash instead of the actual password} {
|
|
|
|
|
set passstr [dict get [r ACL getuser newuser] passwords]
|
|
|
|
|
assert_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
|
|
|
|
|
assert_no_match {*passwd4*} $passstr
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-30 12:22:55 -04:00
|
|
|
test {Test hashed passwords removal} {
|
|
|
|
|
r ACL setuser newuser !34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6
|
|
|
|
|
set passstr [dict get [r ACL getuser newuser] passwords]
|
|
|
|
|
assert_no_match {*34344e4d60c2b6d639b7bd22e18f2b0b91bc34bf0ac5f9952744435093cfb4e6*} $passstr
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-28 06:33:14 -05:00
|
|
|
test {By default users are not able to access any command} {
|
|
|
|
|
catch {r SET foo bar} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*set*}
|
2019-01-28 06:33:14 -05:00
|
|
|
|
|
|
|
|
test {By default users are not able to access any key} {
|
|
|
|
|
r ACL setuser newuser +set
|
|
|
|
|
catch {r SET foo bar} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*key*}
|
|
|
|
|
|
|
|
|
|
test {It's possible to allow the access of a subset of keys} {
|
|
|
|
|
r ACL setuser newuser allcommands ~foo:* ~bar:*
|
|
|
|
|
r SET foo:1 a
|
|
|
|
|
r SET bar:2 b
|
|
|
|
|
catch {r SET zap:3 c} e
|
|
|
|
|
r ACL setuser newuser allkeys; # Undo keys ACL
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*key*}
|
2019-01-28 06:40:07 -05:00
|
|
|
|
2022-01-30 05:02:55 -05:00
|
|
|
test {By default, only default user is able to publish to any channel} {
|
|
|
|
|
r AUTH default pwd
|
|
|
|
|
r PUBLISH foo bar
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
r ACL setuser psuser on >pspass +acl +client +@pubsub
|
|
|
|
|
r AUTH psuser pspass
|
2022-01-30 05:02:55 -05:00
|
|
|
catch {r PUBLISH foo bar} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channels*}
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
|
2022-01-30 05:02:55 -05:00
|
|
|
test {By default, only default user is not able to publish to any shard channel} {
|
|
|
|
|
r AUTH default pwd
|
2022-01-02 19:54:47 -05:00
|
|
|
r SPUBLISH foo bar
|
2022-01-30 05:02:55 -05:00
|
|
|
r AUTH psuser pspass
|
|
|
|
|
catch {r SPUBLISH foo bar} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channels*}
|
2022-01-02 19:54:47 -05:00
|
|
|
|
2022-01-30 05:02:55 -05:00
|
|
|
test {By default, only default user is able to subscribe to any channel} {
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
set rd [redis_deferring_client]
|
2022-01-30 05:02:55 -05:00
|
|
|
$rd AUTH default pwd
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd read
|
|
|
|
|
$rd SUBSCRIBE foo
|
|
|
|
|
assert_match {subscribe foo 1} [$rd read]
|
2022-01-30 05:02:55 -05:00
|
|
|
$rd UNSUBSCRIBE
|
|
|
|
|
$rd read
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd SUBSCRIBE foo
|
|
|
|
|
catch {$rd read} e
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd close
|
2022-01-30 05:02:55 -05:00
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channels*}
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
|
2022-01-30 05:02:55 -05:00
|
|
|
test {By default, only default user is able to subscribe to any shard channel} {
|
2022-01-02 19:54:47 -05:00
|
|
|
set rd [redis_deferring_client]
|
2022-01-30 05:02:55 -05:00
|
|
|
$rd AUTH default pwd
|
2022-01-02 19:54:47 -05:00
|
|
|
$rd read
|
|
|
|
|
$rd SSUBSCRIBE foo
|
|
|
|
|
assert_match {ssubscribe foo 1} [$rd read]
|
2022-01-30 05:02:55 -05:00
|
|
|
$rd SUNSUBSCRIBE
|
|
|
|
|
$rd read
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd SSUBSCRIBE foo
|
|
|
|
|
catch {$rd read} e
|
2022-01-02 19:54:47 -05:00
|
|
|
$rd close
|
2022-01-30 05:02:55 -05:00
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channels*}
|
2022-01-02 19:54:47 -05:00
|
|
|
|
2022-01-30 05:02:55 -05:00
|
|
|
test {By default, only default user is able to subscribe to any pattern} {
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
set rd [redis_deferring_client]
|
2022-01-30 05:02:55 -05:00
|
|
|
$rd AUTH default pwd
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd read
|
|
|
|
|
$rd PSUBSCRIBE bar*
|
|
|
|
|
assert_match {psubscribe bar\* 1} [$rd read]
|
2022-01-30 05:02:55 -05:00
|
|
|
$rd PUNSUBSCRIBE
|
|
|
|
|
$rd read
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd PSUBSCRIBE bar*
|
|
|
|
|
catch {$rd read} e
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd close
|
2022-01-30 05:02:55 -05:00
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channels*}
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
|
|
|
|
|
test {It's possible to allow publishing to a subset of channels} {
|
|
|
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:*
|
|
|
|
|
assert_equal {0} [r PUBLISH foo:1 somemessage]
|
|
|
|
|
assert_equal {0} [r PUBLISH bar:2 anothermessage]
|
|
|
|
|
catch {r PUBLISH zap:3 nosuchmessage} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
|
2022-01-02 19:54:47 -05:00
|
|
|
test {It's possible to allow publishing to a subset of shard channels} {
|
|
|
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:*
|
|
|
|
|
assert_equal {0} [r SPUBLISH foo:1 somemessage]
|
|
|
|
|
assert_equal {0} [r SPUBLISH bar:2 anothermessage]
|
|
|
|
|
catch {r SPUBLISH zap:3 nosuchmessage} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
|
2021-04-19 06:27:44 -04:00
|
|
|
test {Validate subset of channels is prefixed with resetchannels flag} {
|
|
|
|
|
r ACL setuser hpuser on nopass resetchannels &foo +@all
|
|
|
|
|
|
|
|
|
|
# Verify resetchannels flag is prefixed before the channel name(s)
|
|
|
|
|
set users [r ACL LIST]
|
|
|
|
|
set curruser "hpuser"
|
|
|
|
|
foreach user [lshuffle $users] {
|
|
|
|
|
if {[string first $curruser $user] != -1} {
|
|
|
|
|
assert_equal {user hpuser on nopass resetchannels &foo +@all} $user
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# authenticate as hpuser
|
|
|
|
|
r AUTH hpuser pass
|
|
|
|
|
|
|
|
|
|
assert_equal {0} [r PUBLISH foo bar]
|
|
|
|
|
catch {r PUBLISH bar game} e
|
|
|
|
|
|
|
|
|
|
# Falling back to psuser for the below tests
|
|
|
|
|
r AUTH psuser pspass
|
|
|
|
|
r ACL deluser hpuser
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
|
2021-03-26 07:10:01 -04:00
|
|
|
test {In transaction queue publish/subscribe/psubscribe to unauthorized channel will fail} {
|
|
|
|
|
r ACL setuser psuser +multi +discard
|
|
|
|
|
r MULTI
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*channel*} {r PUBLISH notexits helloworld}
|
2021-03-26 07:10:01 -04:00
