Hello, I want to set the ACLs of the sentinel-user and replication-user via the ACL files. The documentation on https://redis.io/topics/acl writes about how to do it on the command line, but when I transfer this to a users.acl file I get "Unknown command or category name in ACL." users.acl looks like:
user default on XXX ~* &* +@all
user sentinel-user on XXX allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill
user replica-user on XXX +psync +replconf +ping
Am I missing something, or is something different when using the categories in files?
Comment From: itamarhaber
Hello @ptulpen
You can generate an aclfile that loads correctly by:
- Create an empty file, e.g. touch myaclfile
- Start the server with the file, e.g. redis-server --aclfile myaclfile
- From the CLI, set up your ACL rules with ACL SETUSER
- Issue an ACL SAVE to persist the rules to the aclfile
It could be, in your case, that the XXX isn't a valid password directive. Note that password directives need to start with one of these (depending on type and action): >, <, # or !. So, your example should work if you prefix your passwords like so: >XXX.
I hope this solves the issue for you, but please let us know if there's something amiss.
Comment From: ptulpen
Hello, first thanks for your answer. The XXX in the original had the >. I now tried your method, even with the password from the documentation, which gives me this line:
user sentinel-user on #42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d &* -@all +role +ping +client|setname +client|kill +script|kill +info +subscribe +slaveof +config|rewrite +multi +publish +exec
but I still get:
Aborting Redis startup because of ACL errors: /etc/redis/users.acl:2: Unknown command or category name in ACL.
Comment From: itamarhaber
Alrighty, I believe I know the problem: you're using Redis v6.0, whereas the documentation is about v6.2 (yes, I know, there's a lot to be desired with the documentation).
In v6.2 we've introduced a breaking change to ACL, namely the support for Pub/Sub patterns. The break is the addition of the new "verb" &*, which isn't compatible w/ v6.0.
I recommend that you upgrade to the latest stable version (and not only because of this), but if you want to keep using the older version, just don't use that verb, i.e.:
user sentinel-user on #42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d -@all +role +ping +client|setname +client|kill +script|kill +info +subscribe +slaveof +config|rewrite +multi +publish +exec
Comment From: ptulpen
Hello, I have installed 6.2.5 from the remi repo. Nevertheless, I tried your line, but it still gives me:
Aborting Redis startup because of ACL errors: /etc/redis/users.acl:2: Unknown command or category name
Comment From: itamarhaber
Then I'm sorry to say that I can't reproduce it - the aclfile you've posted literally "works on my laptop" with unstable and v6.2.5.
The error you're getting is very specific and the source code seems straightforward in that area. It means one (or more) of the + or - directives refers to a non-command/category. Could you, perhaps, find the offending command/category via trial and error? Sorry for the lame suggestion but I'm running out of ideas :)
Comment From: ptulpen
So, via trial and error I found out that this works:
user sentinel-user on #42a9798b99d4afcec9995e47a1d246b98ebc96be7a732323eee39d924006ee1d -@all +role +ping +client|setname +client|kill +info +subscribe
and these commands don't: +slaveof +script|kill +config|rewrite +multi +exec
But would that work as a proper sentinel cluster?
Comment From: itamarhaber
Ok, I see what's happening here. You're attempting to use the Redis server's ACL rules on a Sentinel instance. The docs are about configuring the server to allow Sentinel's user to perform its operations. Sentinel also supports ACL, but only for its commands (15 or so). There are no formal recommendations on how to set up your Sentinel ACL rules as it depends on your deployment.
Comment From: ptulpen
Hello, yes you are right. I have had the aclfile parameter hinting to the same file in redis and sentinel. Thanks for your help.
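The trial-and-error search from this thread can be scripted so that an aclfile is checked against the instance that will load it before startup. This is an added example, not code from the thread or from the Redis project: `lint_aclfile`, the sample file and the accepted-command set are constructed for illustration, and the caller is assumed to supply the command and category names the target instance knows.

```python
def lint_aclfile(text, commands, categories=("all",), channel_rules=True):
    """Return (line_no, user, rule, reason) for rules the target would not know.

    commands / categories: lower-case names the target instance knows
    (supplied by the caller). channel_rules=False models a pre-6.2 target.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue  # skip blank lines and anything that is not a user entry
        user = tokens[1]
        for rule in tokens[2:]:
            low = rule.lower()
            if rule[0] in "+-":
                name = low[1:]
                if name.startswith("@"):
                    if name[1:] not in categories:
                        findings.append((line_no, user, rule, "unknown category"))
                # Only the command name before '|' is looked up here;
                # subcommand names are not checked.
                elif name.split("|", 1)[0] not in commands:
                    findings.append((line_no, user, rule, "unknown command"))
            elif not channel_rules and (
                rule.startswith("&") or low in ("allchannels", "resetchannels")
            ):
                findings.append((line_no, user, rule, "channel rule needs v6.2"))
    return findings


# Constructed input: the rules discussed in the thread, password as placeholder.
SAMPLE_ACLFILE = """\
user default on >XXX ~* +@all
user sentinel-user on >XXX -@all +role +ping +client|setname +client|kill +info +subscribe +slaveof +script|kill +config|rewrite +multi +exec
"""

# Constructed input: only the commands the thread reports as accepted by the
# Sentinel instance. This is not Sentinel's full command table.
ACCEPTED_BY_TARGET = {"role", "ping", "client", "info", "subscribe"}

if __name__ == "__main__":
    for line_no, user, rule, reason in lint_aclfile(SAMPLE_ACLFILE, ACCEPTED_BY_TARGET):
        print(f"line {line_no} ({user}): {rule}: {reason}")
```

Keeping one aclfile per instance type and linting each against its own command set catches the shared-file mistake that caused the startup abort here.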