Login
Contents x
Redis [IAP 2022.1.x - 2023.1.x]
  • 16 Apr 2024
  • Dark
    Light
  • PDF
Contents

Redis [IAP 2022.1.x - 2023.1.x]

  • Updated on 16 Apr 2024
  • Dark
    Light
  • PDF
Article summary

Dependency Requirements

This article summarizes the requirements to install Redis as an IAP dependency.

Also see: Configuring Redis Properties in IAP 2023.1

Installation

Please refer to the Redis documentation for details on Redis installation.

Post Installation

If Redis is running on a different server than IAP, the Redis process may bind to the localhost. If this occurs then Redis and IAP may not be able to communicate.

The example steps listed below allow Redis to communicate outside of localhost.

  1. Edit /etc/redis.conf on the Redis server.

  2. Comment out bind 127.0.0.1 so that it becomes #bind 127.0.0.1.

  3. Restart Redis.

    sudo systemctl restart redis
Note:

⚠ These instructions open the Redis TCP port externally, so security hardening should be considered.

Configuration

Apply the following recommended Redis configurations to a production or development environment. These recommendations are relevant where Redis is running in a virtual machine. However, many of these configurations may also apply to a bare metal installation.

Max Memory

By default, Redis will consume up to 80% of the memory available on the platform. Set the upper limit to 20% of the available memory so IAP may consume the remaining 80%.

Change the # maxmemory <bytes> value in the /etc/redis.conf file.

Restart Redis to allow the /etc/redis.conf changes to go into effect.

sudo systemctl restart redis
Note:

Further Redis configuration for a production environment can be found in the Redis Configuration documentation.

Requirements for Non-Default Users

In Redis 6.2 and higher, when authorization is enabled, non-default users must be granted specific permissions to the Redis capabilities used throughout IAP.

Redis Users

Redis 6.x has built-in access control, with a single defined user called default (this is the default configuration). You also have the option to configure additional Redis users during installation. Listed below are some suggested examples.

Username Description
admin The Redis administrative account.
itential The account used by IAP to connect to Redis.
repluser The account used by Redis to perform replication within a Redis cluster.
sentineluser The account used by Redis Sentinel to connect to Redis.

User Rules

Under the SECURITY section of the redis.conf file, the user rules should be defined as follows:

user default off

user admin on allkeys allchannels allcommands >admin

user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential

user repluser on allchannels +psync +replconf +ping >repluser

user sentineluser on allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill >sentineluser

User Permissions

The following table outlines and briefly explains what each user line in the rules section above is accomplishing. For more complete information, please see the Related Reading.

Line Action
1 Disable the default user to block permissions to everything.
2 Add the admin user. Grant all privileges.
3 Add the itential user. Disallow all commands, and then add each command IAP requires (those with the +). The itential user should be configured in the IAP profile.
4 Add the repluser. Disallow all commands and then add each command that replication requires. If running a single Redis instance, the repluser is not required.
5 Add the sentineluser. Disallow all commands and then add each command that Redis Sentinel requires. If running a single Redis instance, the sentineluser is not required.

Excluded Commands

With the following Redis configuration command, the itential user is excluded (disallowed) from executing several cluster management and server management commands.

user itential on allkeys allchannels allcommands -asking -cluster -readonly -readwrite -acl|deluser -acl|load -acl|log -acl|list -acl|save -acl|setuser -acl|dryrun -bgrewriteaof -bgsave -config|resetstat -config|rewrite -config|set -failover -flushall -flushdb -psync -replconf -replicaof -save -shutdown -sync >itential

The set of commands the itential user cannot access (call) are listed below.

Cluster Management Calls

  • ASKING
  • CLUSTER ADDSLOTS
  • CLUSTER ADDSLOTSRANGE
  • CLUSTER BUMPEPOCH
  • CLUSTER COUNT-FAILURE-REPORTS
  • CLUSTER COUNTKEYSINSLOT
  • CLUSTER DELSLOTS
  • CLUSTER DELSLOTSRANGE
  • CLUSTER FAILOVER
  • CLUSTER FLUSHSLOTS
  • CLUSTER FORGET
  • CLUSTER GETKEYSINSLOT
  • CLUSTER INFO
  • CLUSTER KEYSLOT
  • CLUSTER LINKS
  • CLUSTER MEET
  • CLUSTER MYID
  • CLUSTER MYSHARDID
  • CLUSTER NODES
  • CLUSTER REPLICAS
  • CLUSTER REPLICATE
  • CLUSTER RESET
  • CLUSTER SAVECONFIG
  • CLUSTER SET-CONFIG-EPOCH
  • CLUSTER SETSLOT
  • CLUSTER SHARDS
  • CLUSTER SLAVES
  • CLUSTER SLOTS
  • READONLY
  • READWRITE

Server Management Calls

  • ACL DELUSER
  • ACL LOAD
  • ACL LOG
  • ACL LIST
  • ACL SAVE
  • ACL SETUSER
  • ACL DRYRUN
  • BGREWRITEAOF
  • BGSAVE
  • CONFIG RESETSTAT
  • CONFIG REWRITE
  • CONFIG SET
  • FAILOVER
  • FLUSHALL
  • FLUSHDB
  • PSYNC
  • REPLCONF
  • REPLICAOF
  • SAVE
  • SHUTDOWN
  • SYNC

Related Reading

For more information, refer to the following Redis sites:

Was this article helpful?
What's Next
Privacy Policy
Cookie Policy
Terms of Use
EULA
Copyright © 2024 Itential for Developers
Change password!
Changing your password will log you out immediately. Use the new password to log back in.
Change profile
Success!
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
Logout