
@chooper
Last active August 29, 2015 14:09
A proposal I'm working on for the redis mailing list to allow multiple configured passwords for the purpose of better supporting credrolls

Greetings,

I am writing today to propose that redis should be able to support more than a single password. I know that many authentication and authorization schemes have been raised here before, but what makes this proposal different is that this is expressly for the purpose of supporting credrolls. This, I believe, will lead to a simpler implementation that will maintain many of the current behaviors.

Background

Credrolls, or credential rotations, are difficult with the "single password only" scheme today. Currently, consumers of the redis server must expect to have failed requests for a short window while Redis passwords are being changed or they must be extended to be able to try multiple passwords when making requests. Today a credroll works by:

  1. Changing the redis password: requirepass newpassword

  2. Updating all of the consumers to use the new password

You can of course do this in any order, but the time elapsed between #1 and #2 is a period where Redis commands are failing. Depending on your architecture, deployment size, and business needs this could be a non-trivial amount of time.

The proposed scheme is for Redis to support at least two passwords that it accepts. In this scheme, credrolls can be performed with zero downtime. So then a credroll looks like:

  1. Changing the Redis configuration to accept the old password and a new password: requirepass oldpassword newpassword

  2. Updating all of the consumers to use the new password

  3. Unsetting the old password when all consumers are updated: requirepass newpassword

Since the only use case being targeted here is the case of credrolls, all authenticated clients are assumed to be the same user and are treated the same. This proposal does not carry with it any new authorization or access control schemes.

Details

  • The AUTH command should accept any valid password

  • The config file should accept multiple arguments for the requirepass directive, e.g. requirepass password1 password2

  • CONFIG SET should allow multiple passwords. The easiest path, IIUC, is to use the same syntax as CONFIG SET save, i.e. to pass a single string containing a space-separated list of passwords, e.g. CONFIG SET requirepass "password1 password2"

  • CONFIG SET requirepass should unset all unspecified passwords, e.g. requirepass "foo bar" followed by requirepass bar means that only "bar" is a valid password and "foo" is not anymore

  • CONFIG GET requirepass returns all valid passwords.

Reference implementation

I have a branch on GitHub available as a reference implementation with tests. If this proposal is accepted, I will happily submit a pull request and make whatever changes are deemed necessary.

https://github.com/chooper/redis/compare/antirez:unstable...credroll-support
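
A small model of the semantics listed under Details, added here as an illustration; it is not taken from the reference implementation branch linked above or from Redis itself. The names pass_list, set_requirepass, same_password and auth_check, and both size limits, are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#define MAX_PASSWORDS 4     /* assumed limit; the proposal asks for "at least two" */
#define MAX_PASS_LEN  128   /* assumed limit for this sketch */
typedef struct {            /* hypothetical container, not a Redis structure */
    char pass[MAX_PASSWORDS][MAX_PASS_LEN];
    int count;
} pass_list;

/* Replace the accepted set from a space-separated value. The new list is built
 * on the side and committed only if it parses, so a rejected value leaves the
 * previous passwords in force. Returns 0 on success, -1 on error. */
int set_requirepass(pass_list *pl, const char *value) {
    pass_list next = { .count = 0 };
    for (const char *p = value; *p; ) {
        while (*p == ' ') p++;
        if (!*p) break;
        size_t len = strcspn(p, " ");
        if (next.count == MAX_PASSWORDS || len >= MAX_PASS_LEN) return -1;
        memcpy(next.pass[next.count], p, len);  /* rest of the slot is already zero */
        next.count++;
        p += len;
    }
    *pl = next;             /* passwords not named in value are dropped here */
    return 0;
}

/* Byte comparison that does not stop at the first mismatching byte. */
static int same_password(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* AUTH check: true if the candidate equals any configured password. Every entry
 * is compared; an empty list matches nothing in this sketch. */
int auth_check(const pass_list *pl, const char *candidate) {
    int ok = 0;
    for (int i = 0; i < pl->count; i++) ok |= same_password(pl->pass[i], candidate);
    return ok;
}

int main(void) {
    pass_list pl = { .count = 0 };
    set_requirepass(&pl, "oldpassword newpassword");   /* credroll step 1 */
    printf("old=%d new=%d\n", auth_check(&pl, "oldpassword"), auth_check(&pl, "newpassword"));
    set_requirepass(&pl, "newpassword");               /* credroll step 3 */
    printf("old=%d new=%d\n", auth_check(&pl, "oldpassword"), auth_check(&pl, "newpassword"));
    return 0;
}
```

Because the separator is a space, a password containing a space cannot be expressed in this format.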