|
|
|
r DISCARD
|
|
|
|
|
r MULTI
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*channel*} {r SUBSCRIBE notexits foo:1}
|
2021-03-26 07:10:01 -04:00
|
|
|
r DISCARD
|
|
|
|
|
r MULTI
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*channel*} {r PSUBSCRIBE notexits:* bar:*}
|
2021-03-26 07:10:01 -04:00
|
|
|
r DISCARD
|
|
|
|
|
}
|
|
|
|
|
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
test {It's possible to allow subscribing to a subset of channels} {
|
|
|
|
|
set rd [redis_deferring_client]
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd SUBSCRIBE foo:1
|
|
|
|
|
assert_match {subscribe foo:1 1} [$rd read]
|
|
|
|
|
$rd SUBSCRIBE bar:2
|
|
|
|
|
assert_match {subscribe bar:2 2} [$rd read]
|
|
|
|
|
$rd SUBSCRIBE zap:3
|
|
|
|
|
catch {$rd read} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
|
2022-01-02 19:54:47 -05:00
|
|
|
test {It's possible to allow subscribing to a subset of shard channels} {
|
|
|
|
|
set rd [redis_deferring_client]
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd SSUBSCRIBE foo:1
|
|
|
|
|
assert_match {ssubscribe foo:1 1} [$rd read]
|
|
|
|
|
$rd SSUBSCRIBE bar:2
|
|
|
|
|
assert_match {ssubscribe bar:2 2} [$rd read]
|
|
|
|
|
$rd SSUBSCRIBE zap:3
|
|
|
|
|
catch {$rd read} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
test {It's possible to allow subscribing to a subset of channel patterns} {
|
|
|
|
|
set rd [redis_deferring_client]
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd PSUBSCRIBE foo:1
|
|
|
|
|
assert_match {psubscribe foo:1 1} [$rd read]
|
|
|
|
|
$rd PSUBSCRIBE bar:*
|
|
|
|
|
assert_match {psubscribe bar:\* 2} [$rd read]
|
|
|
|
|
$rd PSUBSCRIBE bar:baz
|
|
|
|
|
catch {$rd read} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
|
|
|
|
|
test {Subscribers are killed when revoked of channel permission} {
|
|
|
|
|
set rd [redis_deferring_client]
|
|
|
|
|
r ACL setuser psuser resetchannels &foo:1
|
|
|
|
|
$rd AUTH psuser pspass
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd CLIENT SETNAME deathrow
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd SUBSCRIBE foo:1
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
r ACL setuser psuser resetchannels
|
|
|
|
|
assert_no_match {*deathrow*} [r CLIENT LIST]
|
|
|
|
|
$rd close
|
|
|
|
|
} {0}
|
|
|
|
|
|
2022-01-02 19:54:47 -05:00
|
|
|
test {Subscribers are killed when revoked of channel permission} {
|
|
|
|
|
set rd [redis_deferring_client]
|
|
|
|
|
r ACL setuser psuser resetchannels &foo:1
|
|
|
|
|
$rd AUTH psuser pspass
|
|
|
|
|
$rd read
|
|
|
|
|
$rd CLIENT SETNAME deathrow
|
|
|
|
|
$rd read
|
|
|
|
|
$rd SSUBSCRIBE foo:1
|
|
|
|
|
$rd read
|
|
|
|
|
r ACL setuser psuser resetchannels
|
|
|
|
|
assert_no_match {*deathrow*} [r CLIENT LIST]
|
|
|
|
|
$rd close
|
|
|
|
|
} {0}
|
|
|
|
|
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
test {Subscribers are killed when revoked of pattern permission} {
|
|
|
|
|
set rd [redis_deferring_client]
|
|
|
|
|
r ACL setuser psuser resetchannels &bar:*
|
|
|
|
|
$rd AUTH psuser pspass
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd CLIENT SETNAME deathrow
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd PSUBSCRIBE bar:*
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
r ACL setuser psuser resetchannels
|
|
|
|
|
assert_no_match {*deathrow*} [r CLIENT LIST]
|
|
|
|
|
$rd close
|
|
|
|
|
} {0}
|
|
|
|
|
|
|
|
|
|
test {Subscribers are pardoned if literal permissions are retained and/or gaining allchannels} {
|
|
|
|
|
set rd [redis_deferring_client]
|
2022-01-02 19:54:47 -05:00
|
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:* &orders
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd AUTH psuser pspass
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd CLIENT SETNAME pardoned
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd SUBSCRIBE foo:1
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
2022-01-02 19:54:47 -05:00
|
|
|
$rd SSUBSCRIBE orders
|
|
|
|
|
$rd read
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
$rd PSUBSCRIBE bar:*
|
2020-12-02 10:24:27 -05:00
|
|
|
$rd read
|
2022-01-02 19:54:47 -05:00
|
|
|
r ACL setuser psuser resetchannels &foo:1 &bar:* &orders &baz:qaz &zoo:*
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
assert_match {*pardoned*} [r CLIENT LIST]
|
|
|
|
|
r ACL setuser psuser allchannels
|
|
|
|
|
assert_match {*pardoned*} [r CLIENT LIST]
|
|
|
|
|
$rd close
|
|
|
|
|
} {0}
|
|
|
|
|
|
2019-01-28 06:40:07 -05:00
|
|
|
test {Users can be configured to authenticate with any password} {
|
|
|
|
|
r ACL setuser newuser nopass
|
|
|
|
|
r AUTH newuser zipzapblabla
|
|
|
|
|
} {OK}
|
|
|
|
|
|
|
|
|
|
test {ACLs can exclude single commands} {
|
|
|
|
|
r ACL setuser newuser -ping
|
|
|
|
|
r INCR mycounter ; # Should not raise an error
|
|
|
|
|
catch {r PING} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*ping*}
|
2019-01-28 06:40:07 -05:00
|
|
|
|
2019-09-17 06:32:35 -04:00
|
|
|
test {ACLs can include or exclude whole classes of commands} {
|
2019-01-28 06:40:07 -05:00
|
|
|
r ACL setuser newuser -@all +@set +acl
|
|
|
|
|
r SADD myset a b c; # Should not raise an error
|
|
|
|
|
r ACL setuser newuser +@all -@string
|
|
|
|
|
r SADD myset a b c; # Again should not raise an error
|
|
|
|
|
# String commands instead should raise an error
|
|
|
|
|
catch {r SET foo bar} e
|
|
|
|
|
r ACL setuser newuser allcommands; # Undo commands ACL
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*set*}
|
2019-01-28 12:29:22 -05:00
|
|
|
|
|
|
|
|
test {ACLs can include single subcommands} {
|
|
|
|
|
r ACL setuser newuser +@all -client
|
|
|
|
|
r ACL setuser newuser +client|id +client|setname
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_match {+@all*-client*+client|id*} $cmdstr
|
|
|
|
|
assert_match {+@all*-client*+client|setname*} $cmdstr
|
|
|
|
|
r CLIENT ID; # Should not fail
|
|
|
|
|
r CLIENT SETNAME foo ; # Should not fail
|
|
|
|
|
catch {r CLIENT KILL type master} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*client|kill*}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
|
|
|
|
test {ACLs can exclude single subcommands, case 1} {
|
|
|
|
|
r ACL setuser newuser +@all -client|kill
|
|
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_equal {+@all -client|kill} $cmdstr
|
2019-01-28 12:29:22 -05:00
|
|
|
r CLIENT ID; # Should not fail
|
|
|
|
|
r CLIENT SETNAME foo ; # Should not fail
|
|
|
|
|
catch {r CLIENT KILL type master} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*client|kill*}
