itamarhaber/acl-app-profile.md

## acl-app-profile.md

      
    Raw
  

              acl-app-profile.md
            
          
    ACL v6RC1 default app profile

The purpose of this exercise is to define a "default" application ACL profile that can access the all the data without being able to cause too much harm.
Additive ("future-proof") profile

Required extra permissions:

All functional categories
CLIENT ID|GETNAME|REPLY|SETNAME|TRACKING|GETREDIR: must for modern clients
CLUSTER COUNTKEYSINSLOT|GETKEYSINSLOT|INFO|KEYSLOT|MYID|NODES|SLOTS: must for cluster-aware clients
ACL WHOAMI: may be needed by ACL-aware clients
ROLE: may be in use by some clients
INFO: there are clients that handshake with it
TIME: part of the API
POST, HOST:: security measures that should not be disabled
LOLWUT: can be included, no reason not to anyway
SORT: part of the API, use with caution but may be needed

redis> ACL SETUSER foo allkeys -@all +@string +@list +@set +@hash +@sortedset +@stream +@bitmap +@geo +@hyperloglog +@connection +@keyspace +@transaction +@scripting +@pubsub -@admin -@dangerous +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots +acl|whoami +role +info +time +post +host: +lolwut +sort

redis> ACL GETUSER foo
...
-@all +@keyspace +@read +@write +@set +@sortedset +@list +@hash +@string +@bitmap +@hyperloglog +@geo +@stream +@pubsub +@fast +@slow +@blocking +@connection +@transaction +@scripting -flushall -lastsave -acl +acl|whoami -bgsave -bgrewriteaof -monitor -pfselftest -client +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir -psync -migrate -slaveof -flushdb -slowlog -save -replconf -sync -latency -memory -restore-asking -debug -module -shutdown -restore -cluster +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots -replicaof -keys -config -pfdebug -swapdb
Adding modules

Required extra permissions:

MODULE LIST: some module clients may rely on that
Any module commands

redis> ACL SETUSER foo +module|list +module.command1 [...]
Restrictive profile

Required extra restrictions:

MEMORY: can be a dangerous command

redis> ACL SETUSER foo allkeys +@all -@admin -@dangerous +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots +acl|whoami +role +info +lolwut +sort +module|list -memory

redis> ACL GETUSER foo
...
+@all -@admin -@dangerous +acl|whoami +sort +client|id +client|getname +client|reply +client|setname +client|tracking +client|getredir +info -memory +role +module|list +cluster|countkeysinslot +cluster|getkeysinslot +cluster|info +cluster|keyslot +cluster|myid +cluster|nodes +cluster|slots +keys
Thoughts


KEYS is excluded, good, but will generate errors in some apps.
The following commands are only @fast/@slow && @read, so they fall through some cracks. This can possibly be addressed by assigning them to categories:

TIME: can be in the @connection/@keyspace category (or make a new one)
HOST:, POST: should belong to the @connection category
MEMORY: should be put in @dangerous
LOLWUT: probably like TIME


It is a lot of work (for a Redis DBA) to define a profile - this is WIP and may contain errors that result in security "flaws".
It may be good to provide sample .acl files with similar profiles