---
title: Use ACLs for Fine-Grained Access Control
impact: HIGH
impactDescription: Limits blast radius if credentials are compromised
tags: security, acl, users, permissions, least-privilege
description: Use ACLs for Fine-Grained Access Control
alwaysApply: true
---

## Use ACLs for Fine-Grained Access Control

Create users with only the permissions they need (principle of least privilege).

**Correct:** Create specific users with limited permissions.

```
# Read-only user for cache access
# (note: SCAN takes no key argument, so ~cache:* does not limit which key names it lists)
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan

# Writer that can't run dangerous commands
ACL SETUSER app_writer on >password ~* +@all -@dangerous

# Admin user (use sparingly)
ACL SETUSER admin on >strong-password ~* +@all
```

**Incorrect:** Using the default user for everything.

```
# Bad: Single password for all access (redis.conf directive)
requirepass shared-password
```

**ACL categories:**

- `@read` - Read commands
- `@write` - Write commands
- `@dangerous` - Commands like FLUSHALL, DEBUG
- `@admin` - Administrative commands

Reference: [Redis ACL](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/)
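As an added check (example code written for this rule, not from Redis or the original file), the following Python linter parses `ACL SETUSER` lines like the ones above, flags `nopass`, `+@all` without `-@dangerous`, unscoped `~*` write access and plaintext `>password` rules, and shows the `#<sha256>` form Redis accepts for storing hashed passwords in an ACL file; the sample rules and the `batch` user are constructed.

```python
import hashlib
import shlex

# Constructed sample: the three users from this rule file plus a risky 'batch' user.
SAMPLE_RULES = """
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan
ACL SETUSER app_writer on >password ~* +@all -@dangerous
ACL SETUSER admin on >strong-password ~* +@all
ACL SETUSER batch on nopass ~* +@all
"""

def parse_setuser(line):
    """Return (username, [rules]) for an 'ACL SETUSER ...' line, else None."""
    parts = shlex.split(line)
    if len(parts) < 3 or [p.upper() for p in parts[:2]] != ["ACL", "SETUSER"]:
        return None
    return parts[2], parts[3:]

def lint_user(username, rules):
    """Return findings for one user. Redis applies rules left to right; this
    check is order-insensitive, so review the full rule string when it fires."""
    findings = []
    allows_all = "+@all" in rules or "allcommands" in rules
    all_keys = "~*" in rules or "allkeys" in rules
    can_write = allows_all or any(r.startswith("+@write") for r in rules)
    if "nopass" in rules:
        findings.append(f"{username}: nopass disables authentication")
    if allows_all and "-@dangerous" not in rules:
        findings.append(f"{username}: +@all without -@dangerous allows FLUSHALL, CONFIG, DEBUG")
    if all_keys and can_write:
        findings.append(f"{username}: writes to every key (~*); prefer a prefix like ~cache:*")
    if any(r.startswith(">") for r in rules):
        findings.append(f"{username}: plaintext >password; use #<sha256> in users.acl")
    return findings

def hashed_password_rule(password):
    """Render the '#<sha256hex>' rule Redis accepts instead of '>password'."""
    return "#" + hashlib.sha256(password.encode()).hexdigest()

def lint_rules(text):
    """Lint every ACL SETUSER line in text; returns {username: [findings]}."""
    report = {}
    for line in text.strip().splitlines():
        parsed = parse_setuser(line)
        if parsed:
            username, rules = parsed
            report[username] = lint_user(username, rules)
    return report
```

Running `lint_rules(SAMPLE_RULES)` reports only the plaintext password for `app_readonly`, while `admin` and `batch` are flagged for unrestricted dangerous commands.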