ACL
By default, Redis does not impose any restrictions on the commands that clients can execute. This lack of restrictions raises security concerns, especially when dealing with clients that may not be fully trusted. However, there is no need to worry as Redis offers a solution in the form of Access Control Lists (ACL).
ACL in Redis enables the establishment of limited access for connections to the server, specifying which commands they are allowed to execute. In Thalos, this feature is crucial for maintaining security, ensuring that clients can only access specific channels within Thalos.
The special account called default serves as the default account for unauthorized users, provided it is configured with a password. Connections can authenticate against this account without specifying a username. Thalos utilizes this account as the default user account.
Additionally, it is advisable to restrict the Thalos server account as an added precaution against any unauthorized actions it may inadvertently perform, although such occurrences are highly unlikely.
The ACL in thalos is simple and uses 2 accounts:
defaultaccount (user account, used by clients. only allowed to read from thalos specific channels)thalos-serveraccount (is allowed to publish to channels and also write to it's cache)
there is also the admin account that is use for redis mangement. has access to everything.
IMPORTANT
Make sure you replace the passwords with a secure ones.
It is recommended to use ACL GENPASS to generate strong passwords.
redis.conf
user default on >client_password resetchannels &ship::* +@connection +subscribe
user admin on >admin_password ~* &* +@all
user thalos on >server_password resetchannels &ship::* ~thalos::* +@connection +@read +@write +publish2
3
External file
It is possible to use external config files to define users in redis.
Just place the configuration above in an external file for example: /etc/redis/users.acl and then add this in /etc/redis/redis.conf
aclfile /etc/redis/users.aclThalos tools
There is also a tool to create the config lines for you.
$ thalos-tools redis-acl
Passwords
default: NgCseRB8QcxdHwcwmg43OOjxZW0YbngN
thalos: kmJIi1kP5bp2MHQeSj925otWnxTvfRe5
thalos-client: WBGP9mXuUIIv11KhLgbuaTcl1NnRmhWn
# Created by thalos-tools on Mon Feb 12 15:56:26 CET 2024
user default on #3c0745d926021292a521267d803b9c20f3570bee30697e401920151d2593d1e4 ~* &* +@all
user thalos on #cf2b3e36521b0e67cb50fcc1f931f577384bb84ad7d0492d00e07beb4660ff1d resetchannels ~ship::* &ship::* -@all +get +publish +set
user thalos-client on #06d88f1e91d8bc82a5074223fd380006395b80a7b41dcd1318be1dd288282e4a resetchannels &ship::* -@all +subscribe2
3
4
5
6
7
8
9
10
Test the accounts permissions
It is a good idea to test if the configuration works.
$ redis-cli --pass mypassword
127.0.0.1:6379> SUBSCRIBE some_channel
Reading messages... (press Ctrl-C to quit)
(error) NOPERM this user has no permissions to access one of the channels used as arguments
127.0.0.1:6379> SET random_key value
(error) NOPERM this user has no permissions to run the 'set' command or its subcommand
127.0.0.1:6379> SUBSCRIBE ship::1234
Reading messages... (press Ctrl-C to quit)
1) "subscribe"
2) "ship::1234"
3) (integer) 12
3
4
5
6
7
8
9
10
11
Thalos config
After you have setup ACL, make sure to update your config.yml with the account and password.
redis:
user: thalos
password: p4ssw0rd2
3
Other ACL Configurations
No user password
While not recommended, it is possible to have the default (user) account without password. that way the user does not need to authenticate (but still has limited access). just remove the password from user default line:
user default on resetchannels &ship::* +@connection +subscribeThalos users with a different account
It is also possible to provide a different account for users
user thalos-client on >client_password resetchannels &ship::* +@connection +subscribe