3

In Redis there is an authentication feature and also different databases are possible, but can these features be combined in a secure way?

From MySQL I know that there is user management, and multiple users can have multiple passwords and can have permissions for only one database.

For security reasons I'd like to have it similar in Redis, because currently I can use requirepass, but I have to add it to every application that wants to connect to Redis anyway. (Is there at least a way to use multiple passwords for requirepass?)
And I can connect to one database with an application, but AFAIK this application could also just switch to another database. (Can I at least prevent this switch somehow?)

For performance reasons I want to avoid running multiple instances of redis in parallel.

am70
rugk

3 Answers

5

I'll start at the end:

> For performance reasons I want to avoid running multiple instances of redis in parallel.

Just the opposite in fact - since Redis is (mostly) single threaded, running multiple instances in parallel is exactly how you get better server utilization and increased performance.

The Redis notion of databases (also known as shared databases or numbered databases) is different from that of the SQL domain. Redis' databases are more like namespaces, and besides sharing the same thread they also share all the configuration - the authentication password included.

So the answer is no, you can't set a different password for each database. For more details on why you should prefer dedicated Redis databases refer to: https://redislabs.com/blog/benchmark-shared-vs-dedicated-redis-instances

Itamar Haber
  • Okay, so just another question. When executing redis under another user I assume it can't be a single thread anymore. Is that right? – rugk May 16 '16 at 20:30
  • Every Redis process (server) that you launch is (again, mostly [disk io is offloaded]) single threaded. You can launch them under the same user or different ones - that is irrelevant unless the server enforces resource quotas per user. – Itamar Haber May 16 '16 at 20:32
0

No, but redis is so lightweight that you just start different instances on different ports. You said you don't want to "for performance reasons", but that is moot - an empty redis takes almost no memory and almost no cpu.

court3nay
0

From Redis 6.0 we can achieve this with the help of ACL:

    ACL SETUSER user1 on >password +@all ~* -select +select|1

  • Notice that here the user has access only to database-1.
  • -select restricts the user from switching databases.

Further, you can use the same command to be more restrictive, such as giving permission to a certain prefix etc.

    ACL SETUSER user1 on >password ~prefix.:* +@all

Prince Bhanwra
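
An added example, not part of the answers above: a small Python audit that replays ACL rules shaped like the commands in the last answer and reports which numbered databases each user can reach. The sample ACL lines, the function names `reachable_dbs` and `audit`, and the users `user2` and `user3` are constructed for illustration; database 0 is counted as reachable because new connections start there.

```python
# Added example: audit which numbered databases each ACL user can reach.
# SAMPLE_ACL is constructed for illustration, shaped like ACL LIST output.
SAMPLE_ACL = """\
user default on nopass ~* +@all
user user1 on >password ~* +@all -select +select|1
user user2 on >password ~prefix.:* +@all
user user3 on >password ~* -@all +get +set
"""

ANY_DB = "any"  # SELECT is fully allowed: every numbered database is reachable


def reachable_dbs(rules):
    """Replay ACL rules left to right; later rules override earlier ones."""
    select_all = False   # a new user starts with no commands allowed
    first_args = set()   # database numbers granted via +select|<n>
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands", "+select"):
            select_all = True
        elif r in ("-@all", "nocommands", "-select"):
            select_all = False
            first_args.clear()
        elif r.startswith("+select|") and not select_all:
            first_args.add(int(r.split("|", 1)[1]))
        # Assumption: category rules other than @all are not interpreted
        # here; review them by hand.
    if select_all:
        return ANY_DB
    # New connections start in database 0, so it is reachable without SELECT.
    return frozenset({0} | first_args)


def audit(acl_text):
    """Map each user name to ANY_DB or the set of reachable databases."""
    report = {}
    for line in acl_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "user":
            report[fields[1]] = reachable_dbs(fields[2:])
    return report


if __name__ == "__main__":
    for name, dbs in audit(SAMPLE_ACL).items():
        print(name, "->", dbs if dbs == ANY_DB else sorted(dbs))
```

A key-pattern rule such as `~prefix.:*` limits key names but not databases, so `user2` is still reported as able to reach any database.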