|
2019-01-30 06:01:23 -05:00
|
|
|
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
test {ACLs can exclude single subcommands, case 2} {
|
|
|
|
|
r ACL setuser newuser -@all +acl +config -config|set
|
|
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_match {*+config*} $cmdstr
|
|
|
|
|
assert_match {*-config|set*} $cmdstr
|
|
|
|
|
r CONFIG GET loglevel; # Should not fail
|
|
|
|
|
catch {r CONFIG SET loglevel debug} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*config|set*}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
2022-01-22 07:09:40 -05:00
|
|
|
test {ACLs cannot include a subcommand with a specific arg} {
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
r ACL setuser newuser +@all -config|get
|
2022-01-22 07:09:40 -05:00
|
|
|
catch { r ACL setuser newuser +config|get|appendonly} e
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
set e
|
2022-01-22 07:09:40 -05:00
|
|
|
} {*Allowing first-arg of a subcommand is not supported*}
|
|
|
|
|
|
|
|
|
|
test {ACLs cannot exclude or include a container commands with a specific arg} {
|
|
|
|
|
r ACL setuser newuser +@all +config|get
|
|
|
|
|
catch { r ACL setuser newuser +@all +config|asdf} e
|
|
|
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
|
|
|
catch { r ACL setuser newuser +@all -config|asdf} e
|
|
|
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
|
|
|
} {}
|
|
|
|
|
|
|
|
|
|
test {ACLs cannot exclude or include a container command with two args} {
|
|
|
|
|
r ACL setuser newuser +@all +config|get
|
|
|
|
|
catch { r ACL setuser newuser +@all +get|key1|key2} e
|
|
|
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
|
|
|
catch { r ACL setuser newuser +@all -get|key1|key2} e
|
|
|
|
|
assert_match "*Unknown command or category name in ACL*" $e
|
|
|
|
|
} {}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
|
|
|
|
test {ACLs including of a type includes also subcommands} {
|
2022-08-03 05:11:32 -04:00
|
|
|
r ACL setuser newuser -@all +del +acl +@stream
|
|
|
|
|
r DEL key
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
r XADD key * field value
|
|
|
|
|
r XINFO STREAM key
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {ACLs can block SELECT of all but a specific DB} {
|
|
|
|
|
r ACL setuser newuser -@all +acl +select|0
|
|
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_match {*+select|0*} $cmdstr
|
|
|
|
|
r SELECT 0
|
|
|
|
|
catch {r SELECT 1} e
|
|
|
|
|
set e
|
2022-08-03 05:11:32 -04:00
|
|
|
} {*NOPERM*select*} {singledb:skip}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
|
|
|
|
test {ACLs can block all DEBUG subcommands except one} {
|
2022-08-03 05:11:32 -04:00
|
|
|
r ACL setuser newuser -@all +acl +del +incr +debug|object
|
|
|
|
|
r DEL key
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_match {*+debug|object*} $cmdstr
|
|
|
|
|
r INCR key
|
|
|
|
|
r DEBUG OBJECT key
|
|
|
|
|
catch {r DEBUG SEGFAULT} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*debug*}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
2021-02-22 08:22:25 -05:00
|
|
|
test {ACLs set can include subcommands, if already full command exists} {
|
|
|
|
|
r ACL setuser bob +memory|doctor
|
|
|
|
|
set cmdstr [dict get [r ACL getuser bob] commands]
|
|
|
|
|
assert_equal {-@all +memory|doctor} $cmdstr
|
|
|
|
|
|
|
|
|
|
# Validate the commands have got engulfed to +memory.
|
|
|
|
|
r ACL setuser bob +memory
|
|
|
|
|
set cmdstr [dict get [r ACL getuser bob] commands]
|
|
|
|
|
assert_equal {-@all +memory} $cmdstr
|
|
|
|
|
|
|
|
|
|
# Appending to the existing access string of bob.
|
|
|
|
|
r ACL setuser bob +@all +client|id
|
|
|
|
|
# Validate the new commands has got engulfed to +@all.
|
|
|
|
|
set cmdstr [dict get [r ACL getuser bob] commands]
|
|
|
|
|
assert_equal {+@all} $cmdstr
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
|
|
|
|
r ACL setuser bob >passwd1 on
|
|
|
|
|
r AUTH bob passwd1
|
2021-02-22 08:22:25 -05:00
|
|
|
r CLIENT ID; # Should not fail
|
|
|
|
|
r MEMORY DOCTOR; # Should not fail
|
|
|
|
|
}
|
|
|
|
|
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
test {ACLs set can exclude subcommands, if already full command exists} {
|
|
|
|
|
r ACL setuser alice +@all -memory|doctor
|
|
|
|
|
set cmdstr [dict get [r ACL getuser alice] commands]
|
|
|
|
|
assert_equal {+@all -memory|doctor} $cmdstr
|
|
|
|
|
|
|
|
|
|
r ACL setuser alice >passwd1 on
|
|
|
|
|
r AUTH alice passwd1
|
|
|
|
|
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*memory|doctor*} {r MEMORY DOCTOR}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
r MEMORY STATS ;# should work
|
|
|
|
|
|
|
|
|
|
# Validate the commands have got engulfed to -memory.
|
|
|
|
|
r ACL setuser alice +@all -memory
|
|
|
|
|
set cmdstr [dict get [r ACL getuser alice] commands]
|
|
|
|
|
assert_equal {+@all -memory} $cmdstr
|
|
|
|
|
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*memory|doctor*} {r MEMORY DOCTOR}
|
|
|
|
|
assert_error {*NOPERM*memory|stats*} {r MEMORY STATS}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
|
|
|
|
# Appending to the existing access string of alice.
|
|
|
|
|
r ACL setuser alice -@all
|
|
|
|
|
|
|
|
|
|
# Now, alice can't do anything, we need to auth newuser to execute ACL GETUSER
|
|
|
|
|
r AUTH newuser passwd1
|
|
|
|
|
|
|
|
|
|
# Validate the new commands has got engulfed to -@all.
|
|
|
|
|
set cmdstr [dict get [r ACL getuser alice] commands]
|
|
|
|
|
assert_equal {-@all} $cmdstr
|
|
|
|
|
|
|
|
|
|
r AUTH alice passwd1
|
|
|
|
|
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*get*} {r GET key}
|
|
|
|
|
assert_error {*NOPERM*memory|stats*} {r MEMORY STATS}
|
Treat subcommands as commands (#9504)
## Intro
The purpose is to allow having different flags/ACL categories for
subcommands (Example: CONFIG GET is ok-loading but CONFIG SET isn't)
We create a small command table for every command that has subcommands
and each subcommand has its own flags, etc. (same as a "regular" command)
This commit also unites the Redis and the Sentinel command tables
## Affected commands
CONFIG
Used to have "admin ok-loading ok-stale no-script"
Changes:
1. Dropped "ok-loading" in all except GET (this doesn't change behavior since
there were checks in the code doing that)
XINFO
Used to have "read-only random"
Changes:
1. Dropped "random" in all except CONSUMERS
XGROUP
Used to have "write use-memory"
Changes:
1. Dropped "use-memory" in all except CREATE and CREATECONSUMER
COMMAND
No changes.
