ACL安全策略
慕知
ACL安全策略是Redis 6及之后版本才支持的功能
1、为Redis设置密码
[root@\ redis~]# vim /usr/local/redis/etc/redis.conf
... ...
requirepass abc123
... ...
#修改完密码并重启后,未认证的连接无法正常执行命令
[root@\ redis~]# systemctl restart redis
[root@\ redis~]# redis-cli
127.0.0.1:6379> set a b
(error) NOAUTH Authentication required.
127.0.0.1:6379>
方式一:
127.0.0.1:6379> AUTH abc123 #或者auth default abc123
OK
127.0.0.1:6379> set a b
OK
方式二(密码以命令行参数传入,redis-cli会给出安全提示):
[root@\ redis~]# redis-cli -a abc123
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
127.0.0.1:6379> set abc bcd
OK
# 注:Redis当中默认的用户是default(ACL LIST 中显示为 nopass 时,表示该用户无需密码即可登录)
# 在redis当中,通过requirepass设置的密码只作用于default用户,而且该用户拥有超管权限
2、新特性ACL安全策略,开启
# 新特性让redis支持了多用户
# 新特性让redis支持为不同用户分配不同权限
开启方式:
1,在redis.conf中指定单独的acl配置文件
[root@\ redis~]# vim /usr/local/redis/etc/redis.conf
# aclfile /etc/redis/users.acl
更改为
aclfile /usr/local/redis/users.acl
2,创建文件
[root@\ redis~]# touch /usr/local/redis/users.acl
3,重启即可
[root@\ redis~]# systemctl restart redis
3,ACL设置
[root@\ redis~]# redis-cli
127.0.0.1:6379> ACL SETUSER egon on
# on 激活用户
# off 未激活用户
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user egon on &* -@all"
#用户尚未设置密码,此时登录会报错
127.0.0.1:6379> AUTH egon
(error) ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?
127.0.0.1:6379>
#设置密码(>密码 表示为该用户添加一个密码)
127.0.0.1:6379> ACL SETUSER egon >a123
OK
#登录
127.0.0.1:6379> auth egon a123
OK
#无法执行任何操作
127.0.0.1:6379> set a b
(error) NOPERM this user has no permissions to run the 'set' command or its subcommand
127.0.0.1:6379> keys *
(error) NOPERM this user has no permissions to run the 'keys' command or its subcommand
127.0.0.1:6379>
#退出后以default用户重新登录,查看权限
[root@\ redis~]# redis-cli
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user egon on #7c04837eb356565e28bb14e5a1dedb240a5ac2561f8ed318c54a279fb6a9665e &* -@all"
# -@all 代表没有任何命令执行权限
# 设置用户使用命令的权限:给egon用户针对以name开头的key授予set和get权限
127.0.0.1:6380> ACL SETUSER egon ~name* +get
OK
127.0.0.1:6380> ACL SETUSER egon ~name* +set
OK
# 查看egon用户的权限
127.0.0.1:6380> ACL LIST
1) "user default on nopass sanitize-payload ~* &* +@all"
2) "user egon on #a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 ~name* &* -@all +set +get"
127.0.0.1:6380> AUTH egon a123
OK
127.0.0.1:6380> set name zx
OK
127.0.0.1:6380> get name
"zx"
# 这里的key不以name开头,不在授权范围内,所以无法设置
127.0.0.1:6380> set age 18
(error) NOPERM this user has no permissions to access one of the keys used as arguments
#取消密码(<密码 表示删除该密码,与 >密码 相对)
127.0.0.1:6380> ACL SETUSER egon <123
OK
#设置一个和默认用户default一样的权限账号
127.0.0.1:6380> ACL SETUSER root on >root ~* +@all
OK
4,ACL常用操作
1,获取acl用户列表及权限
127.0.0.1:6380> ACL LIST
1) "user default on nopass sanitize-payload ~* &* +@all"
2) "user egon on ~name* &* -@all +set +get"
3) "user root on #4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2 ~* &* +@all"
2,只查看acl用户名列表
127.0.0.1:6380> ACL USERS
1) "default"
2) "egon"
3) "root"
3,查看当前用户
127.0.0.1:6380> ACL WHOAMI
"default"
# 切换用户
127.0.0.1:6380> AUTH egon 123
OK
4,查看ACL的命令权限分类(某个用户自身的权限请用 ACL GETUSER 查看)
127.0.0.1:6380> ACL CAT
1) "keyspace"
2) "read"
3) "write"
4) "set"
5) "sortedset"
6) "list"
7) "hash"
8) "string"
9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"
5, 创建或设置用户
127.0.0.1:6380> ACL SETUSER root on >abc123 ~* +@all
ACL SETUSER 用户名 激活状态(on/off) >密码 key匹配规则 命令权限列表
6,获取指定用户的详细权限信息
127.0.0.1:6380> ACL GETUSER egon
1) "flags"
2) 1) "on"
2) "allchannels"
3) "passwords"
4) 1) "7c04837eb356565e28bb14e5a1dedb240a5ac2561f8ed318c54a279fb6a9665e"
5) "commands"
6) "-@all +set +get"
7) "keys"
8) 1) "name*"
9) "channels"
10) 1) "*"
7,删除用户
127.0.0.1:6380> ACL USERS
1) "default"
2) "egon"
3) "root"
127.0.0.1:6380> ACL DELUSER root
(integer) 1
127.0.0.1:6380> ACL USERS
1) "default"
2) "egon"
8,持久化
# 在配置文件中打开aclfile配置项,并设置acl文件的存放路径
[root@\ redis/usr/local/redis]# vim /usr/local/redis/etc/redis6380.conf
... ...
aclfile /usr/local/redis/users.acl
... ...
127.0.0.1:6380> ACL SAVE
OK
[root@\ redis/usr/local/redis]# cat users.acl
user default on nopass ~* &* +@all
user egon off #a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 ~* &* +@all
# 将acl文件中的用户配置重新加载到redis服务中
127.0.0.1:6380> ACL LOAD
OK