When connecting using an ACL user (Redis 6), connection will fail unless the user has permissions to run the INFO command. #1211

Closed
simonprickett opened this issue Oct 19, 2020 · 2 comments

simonprickett commented Oct 19, 2020

Hi there,

I've been working with Redis 6 ACL users and ioredis, and I've noticed that a connection can't be made successfully unless the ACL user is given access to the INFO command. Consider this ACL user, who has access only to the GET command:

127.0.0.1:6379> acl getuser simon
1) "flags"
2) 1) "on"
   2) "allkeys"
3) "passwords"
4) 1) "34fb46c847bb9df96e5205a39d382f648a6e8dce1e014cd85b4ca6a88d88ed03"
5) "commands"
6) "-@all +get"
7) "keys"
8) 1) "*"

When I run this test code:

const Redis = require('ioredis');
const redis = new Redis({
  host: '127.0.0.1',
  port: 6379,
  username: 'simon',
  password: 'redis'
});

const redisDemo = async () => {
  const reply = await redis.get('foo');
  console.log(reply);
};

redisDemo();

I get the following error:

[ioredis] Unhandled error event: ReplyError: NOPERM this user has no permissions to run the 'info' command or its subcommand
...

Updating the ACL user's permissions to allow use of the INFO command fixes this with no code changes in my test program:

127.0.0.1:6379> acl getuser simon
1) "flags"
2) 1) "on"
   2) "allkeys"
3) "passwords"
4) 1) "34fb46c847bb9df96e5205a39d382f648a6e8dce1e014cd85b4ca6a88d88ed03"
5) "commands"
6) "-@all +get +info"
7) "keys"
8) 1) "*"

I think this should either be mentioned in the documentation, or handled in the code in a way that the connection is still made, but the INFO command is never run?

I am using ioredis 4.17.3 from npm.

ejose19 commented Mar 4, 2021

You can already disable the info call with enableReadyCheck: false on RedisOptions. However, users may not want to opt out completely, and after reviewing https://github.com/luin/ioredis/blob/ee294b6022b834f5d32c6b6e29abfe950c198beb/lib/redis/index.ts#L527-L563 I see only the Persistence section is being used, so we may want to change the default (or add another option) to use info persistence instead of just info, and users can grant +info|persistence, limiting the information given to the client.

Collaborator

luin commented Apr 4, 2022

Fixed in v5. Sorry for the late response.

@luin luin closed this as completed Apr 4, 2022
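
The permission check discussed in this thread, as an added example that is not part of the original issue or of ioredis: an offline model of the ACL "commands" rule string that lists which commands a client would be refused, including the connect-time INFO sent by the ready check. The function names and the `readyCheck` parameter are hypothetical, and the `+info|persistence` first-argument rule is modelled as ejose19's comment describes it.

```javascript
// Added example: a simplified model of Redis ACL command rules, not ioredis or Redis code.
// Supported: +@all / -@all, +cmd / -cmd, +cmd|firstarg. Other rule forms are rejected.

// Parse the "commands" string shown by ACL GETUSER, e.g. "-@all +get +info".
function parseRules(commands) {
  return commands.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const m = /^([+-])(@?[a-z0-9_-]+)(?:\|([a-z0-9_-]+))?$/i.exec(tok);
    if (!m) throw new Error(`unsupported ACL rule: ${tok}`);
    const name = m[2].toLowerCase();
    if (name.startsWith('@') && name !== '@all') {
      throw new Error(`category ${name} is not modelled here`);
    }
    if (m[3] && (m[1] === '-' || name === '@all')) throw new Error(`unsupported ACL rule: ${tok}`);
    return { allow: m[1] === '+', name, sub: m[3] ? m[3].toLowerCase() : null };
  });
}

// Rules apply left to right, so a later rule overrides an earlier one.
function isAllowed(commands, argv) {
  const cmd = argv[0].toLowerCase();
  const firstArg = argv.length > 1 ? String(argv[1]).toLowerCase() : null;
  let whole = false;        // the command is permitted with any arguments
  const subs = new Set();   // first arguments permitted via +cmd|firstarg
  for (const r of parseRules(commands)) {
    if (r.name !== '@all' && r.name !== cmd) continue;
    if (r.sub !== null) { subs.add(r.sub); continue; }
    whole = r.allow;
    if (!r.allow) subs.clear();
  }
  return whole || (firstArg !== null && subs.has(firstArg));
}

// Commands that would get NOPERM: the ready-check command sent at connect
// (pass null to model enableReadyCheck: false), then the application's own.
function preflight(commands, appCommands, readyCheck = ['info']) {
  const needed = readyCheck ? [readyCheck, ...appCommands] : appCommands;
  return needed.filter((argv) => !isAllowed(commands, argv)).map((argv) => argv.join(' '));
}

// Constructed inputs mirroring the thread: the user "simon" and a single GET.
const app = [['get', 'foo']];
console.log(preflight('-@all +get', app));                 // ready check is refused
console.log(preflight('-@all +get +info', app));           // nothing refused
console.log(preflight('-@all +get', app, null));           // ready check disabled
console.log(preflight('-@all +get +info|persistence', app, ['info', 'persistence']));
```

Running it against the exact rule string from `ACL GETUSER` before deploying a restricted user shows whether the grant has to include INFO or whether the ready check should be turned off instead.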