MEMORY
Used to have "random read-only"
Changes:
1. Dropped "random" in PURGE and USAGE
ACL
Used to have "admin no-script ok-loading ok-stale"
Changes:
1. Dropped "admin" in WHOAMI, GENPASS, and CAT
LATENCY
No changes.
MODULE
No changes.
SLOWLOG
Used to have "admin random ok-loading ok-stale"
Changes:
1. Dropped "random" in RESET
OBJECT
Used to have "read-only random"
Changes:
1. Dropped "random" in ENCODING and REFCOUNT
SCRIPT
Used to have "may-replicate no-script"
Changes:
1. Dropped "may-replicate" in all except FLUSH and LOAD
CLIENT
Used to have "admin no-script random ok-loading ok-stale"
Changes:
1. Dropped "random" in all except INFO and LIST
2. Dropped "admin" in ID, TRACKING, CACHING, GETREDIR, INFO, SETNAME, GETNAME, and REPLY
STRALGO
No changes.
PUBSUB
No changes.
CLUSTER
Changes:
1. Dropped "admin in countkeysinslots, getkeysinslot, info, nodes, keyslot, myid, and slots
SENTINEL
No changes.
(note that DEBUG also fits, but we decided not to convert it since it's for
debugging and anyway undocumented)
## New sub-command
This commit adds another element to the per-command output of COMMAND,
describing the list of subcommands, if any (in the same structure as "regular" commands)
Also, it adds a new subcommand:
```
COMMAND LIST [FILTERBY (MODULE <module-name>|ACLCAT <cat>|PATTERN <pattern>)]
```
which returns a set of all commands (unless filters), but excluding subcommands.
## Module API
A new module API, RM_CreateSubcommand, was added, in order to allow
module writer to define subcommands
## ACL changes:
1. Now, that each subcommand is actually a command, each has its own ACL id.
2. The old mechanism of allowed_subcommands is redundant
(blocking/allowing a subcommand is the same as blocking/allowing a regular command),
but we had to keep it, to support the widespread usage of allowed_subcommands
to block commands with certain args, that aren't subcommands (e.g. "-select +select|0").
3. I have renamed allowed_subcommands to allowed_firstargs to emphasize the difference.
4. Because subcommands are commands in ACL too, you can now use "-" to block subcommands
(e.g. "+client -client|kill"), which wasn't possible in the past.
5. It is also possible to use the allowed_firstargs mechanism with subcommand.
For example: `+config -config|set +config|set|loglevel` will block all CONFIG SET except
for setting the log level.
6. All of the ACL changes above required some amount of refactoring.
## Misc
1. There are two approaches: Either each subcommand has its own function or all
subcommands use the same function, determining what to do according to argv[0].
For now, I took the former approaches only with CONFIG and COMMAND,
while other commands use the latter approach (for smaller blamelog diff).
2. Deleted memoryGetKeys: It is no longer needed because MEMORY USAGE now uses the "range" key spec.
4. Bugfix: GETNAME was missing from CLIENT's help message.
5. Sentinel and Redis now use the same table, with the same function pointer.
Some commands have a different implementation in Sentinel, so we redirect
them (these are ROLE, PUBLISH, and INFO).
6. Command stats now show the stats per subcommand (e.g. instead of stats just
for "config" you will have stats for "config|set", "config|get", etc.)
7. It is now possible to use COMMAND directly on subcommands:
COMMAND INFO CONFIG|GET (The pipeline syntax was inspired from ACL, and
can be used in functions lookupCommandBySds and lookupCommandByCString)
8. STRALGO is now a container command (has "help")
## Breaking changes:
1. Command stats now show the stats per subcommand (see (5) above)
2021-10-20 04:52:57 -04:00
|
|
|
|
|
|
|
|
# Auth newuser before the next test
|
|
|
|
|
r AUTH newuser passwd1
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-30 06:01:23 -05:00
|
|
|
# Note that the order of the generated ACL rules is not stable in Redis
|
|
|
|
|
# so we need to match the different parts and not as a whole string.
|
|
|
|
|
test {ACL GETUSER is able to translate back command permissions} {
|
|
|
|
|
# Subtractive
|
|
|
|
|
r ACL setuser newuser reset +@all ~* -@string +incr -debug +debug|digest
|
|
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_match {*+@all*} $cmdstr
|
|
|
|
|
assert_match {*-@string*} $cmdstr
|
|
|
|
|
assert_match {*+incr*} $cmdstr
|
|
|
|
|
assert_match {*-debug +debug|digest**} $cmdstr
|
|
|
|
|
|
|
|
|
|
# Additive
|
|
|
|
|
r ACL setuser newuser reset +@string -incr +acl +debug|digest +debug|segfault
|
|
|
|
|
set cmdstr [dict get [r ACL getuser newuser] commands]
|
|
|
|
|
assert_match {*-@all*} $cmdstr
|
|
|
|
|
assert_match {*+@string*} $cmdstr
|
|
|
|
|
assert_match {*-incr*} $cmdstr
|
|
|
|
|
assert_match {*+debug|digest*} $cmdstr
|
|
|
|
|
assert_match {*+debug|segfault*} $cmdstr
|
|
|
|
|
assert_match {*+acl*} $cmdstr
|
|
|
|
|
}
|
2019-04-08 12:06:50 -04:00
|
|
|
|
2020-10-08 01:09:09 -04:00
|
|
|
# A regression test make sure that as long as there is a simple
|
|
|
|
|
# category defining the commands, that it will be used as is.
|
|
|
|
|
test {ACL GETUSER provides reasonable results} {
|
2020-10-27 00:23:30 -04:00
|
|
|
set categories [r ACL CAT]
|
|
|
|
|
|
|
|
|
|
# Test that adding each single category will
|
|
|
|
|
# result in just that category with both +@all and -@all
|
|
|
|
|
foreach category $categories {
|
|
|
|
|
# Test for future commands where allowed
|
|
|
|
|
r ACL setuser additive reset +@all "-@$category"
|
|
|
|
|
set cmdstr [dict get [r ACL getuser additive] commands]
|
|
|
|
|
assert_equal "+@all -@$category" $cmdstr
|
|
|
|
|
|
|
|
|
|
# Test for future commands where disallowed
|
|
|
|
|
r ACL setuser restrictive reset -@all "+@$category"
|
|
|
|
|
set cmdstr [dict get [r ACL getuser restrictive] commands]
|
|
|
|
|
assert_equal "-@all +@$category" $cmdstr
|
|
|
|
|
}
|
2020-10-08 01:09:09 -04:00
|
|
|
}
|
|
|
|
|
|
2022-01-23 03:05:06 -05:00
|
|
|
test "ACL CAT with illegal arguments" {
|
|
|
|
|
assert_error {*Unknown category 'NON_EXISTS'} {r ACL CAT NON_EXISTS}
|
2022-04-25 06:08:13 -04:00
|
|
|
assert_error {*unknown subcommand or wrong number of arguments for 'CAT'*} {r ACL CAT NON_EXISTS NON_EXISTS2}
|
2022-01-23 03:05:06 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test "ACL CAT without category - list all categories" {
|
|
|
|
|
set categories [r acl cat]
|
|
|
|
|
assert_not_equal [lsearch $categories "keyspace"] -1
|
|
|
|
|
assert_not_equal [lsearch $categories "connection"] -1
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test "ACL CAT category - list all commands/subcommands that belong to category" {
