Redis supports a single password through the property requirepass. If we had to change it for some reason, it would create issues for restarting client applications and for currently running client applications that create new connections. If we supported a second property named requirepass_alt, then we could change the password easily on the server, and client teams would have sufficient time to change their password. This decoupling is very useful in practice.

A password change on the server will involve moving the value from requirepass to requirepass_alt and setting requirepass to a new value. The server implementation always checks for a match against requirepass first. On failure, it will also check against requirepass_alt. It is also good to emit stats on matches against requirepass and requirepass_alt. When the number of clients is large and geographically distributed, these stats let the server administrator know whether all clients have switched over to the new password. At that point, the old password in requirepass_alt can be removed.

We will create a PR soon for this feature.
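
The check-and-count scheme described in the post above, as an added C sketch; it is not code from Redis or from the PR mentioned in this thread. The struct, the function names and the sample passwords are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical server state for the proposal: two accepted passwords plus
 * per-password hit counters. These names are assumptions, not Redis source. */
struct auth_state {
    char requirepass[128];      /* current password, empty when unset */
    char requirepass_alt[128];  /* previous password, empty when unset */
    unsigned long hits_primary, hits_alt, failures;
};

/* Compare without stopping at the first mismatching byte. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b), n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)((i < la ? a[i] : 0) ^ (i < lb ? b[i] : 0));
    return diff == 0;
}

/* Returns 1 for requirepass, 2 for requirepass_alt, 0 on failure.
 * An unset slot never matches, so an empty password cannot pass. */
int auth_check(struct auth_state *s, const char *supplied) {
    int primary = s->requirepass[0] != '\0' && ct_equal(supplied, s->requirepass);
    int alt = s->requirepass_alt[0] != '\0' && ct_equal(supplied, s->requirepass_alt);
    if (primary) { s->hits_primary++; return 1; }
    if (alt)     { s->hits_alt++;     return 2; }
    s->failures++;
    return 0;
}

/* Rotation: the current password moves to the alt slot, counters restart. */
void auth_rotate(struct auth_state *s, const char *newpass) {
    snprintf(s->requirepass_alt, sizeof s->requirepass_alt, "%s", s->requirepass);
    snprintf(s->requirepass, sizeof s->requirepass, "%s", newpass);
    s->hits_primary = s->hits_alt = s->failures = 0;
}

/* Drop the old password once hits_alt shows no client still uses it. */
void auth_retire_alt(struct auth_state *s) {
    memset(s->requirepass_alt, 0, sizeof s->requirepass_alt);
}

int main(void) {
    struct auth_state s = {0};
    auth_rotate(&s, "old-secret");   /* constructed sample passwords */
    auth_rotate(&s, "new-secret");
    int r_old = auth_check(&s, "old-secret"), r_new = auth_check(&s, "new-secret");
    printf("old=%d new=%d hits_alt=%lu\n", r_old, r_new, s.hits_alt);
    return 0;
}
```

A non-zero hits_alt after rotation means at least one client still authenticates with the old password, so the alt slot should not be retired yet.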

Comment From: itamarhaber

See #4300 - possible duplicate.

Comment From: vkasar

Thanks, Itamar, for pointing us to the existing feature request. Do you know why the old PR was not accepted? This is a super useful feature needed when you run Redis at large scale. My colleague has a new PR here: https://github.com/antirez/redis/pull/4944. This PR is pretty straightforward and also deals with counting the number of hits against the old and new passwords. Let us know the best way to get this merged into 5.0.

Comment From: itamarhaber

I think that historically speaking, this feature was not merged/implemented as it was intended to be addressed in the scope of the larger RCP1.

Comment From: itamarhaber

With the introduction of ACL (RCP1) in v6, each user may have zero, one or more passwords. This seems to resolve this issue so it will be closed - please feel free to reopen or create a new one if needed.