authorantirez <antirez@gmail.com>2019-02-05 17:59:05 +0100
committerantirez <antirez@gmail.com>2019-02-05 17:59:05 +0100
commit7604ab7118d1154e9120ea41a88d9c214f2202c3 (patch)
treee2df41c6d089ee3c7b36db9f4cdf77aae5059132
parentcc116736c1306f53869510a768cb8bb4d6c6b04c (diff)
downloadredis-7604ab7118d1154e9120ea41a88d9c214f2202c3.tar.gz
ACL: redis.conf: mark old ACL-alike stuff as deprecated.
-rw-r--r--redis.conf37
1 files changed, 28 insertions, 9 deletions
diff --git a/redis.conf b/redis.conf
index 93ab9a42e..d1ced7eb3 100644
--- a/redis.conf
+++ b/redis.conf
@@ -493,20 +493,39 @@ replica-priority 100
################################## SECURITY ###################################
-# Require clients to issue AUTH <PASSWORD> before processing any other
-# commands. This might be useful in environments in which you do not trust
-# others with access to the host running redis-server.
+# Warning: since Redis is pretty fast an outside user can try up to
+# 1 million passwords per second against a modern box. This means that you
+# should use very strong passwords, otherwise they will be very easy to break.
+# Note that because the password is really a shared secret between the client
+# and the server, and should not be memorized by any human, the password
+# can be easily a long string from /dev/urandom or whatever, so by using a
+# long and unguessable password no brute force attack will be possible.
+
+# Instead of configuring users here in this file, it is possible to use
+# a stand-alone file just listing users. The two methods cannot be mixed:
+# if you configure users here and at the same time you activate the exteranl
+# ACL file, the server will refuse to start.
#
-# This should stay commented out for backward compatibility and because most
-# people do not need auth (e.g. they run their own servers).
+# The format of the external ACL user file is exactly the same as the
+# format that is used inside redis.conf to describe users.
#
-# Warning: since Redis is pretty fast an outside user can try up to
-# 150k passwords per second against a good box. This means that you should
-# use a very strong password otherwise it will be very easy to break.
+# aclfile /etc/redis/users.acl
+
+# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatiblity
+# layer on top of the new ACL system. The option effect will be just setting
+# the password for the default user. Clients will still authenticate using
+# AUTH <password> as usually, or more explicitly with AUTH default <password>
+# if they follow the new protocol: both will work.
#
# requirepass foobared
-# Command renaming.
+# Command renaming (DEPRECATED).
+#
+# ------------------------------------------------------------------------
+# WARNING: avoid using this option if possible. Instead use ACLs to remove
+# commands from the default user, and put them only in some admin user you
+# create for administrative purposes.
+# ------------------------------------------------------------------------
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something