|
|
|
|
|
assert_not_equal [lsearch [r acl cat transaction] "multi"] -1
|
|
|
|
|
assert_not_equal [lsearch [r acl cat scripting] "function|list"] -1
|
|
|
|
|
|
|
|
|
|
# Negative check to make sure it doesn't actually return all commands.
|
|
|
|
|
assert_equal [lsearch [r acl cat keyspace] "set"] -1
|
|
|
|
|
assert_equal [lsearch [r acl cat stream] "get"] -1
|
|
|
|
|
}
|
|
|
|
|
|
2022-05-30 02:42:56 -04:00
|
|
|
test "ACL requires explicit permission for scripting for EVAL_RO, EVALSHA_RO and FCALL_RO" {
|
|
|
|
|
r ACL SETUSER scripter on nopass +readonly
|
|
|
|
|
assert_equal "This user has no permissions to run the 'eval_ro' command" [r ACL DRYRUN scripter EVAL_RO "" 0]
|
|
|
|
|
assert_equal "This user has no permissions to run the 'evalsha_ro' command" [r ACL DRYRUN scripter EVALSHA_RO "" 0]
|
|
|
|
|
assert_equal "This user has no permissions to run the 'fcall_ro' command" [r ACL DRYRUN scripter FCALL_RO "" 0]
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-08 12:08:37 -04:00
|
|
|
test {ACL #5998 regression: memory leaks adding / removing subcommands} {
|
2019-04-08 12:06:50 -04:00
|
|
|
r AUTH default ""
|
|
|
|
|
r ACL setuser newuser reset -debug +debug|a +debug|b +debug|c
|
|
|
|
|
r ACL setuser newuser -debug
|
|
|
|
|
# The test framework will detect a leak if any.
|
|
|
|
|
}
|
2020-01-30 05:09:50 -05:00
|
|
|
|
|
|
|
|
test {ACL LOG shows failed command executions at toplevel} {
|
|
|
|
|
r ACL LOG RESET
|
|
|
|
|
r ACL setuser antirez >foo on +set ~object:1234
|
|
|
|
|
r ACL setuser antirez +eval +multi +exec
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
r ACL setuser antirez resetchannels +publish
|
2020-01-30 05:09:50 -05:00
|
|
|
r AUTH antirez foo
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error "*NOPERM*get*" {r GET foo}
|
2020-01-30 05:09:50 -05:00
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry username] eq {antirez}}
|
|
|
|
|
assert {[dict get $entry context] eq {toplevel}}
|
|
|
|
|
assert {[dict get $entry reason] eq {command}}
|
|
|
|
|
assert {[dict get $entry object] eq {get}}
|
|
|
|
|
}
|
|
|
|
|
|
2022-01-12 13:05:14 -05:00
|
|
|
test "ACL LOG shows failed subcommand executions at toplevel" {
|
|
|
|
|
r ACL LOG RESET
|
|
|
|
|
r ACL DELUSER demo
|
|
|
|
|
r ACL SETUSER demo on nopass
|
|
|
|
|
r AUTH demo ""
|
|
|
|
|
assert_error "*NOPERM*script|help*" {r SCRIPT HELP}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert_equal [dict get $entry username] {demo}
|
|
|
|
|
assert_equal [dict get $entry context] {toplevel}
|
|
|
|
|
assert_equal [dict get $entry reason] {command}
|
|
|
|
|
assert_equal [dict get $entry object] {script|help}
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-30 05:09:50 -05:00
|
|
|
test {ACL LOG is able to test similar events} {
|
2022-01-12 13:05:14 -05:00
|
|
|
r ACL LOG RESET
|
2020-01-30 05:09:50 -05:00
|
|
|
r AUTH antirez foo
|
|
|
|
|
catch {r GET foo}
|
|
|
|
|
catch {r GET foo}
|
|
|
|
|
catch {r GET foo}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
2022-01-12 13:05:14 -05:00
|
|
|
assert {[dict get $entry count] == 3}
|
2020-01-30 05:09:50 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {ACL LOG is able to log keys access violations and key name} {
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
catch {r SET somekeynotallowed 1234}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry reason] eq {key}}
|
|
|
|
|
assert {[dict get $entry object] eq {somekeynotallowed}}
|
|
|
|
|
}
|
|
|
|
|
|
Adds pub/sub channel patterns to ACL (#7993)
Fixes #7923.
This PR appropriates the special `&` symbol (because `@` and `*` are taken),
followed by a literal value or pattern for describing the Pub/Sub patterns that
an ACL user can interact with. It is similar to the existing key patterns
mechanism in function (additive) and implementation (copy-pasta). It also adds
the allchannels and resetchannels ACL keywords, naturally.
The default user is given allchannels permissions, whereas new users get
whatever is defined by the acl-pubsub-default configuration directive. For
backward compatibility in 6.2, the default of this directive is allchannels but
this is likely to be changed to resetchannels in the next major version for
stronger default security settings.
Unless allchannels is set for the user, channel access permissions are checked
as follows :
* Calls to both PUBLISH and SUBSCRIBE will fail unless a pattern matching the
argumentative channel name(s) exists for the user.
* Calls to PSUBSCRIBE will fail unless the pattern(s) provided as an argument
literally exist(s) in the user's list.
Such failures are logged to the ACL log.
Runtime changes to channel permissions for a user with existing subscribing
clients cause said clients to disconnect unless the new permissions permit the
connections to continue. Note, however, that PSUBSCRIBErs' patterns are matched
literally, so given the change bar:* -> b*, pattern subscribers to bar:* will be
disconnected.
Notes/questions:
* UNSUBSCRIBE, PUNSUBSCRIBE and PUBSUB remain unprotected due to lack of reasons
for touching them.
