Description
When configuring ACL permissions in a Redis cluster for use with Centrifugo v6.0.1, we encounter an issue where setting access to a specific key prefix does not work as expected.
Steps to Reproduce:
Assign ACL permissions as follows:
ACL SETUSER centrifugo on ~centrifugo* +@all
This results in an error when Centrifugo attempts to interact with Redis.
However, setting broader permissions resolves the issue:
ACL SETUSER centrifugo on ~* +@all
This works, but it grants permissions to all keys, which is undesirable.
Checking the Redis ACL log:
ACL LOG
The log shows an error related to missing permissions for the XRANGE command:
"reason": "key",
"context": "toplevel",
"object": "_",
"cmd": "xrange"
Attempting to explicitly grant XRANGE permission to the required prefix also fails:
ACL SETUSER centrifugo on ~centrifugo* +@all +xrange
This still results in a permission error.
Trying to explicitly allow access to XRANGE for all keys while limiting other permissions does not work:
ACL SETUSER centrifugo on ~centrifugo* +@all ~* +xrange
Redis automatically escalates this to:
ACL SETUSER centrifugo on ~* +@all +xrange
This defeats the purpose of restricting access to specific prefixes.
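Added example, not code from Centrifugo or Redis: a small Python model of how Redis 7 evaluates ACL key patterns. It shows why XRANGE on the key "_" from the ACL LOG is denied under ~centrifugo*, why appending ~* widens the rule to every key, and how an ACL selector (the parenthesised rule group Redis supports since 7.0) could permit XRANGE on "_" alone without widening the root permissions. The selector rule and the sample keys are constructed for illustration, and only ~pattern, +command and +@all are modelled.

```python
"""Simplified model of Redis 7 ACL key-pattern evaluation (added example,
not Redis or Centrifugo code). Semantics modelled: key patterns inside one
rule group are OR'ed, so adding ~* allows every key; a command is permitted
if the root rules or any selector "(...)" allow both the command and all of
its keys. Not modelled: -command, %R/%W key flags, categories other than @all."""
import fnmatch
import re


def parse_rules(rule_string):
    """Return a list of (key_patterns, commands) groups; index 0 is the root
    rule set, the rest are selectors written in parentheses."""
    root = re.sub(r"\([^)]*\)", "", rule_string)  # root = text outside (...)
    selectors = re.findall(r"\(([^)]*)\)", rule_string)
    groups = []
    for text in [root] + selectors:
        patterns, commands = [], set()
        for token in text.split():
            if token.startswith("~"):
                patterns.append(token[1:])
            elif token.startswith("+"):
                commands.add(token[1:].lower())
            # tokens such as "on" are ignored by this model
        groups.append((patterns, commands))
    return groups


def key_allowed(patterns, key):
    """Glob match; any matching pattern allows the key (patterns are OR'ed)."""
    return any(fnmatch.fnmatchcase(key, p) for p in patterns)


def command_allowed(rule_string, command, keys):
    """True if the root rules or any selector permit command on every key."""
    command = command.lower()
    for patterns, commands in parse_rules(rule_string):
        cmd_ok = "@all" in commands or command in commands
        if cmd_ok and all(key_allowed(patterns, k) for k in keys):
            return True
    return False


if __name__ == "__main__":
    # The rules quoted in this issue, plus a constructed selector-based rule.
    narrow = "on ~centrifugo* +@all"
    widened = "on ~centrifugo* +@all ~* +xrange"
    selector = "on ~centrifugo* +@all (~_ +xrange)"
    print("narrow  XRANGE _     ->", command_allowed(narrow, "xrange", ["_"]))
    print("widened GET other    ->", command_allowed(widened, "get", ["other"]))
    print("selector XRANGE _    ->", command_allowed(selector, "xrange", ["_"]))
    print("selector GET other   ->", command_allowed(selector, "get", ["other"]))
```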
Expected Behavior:
Redis ACL should allow the assignment of permissions per key prefix while preserving fine-grained command access restrictions. It should be possible to grant XRANGE permissions only for centrifugo* keys without escalating permissions globally.
Actual Behavior:
Redis overrides the prefix-based ACL rule, forcing a broader scope than intended, which results in either excessive access or permission errors.
Environment:
- Redis Version: 7.2.0
- Centrifugo Version: v6.0.1
- Redis Cluster: Yes
Logs:
Example from ACL LOG:
127.0.0.1:6379> ACL LOG
1) 1) "count"
2) (integer) 2
3) "reason"
4) "key"
5) "context"
6) "toplevel"
7) "object"
8) "_"
9) "username"
10) "redisshake"
11) "age-seconds"
12) "4.446"
13) "client-info"
14) "id=32265 addr=10.193.34.112:44122 laddr=10.193.154.27:6379 fd=27 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 ssub=0 multi=-1 watch=0 qbuf=41 qbuf-free=20433 argv-mem=13 multi-mem=0 rbs=16384 rbp=274 obl=0 oll=0 omem=0 tot-mem=37805 events=r cmd=xrange user=redisshake redir=-1 resp=3 lib-name=rueidis lib-ver=1.0.53"
15) "entry-id"
16) (integer) 13
17) "timestamp-created"
18) (integer) 1738261463618
19) "timestamp-last-updated"
20) (integer) 1738261465910
Potential Fix or Workaround:
Provide a way to enforce prefix-based ACL rules.
Additional Notes:
This issue prevents the use of Redis ACLs for properly isolating Centrifugo access in shared Redis clusters. The only working solution currently is to grant full access (~* +@all), which is not secure.
Would appreciate any guidance or a possible fix for this behavior!