Today, Redis supports basic authentication with the requirepass configuration and AUTH command. However, some production environments require password rotation at regular intervals (for example, every N months) for compliance and security reasons. Other databases provide the concept of "user accounts" with varying levels of access. This allows password rotation with the following steps:

1. create a new user/password pair in the database
2. reconfigure clients to use the new user/password pair instead of the old one
3. remove the old user/password pair from the database

Achieving password rotation in Redis does not necessarily require user accounts. One option: allow a list of accepted passwords instead of a single password. Steps to rotate a password would be:

1. modify redis.conf to add the new password to the passwords list, and perform a rolling restart of the Redis instances
2. reconfigure clients to use the new password
3. modify redis.conf to remove the old password from the passwords list, and perform a rolling restart of the Redis instances
Thoughts, questions and comments welcome.
Thanks, Ryan
Comment From: slumos
I really like what Microsoft Azure does. Services that use API-key like secrets always have a primary and secondary key. At the start of the rotation, all clients are on the primary key. Then you just click a button to regenerate the secondary key (technically optional), switch all clients to the secondary key, then click the button to regenerate the primary key. Clearly, "primary" and "secondary" are not ideal names... Anyway, I've found that this system works very well in practice.
Comment From: itamarhaber
I love the idea, and IMO it should be fairly simple to implement without breaking the current configuration API or the authentication mechanisms. Basically, the requirepass directive could be made to accept multiple values (à la save style), each being a valid password.
@boxluecke btw, the same can be achieved w/o a rolling restart with the CONFIG SET command.
Comment From: itamarhaber
With the introduction of ACL in v6, each user may have zero, one or more passwords. This seems to resolve this issue so it will be closed - please feel free to reopen or create a new one if needed.
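The three-step rotation from the opening post, carried out with the Redis 6 ACL feature the closing comment points to, as an added example that is not part of this issue or of Redis itself. It assumes an existing ACL user named `app` (any name works) and uses the `#<sha256>` / `!<sha256>` forms of ACL SETUSER, so the plaintext password is hashed locally and never sent on the wire; the passwords in the usage line are placeholders.

```sh
#!/bin/sh
# Rotate the password of a Redis 6+ ACL user without downtime, using the
# "zero, one or more passwords per user" property of ACL users:
#   phase 1: add the new password hash next to the old one (both valid)
#   phase 2: switch clients to the new password (outside this script)
#   phase 3: revoke the old hash once no client uses it
# The user name and the passwords are illustrative assumptions.

pw_hash() {
    # SHA-256 hex of a password, the form Redis stores and accepts via #hash.
    # Falls back to shasum where coreutils' sha256sum is absent (e.g. macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 256 | cut -d' ' -f1
    fi
}

# Phase 1: emit the commands that add <new-password> to <user>. The old
# password keeps working, so clients can migrate at their own pace.
phase_add() {   # phase_add <user> <new-password>
    printf 'ACL SETUSER %s #%s\n' "$1" "$(pw_hash "$2")"
    printf 'ACL SAVE\n'
}

# Phase 3: emit the commands that revoke <old-password> from <user>.
# Uses !hash so the script never needs the old plaintext on the wire either.
phase_revoke() {   # phase_revoke <user> <old-password>
    printf 'ACL SETUSER %s !%s\n' "$1" "$(pw_hash "$2")"
    printf 'ACL SAVE\n'
}

# Safety check before phase 3: refuse to revoke the old hash unless the new
# one is already attached to the user on this instance (e.g. phase 1 was
# never applied to a replica). Reads the output of `ACL GETUSER <user>`
# from stdin; returns non-zero if the new hash is missing.
assert_new_hash_present() {   # assert_new_hash_present <new-password> < getuser-output
    grep -q "$(pw_hash "$1")"
}

# Usage (assumed invocation; admin credentials are passed to redis-cli):
#   ./rotate.sh add    app 'new-password'           | redis-cli --user admin --pass '...'
#   redis-cli --user admin --pass '...' ACL GETUSER app | ./rotate.sh check 'new-password'
#   ./rotate.sh revoke app 'old-password'           | redis-cli --user admin --pass '...'
case "${1:-}" in
    add)    phase_add "$2" "$3" ;;
    revoke) phase_revoke "$2" "$3" ;;
    check)  assert_new_hash_present "$2" ;;
esac
```

`ACL GETUSER app` lists the user's passwords as hashes, so the check phase works by hash comparison rather than by trying a login. `ACL SAVE` persists to the file named by the `aclfile` directive; when users are defined directly in redis.conf, use `CONFIG REWRITE` instead. In Redis 6 the `requirepass` value is the password of the `default` user, so the same procedure rotates the legacy AUTH password by targeting `default`.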