2020-12-01 07:21:39 -05:00
|
|
|
test {ACL LOG is able to log channel access violations and channel name} {
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
catch {r PUBLISH somechannelnotallowed nullmsg}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry reason] eq {channel}}
|
|
|
|
|
assert {[dict get $entry object] eq {somechannelnotallowed}}
|
|
|
|
|
}
|
|
|
|
|
|
2020-01-30 05:09:50 -05:00
|
|
|
test {ACL LOG RESET is able to flush the entries in the log} {
|
|
|
|
|
r ACL LOG RESET
|
|
|
|
|
assert {[llength [r ACL LOG]] == 0}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {ACL LOG can distinguish the transaction context (1)} {
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
r MULTI
|
|
|
|
|
catch {r INCR foo}
|
|
|
|
|
catch {r EXEC}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry context] eq {multi}}
|
|
|
|
|
assert {[dict get $entry object] eq {incr}}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {ACL LOG can distinguish the transaction context (2)} {
|
|
|
|
|
set rd1 [redis_deferring_client]
|
|
|
|
|
r ACL SETUSER antirez +incr
|
|
|
|
|
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
r MULTI
|
|
|
|
|
r INCR object:1234
|
|
|
|
|
$rd1 ACL SETUSER antirez -incr
|
|
|
|
|
$rd1 read
|
|
|
|
|
catch {r EXEC}
|
|
|
|
|
$rd1 close
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry context] eq {multi}}
|
|
|
|
|
assert {[dict get $entry object] eq {incr}}
|
|
|
|
|
r ACL SETUSER antirez -incr
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {ACL can log errors in the context of Lua scripting} {
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
catch {r EVAL {redis.call('incr','foo')} 0}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry context] eq {lua}}
|
|
|
|
|
assert {[dict get $entry object] eq {incr}}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {ACL LOG can accept a numerical argument to show less entries} {
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
catch {r INCR foo}
|
|
|
|
|
catch {r INCR foo}
|
|
|
|
|
catch {r INCR foo}
|
|
|
|
|
catch {r INCR foo}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
assert {[llength [r ACL LOG]] > 1}
|
|
|
|
|
assert {[llength [r ACL LOG 2]] == 2}
|
|
|
|
|
}
|
2020-02-04 06:58:48 -05:00
|
|
|
|
|
|
|
|
test {ACL LOG can log failed auth attempts} {
|
|
|
|
|
catch {r AUTH antirez wrong-password}
|
|
|
|
|
set entry [lindex [r ACL LOG] 0]
|
|
|
|
|
assert {[dict get $entry context] eq {toplevel}}
|
|
|
|
|
assert {[dict get $entry reason] eq {auth}}
|
|
|
|
|
assert {[dict get $entry object] eq {AUTH}}
|
|
|
|
|
assert {[dict get $entry username] eq {antirez}}
|
|
|
|
|
}
|
2020-02-04 07:19:40 -05:00
|
|
|
|
|
|
|
|
test {ACL LOG entries are limited to a maximum amount} {
|
|
|
|
|
r ACL LOG RESET
|
|
|
|
|
r CONFIG SET acllog-max-len 5
|
|
|
|
|
r AUTH antirez foo
|
|
|
|
|
for {set j 0} {$j < 10} {incr j} {
|
|
|
|
|
catch {r SET obj:$j 123}
|
|
|
|
|
}
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
assert {[llength [r ACL LOG]] == 5}
|
|
|
|
|
}
|
2020-03-20 07:52:06 -04:00
|
|
|
|
|
|
|
|
test {When default user is off, new connections are not authenticated} {
|
|
|
|
|
r ACL setuser default off
|
|
|
|
|
catch {set rd1 [redis_deferring_client]} e
|
|
|
|
|
r ACL setuser default on
|
|
|
|
|
set e
|
|
|
|
|
} {*NOAUTH*}
|
2020-07-15 05:38:22 -04:00
|
|
|
|
2021-03-11 00:19:35 -05:00
|
|
|
test {When default user has no command permission, hello command still works for other users} {
|
|
|
|
|
r ACL setuser secure-user >supass on +@all
|
|
|
|
|
r ACL setuser default -@all
|
|
|
|
|
r HELLO 2 AUTH secure-user supass
|
|
|
|
|
r ACL setuser default nopass +@all
|
|
|
|
|
r AUTH default ""
|
|
|
|
|
}
|
|
|
|
|
|
2020-07-15 05:38:22 -04:00
|
|
|
test {ACL HELP should not have unexpected options} {
|
|
|
|
|
catch {r ACL help xxx} e
|
2022-01-23 03:05:06 -05:00
|
|
|
assert_match "*wrong number of arguments for 'acl|help' command" $e
|
2020-07-15 05:38:22 -04:00
|
|
|
}
|
Don't write replies if close the client ASAP (#7202)
Before this commit, we would have continued to add replies to the reply buffer even if client
output buffer limit is reached, so the used memory would keep increasing over the configured limit.
What's more, we shouldn’t write any reply to the client if it is set 'CLIENT_CLOSE_ASAP' flag
because that doesn't conform to its definition and we will close all clients flagged with
'CLIENT_CLOSE_ASAP' in ‘beforeSleep’.
Because of code execution order, before this, we may firstly write to part of the replies to
the socket before disconnecting it, but in fact, we may can’t send the full replies to clients
since OS socket buffer is limited. But this unexpected behavior makes some commands work well,
for instance ACL DELUSER, if the client deletes the current user, we need to send reply to client
and close the connection, but before, we close the client firstly and write the reply to reply
buffer. secondly, we shouldn't do this despite the fact it works well in most cases.
We add a flag 'CLIENT_CLOSE_AFTER_COMMAND' to mark clients, this flag means we will close the
client after executing commands and send all entire replies, so that we can write replies to
reply buffer during executing commands, send replies to clients, and close them later.
We also fix some implicit problems. If client output buffer limit is enforced in 'multi/exec',
all commands will be executed completely in redis and clients will not read any reply instead of
partial replies. Even more, if the client executes 'ACL deluser' the using user in 'multi/exec',
it will not read the replies after 'ACL deluser' just like before executing 'client kill' itself
in 'multi/exec'.
We added some tests for output buffer limit breach during multi-exec and using a pipeline of
many small commands rather than one with big response.
