Hi guys, I noticed that requirepass and the ACL password do not stay in sync with each other, which means:
1. when using config set mypassword, server.requirepass is set and the default ACL user's password is then modified using ACLUpdateDefaultUserPassword();
2. when setting the password through ACL using acl setuser default >mypassword, server.requirepass is not changed.
Is this by design, or could it be improved? From the code I see that it might be a little complex to set the requirepass configuration in ACL because of the macros.
Comment From: DarrenJiang13
Note: requirepass will stay in sync with ACLs, but ACLs don't stay in sync with requirepass.
Found @madolson's PR here, #8557, which also mentioned this (pasted above). Could you please help me clear up my confusion?
Comment From: oranagra
this is by design, or at least not something that was overlooked.
have a look at the big comment that's deleted in the above mentioned PR.
the ACL system doesn't keep the password in clear text, so it would be impossible to support CONFIG GET requirepass.
instead, the CONFIG SET requirepass is an alias to an ACL command, and besides that it remembers the clear text password in order to support CONFIG GET.
the fact is that these two mechanisms are not meant to be used side by side. old deployments can still keep using the old way in a backwards compatible manner, and new ones (who use ACL) are expected to avoid using it completely. have a look at this doc: https://github.com/redis/redis/blob/61b7e5916dc9887f97e8c6f0c92af7509b29dbaf/redis.conf#L998-L999
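The one-way sync described in this thread, as an added example that is not part of the thread or of the Redis source. It is a simplified Python model: the `DefaultUser` class, its method names and the `audit` helper are hypothetical, the passwords are constructed sample values, and it assumes the ACL side keeps only SHA-256 hex digests of passwords.

```python
import hashlib

def sha256_hex(pw: str) -> str:
    # Assumption: ACL passwords are kept as SHA-256 hex digests, never clear text.
    return hashlib.sha256(pw.encode()).hexdigest()

class DefaultUser:
    """Simplified model of the one-way sync discussed above (hypothetical class)."""
    def __init__(self):
        self.requirepass = ""     # clear text, remembered only for CONFIG GET
        self.acl_hashes = set()   # what the ACL side stores
        self.nopass = True

    def config_set_requirepass(self, pw: str) -> None:
        # CONFIG SET requirepass: remember clear text, then act as an ACL alias
        # that replaces the default user's passwords.
        self.requirepass = pw
        self.acl_hashes = {sha256_hex(pw)} if pw else set()
        self.nopass = not pw

    def acl_setuser_add_password(self, pw: str) -> None:
        # ACL SETUSER default >pw: only the ACL side changes.
        self.acl_hashes.add(sha256_hex(pw))
        self.nopass = False

def audit(user: DefaultUser) -> list:
    """Report where CONFIG GET requirepass no longer describes the default user."""
    findings = []
    expected = {sha256_hex(user.requirepass)} if user.requirepass else set()
    extra = user.acl_hashes - expected
    missing = expected - user.acl_hashes
    if extra:
        findings.append(f"{len(extra)} ACL password(s) not reflected in requirepass")
    if missing:
        findings.append("requirepass value is not accepted by the default user")
    if not user.requirepass and not user.nopass:
        findings.append("requirepass is empty but the default user requires a password")
    return findings

if __name__ == "__main__":
    u = DefaultUser()
    u.config_set_requirepass("old-secret")    # constructed sample values
    print(audit(u))                           # both views agree
    u.acl_setuser_add_password("new-secret")  # ACL-only change
    print(u.requirepass, audit(u))            # requirepass is now stale
```

In this model the clear-text value returned for requirepass stops being a complete description of what the default user accepts as soon as the ACL is edited directly, which is why the two mechanisms are not meant to be mixed.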