diff options
author | zhaozhao.zz <zhaozhao.zz@alibaba-inc.com> | 2019-02-12 16:44:50 +0800 |
---|---|---|
committer | zhaozhao.zz <zhaozhao.zz@alibaba-inc.com> | 2019-02-12 17:12:37 +0800 |
commit | ea9d3aefec76f5798510e09c9b2c8046e7eb2b8f (patch) | |
tree | 098bb6e92acc9be3b4328d7b96759534bd4e9f62 /src/config.c | |
parent | 85cadafabfa85f596241a64c205979b9287f2542 (diff) | |
download | redis-ea9d3aefec76f5798510e09c9b2c8046e7eb2b8f.tar.gz |
ACL: add masteruser configuration for replication
In mostly production environment, normal user's behavior should be
limited.
Now in redis ACL mechanism we can do it like that:
user default on +@all ~* -@dangerous nopass
user admin on +@all ~* >someSeriousPassword
Then the default normal user can not execute dangerous commands like
FLUSHALL/KEYS.
But some admin commands are in dangerous category too like PSYNC,
and the configurations above will forbid replica from sync with master.
Finally I think we could add a new configuration for replication,
it is masteruser option, like this:
masteruser admin
masterauth someSeriousPassword
Then replica will try AUTH admin someSeriousPassword and get privilege
to execute PSYNC. If masteruser is NULL, replica would AUTH with only
masterauth like before.
Diffstat (limited to 'src/config.c')
-rw-r--r-- | src/config.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/config.c b/src/config.c index fc9160d26..68a2ea227 100644 --- a/src/config.c +++ b/src/config.c @@ -395,6 +395,9 @@ void loadServerConfigFromString(char *config) { err = "repl-backlog-ttl can't be negative "; goto loaderr; } + } else if (!strcasecmp(argv[0],"masteruser") && argc == 2) { + zfree(server.masteruser); + server.masteruser = argv[1][0] ? zstrdup(argv[1]) : NULL; } else if (!strcasecmp(argv[0],"masterauth") && argc == 2) { zfree(server.masterauth); server.masterauth = argv[1][0] ? zstrdup(argv[1]) : NULL; @@ -943,6 +946,9 @@ void configSetCommand(client *c) { sds aclop = sdscatprintf(sdsempty(),">%s",(char*)o->ptr); ACLSetUser(DefaultUser,aclop,sdslen(aclop)); sdsfree(aclop); + } config_set_special_field("masteruser") { + zfree(server.masteruser); + server.masteruser = ((char*)o->ptr)[0] ? zstrdup(o->ptr) : NULL; } config_set_special_field("masterauth") { zfree(server.masterauth); server.masterauth = ((char*)o->ptr)[0] ? zstrdup(o->ptr) : NULL; @@ -1354,6 +1360,7 @@ void configGetCommand(client *c) { /* String values */ config_get_string_field("dbfilename",server.rdb_filename); + config_get_string_field("masteruser",server.masteruser); config_get_string_field("masterauth",server.masterauth); config_get_string_field("cluster-announce-ip",server.cluster_announce_ip); config_get_string_field("unixsocket",server.unixsocket); @@ -2232,6 +2239,7 @@ int rewriteConfig(char *path) { rewriteConfigDirOption(state); rewriteConfigSlaveofOption(state,"replicaof"); rewriteConfigStringOption(state,"replica-announce-ip",server.slave_announce_ip,CONFIG_DEFAULT_SLAVE_ANNOUNCE_IP); + rewriteConfigStringOption(state,"masteruser",server.masteruser,NULL); rewriteConfigStringOption(state,"masterauth",server.masterauth,NULL); rewriteConfigStringOption(state,"cluster-announce-ip",server.cluster_announce_ip,NULL); rewriteConfigYesNoOption(state,"replica-serve-stale-data",server.repl_serve_stale_data,CONFIG_DEFAULT_SLAVE_SERVE_STALE_DATA); |