Example:

127.0.0.1:6379> acl list
1) "user default on nopass ~* +@all"
127.0.0.1:6379> acl setuser test on nopass ~* +@all -@slow
OK
127.0.0.1:6379> acl list
1) "user default on nopass ~* +@all"
2) "user test on nopass ~* +@all -@read -@set -@list -@bitmap -@hyperloglog -@geo -@stream -@pubsub -@admin -@slow -@blocking -@dangerous -@scripting +hget +zlexcount +hmget +zrank +lastsave +echo +mget +bzpopmin +time +zcard +xdel +zrevrank +get +lpush +bzpopmax +spop +rpush +rpop +touch +xadd +exists +srem +xsetid +sadd +lpushx +lolwut +strlen +pttl +publish +lpop +hlen +dbsize +xclaim +rpushx +scard +xack +hstrlen +ttl +pfadd +llen +zcount +hexists +xlen +type +getbit +smove +zscore +sismember +swapdb +role"

Comment From: itamarhaber

Hi @galcohen-redislabs

This is expected by design even if not immediately intuitive. The definition of ACL rules isn't very rigid, but ACL LIST reports the effective permissions for that user (as managed internally).

Comment From: oranagra

I looked into it. The reason it works like that for slow, and works as expected for all other categories, is that apparently there's no command marked as slow.

@antirez did you mean to implicitly mark as slow all the commands that are not marked as fast? or intended to mark some commands with that category explicitly?

Btw, I can't find anywhere that documents the meaning of each category. We have a list, but nothing that documents what each one is intended to cover, and without that we can interpret them differently each time we edit them.

P.S. I saw that some commands were recently marked as read-only, even ones that don't actually read from the database, like TIME, LASTSAVE, ECHO, ROLE.

Comment From: hwware

@oranagra I think @itamarhaber already created a chart for commands in different ACL categories in his Tweets: https://twitter.com/itamarhaber/status/1217182037414752259. @itamarhaber can you share the chart somewhere in the docs in Redis? This is very useful information, thanks!

Comment From: oranagra

Thanks, but what I was referring to is not a chart, and not necessarily even documentation for users. I was looking for some description of the purpose of each flag (possibly inside the source code), so that its purpose is clear when editing the command table and checking for consistency.

For instance, one can argue that the read flag is the inverse of the write flag, or alternatively that it should exist only when reading from the keyspace (i.e. not in INFO and TIME). Other examples are a possible confusion between write and oom flags, or slow and fast, admin and dangerous, etc.

Comment From: hwware

@oranagra thanks for the clarification. I think the only place I can find this information is in the comment here, describing the meaning of the command flags, and the specific note on ACL categories:

https://github.com/antirez/redis/blob/unstable/src/server.c#L113
https://github.com/antirez/redis/blob/unstable/src/server.c#L170

We need to combine them together to read, but I am not sure whether this is sufficient for describing the whole thing though.

Comment From: galcohen-redislabs

Here is another weird example:

ACL SETUSER user:2 on +@read ~*

Then ACL LIST gives:

"user user:2 on ~* -@all +@read +@hash +@geo -hincrby -hmset -hdel -georadius -hincrbyfloat -geoadd -georadiusbymember -hsetnx -hset"
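
Added example, not part of the thread and not Redis code: it replays the `user:2` rule string reported above left to right and checks that it grants the same commands as the original `+@read`, which is the sense in which ACL LIST shows effective permissions. `SAMPLE_CATEGORIES`, `parse_acl_line` and `effective_commands` are hypothetical names, and the category table is a constructed, partial subset; a real one comes from `ACL CAT <category>` on the server being audited.

```python
# Constructed, partial category membership (assumption; not the full Redis table).
SAMPLE_CATEGORIES = {
    "read": {"get", "hget", "hlen", "geopos", "geodist"},
    "hash": {"hget", "hlen", "hset", "hdel", "hincrby", "hincrbyfloat",
             "hmset", "hsetnx"},
    "geo": {"geopos", "geodist", "geoadd", "georadius", "georadiusbymember"},
}

# The ACL LIST entry quoted in the thread for user:2.
REPORTED = ("user user:2 on ~* -@all +@read +@hash +@geo -hincrby -hmset -hdel "
            "-georadius -hincrbyfloat -geoadd -georadiusbymember -hsetnx -hset")


def parse_acl_line(line):
    """Split one ACL LIST entry into name, flags, key patterns and command rules."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST entry: %r" % line)
    user = {"name": tokens[1], "flags": [], "keys": [], "rules": []}
    for tok in tokens[2:]:
        if tok[0] in "+-":
            user["rules"].append(tok)      # +cmd, -cmd, +@category, -@category
        elif tok.startswith("~"):
            user["keys"].append(tok[1:])   # key pattern
        else:
            user["flags"].append(tok)      # on, off, nopass, ...
    return user


def effective_commands(rules, categories=SAMPLE_CATEGORIES):
    """Apply command rules in order and return the set of allowed commands."""
    universe = set().union(*categories.values())
    allowed = set()                        # a new user starts with no commands
    for rule in rules:
        sign, target = rule[0], rule[1:].lower()
        if target == "@all":
            selected = universe
        elif target.startswith("@"):
            if target[1:] not in categories:
                # Refuse to guess: an unknown category would skew the audit.
                raise ValueError("no membership data for category " + target)
            selected = categories[target[1:]]
        else:
            selected = {target}
        allowed = allowed | selected if sign == "+" else allowed - selected
    return allowed
```

Comparing the effective sets, rather than the rule strings, is what makes a before/after ACL audit stable across the rewriting that ACL LIST performs.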