User Management

Implementing proper authentication and access control is essential for securing your Redis environment. This section covers password management and role-based access control configuration for Redis instances.

Version Compatibility Note

Redis 5.0 supports only basic password authentication with a single credential set, while Redis 6.0 and later versions implement a comprehensive Access Control List (ACL) system that supports multiple users with granular permissions. Redis 6.0+ maintains the default user for backward compatibility with legacy clients.

View Users

The following methods allow you to view all users associated with a Redis instance.

CLI
Web Console

Redis instances (version 6.0+) utilize the RedisUser Custom Resource (CR) to manage user accounts. To list all users associated with a specific instance:

$ kubectl -n default get redisuser -l middleware.instance/name=<instance_name>

For example, to list all users for the instance named s6:

$ kubectl -n test get redisuser -l middleware.instance/name=s6
NAME                  INSTANCE   USERNAME   PHASE     AGE
rfr-acl-s6-admin      s6         admin      Success   22s
rfr-acl-s6-app-a      s6         app-a      Success   45s
rfr-acl-s6-app-b      s6         app-b      Success   6s
rfr-acl-s6-default    s6         default    Success   3m17s
rfr-acl-s6-operator   s6         operator   Success   3m17s

The output fields provide the following information:

| Field | Description |
| --- | --- |
| NAME | The RedisUser custom resource identifier |
| INSTANCE | The associated Redis instance name |
| USERNAME | The username registered within Redis |
| PHASE | The synchronization status |

PHASE takes one of the following values:

  • Success: User configuration successfully synchronized to all Redis nodes
  • Fail: User synchronization failed on one or more Redis nodes
  • Pending: Associated Redis instance is not ready or synchronization is in progress

System Operator Account

Each Redis instance includes a built-in operator user that is automatically provisioned during instance creation. This system account has comprehensive permissions (including user management capabilities) and is secured with a complex 64-character password.

This account is reserved exclusively for system operations and should never be used for application access. Any modification to this account's configuration may cause severe instance instability and potentially lead to unrecoverable failure states.

Update Password

The following procedures allow you to update user passwords for enhanced security. Regular password rotation is recommended as a security best practice.

Procedure

CLI
Redis 5.0 CLI
Web Console
Version Compatibility

The following operations apply only to Redis 6.0 or later versions. For Redis 5.0, refer to the "Redis 5.0 CLI" tab.

  1. Identify the target user from the RedisUser list.

    For this example, we'll update the password for the default user of instance s6.

  2. Retrieve the RedisUser resource to identify the associated password Secret:

$ kubectl -n default get RedisUser rfr-acl-s6-default -o yaml
apiVersion: redis.middleware.alauda.io/v1
kind: RedisUser
metadata:
  annotations:
    middleware.alauda.io/acl-supported-version: "6.0"
  creationTimestamp: "2025-02-28T02:07:26Z"
  finalizers:
  - redisusers.redis.middleware.alauda.io/finalizer
  generation: 1
  labels:
    managed-by: redis-operator
    middleware.instance/name: s6
  name: rfr-acl-s6-default
  namespace: default
  ownerReferences:
  - apiVersion: databases.spotahome.com/v1
    blockOwnerDeletion: true
    controller: true
    kind: RedisFailover
    name: s6
    uid: 56596fa0-4a42-408b-ba26-d61b3a42b60c
  - apiVersion: middleware.alauda.io/v1
    blockOwnerDeletion: true
    kind: Redis
    name: s6
    uid: 80d2e7b0-02d2-490f-bec4-f145f2c738fc
  resourceVersion: "1014064"
  uid: aae888f3-86ba-48bd-9376-710070bf07e0
spec:
  accountType: default
  aclRules: +@all -acl -flushall -flushdb -keys ~*
  arch: sentinel
  passwordSecrets:
  - redis-s6-2hqxb
  redisName: s6
  username: default
status:
  Phase: Success
  lastUpdateSuccess: "2025-02-28T02:16:28Z"

From the spec.passwordSecrets[0] field, we can see that the password is stored in the Secret redis-s6-2hqxb.

  3. Examine the current password Secret:

$ kubectl -n default get secret redis-s6-2hqxb -o yaml
apiVersion: v1
data:
  password: YWRtaW5AMTIz
kind: Secret
metadata:
  annotations:
    cpaas.io/creator: admin
    cpaas.io/operator: admin
    cpaas.io/updated-at: "2025-02-28T08:49:38Z"
  creationTimestamp: "2025-02-28T02:07:24Z"
  generateName: redis-s6-
  labels:
    managed-by: redis-operator
    middleware.instance/name: s6
  name: redis-s6-2hqxb
  namespace: default
  ownerReferences:
  - apiVersion: redis.middleware.alauda.io/v1
    blockOwnerDeletion: true
    controller: true
    kind: RedisUser
    name: rfr-acl-s6-default
    uid: aae888f3-86ba-48bd-9376-710070bf07e0
  resourceVersion: "1183397"
  uid: 45a5faa7-5b47-4a6a-a4e4-c614feccb806
type: Opaque

Note: The password key is a reserved field name utilized by the Redis Operator. Its value is stored as a base64-encoded string.

  4. Update the Secret with the new password:

$ kubectl -n default patch secret redis-s6-2hqxb --type=merge --patch='{"stringData": {"password": "admin@12345"}}'

  5. Verify the password update:

$ kubectl -n default get secret redis-s6-2hqxb -o jsonpath='{.data.password}' | base64 -d
admin@12345

After updating the password, the RedisUser resource will temporarily enter the Pending state while the change propagates to all Redis nodes. Once synchronized, the status will return to Success.
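The procedure above passes the new password as a command-line argument, which leaves it in shell history and in the process list. The following script is an added example, not part of the platform documentation: it performs the same steps with a generated password written to a private temporary patch file. The function names are hypothetical, and it assumes kubectl 1.23 or later (for `wait --for=jsonpath`) and a readable /dev/urandom.

```sh
# Added example: rotate a RedisUser password without typing it on the
# command line. Function names are hypothetical.

# gen_password LEN: LEN random characters from [A-Za-z0-9].
gen_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# build_patch PASSWORD: merge patch for the operator's reserved "password" key.
# No JSON escaping is done; that is safe only for [A-Za-z0-9] passwords.
build_patch() {
  printf '{"stringData":{"password":"%s"}}\n' "$1"
}

# rotate_password NAMESPACE REDISUSER
# e.g. rotate_password default rfr-acl-s6-default
rotate_password() (
  ns=$1 user=$2
  umask 077                      # patch file readable by the owner only
  # Step 2 of the procedure: find the Secret that holds the password.
  secret=$(kubectl -n "$ns" get redisuser "$user" \
    -o jsonpath='{.spec.passwordSecrets[0]}') || exit 1
  [ -n "$secret" ] || { echo "no password Secret on $user" >&2; exit 1; }
  patch=$(mktemp) || exit 1
  trap 'rm -f "$patch"' EXIT     # remove the patch file when the subshell exits
  build_patch "$(gen_password 32)" >"$patch"
  # Update the Secret from the file, not from an argument.
  kubectl -n "$ns" patch secret "$secret" --type=merge \
    --patch-file="$patch" || exit 1
  # Block until the operator reports the user as synchronized again.
  kubectl -n "$ns" wait "redisuser/$user" \
    --for=jsonpath='{.status.Phase}'=Success --timeout=120s
)
```

The wait can return immediately if the operator has not yet moved the resource to Pending, so confirm the PHASE column again before relying on the new credential.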

Update Permissions

Redis 6.0+ supports fine-grained access control through its ACL system. The platform provides predefined permission profiles for common use cases:

| Permission Profile | ACL Rules | Description |
| --- | --- | --- |
| NotDangerous | `+@all -@dangerous ~*` | Grants access to all commands on all keys except those classified as potentially dangerous operations |
| ReadWrite | `-@all +@write +@read -@dangerous ~*` | Permits read and write operations on all keys while blocking dangerous commands |
| ReadOnly | `-@all +@read -keys ~*` | Restricts access to read-only operations on all keys |
| Administrator | `+@all -acl ~*` | Provides comprehensive access to all Redis functionality except ACL management commands |

For advanced use cases, custom ACL rules are supported. Refer to the Redis ACL Documentation for detailed syntax and capabilities.

Note: All permission profiles, including custom ones, explicitly revoke ACL management permissions. User modifications must be performed through the platform's user management interfaces.
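Redis applies ACL rules left to right, so the order and the trailing exclusions decide which sensitive commands a profile still allows. The following shell function is an added example, not part of the platform documentation: it evaluates a rule string exactly as written and prints which of acl, flushall, flushdb and keys remain permitted. It is a simplified model that assumes the Redis 6 category membership of those four commands, ignores key patterns and all other tokens, and uses the hypothetical name acl_lint.

```sh
# Added example: report which sensitive commands an aclRules string permits.
# Simplified model (assumption): only acl, flushall, flushdb and keys are
# tracked, with these categories:
#   acl               -> @admin @slow @dangerous
#   flushall, flushdb -> @keyspace @write @slow @dangerous
#   keys              -> @keyspace @read @slow @dangerous
# Key patterns such as ~* and any other token are ignored.
acl_lint() (
  set -f                          # tokens like ~* must not glob-expand
  acl=0 flushall=0 flushdb=0 keys=0
  set_all() { acl=$1 flushall=$1 flushdb=$1 keys=$1; }
  for tok in $1; do               # left to right, later rules override
    case $tok in
      +@all|allcommands|+@dangerous|+@slow) set_all 1 ;;
      -@all|nocommands|-@dangerous|-@slow)  set_all 0 ;;
      +@admin)    acl=1 ;;
      -@admin)    acl=0 ;;
      +@write)    flushall=1 flushdb=1 ;;
      -@write)    flushall=0 flushdb=0 ;;
      +@read)     keys=1 ;;
      -@read)     keys=0 ;;
      +@keyspace) flushall=1 flushdb=1 keys=1 ;;
      -@keyspace) flushall=0 flushdb=0 keys=0 ;;
      +acl|+flushall|+flushdb|+keys) eval "${tok#+}=1" ;;
      -acl|-flushall|-flushdb|-keys) eval "${tok#-}=0" ;;
    esac
  done
  out=
  if [ "$acl" = 1 ];      then out="$out acl"; fi
  if [ "$flushall" = 1 ]; then out="$out flushall"; fi
  if [ "$flushdb" = 1 ];  then out="$out flushdb"; fi
  if [ "$keys" = 1 ];     then out="$out keys"; fi
  printf '%s\n' "${out# }"
)

# The rule strings below are the ones shown on this page.
acl_lint '+@all -@dangerous ~*'                     # NotDangerous
acl_lint '-@all +@read -keys ~*'                    # ReadOnly
acl_lint '+@all -acl ~*'                            # Administrator
acl_lint '+@all -acl -flushall -flushdb -keys ~*'   # default user of s6
```

An empty line means none of the four commands is permitted. In the ReadOnly profile the explicit `-keys` is what removes the one tracked command that `+@read` would otherwise grant.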

Procedure

CLI
Web Console
$ kubectl -n default patch RedisUser s56 --type=merge --patch='{"spec": {"aclRules": "+@all ~*"}}'

After the patch is applied, the user temporarily enters the Pending state. Wait for it to change to the Success state, which indicates that the update has been applied successfully.

Create User

Procedure

CLI
Web Console

Create a user for the Redis instance. The following example creates the user app-a for the instance s6:

$ cat << EOF | kubectl -n default create -f -
apiVersion: redis.middleware.alauda.io/v1
kind: RedisUser
metadata:
  name: rfr-acl-s6-app-a
spec:
  accountType: custom
  aclRules: +@all -acl ~*
  passwordSecrets:
  - new-redis-password
  redisName: s6
  username: app-a
EOF

Once the resource status changes to `Success`, you can connect with the new password for debugging.