refactor(api): TOML 配置 SSOT、统一错误契约、Auth/事务加固与可观测性 (#33)

配置 SSOT(TOML + .env)
统一错误契约
Auth 与事务边界
Redis / Celery 可靠性:业务 Redis(DB/0)与 Celery broker/backend(DB/1)显式拆分;连接池、sync client
可观测性(OpenTelemetry + LGTM)
This commit is contained in:
Sully
2026-05-22 13:44:50 +08:00
committed by GitHub
parent f09ae248f9
commit 53e0065e3e
298 changed files with 15247 additions and 4344 deletions

View File

@@ -0,0 +1,41 @@
---
title: Use ACLs for Fine-Grained Access Control
impact: HIGH
impactDescription: Limits blast radius if credentials are compromised
tags: security, acl, users, permissions, least-privilege
description: Use ACLs for Fine-Grained Access Control
alwaysApply: true
---
## Use ACLs for Fine-Grained Access Control
Create users with only the permissions they need (principle of least privilege).
**Correct:** Create specific users with limited permissions.
```
# Read-only user for cache access
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan
# Writer that can't run dangerous commands
ACL SETUSER app_writer on >password ~* +@all -@dangerous
# Admin user (use sparingly)
ACL SETUSER admin on >strong-password ~* +@all
```
**Incorrect:** Using the default user for everything.
```
# Bad: Single password for all access
requirepass shared-password
```
**ACL categories:**
- `@read` - Read commands
- `@write` - Write commands
- `@dangerous` - Commands like FLUSHALL, DEBUG
- `@admin` - Administrative commands
Reference: [Redis ACL](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/)