I deleted all the user's passwords one by one, and then used an empty password to auth; the response showed me that the auth failed.
Redis version: compiled from the unstable branch
Reproduction steps:
- ACL SETUSER user1 on >123 creates a user; now ACL LIST shows:
  1) "user default on nopass sanitize-payload ~* &* +@all"
  2) "user user1 on sanitize-payload #a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 resetchannels -@all"
  Using the command AUTH user1 123 returns OK.
- ACL SETUSER user1 <123 deletes the user's password; now ACL LIST shows:
  1) "user default on nopass sanitize-payload ~* &* +@all"
  2) "user user1 on sanitize-payload resetchannels -@all"
At this point, using AUTH user1 "" to auth, the reply is (error) WRONGPASS invalid username-password pair or user is disabled.
If I execute the ACL SETUSER user1 nopass command, I can use AUTH user1 "" to complete the authentication.
Because after executing ACL SETUSER user1 nopass, the user will be set to nopass status.
So after deleting all the user's passwords, should we automatically set the user to nopass status?
If this is as expected, please ignore this issue.
If this needs fixing, I'd like to try to fix it.
Comment From: sundb
This should be normal behavior, please refer to the documentation: https://redis.io/docs/management/security/acl/
Note: if a user is not flagged with nopass and has no list of valid passwords, that user is effectively impossible to use because there will be no way to log in as that user.
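The behaviour discussed above, as an added example that is not part of this issue or of Redis's own code: a small Python model of the password-related state of an ACL user (the `on`/`off`, `nopass`, `resetpass`, `>`/`<` and `#`/`!` rules, with the SHA-256 storage that produces the `#a665...` token in the ACL LIST output quoted in the issue), plus an auditor that reads ACL LIST lines and flags users that are "on" with neither a password nor the nopass flag (effectively locked out) and users flagged nopass (anyone can AUTH as them). The rule semantics follow the ACL documentation; removing a password that was never set is simply ignored here, which is a simplification. The ACL LIST lines are the two from the issue, embedded as constructed sample input.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: the two ACL LIST lines quoted in the issue after
# the password was removed with "<123".
SAMPLE_ACL_LIST = [
    'user default on nopass sanitize-payload ~* &* +@all',
    'user user1 on sanitize-payload resetchannels -@all',
]


def sha256_hex(password: str) -> str:
    """Redis stores ACL passwords as hex SHA-256 digests (the #... token in ACL LIST)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class AclUser:
    """Minimal model (not Redis's code) of an ACL user's password state."""
    name: str
    enabled: bool = False
    nopass: bool = False
    password_hashes: set = field(default_factory=set)

    def apply_rule(self, rule: str) -> None:
        """Apply one ACL SETUSER rule; key/channel/command rules are ignored here."""
        if rule == "on":
            self.enabled = True
        elif rule == "off":
            self.enabled = False
        elif rule == "nopass":
            # nopass: any password is accepted; stored hashes are dropped
            self.nopass = True
            self.password_hashes.clear()
        elif rule == "resetpass":
            self.nopass = False
            self.password_hashes.clear()
        elif rule.startswith(">"):
            # adding a password clears the nopass flag
            self.nopass = False
            self.password_hashes.add(sha256_hex(rule[1:]))
        elif rule.startswith("<"):
            # removing the last password does NOT set nopass (the issue's point)
            self.password_hashes.discard(sha256_hex(rule[1:]))
        elif rule.startswith("#"):
            self.nopass = False
            self.password_hashes.add(rule[1:])
        elif rule.startswith("!"):
            self.password_hashes.discard(rule[1:])

    def can_auth(self, password: str) -> bool:
        """What AUTH <name> <password> would decide for this user."""
        if not self.enabled:
            return False
        if self.nopass:
            return True
        return sha256_hex(password) in self.password_hashes

    def status(self) -> str:
        if not self.enabled:
            return "disabled"
        if self.nopass:
            return "nopass"       # anyone can AUTH as this user: review it
        if not self.password_hashes:
            return "locked-out"   # on, no nopass, no passwords: nobody can AUTH
        return "password"


def parse_acl_list_line(line: str) -> AclUser:
    """Turn one ACL LIST line ('user <name> <rule> ...') into an AclUser."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    user = AclUser(name=tokens[1])
    for rule in tokens[2:]:
        user.apply_rule(rule)
    return user


def audit_acl_list(lines) -> dict:
    """Map user name -> status for every ACL LIST line."""
    return {u.name: u.status() for u in map(parse_acl_list_line, lines)}


def reproduce_issue() -> dict:
    """Replay the issue's steps and record what AUTH would answer at each point."""
    u = AclUser("user1")
    results = {}
    u.apply_rule("on")
    u.apply_rule(">123")
    results["after >123, AUTH 123"] = u.can_auth("123")
    u.apply_rule("<123")
    results["after <123, AUTH ''"] = u.can_auth("")
    results["after <123, status"] = u.status()
    u.apply_rule("nopass")
    results["after nopass, AUTH ''"] = u.can_auth("")
    return results


if __name__ == "__main__":
    for step, outcome in reproduce_issue().items():
        print(f"{step}: {outcome}")
    print(audit_acl_list(SAMPLE_ACL_LIST))
```

Run against real output, the auditor takes the lines of `ACL LIST` as its input; a "locked-out" user is harmless but usually a sign of an unfinished change, while a "nopass" user on anything other than a deliberately open default user deserves a second look.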
Comment From: lqxhub
> This should be normal behavior, please refer to the documentation: https://redis.io/docs/management/security/acl/
> Note: if a user is not flagged with nopass and has no list of valid passwords, that user is effectively impossible to use because there will be no way to log in as that user.
I saw that paragraph; it was my oversight. Thank you for your answer.