redis_version:6.0.16

When redis.conf is configured as follows

port 6379
tls-port 6389

user default on #xxxxx   ~* +@all

redis-cli:

redis-cli -p 6389 --tls --cert redis.crt --key redis.key --cacert ca.crt  

127.0.0.1:6389> info  
NOAUTH Authentication required.  

After entering the password it works:

redis-cli -p 6389 -a <password> --tls --cert redis.crt --key redis.key --cacert ca.crt
or
redis-cli -p 6389 --user default --pass <password> --tls --cert redis.crt --key redis.key --cacert ca.crt

127.0.0.1:6389> info
# Server
redis_version:6.0.16
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:a0c09e90632ef9de
redis_mode:standalone
...

But when I change user default to another username:

port 6379
tls-port 6389

user user001 on #xxxxx   ~* +@all

Then I don't specify a user and password:

redis-cli -p 6389 --tls --cert redis.crt --key redis.key --cacert ca.crt
127.0.0.1:6389> info
# Server
redis_version:6.0.16
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:a0c09e90632ef9de
redis_mode:standalone
...

When using TLS, do you still need a username and password for authentication?

Comment From: ranshid

@lsnan The "default" user is a special case: when it is configured with "nopass" it does not require authentication, as described in the documentation:

Also, in the special case of the default user, having the nopass rule means that new connections are automatically authenticated with the default user without any explicit AUTH call needed.

The documentation also explains that the default user will always have a default ACL entry, which looks like:

By default there is a single user defined, called default. We can use the ACL LIST command in order to check the currently active ACLs and verify what the configuration of a freshly started, defaults-configured Redis instance is:

ACL LIST
1) "user default on nopass ~ & +@all"

In case 1 of your question you provided the default user a password, hence it required AUTH; in the second one the default user was operating with nopass, hence no AUTH call was required.

Comment From: lsne

Thanks ranshid for the answer. After understanding the cause of the problem, I added 'user default off' to the redis.conf file.
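
Added example (not part of the original thread and not Redis code): a small redis.conf audit that reports whether new connections are auto-authenticated as the default user, run against the two configurations from the question and the `user default off` fix. The function names and sample strings are constructed here; it assumes an explicit `user default` line starts from the reset state (off, no passwords) and overrides `requirepass`.

```python
# Constructed sample configs mirroring the thread (password hash left as on the page).
PAGE_CASE_1 = """port 6379
tls-port 6389
user default on #xxxxx ~* +@all
"""
PAGE_CASE_2 = """port 6379
tls-port 6389
user user001 on #xxxxx ~* +@all
"""
PAGE_CASE_FIX = PAGE_CASE_2 + "user default off\n"


def default_user_state(conf_text):
    """Return (enabled, nopass) for the "default" user described by conf_text."""
    enabled, nopass = True, True      # built-in entry: user default on nopass ~* +@all
    rules = None
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                  # blank line or whole-line comment
        key = parts[0].lower()
        if key == "requirepass" and len(parts) > 1 and parts[1].strip("\"'"):
            nopass = False            # legacy directive: password for the default user
        elif key == "user" and len(parts) > 1 and parts[1] == "default":
            rules = parts[2:]
    if rules is not None:
        enabled, nopass = False, False  # assumption: explicit line starts from "reset"
        for rule in rules:
            low = rule.lower()
            if low == "on":
                enabled = True
            elif low in ("off", "reset"):
                enabled = False
            elif low == "nopass":
                nopass = True
            if low in ("reset", "resetpass") or rule[0] in ">#":
                nopass = False        # a password rule or a reset clears nopass
    return enabled, nopass


def accepts_unauthenticated(conf_text):
    """True if a new connection can run commands without sending AUTH."""
    enabled, nopass = default_user_state(conf_text)
    return enabled and nopass


if __name__ == "__main__":
    for name, conf in [("case 1", PAGE_CASE_1), ("case 2", PAGE_CASE_2), ("fix", PAGE_CASE_FIX)]:
        print(name, "-> commands allowed without AUTH:", accepts_unauthenticated(conf))
```

The result does not depend on the `tls-port` or client certificate options: in the thread, the TLS connection with a valid certificate still received NOAUTH whenever the default user had a password.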

Comment From: lsne

close