The problem/use-case that the feature addresses
Applications will restart after a password change. During the restart, the "old" application will get a "no auth" error from Redis. If Redis can verify both the old and the new password, the "old" application will continue to work.
Description of the feature
New config: `password-protect-time 0`
After a password change, during the protect time (in seconds), new connections using either the old or the new password will succeed. After the protect time, only connections using the new password will succeed.
A value of 0 disables this feature.
Comment From: itamarhaber
Hi @opt-m and thanks for making this suggestion.
As of Redis 6, ACL supports having multiple passwords for a user to enable password rotation. In fact, your suggestion could be implemented as an external script that applies the new password, waits for some time, and then removes the old password using the ACL operations.
Personally, I don't believe a time-based approach is common enough to merit being added to the project, as I believe that in most cases, the removal of the old password depends on an external event (i.e. redeploying the clients to use the new password). I'd be happy if more community members add their thoughts though :)
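One way to script the rotation itamarhaber describes (add the new password, keep both valid for an overlap, then remove the old one) as an added example; this is not code from the thread or from the Redis project. It assumes a client object exposing `execute_command(*args)` that returns decoded `str` replies (as redis-py does with `decode_responses=True`), and includes a constructed in-memory stand-in so it runs without a server.

```python
"""Two-phase Redis ACL password rotation: add new, overlap, remove old."""
import hashlib
import time


def sha256_hex(password: str) -> str:
    # Redis stores and reports ACL passwords as hex SHA-256 digests.
    return hashlib.sha256(password.encode()).hexdigest()


def password_hashes(client, user: str) -> set:
    # ACL GETUSER replies with a flat key/value list; pick the "passwords" entry.
    reply = client.execute_command("ACL", "GETUSER", user)
    fields = dict(zip(reply[0::2], reply[1::2]))
    return set(fields.get("passwords", []))


def rotate_password(client, user, old_pw, new_pw, overlap_seconds, sleep=time.sleep):
    """Phase 1: '>new_pw' adds a password, so old and new both authenticate.
    Phase 2, after the overlap: '<old_pw' removes the old one."""
    client.execute_command("ACL", "SETUSER", user, ">" + new_pw)
    if not {sha256_hex(old_pw), sha256_hex(new_pw)} <= password_hashes(client, user):
        raise RuntimeError("both passwords must be active during the overlap")
    sleep(overlap_seconds)  # clients get redeployed with new_pw meanwhile
    client.execute_command("ACL", "SETUSER", user, "<" + old_pw)
    hashes = password_hashes(client, user)
    if sha256_hex(old_pw) in hashes or sha256_hex(new_pw) not in hashes:
        raise RuntimeError("old password still active after rotation")
    return hashes


class FakeAclServer:
    """Constructed offline stand-in mimicking only the ACL subcommands used above."""

    def __init__(self, user: str, initial_pw: str):
        self.passwords = {user: {sha256_hex(initial_pw)}}

    def execute_command(self, *args):
        _, sub, user, *rules = args
        if sub == "SETUSER":
            for rule in rules:
                if rule[0] == ">":
                    self.passwords[user].add(sha256_hex(rule[1:]))
                elif rule[0] == "<":
                    self.passwords[user].discard(sha256_hex(rule[1:]))
            return "OK"
        if sub == "GETUSER":
            return ["flags", ["on"], "passwords", sorted(self.passwords[user])]
        raise NotImplementedError(args)
```

Against a real server, pass a redis-py client in place of `FakeAclServer`; the overlap length is whatever the client redeploy actually needs, which is the external event itamarhaber mentions.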
Comment From: opt-m
@itamarhaber Makes sense to me. Thank you very much.