Co-authored-by: Oran Agra <oran@redislabs.com>
2020-09-24 09:01:41 -04:00
|
|
|
|
|
|
|
|
test {Delete a user that the client doesn't use} {
|
|
|
|
|
r ACL setuser not_used on >passwd
|
|
|
|
|
assert {[r ACL deluser not_used] == 1}
|
|
|
|
|
# The client is not closed
|
|
|
|
|
assert {[r ping] eq {PONG}}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Delete a user that the client is using} {
|
|
|
|
|
r ACL setuser using on +acl >passwd
|
|
|
|
|
r AUTH using passwd
|
|
|
|
|
# The client will receive reply normally
|
|
|
|
|
assert {[r ACL deluser using] == 1}
|
|
|
|
|
# The client is closed
|
|
|
|
|
catch {[r ping]} e
|
|
|
|
|
assert_match "*I/O error*" $e
|
|
|
|
|
}
|
2022-02-06 00:58:28 -05:00
|
|
|
|
|
|
|
|
test {ACL GENPASS command failed test} {
|
|
|
|
|
catch {r ACL genpass -236} err1
|
|
|
|
|
catch {r ACL genpass 5000} err2
|
|
|
|
|
assert_match "*ACL GENPASS argument must be the number*" $err1
|
|
|
|
|
assert_match "*ACL GENPASS argument must be the number*" $err2
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Default user can not be removed} {
|
|
|
|
|
catch {r ACL deluser default} err
|
|
|
|
|
set err
|
|
|
|
|
} {ERR The 'default' user cannot be removed}
|
|
|
|
|
|
|
|
|
|
test {ACL load non-existing configured ACL file} {
|
|
|
|
|
catch {r ACL load} err
|
|
|
|
|
set err
|
|
|
|
|
} {*Redis instance is not configured to use an ACL file*}
|
2019-01-28 05:39:58 -05:00
|
|
|
}
|
2020-09-09 10:13:35 -04:00
|
|
|
|
|
|
|
|
set server_path [tmpdir "server.acl"]
|
|
|
|
|
exec cp -f tests/assets/user.acl $server_path
|
2022-01-30 05:02:55 -05:00
|
|
|
start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "allchannels" "aclfile" "user.acl"] tags [list "external:skip"]] {
|
|
|
|
|
# user alice on allcommands allkeys &* >alice
|
|
|
|
|
# user bob on -@all +@set +acl ~set* &* >bob
|
|
|
|
|
# user default on nopass ~* &* +@all
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
|
|
|
|
|
test {default: load from include file, can access any channels} {
|
|
|
|
|
r SUBSCRIBE foo
|
|
|
|
|
r PSUBSCRIBE bar*
|
|
|
|
|
r UNSUBSCRIBE
|
|
|
|
|
r PUNSUBSCRIBE
|
|
|
|
|
r PUBLISH hello world
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {default: with config acl-pubsub-default allchannels after reset, can access any channels} {
|
|
|
|
|
r ACL setuser default reset on nopass ~* +@all
|
|
|
|
|
r SUBSCRIBE foo
|
|
|
|
|
r PSUBSCRIBE bar*
|
|
|
|
|
r UNSUBSCRIBE
|
|
|
|
|
r PUNSUBSCRIBE
|
|
|
|
|
r PUBLISH hello world
|
|
|
|
|
}
|
2020-09-09 10:13:35 -04:00
|
|
|
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
test {default: with config acl-pubsub-default resetchannels after reset, can not access any channels} {
|
|
|
|
|
r CONFIG SET acl-pubsub-default resetchannels
|
|
|
|
|
r ACL setuser default reset on nopass ~* +@all
|
2022-01-12 13:05:14 -05:00
|
|
|
assert_error {*NOPERM*channel*} {r SUBSCRIBE foo}
|
|
|
|
|
assert_error {*NOPERM*channel*} {r PSUBSCRIBE bar*}
|
|
|
|
|
assert_error {*NOPERM*channel*} {r PUBLISH hello world}
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
r CONFIG SET acl-pubsub-default resetchannels
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Alice: can execute all command} {
|
2020-09-09 10:13:35 -04:00
|
|
|
r AUTH alice alice
|
|
|
|
|
assert_equal "alice" [r acl whoami]
|
|
|
|
|
r SET key value
|
|
|
|
|
}
|
|
|
|
|
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
test {Bob: just execute @set and acl command} {
|
2020-09-09 10:13:35 -04:00
|
|
|
r AUTH bob bob
|
|
|
|
|
assert_equal "bob" [r acl whoami]
|
|
|
|
|
assert_equal "3" [r sadd set 1 2 3]
|
|
|
|
|
catch {r SET key value} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*set*}
|
2020-09-09 10:13:35 -04:00
|
|
|
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
test {ACL load and save} {
|
2020-09-09 10:13:35 -04:00
|
|
|
r ACL setuser eve +get allkeys >eve on
|
|
|
|
|
r ACL save
|
|
|
|
|
|
|
|
|
|
# ACL load will free user and kill clients
|
|
|
|
|
r ACL load
|
|
|
|
|
catch {r ACL LIST} e
|
|
|
|
|
assert_match {*I/O error*} $e
|
|
|
|
|
|
|
|
|
|
reconnect
|
|
|
|
|
r AUTH alice alice
|
|
|
|
|
r SET key value
|
|
|
|
|
r AUTH eve eve
|
|
|
|
|
r GET key
|
|
|
|
|
catch {r SET key value} e
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*set*}
|
2021-04-19 06:27:44 -04:00
|
|
|
|
|
|
|
|
test {ACL load and save with restricted channels} {
|
|
|
|
|
r AUTH alice alice
|
|
|
|
|
r ACL setuser harry on nopass resetchannels &test +@all ~*
|
|
|
|
|
r ACL save
|
|
|
|
|
|
|
|
|
|
# ACL load will free user and kill clients
|
|
|
|
|
r ACL load
|
|
|
|
|
catch {r ACL LIST} e
|
|
|
|
|
assert_match {*I/O error*} $e
|
|
|
|
|
|
|
|
|
|
reconnect
|
|
|
|
|
r AUTH harry anything
|
|
|
|
|
r publish test bar
|
|
|
|
|
catch {r publish test1 bar} e
|
|
|
|
|
r ACL deluser harry
|
|
|
|
|
set e
|
2022-01-12 13:05:14 -05:00
|
|
|
} {*NOPERM*channel*}
|
2020-09-09 10:13:35 -04:00
|
|
|
}
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
|
2021-04-19 06:27:44 -04:00
|
|
|
set server_path [tmpdir "resetchannels.acl"]
|
|
|
|
|
exec cp -f tests/assets/nodefaultuser.acl $server_path
|
|
|
|
|
exec cp -f tests/assets/default.conf $server_path
|
2022-01-30 05:02:55 -05:00
|
|
|
start_server [list overrides [list "dir" $server_path "aclfile" "nodefaultuser.acl"] tags [list "external:skip"]] {
|
2021-04-19 06:27:44 -04:00
|
|
|
|
|
|
|
|
test {Default user has access to all channels irrespective of flag} {
|
|
|
|
|
set channelinfo [dict get [r ACL getuser default] channels]
|
2022-01-20 16:05:27 -05:00
|
|
|
assert_equal "&*" $channelinfo
|
2021-04-19 06:27:44 -04:00
|
|
|
set channelinfo [dict get [r ACL getuser alice] channels]
|
|
|
|
|
assert_equal "" $channelinfo
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Update acl-pubsub-default, existing users shouldn't get affected} {
|
|
|
|
|
set channelinfo [dict get [r ACL getuser default] channels]
|
2022-01-20 16:05:27 -05:00
|
|
|
assert_equal "&*" $channelinfo
|
2021-04-19 06:27:44 -04:00
|
|
|
r CONFIG set acl-pubsub-default allchannels
|
|
|
|
|
r ACL setuser mydefault
|
|
|
|
|
set channelinfo [dict get [r ACL getuser mydefault] channels]
|
2022-01-20 16:05:27 -05:00
|
|
|
assert_equal "&*" $channelinfo
|
2021-04-19 06:27:44 -04:00
|
|
|
r CONFIG set acl-pubsub-default resetchannels
|
|
|
|
|
set channelinfo [dict get [r ACL getuser mydefault] channels]
|
2022-01-20 16:05:27 -05:00
|
|
|
assert_equal "&*" $channelinfo
|
2021-04-19 06:27:44 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Single channel is valid} {
|
|
|
|
|
r ACL setuser onechannel &test
|
|
|
|
|
set channelinfo [dict get [r ACL getuser onechannel] channels]
|
2022-01-20 16:05:27 -05:00
|
|
|
assert_equal "&test" $channelinfo
|
2021-04-19 06:27:44 -04:00
|
|
|
r ACL deluser onechannel
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Single channel is not valid with allchannels} {
|
|
|
|
|
r CONFIG set acl-pubsub-default allchannels
|
|
|
|
|
catch {r ACL setuser onechannel &test} err
|
|
|
|
|
r CONFIG set acl-pubsub-default resetchannels
|
|
|
|
|
set err
|
|
|
|
|
} {*start with an empty list of channels*}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
set server_path [tmpdir "resetchannels.acl"]
|
|
|
|
|
exec cp -f tests/assets/nodefaultuser.acl $server_path
|
|
|
|
|
exec cp -f tests/assets/default.conf $server_path
|
2021-06-09 08:13:24 -04:00
|
|
|
start_server [list overrides [list "dir" $server_path "acl-pubsub-default" "resetchannels" "aclfile" "nodefaultuser.acl"] tags [list "external:skip"]] {
|
2021-04-19 06:27:44 -04:00
|
|
|
|
|
|
|
|
test {Only default user has access to all channels irrespective of flag} {
|
|
|
|
|
set channelinfo [dict get [r ACL getuser default] channels]
|
2022-01-20 16:05:27 -05:00
|
|
|
assert_equal "&*" $channelinfo
|
2021-04-19 06:27:44 -04:00
|
|
|
set channelinfo [dict get [r ACL getuser alice] channels]
|
|
|
|
|
assert_equal "" $channelinfo
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2021-06-09 08:13:24 -04:00
|
|
|
start_server {overrides {user "default on nopass ~* +@all"} tags {"external:skip"}} {
|
2022-01-30 05:02:55 -05:00
|
|
|
test {default: load from config file, without channel permission default user can't access any channels} {
|
|
|
|
|
catch {r SUBSCRIBE foo} e
|
|
|
|
|
set e
|
|
|
|
|
} {*NOPERM*channel*}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
start_server {overrides {user "default on nopass ~* &* +@all"} tags {"external:skip"}} {
|
|
|
|
|
test {default: load from config file with all channels permissions} {
|
Fix "default" and overwritten / reset users will not have pubsub channels permissions by default. (#8723)
Background:
Redis 6.2 added ACL control for pubsub channels (#7993), which were supposed
to be permissive by default to retain compatibility with redis 6.0 ACL.
