From a43b6922d1e37d60acf63484b7057299c9bf584d Mon Sep 17 00:00:00 2001
From: Harkrishn Patro <30795839+hpatro@users.noreply.github.com>
Date: Sun, 30 Jan 2022 11:02:55 +0100
Subject: Set default channel permission to resetchannels for 7.0 (#10181)

For backwards compatibility in 6.x, the channels' default permission was set to `allchannels`; however, with 7.0 we should modify it, and the default value should be `resetchannels` for a better security posture. Also, with selectors in ACL, a client doesn't have to set channel rules every time, and by default the value will be `resetchannels`.

Before this change
```
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> acl setuser hp on nopass +@all ~*
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* &* +@all"
127.0.0.1:6379> acl setuser hp1 on nopass -@all (%R~sales*)
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* &* +@all"
3) "user hp1 on nopass &* -@all (%R~sales* &* -@all)"
```

After this change
```
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
127.0.0.1:6379> acl setuser hp on nopass +@all ~*
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* resetchannels +@all"
127.0.0.1:6379> acl setuser hp1 on nopass -@all (%R~sales*)
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user hp on nopass ~* resetchannels +@all"
3) "user hp1 on nopass resetchannels -@all (%R~sales* resetchannels -@all)"
```
---
 redis.conf | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

(limited to 'redis.conf')

diff --git a/redis.conf b/redis.conf
index b1b775358..ad37bbe33 100644
--- a/redis.conf
+++ b/redis.conf
@@ -1007,15 +1007,7 @@ acllog-max-len 128 # allchannels: grants access to all Pub/Sub channels # resetchannels: revokes access to all Pub/Sub channels # -# To ensure backward compatibility while upgrading Redis 6.0, acl-pubsub-default -# defaults to the 'allchannels' permission. -# -# Future compatibility note: it is very likely that in a future version of Redis -# the directive's default of 'allchannels' will be changed to 'resetchannels' in -# order to provide better out-of-the-box Pub/Sub security. Therefore, it is -# recommended that you explicitly define Pub/Sub permissions for all users -# rather then rely on implicit default values. Once you've set explicit -# Pub/Sub for all existing users, you should uncomment the following line. +# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission. # # acl-pubsub-default resetchannels -- cgit v1.2.1
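Review bot: the replacement comment (`+# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.`) drops the upgrade guidance that the removed lines carried and leaves no hint for operators coming from 6.x, whose user definitions without any channel rule silently go from allchannels to resetchannels on 7.0. Suggest keeping one sentence along the lines of "If you are upgrading from 6.x and have users without explicit Pub/Sub rules, either add explicit channel permissions to them or set `acl-pubsub-default allchannels` until you have done so", since the old text's recommendation to define Pub/Sub permissions explicitly is still the right advice after the default flips. Minor: "defaults to 'resetchannels' permission" reads better as "defaults to the 'resetchannels' permission". The directive line itself staying commented out is consistent with the rest of redis.conf, where commented lines show the default.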
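The practical question this change raises is which existing users depend on the implicit channel default. As an added example (not code from the Redis commit or the redis.conf file), the following Python script audits ACL rule lines, whether pasted from `ACL LIST` output as shown in the commit message or taken from a hand-written `users.acl` file, and reports each user's effective Pub/Sub access under a chosen `acl-pubsub-default`. It assumes the bare rule-string format (`user <name> <rules...>`) and only recognises the channel rule tokens visible in the commit message (`&pattern`, `&*`, `allchannels`, `resetchannels`); the sample lines are constructed, and the `app` and `notifier` users are made up.

```python
"""Audit Redis ACL rule lines for Pub/Sub channel permissions.

Added example, not part of the Redis commit. Shows which users rely on
acl-pubsub-default, which flips from allchannels (6.x) to resetchannels (7.0).
"""
import re

# Selectors are the parenthesised rule groups, e.g. "(%R~sales* &* -@all)".
SELECTOR_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample input: the three "before" users from the commit message,
# plus two hand-written users.acl-style lines (names and rules are made up).
SAMPLE_ACL_LINES = [
    "user default on nopass ~* &* +@all",
    "user hp on nopass ~* &* +@all",
    "user hp1 on nopass &* -@all (%R~sales* &* -@all)",
    "user app on >s3cret ~app:* +@all",
    "user notifier on >hunter2 ~* resetchannels &events:* +publish",
]


def classify_channels(tokens):
    """Reduce a rule token list to (state, patterns) for channel access.

    state is one of:
      "implicit" - no channel rule at all; the server's acl-pubsub-default applies
      "all"      - allchannels / &* was set
      "none"     - resetchannels with no pattern added afterwards
      "patterns" - only explicit &pattern rules
    Tokens are applied left to right, as Redis does; resetchannels clears.
    """
    state, patterns = "implicit", []
    for tok in tokens:
        if tok in ("allchannels", "&*"):
            state, patterns = "all", ["*"]
        elif tok == "resetchannels":
            state, patterns = "none", []
        elif tok.startswith("&"):
            patterns.append(tok[1:])
            state = "all" if "*" in patterns else "patterns"
    return state, patterns


def parse_acl_line(line):
    """Split 'user <name> <rules...>' into (name, root_channels, selector_channels)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL user line: {line!r}")
    name, rest = tokens[1], " ".join(tokens[2:])
    # Each selector carries its own channel rules and its own implicit default.
    selectors = [classify_channels(s.split()) for s in SELECTOR_RE.findall(rest)]
    root = classify_channels(SELECTOR_RE.sub(" ", rest).split())
    return name, root, selectors


def effective(state, patterns, pubsub_default):
    """Resolve an 'implicit' state against the server-wide acl-pubsub-default."""
    if state == "implicit":
        return ("all", ["*"]) if pubsub_default == "allchannels" else ("none", [])
    return state, patterns


def audit(lines, pubsub_default="resetchannels"):
    """Return {user: {"channels", "patterns", "selectors", "findings"}}.

    pubsub_default is the acl-pubsub-default on the target server:
    "resetchannels" (7.0 default) or "allchannels" (6.x default).
    """
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, (state, patterns), selectors = parse_acl_line(line)
        findings = []
        if state == "implicit":
            findings.append("no channel rule: gets allchannels on 6.x but resetchannels on 7.0")
        eff_state, eff_patterns = effective(state, patterns, pubsub_default)
        if eff_state == "all":
            findings.append("unrestricted Pub/Sub: replace &* with explicit &pattern rules")
        for i, (sel_state, _) in enumerate(selectors):
            if sel_state == "implicit":
                findings.append(f"selector {i}: no channel rule, follows acl-pubsub-default")
            elif sel_state == "all":
                findings.append(f"selector {i}: unrestricted Pub/Sub")
        report[name] = {
            "channels": eff_state,
            "patterns": eff_patterns,
            "selectors": [effective(s, p, pubsub_default)[0] for s, p in selectors],
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for user, info in audit(SAMPLE_ACL_LINES).items():
        print(f"{user:10} channels={info['channels']:8} patterns={info['patterns']}")
        for finding in info["findings"]:
            print(f"{'':10} - {finding}")
```

Run it once with `pubsub_default="allchannels"` (the 6.x behaviour) and once with the 7.0 default to see exactly which users change: in the sample, `app` has no channel rule at all and goes from full Pub/Sub access to none, which is the case the redis.conf comment should warn about, while `hp1` keeps `&*` in both its root rules and its selector and would be unaffected but over-privileged.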