Home
- This is my first GitHub project, so please be kind.
- This is my first experience with git. And it’s been years since I’ve collaborated on software in any but the most informal settings. So, again, please be kind.
This fork was created to extend authorization and privilege control for Redis clients. This is to support an internal project— but I thought others may want these features as well. Yes, this authorization layer will slow down the Redis server by some amount. I am using a common-sense approach to minimize the performance hit. But if you need to eke the very last drop of performance out of this server, this mod is not for you.
requirepass should be set in the redis.conf — this should be considered a ‘su’ password, and the auth modifications treat it as such.
Clients can login with additional auth tokens by setting the key auth.<token> to an integer value. The integer is a bit-flag field that provides a certain granularity of permissions:
- (1) – CAN_MOD: Client can access commands that will modify values in the store.
- (2) – CAN_SUB: Client can (p)subscribe to channels.
- (4) – CAN_ROOT: Client is not bound to a ‘jailed’ set of root paths (more on this in a second).
- (8) – CAN_ADMIN: Client has access to admin-like commands (e.g., FLUSHDB, FLUSHALL, SAVE, SHUTDOWN, …)
To jail a client to a set of keys (and channel (p)subscription prefixes), issue the following commands:

    SET auth.<token> 3    ## Bitwise (1|2)
    SADD auth.<token>.prefixes jailed.

Note: include the trailing ‘.’ (if you are using canonical naming). Adding just jailed, without the dot, would also give the client access to a key such as jailedButNotReally.
Other note: if you do not supply a set named ‘auth.<token>.prefixes’, then you must set the auth token permission to include CAN_ROOT; otherwise the client will be extremely limited.
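A small C model of the checks described above, showing how the flag bits combine and why the trailing ‘.’ matters. This is an added example, not code from this fork; the struct, the function names, the byte-wise prefix match and the treatment of reads and keyless commands are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Flag values as listed on this page. */
#define CAN_MOD   1
#define CAN_SUB   2
#define CAN_ROOT  4
#define CAN_ADMIN 8

/* Hypothetical model of one token: the integer stored at auth.<token>
 * plus the members of the set auth.<token>.prefixes. */
struct auth_token {
    int flags;
    const char **prefixes;
    size_t nprefixes;
};

/* A key is reachable if the token has CAN_ROOT, or if the key starts
 * with one of the jailed prefixes (byte-wise match, assumed). */
static int key_allowed(const struct auth_token *t, const char *key) {
    if (t->flags & CAN_ROOT) return 1;
    for (size_t i = 0; i < t->nprefixes; i++) {
        size_t n = strlen(t->prefixes[i]);
        if (n > 0 && strncmp(key, t->prefixes[i], n) == 0) return 1;
    }
    return 0;
}

/* needed: flag the command class requires (assumed 0 for plain reads).
 * key: key or channel touched, or NULL for keyless commands. */
static int cmd_allowed(const struct auth_token *t, int needed, const char *key) {
    if ((t->flags & needed) != needed) return 0;
    return key == NULL || key_allowed(t, key);
}

/* Constructed sample tokens. */
static const char *with_dot[] = { "jailed." };
static const char *no_dot[]   = { "jailed" };
static const struct auth_token strict = { CAN_MOD | CAN_SUB, with_dot, 1 };
static const struct auth_token loose  = { CAN_MOD | CAN_SUB, no_dot, 1 };
static const struct auth_token bare   = { CAN_MOD, NULL, 0 }; /* no prefixes, no CAN_ROOT */

int main(void) {
    printf("strict jailed.counter      %d\n", cmd_allowed(&strict, CAN_MOD, "jailed.counter"));
    printf("strict jailedButNotReally  %d\n", cmd_allowed(&strict, CAN_MOD, "jailedButNotReally"));
    printf("loose  jailedButNotReally  %d\n", cmd_allowed(&loose, CAN_MOD, "jailedButNotReally"));
    printf("bare   any.key             %d\n", cmd_allowed(&bare, CAN_MOD, "any.key"));
    printf("strict admin command       %d\n", cmd_allowed(&strict, CAN_ADMIN, NULL));
    return 0;
}
```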
This mod will be used in my system with MD5 hashes as auth tokens to limit not-entirely-trusted users to have a certain amount of access and visibility into the larger system.
Define AUTH_FEATURE in the compile phase (add -DAUTH_FEATURE to ./src/Makefile).
I am currently tracking the progress of converting different functions in ./src/README.AUTH. If the community likes this mod, we should probably write unit tests to ensure quality.