But due to a bug, only newly created users got this `acl-pubsub-default` applied,
while overwritten (updated) users got reset to `resetchannels` (denied).
Since the "default" user exists before loading the config file,
any ACL change to it, results in an update / overwrite.
So when a "default" user is loaded from config file or include ACL
file with no channels related rules, the user will not have any
permissions to any channels. But other users will have default
permissions to any channels.
When upgraded from 6.0 with config rewrite, this will lead to
"default" user channels permissions lost.
When users are loaded from include file, then call "acl load", users
will also lost channels permissions.
Similarly, the `reset` ACL rule, would have reset the user to be denied
access to any channels, ignoring `acl-pubsub-default` and breaking
compatibility with redis 6.0.
The implication of this fix is that it regains compatibility with redis 6.0,
but breaks compatibility with redis 6.2.0 and 2.0.1. e.g. after the upgrade,
the default user will regain access to pubsub channels.
Other changes:
Additionally this commit rename server.acl_pubusub_default to
server.acl_pubsub_default and fix typo in acl tests.
2021-04-05 16:13:20 -04:00
|
|
|
r SUBSCRIBE foo
|
|
|
|
|
r PSUBSCRIBE bar*
|
|
|
|
|
r UNSUBSCRIBE
|
|
|
|
|
r PUNSUBSCRIBE
|
|
|
|
|
r PUBLISH hello world
|
|
|
|
|
}
|
|
|
|
|
}
|
2021-09-09 10:40:33 -04:00
|
|
|
|
|
|
|
|
set server_path [tmpdir "duplicate.acl"]
|
|
|
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
|
|
|
exec cp -f tests/assets/default.conf $server_path
|
|
|
|
|
start_server [list overrides [list "dir" $server_path "aclfile" "user.acl"] tags [list "external:skip"]] {
|
|
|
|
|
|
|
|
|
|
test {Test loading an ACL file with duplicate users} {
|
|
|
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
|
|
|
|
|
|
|
|
# Corrupt the ACL file
|
|
|
|
|
set corruption "\nuser alice on nopass ~* -@all"
|
|
|
|
|
exec echo $corruption >> $server_path/user.acl
|
|
|
|
|
catch {r ACL LOAD} err
|
|
|
|
|
assert_match {*Duplicate user 'alice' found*} $err
|
|
|
|
|
|
|
|
|
|
# Verify the previous users still exist
|
|
|
|
|
# NOTE: A missing user evaluates to an empty
|
|
|
|
|
# string.
|
|
|
|
|
assert {[r ACL GETUSER alice] != ""}
|
|
|
|
|
assert_equal [dict get [r ACL GETUSER alice] commands] "+@all"
|
|
|
|
|
assert {[r ACL GETUSER bob] != ""}
|
|
|
|
|
assert {[r ACL GETUSER default] != ""}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Test loading an ACL file with duplicate default user} {
|
|
|
|
|
exec cp -f tests/assets/user.acl $server_path
|
|
|
|
|
|
|
|
|
|
# Corrupt the ACL file
|
|
|
|
|
set corruption "\nuser default on nopass ~* -@all"
|
|
|
|
|
exec echo $corruption >> $server_path/user.acl
|
|
|
|
|
catch {r ACL LOAD} err
|
|
|
|
|
assert_match {*Duplicate user 'default' found*} $err
|
|
|
|
|
|
|
|
|
|
# Verify the previous users still exist
|
|
|
|
|
# NOTE: A missing user evaluates to an empty
|
|
|
|
|
# string.
|
|
|
|
|
assert {[r ACL GETUSER alice] != ""}
|
|
|
|
|
assert_equal [dict get [r ACL GETUSER alice] commands] "+@all"
|
|
|
|
|
assert {[r ACL GETUSER bob] != ""}
|
|
|
|
|
assert {[r ACL GETUSER default] != ""}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
test {Test loading duplicate users in config on startup} {
|
|
|
|
|
catch {exec src/redis-server --user foo --user foo} err
|
|
|
|
|
assert_match {*Duplicate user*} $err
|
|
|
|
|
|
|
|
|
|
catch {exec src/redis-server --user default --user default} err
|
|
|
|
|
assert_match {*Duplicate user*} $err
|
|
|
|
|
} {} {external:skip}
|
|
|
|
|
}
|
Fix bugs in CONFIG REWRITE, omitting rename-command and include lines, and inserting comments around module and acl configs (#10761)
A regression from #10285 (redis 7.0).
CONFIG REWRITE would put lines with: `include`, `rename-command`,
`user`, `loadmodule`, and any module specific config in a comment.
For ACL `user`, `loadmodule` and module specific configs would be
re-inserted at the end (instead of updating existing lines), so the only
implication is a messy config file full of comments.
But for `rename-command` and `include`, the implication would be that
they're now missing, so a server restart would lose them.
Co-authored-by: Oran Agra <oran@redislabs.com>
2022-06-02 01:36:55 -04:00
|
|
|
|
|
|
|
|
start_server {overrides {user "default on nopass ~* +@all -flushdb"} tags {acl external:skip}} {
|
|
|
|
|
test {ACL from config file and config rewrite} {
|
|
|
|
|
assert_error {NOPERM *} {r flushdb}
|
|
|
|
|
r config rewrite
|
|
|
|
|
restart_server 0 true false
|
|
|
|
|
assert_error {NOPERM *} {r flushdb}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
