Current behavior: active connections are dropped. Need to carefully compare rights and drop only users whose rights changed, or better, only if the new rights set does not include the whole old one. If replication is done with a separate user, the replica is disconnected too on ACL LOAD. Also, make the ACL list sorted and presented in a deterministic way; now it sometimes has a different order of rights.

Comment From: enjoy-binbin

Looks like #12171 is handling this. @slavak FYI

Comment From: slavak

This issue is a duplicate of https://github.com/redis/redis/issues/11986.

Comment From: oranagra

regarding dropping the connections, note that it was eventually decided to only drop a connection of a user that no longer exists. i.e. once a connection is authenticated, the connection remains even if the rights changed. if you wanna argue about it, let's do it in the other issue, and close this one.

regarding the sorting, please explain what you mean in more detail. i think that nowadays the permissions inside each user should be quite deterministic (some in a hard coded order, and others according to the order the user provided). the order in which users are emitted is random due to the nature of the dict in which they're saved. if you think it's critical to sort them, please explain why.

didn't understand the comment about replication. same as we don't delete keys added by a user retroactively, i don't think we should revert config changes either.

Comment From: gzivdo

OK, not dropping the connection is fine for me. But the right way is as I described: drop only connections with lowered rights (even better, a configurable way: to not drop at all, or only with lowered rights). As for replication, currently it drops the connection with the replica on ACL LOAD. I mean that. But if it will not, it's fine. Hope it will be in the next release.