How to change redis passwd without downtime

Question
For safety concerns, we plan to change our Redis password periodically (like every 4 weeks). The question is how to change it without external downtime, or with only a very short period of it.

My plans are:

  1. Clear the password on the Redis server and restart.
  2. Seeing as there's no password required, clients can still reconnect to the Redis server even with an obsolete password.
  3. Clients reload the new password from the config center periodically, and soon after, all clients will have been updated to the new password.
  4. Change the Redis server to the new password and restart.
  5. Clients use the new password to reconnect to the Redis server.

But when I tried it (I'm using redigo), I got "ERR Client sent AUTH, but no password is set" on step 2. It seems like we can't connect to Redis with an extra password if it doesn't require one. But when I use redis-cli, it can! I want to know how redis-cli achieves this, and how I can do that with redigo?

Answer 1

Score: 2

A common solution to password rotation is:

  • During the password rollover period, have the config provider supply two passwords: current and previous.
  • The client tries with the current password.
  • If that fails, it retries with the previous one.

At the end of the rollover period, the server is restarted with the new password and the old password is deleted from the config.
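The rollover scheme from this answer, as an added Go example (not the answerer's code): the client tries the current password, then the previous one, and treats the "no password is set" reply from the question's step 2 as a usable connection. The `Authenticator` hook and `fakeServer` are assumptions standing in for redigo's `conn.Do("AUTH", ...)` so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)
// Reply Redis gives to AUTH when no password is configured (quoted in the question).
const errNoPasswordSet = "ERR Client sent AUTH, but no password is set"

// Authenticator sends AUTH <password> on an open connection and returns the server's error.
// Assumption: with redigo it wraps conn.Do("AUTH", pw) on a redis.Dial connection opened
// without DialPassword, so a rejected AUTH does not close the connection before a retry.
type Authenticator func(password string) error

// AuthWithRotation tries the current password, then the previous one. errNoPasswordSet
// (server mid-rotation, auth disabled) counts as success so stale clients keep working.
func AuthWithRotation(auth Authenticator, current, previous string) (string, error) {
	lastErr := errors.New("no password candidates supplied")
	for _, pw := range []string{current, previous} {
		if pw == "" {
			continue
		}
		switch err := auth(pw); {
		case err == nil:
			return pw, nil // this password was accepted
		case strings.Contains(err.Error(), errNoPasswordSet):
			return "", nil // server needs no password right now: connection is usable
		default:
			lastErr = err // wrong password: fall through to the previous one
		}
	}
	return "", fmt.Errorf("redis AUTH failed with current and previous password: %w", lastErr)
}

// fakeServer is a constructed stand-in for a Redis server whose configured password is
// `configured` ("" = none set); its error texts are constructed for the demo.
func fakeServer(configured string) Authenticator {
	return func(pw string) error {
		if configured == "" {
			return errors.New(errNoPasswordSet)
		} else if pw != configured {
			return errors.New("ERR invalid password")
		}
		return nil
	}
}

func main() {
	used, err := AuthWithRotation(fakeServer("old-secret"), "new-secret", "old-secret")
	fmt.Printf("accepted=%q err=%v\n", used, err) // accepted="old-secret" err=<nil>
}
```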

Answer 2

Score: 0


Why not use Redis ACLs? https://redis.io/topics/acl

  1. Create the current user user1 with password1.
  2. After a time period, create user2/password2.
  3. Leave a grace period for apps to reconnect (some clients allow you to set MaxConnAge in Go).
  4. Delete user1/password1.

huangapple
  • This article was posted on 22 June 2021, 17:33:29
  • When reposting, please keep the link to this article: https://go.coder-hub.com/68081075.html