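Since Redis 6, ACLs provide finer-grained per-user permission control: (1) access credentials: username and password; (2) the commands a user may run; (3) the keys a user may operate on.
Common ACL rules:
+command // add a command to the allowed list, e.g. select, auth
+@category // add a command category to the allowed list, e.g. @admin, @set
acl cat // list all command categories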
~
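Redis databases are numbered 0 to 15 by default; the count can be changed with the databases parameter.

Several ways to implement multi-tenancy on Redis:
1. Since Redis 6, tenants can be isolated with ACLs, one db per user.
2. Container-based: one Redis instance per user.
The code below was tested on Redis 7.0.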
ACL SETUSER username on >123456 +@all ~* -@admin -select +select|5 // +@all grants all commands, ~* allows all keys, -@admin removes the @admin category, and select is only allowed for switching to db5
auth username 123456
select 1 // switching to db1 is refused: (error) NOPERM this user has no permissions to run the 'select' command or its subcommand
select 5
ACL DELUSER username // delete the user
redis-cli --user username --pass 123456 -n 1 # connect using db1
// Redis is the ioredis client; serviceName, redisHost, redisPort, redisPassword,
// genNumber and dockerSetting are defined elsewhere in the author's project.
const Redis = require('ioredis');
const uuid = require('uuid');

async function createUser() {
    // Connect with the administrative account that is allowed to run ACL commands
    const redis = new Redis({
        password: redisPassword,
        host: redisHost,
        port: redisPort
    });
    try {
        const db = genNumber(); // this db index must be an auto-generated, incrementing number

        const username = `${serviceName}_ecmaster`,
            password = uuid.v4().replaceAll("-", ""),
            rules = [
                '+@all',
                '~*',
                '-@admin',
                '-select',
                `+select|${db}`,
            ];

        // Create the user
        await redis.acl(
            'SETUSER',
            username, 'on', `>${password}`,
            ...rules
        );

        console.log(`User ${username} created successfully.`);

        // Hand the tenant's connection settings to the container configuration
        dockerSetting.dataSource.redis = {
            username,
            password,
            "host": redisHost,
            "port": redisPort,
            db
        };
    } catch (e) {
        throw e;
    } finally {
        redis.disconnect();
    }
}

async function deleteUser() {
    const redis = new Redis({
        password: redisPassword,
        host: redisHost,
        port: redisPort
    });
    try {
        const username = `${serviceName}_ecmaster`;
        // Delete the user
        await redis.call('ACL', 'DELUSER', username);
        console.log(`User ${username} deleted successfully.`);
    } catch (e) {
        throw e;
    } finally {
        redis.disconnect();
    }
}
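An offline check of the rule set used above, added here as an example and not part of the original code: it applies the command rules left to right and reports which commands that reach other databases are still permitted. The function names, the `hardenedRules` variant and the `CATEGORIES` table (a constructed subset of Redis 7.0 command metadata) are assumptions.

```javascript
// Added example, not the page's code. CATEGORIES is a constructed subset of
// Redis 7.0 command metadata (assumption: confirm with COMMAND INFO <cmd>).
const CATEGORIES = {
  select:   ['fast', 'connection'],
  swapdb:   ['keyspace', 'write', 'fast', 'dangerous'],
  flushall: ['keyspace', 'write', 'slow', 'dangerous'],
  move:     ['keyspace', 'write', 'fast'],
  copy:     ['keyspace', 'write', 'slow'],
  shutdown: ['admin', 'slow', 'dangerous'],
};

// Apply command rules left to right, the order ACL SETUSER processes them.
function evaluate(rules) {
  const state = new Map(
    Object.keys(CATEGORIES).map((c) => [c, { on: false, args: new Set() }]));
  for (const rule of rules) {
    if (!/^[+-]/.test(rule)) continue; // skip on, >password, ~key patterns
    const on = rule[0] === '+';
    const [name, firstArg] = rule.slice(1).toLowerCase().split('|');
    for (const [cmd, st] of state) {
      const hit = name === '@all' || name === cmd ||
        (name[0] === '@' && CATEGORIES[cmd].includes(name.slice(1)));
      if (!hit) continue;
      if (firstArg !== undefined) { if (on) st.args.add(firstArg); continue; }
      st.on = on;      // whole-command rule replaces any first-arg grants
      st.args.clear();
    }
  }
  return state;
}

function isAllowed(rules, cmd, firstArg) {
  const st = evaluate(rules).get(cmd.toLowerCase());
  return st.on || st.args.has(String(firstArg));
}

// Commands that reach other databases without needing SELECT.
function crossDbExposure(rules) {
  return ['swapdb', 'flushall', 'move', 'copy'].filter((c) => isAllowed(rules, c));
}

const pageRules = (db) => ['+@all', '~*', '-@admin', '-select', `+select|${db}`];
// Hypothetical tightening; -@dangerous also removes KEYS, FLUSHDB and others.
const hardenedRules = (db) => [...pageRules(db), '-@dangerous', '-move', '-copy'];

console.log('page rules leave:', crossDbExposure(pageRules(5)));
console.log('hardened rules leave:', crossDbExposure(hardenedRules(5)));
```

A new connection starts on db 0 before any SELECT, so with `~*` the tenant can still reach keys there; Redis 7.0 ACL rules have no per-database selector. On a live 7.0 server, `ACL DRYRUN username swapdb 0 5` reports what the real rule engine decides.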
Tested with the RedisInsight GUI tool: keys in non-authorized dbs can no longer be operated on:
