.png?sv=2022-11-02&spr=https&st=2024-09-19T21%3A55%3A10Z&se=2024-09-19T22%3A05%3A10Z&sr=c&sp=r&sig=vRMUKnVQNfgjAILM7yVl%2BHEkab%2Bhb8HZR3lUxRRVOvE%3D){kind=logo}
Redis [IAP 2022.1.x - 2023.1.x]
- 16 Apr 2024
-
DarkLight
-
PDF
Redis [IAP 2022.1.x - 2023.1.x]
- Updated on 16 Apr 2024
-
DarkLight
-
PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
Dependency Requirements
This article summarizes the requirements to install Redis as an IAP dependency.
Installation
Please refer to the Redis documentation for details on Redis installation.
Post Installation
If Redis is running on a different server than IAP, the Redis process may bind to the localhost. If this occurs then Redis and IAP may not be able to communicate.
The example steps listed below allow Redis to communicate outside of localhost.
-
Edit
/etc/redis.confon the Redis server. -
Comment out
bind 127.0.0.1so that it becomes#bind 127.0.0.1. -
Restart Redis.
sudo systemctl restart redis
Note:
⚠ These instructions open the Redis TCP port externally, so security hardening should be considered.
Configuration
Apply the following recommended Redis configurations to a production or development environment. These recommendations are relevant where Redis is running in a virtual machine. However, many of these configurations may also apply to a bare metal installation.
Max Memory
By default, Redis will consume up to 80% of the memory available on the platform. Set the upper limit to 20% of the available memory so IAP may consume the remaining 80%.
Change the # maxmemory <bytes> value in the /etc/redis.conf file.
Restart Redis to allow the /etc/redis.conf changes to go into effect.
sudo systemctl restart redis
Note:
Further Redis configuration for a production environment can be found in the Redis Configuration documentation.
Requirements for Non-Default Users
In Redis 6.2 and higher, when authorization is enabled, non-default users must be granted specific permissions to the Redis capabilities used throughout IAP.
Redis Users
Redis 6.x has built-in access control, with a single defined user called default (this is the default configuration). You also have the option to configure additional Redis users during installation. Listed below are some suggested examples.
| Username | Description |
|---|---|
admin |
The Redis administrative account. |
itential |
The account used by IAP to connect to Redis. |
repluser |
The account used by Redis to perform replication within a Redis cluster. |
sentineluser |
The account used by Redis Sentinel to connect to Redis. |
User Rules
Under the SECURITY section of the redis.conf file, the user rules should be defined as follows:
user default off
user admin on allkeys allchannels allcommands >admin
user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential
user repluser on allchannels +psync +replconf +ping >repluser
user sentineluser on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >sentineluser
User Permissions
The following table outlines and briefly explains what each user line in the rules section above is accomplishing. For more complete information, please see the Related Reading.
| Line | Action |
|---|---|
| 1 | Disable the default user to block permissions to everything. |
| 2 | Add the admin user. Grant all privileges. |
| 3 | Add the itential user. Disallow all commands, and then add each command IAP requires (those with the +). The itential user should be configured in the IAP profile. |
| 4 | Add the repluser. Disallow all commands and then add each command that replication requires. If running a single Redis instance, the repluser is not required. |
| 5 | Add the sentineluser. Disallow all commands and then add each command that Redis Sentinel requires. If running a single Redis instance, the sentineluser is not required. |
Excluded Commands
With the following Redis configuration command, the itential user is excluded (disallowed) from executing several cluster management and server management commands.
user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential
The set of commands the itential user cannot access (call) are listed below.
Cluster Management Calls
- ASKING
- CLUSTER ADDSLOTS
- CLUSTER ADDSLOTSRANGE
- CLUSTER BUMPEPOCH
- CLUSTER COUNT-FAILURE-REPORTS
- CLUSTER COUNTKEYSINSLOT
- CLUSTER DELSLOTS
- CLUSTER DELSLOTSRANGE
- CLUSTER FAILOVER
- CLUSTER FLUSHSLOTS
- CLUSTER FORGET
- CLUSTER GETKEYSINSLOT
- CLUSTER INFO
- CLUSTER KEYSLOT
- CLUSTER LINKS
- CLUSTER MEET
- CLUSTER MYID
- CLUSTER MYSHARDID
- CLUSTER NODES
- CLUSTER REPLICAS
- CLUSTER REPLICATE
- CLUSTER RESET
- CLUSTER SAVECONFIG
- CLUSTER SET-CONFIG-EPOCH
- CLUSTER SETSLOT
- CLUSTER SHARDS
- CLUSTER SLAVES
- CLUSTER SLOTS
- READONLY
- READWRITE
Server Management Calls
- ACL DELUSER
- ACL LOAD
- ACL LOG
- ACL LIST
- ACL SAVE
- ACL SETUSER
- ACL DRYRUN
- BGREWRITEAOF
- BGSAVE
- CONFIG RESETSTAT
- CONFIG REWRITE
- CONFIG SET
- FAILOVER
- FLUSHALL
- FLUSHDB
- PSYNC
- REPLCONF
- REPLICAOF
- SAVE
- SHUTDOWN
- SYNC
Related Reading
For more information, refer to the following Redis sites:
Was this article helpful?
