Add RedisJSON module commands to ACL

Question

I am using RedisStack 6.2.6-v6.

I have the following user in my acl list:

user username on -@all +@read +@write +@connection ~prefix:* > somepassword

When trying to execute commands from the JSON module I receive the following error:

NOPERM this user has no permissions to run the 'json.set' command or its subcommand

How can I solve this without doing +@all?

Answer 1

Score: 3

The ACL documentation states that module commands aren't included in command groups, and provides some reasoning:

"Note that command categories never include modules commands with the exception of +@all. If you say +@all, all the commands can be executed by the user, even future commands loaded via the modules system. However if you use the ACL rule +@read or any other, the modules commands are always excluded. This is very important because you should just trust the Redis internal command table. Modules may expose dangerous things and in the case of an ACL that is just additive, that is, in the form of +@all -... You should be absolutely sure that you'll never include what you did not mean to."

So what you'll want to do is explicitly list the JSON.<whatever> commands that you want the user to run. Here's an example:

Create a user that can only run json.set, json.get and json.arrpop on keys whose names begin with jsondocs:

127.0.0.1:6379> acl setuser justjson on >mypassword ~jsondocs:* -@all +json.set +json.get +json.arrpop
OK

Login as that user:

127.0.0.1:6379> auth justjson mypassword
OK

Try a command we are not allowed to use:

127.0.0.1:6379> sadd someset hello
(error) NOPERM this user has no permissions to run the 'sadd' command or its subcommand

Try a command we are allowed to use but not on the keys we are allowed to operate on:

127.0.0.1:6379> json.set nothere $ '{"hello": "world"}'
(error) NOPERM this user has no permissions to access one of the keys used as arguments

Try a command we can use on the part of the keyspace we can operate on:

127.0.0.1:6379> json.set jsondocs:shouldbeok $ '{"hello": [ "world", "welt", "monde"]}'
OK
127.0.0.1:6379> json.get jsondocs:shouldbeok $
"[{\"hello\":[\"world\",\"welt\",\"monde\"]}]"
127.0.0.1:6379> json.arrpop jsondocs:shouldbeok $.hello
1) "\"monde\""

Try a JSON command we are not allowed to use on a part of the keyspace we are allowed to operate on - expect to fail:

127.0.0.1:6379> json.numincrby jsondocs:shouldbeok $.counter 2
(error) NOPERM this user has no permissions to run the 'json.numincrby' command or its subcommand

Redis ACL docs: https://redis.io/docs/management/security/acl/
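The ACL behaviour the answer describes (categories never cover module commands, only +@all does; key patterns are checked separately), as an added example that is not code from the post: a small offline Python model of how Redis evaluates such rules, run against the asker's rule set and the answer's justjson user. The command-to-category table is a constructed subset, not the real Redis command table, and the evaluator is a simplification of the server's logic.

```python
from fnmatch import fnmatchcase

# Constructed subset of the built-in command table (command -> ACL categories).
BUILTIN_CATEGORIES = {
    "get": {"read", "string", "fast"},
    "set": {"write", "string", "slow"},
    "sadd": {"write", "set", "fast"},
    "ping": {"connection", "fast"},
}
# Module commands are known to the server but belong to no category, so +@read/+@write never grant them.
MODULE_COMMANDS = {"json.set", "json.get", "json.arrpop", "json.numincrby"}
ALL_COMMANDS = set(BUILTIN_CATEGORIES) | MODULE_COMMANDS


def build_rules(password, key_pattern, commands):
    """Rule string for a least-privilege user: deny everything, then allow-list."""
    rules = ["on", ">" + password, "~" + key_pattern, "-@all"]
    return " ".join(rules + ["+" + c for c in commands])


def parse_rules(rule_string):
    """Apply ACL rules left to right; returns (allowed commands, key patterns)."""
    allowed, key_patterns = set(), []
    for rule in rule_string.split():
        sign, body = rule[0], rule[1:]
        if sign == "~":
            key_patterns.append(body)          # key names are case-sensitive
        elif sign in "+-" and body.startswith("@"):
            cat = body[1:].lower()
            members = ALL_COMMANDS if cat == "all" else {   # only @all covers modules
                c for c, cats in BUILTIN_CATEGORIES.items() if cat in cats}
            allowed = allowed | members if sign == "+" else allowed - members
        elif sign in "+-" and body.lower() in ALL_COMMANDS:
            allowed = allowed | {body.lower()} if sign == "+" else allowed - {body.lower()}
        # "on", "off" and ">password" do not affect command permissions
    return allowed, key_patterns


def check(rule_string, command, keys=()):
    """Mimic the server's decision: NOPERM on the command first, then on each key."""
    allowed, key_patterns = parse_rules(rule_string)
    if command.lower() not in allowed:
        return "NOPERM command"
    if any(not any(fnmatchcase(k, p) for p in key_patterns) for k in keys):
        return "NOPERM key"
    return "OK"


# The asker's user: categories only, so json.* is never granted.
ASKER_RULES = "on -@all +@read +@write +@connection ~prefix:* >somepassword"
# The answer's justjson user, built the same way as the ACL SETUSER line above.
JUSTJSON_RULES = build_rules("mypassword", "jsondocs:*", ["json.set", "json.get", "json.arrpop"])
```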

Posted by huangapple on 2023-04-10 22:42:48
Source: https://go.coder-hub.com/75978064.html