Configuration for cluster using ACL #1054

Closed
Dralun opened this issue Jan 5, 2022 · 5 comments

@Dralun

Dralun commented Jan 5, 2022

Basically I'm trying to move over to using ACL for clusters, but for the life of me I can't get the configuration to work. For some reason adding a username to the cluster seems to break the connection.
What I'm trying to do is the Ruby equivalent to this redis-cli line `redis-cli -c -h host_ip_here --user username --pass password`, but I'm unable to reproduce that logic with redis-rb.

I've tried `Redis.new(cluster: ["redis://username:password@redis_host:6379"])`, `Redis.new(cluster: ["redis://redis_host:6379"], username: username, password: password)` and all other possible combinations of passing user and password in URI or as separate parameters, but nothing manages to connect.

`Redis.new(uri: "redis://username:password@redis_host:6379")` works fine, but only connects to one node, which is not what I want to do.

Is it currently possible to connect to a cluster using ACL with redis-rb? I can't find any documentation or any references elsewhere.

@supercaracal
Contributor

> Is it currently possible to connect to a cluster using ACL with redis-rb?

Yes, it is.

Would you inform us of the following?

  1. redis' version
  2. redis-rb's version
  3. stack trace

There might be a bug.

@Dralun
Author

Dralun commented Jan 6, 2022

Curious, that was the syntax that I attempted to use.

  1. Redis version: 6.2.6
  2. Redis-rb version: 4.5.1 (also tried with 4.4.0)
  3. Stack trace:
```
irb(main):004:0> redis = Redis.new(cluster: ["redis://username:password@redis-cluster.clustername.svc.cluster.local:6379"])
/usr/local/bundle/gems/redis-4.5.1/lib/redis/cluster/slot_loader.rb:22:in `load': Redis client could not connect to any cluster nodes (Redis::CannotConnectError)
	from /usr/local/bundle/gems/redis-4.5.1/lib/redis/cluster.rb:116:in `fetch_cluster_info!'
	from /usr/local/bundle/gems/redis-4.5.1/lib/redis/cluster.rb:26:in `initialize'
	from /usr/local/bundle/gems/redis-4.5.1/lib/redis.rb:65:in `new'
	from /usr/local/bundle/gems/redis-4.5.1/lib/redis.rb:65:in `initialize'
	from (irb):4:in `new'
	from (irb):4:in `<main>'
	from /usr/local/lib/ruby/gems/3.0.0/gems/irb-1.3.5/exe/irb:11:in `<top (required)>'
	from /usr/local/bin/irb:23:in `load'
	from /usr/local/bin/irb:23:in `<main>'
irb(main):005:0> 
```

The connection works fine with the credentials using redis-cli, but redis-rb always seems to fail at the same point. Connecting to another cluster without ACL works fine though.

@supercaracal
Contributor

Thank you for sharing. I've tried to check the feature with this repository locally. It seems that several permissions are needed for the client user in cluster mode.

```
## git clone this repo
## bundle install

$ make start_all

$ ps x | grep redi[s]
  22180 ?        Ssl    0:07 tmp/cache/redis-6.2/src/redis-server *:6381
  22187 ?        Ssl    0:07 tmp/cache/redis-6.2/src/redis-server *:6382
  22202 ?        Ssl    0:11 tmp/cache/redis-6.2/src/redis-server *:6400 [sentinel]
  22211 ?        Ssl    0:11 tmp/cache/redis-6.2/src/redis-server *:6401 [sentinel]
  22215 ?        Ssl    0:11 tmp/cache/redis-6.2/src/redis-server *:6402 [sentinel]
  22459 ?        Ssl    0:06 tmp/cache/redis-6.2/src/redis-server *:7000 [cluster]
  22464 ?        Ssl    0:06 tmp/cache/redis-6.2/src/redis-server *:7001 [cluster]
  22470 ?        Ssl    0:06 tmp/cache/redis-6.2/src/redis-server *:7002 [cluster]
  22477 ?        Ssl    0:06 tmp/cache/redis-6.2/src/redis-server *:7003 [cluster]
  22489 ?        Ssl    0:06 tmp/cache/redis-6.2/src/redis-server *:7004 [cluster]
  22496 ?        Ssl    0:06 tmp/cache/redis-6.2/src/redis-server *:7005 [cluster]

$ bin/console
irb(main):001:0> r = Redis.new cluster: %w[redis://127.0.0.1:7000]
=> #<Redis client v4.5.1 for redis://127.0.0.1:7000/0 redis://127.0.0.1:7001/0 redis://127.0.0.1:7002/0>

irb(main):002:0> r.acl *%w[setuser foo on +ping +select +command +cluster|slots +cluster|nodes >mysecret]
=> "OK"

irb(main):003:0> r2 = Redis.new cluster: %w[redis://foo:mysecret@127.0.0.1:7000]
=> #<Redis client v4.5.1 for redis://127.0.0.1:7000/0 redis://127.0.0.1:7001/0 redis://127.0.0.1:7002/0>

irb(main):004:0> r2.ping
=> "PONG"
```

@supercaracal
Contributor

It seems that redis-cli doesn't need to fetch cluster metadata because its implementation depends on redirection.

https://github.com/redis/redis/blob/b9669829c8bc067f8a472c3dafe52e867965393c/src/redis-cli.c#L1301-L1329

@Dralun
Author

Dralun commented Jan 10, 2022

Ah, +cluster|slots +cluster|nodes were exactly the permissions I was lacking. After adding those everything works great! Thanks for the help!
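
As an added example (not part of the original thread and not redis-rb code), this Ruby script audits `ACL LIST` output for the commands granted to `foo` in the working example above, so a least-privilege user that authenticates with redis-cli but fails in a redis-rb 4.x cluster client can be spotted before deployment. The sample ACL lines, the `app` user and all function names are constructed for illustration, and the required set is taken from the thread, not verified as minimal.

```ruby
# Added example (not from the thread or from redis-rb): offline audit of
# ACL LIST output against the bootstrap permissions named in the thread.

# Commands granted to user "foo" in the thread's working example.
CLUSTER_BOOTSTRAP = %w[ping select command cluster|slots cluster|nodes].freeze

# Does the rule list grant `cmd`? Rules apply left to right, last match wins.
# Assumption: categories other than @all (+@read, -@admin, ...) are skipped,
# because category membership is only known to the server.
def grants?(rules, cmd)
  parent = cmd.split('|').first
  rules.reduce(false) do |state, rule|
    case rule.downcase
    when '+@all', 'allcommands'  then true
    when '-@all', 'nocommands'   then false
    when "+#{cmd}", "+#{parent}" then true
    when "-#{cmd}", "-#{parent}" then false
    else state
    end
  end
end

# Parse one line of `ACL LIST` output: "user <name> <rule> <rule> ...".
# Returns nil for lines that are not user entries.
def audit_acl_line(line, required = CLUSTER_BOOTSTRAP)
  kind, name, *rules = line.split
  return nil unless kind == 'user' && name
  enabled = rules.reverse.find { |r| r == 'on' || r == 'off' } == 'on'
  { user: name, enabled: enabled, missing: required.reject { |c| grants?(rules, c) } }
end

# Constructed sample of `redis-cli ACL LIST` output (hashes are placeholders).
SAMPLE_ACL_LIST = <<~ACL
  user default on nopass ~* &* +@all
  user foo on #constructedhash1 &* -@all +ping +select +command +cluster|slots +cluster|nodes
  user app on #constructedhash2 ~app:* &* -@all +get +set +ping
ACL

def audit(acl_list_text)
  acl_list_text.each_line.map { |l| audit_acl_line(l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_ACL_LIST).each do |r|
    status = r[:missing].empty? ? 'ok' : "missing #{r[:missing].join(' ')}"
    puts format('%-8s enabled=%-5s %s', r[:user], r[:enabled], status)
  end
end
```
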
