refactor(api): TOML 配置 SSOT、统一错误契约、Auth/事务加固与可观测性 (#33)
配置 SSOT(TOML + .env) 统一错误契约 Auth 与事务边界 Redis / Celery 可靠性:业务 Redis(DB/0)与 Celery broker/backend(DB/1)显式拆分;连接池、sync client 可观测性(OpenTelemetry + LGTM)
This commit is contained in:
41
api/.agents/skills/redis-development/rules/security-acls.md
Normal file
41
api/.agents/skills/redis-development/rules/security-acls.md
Normal file
@@ -0,0 +1,41 @@
|
||||
---
|
||||
title: Use ACLs for Fine-Grained Access Control
|
||||
impact: HIGH
|
||||
impactDescription: Limits blast radius if credentials are compromised
|
||||
tags: security, acl, users, permissions, least-privilege
|
||||
description: Use ACLs for Fine-Grained Access Control
|
||||
alwaysApply: true
|
||||
---
|
||||
|
||||
## Use ACLs for Fine-Grained Access Control
|
||||
|
||||
Create users with only the permissions they need (principle of least privilege).
|
||||
|
||||
**Correct:** Create specific users with limited permissions.
|
||||
|
||||
```
|
||||
# Read-only user for cache access
|
||||
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan
|
||||
|
||||
# Writer that can't run dangerous commands
|
||||
ACL SETUSER app_writer on >password ~* +@all -@dangerous
|
||||
|
||||
# Admin user (use sparingly)
|
||||
ACL SETUSER admin on >strong-password ~* +@all
|
||||
```
|
||||
|
||||
**Incorrect:** Using the default user for everything.
|
||||
|
||||
```
|
||||
# Bad: Single password for all access
|
||||
requirepass shared-password
|
||||
```
|
||||
|
||||
**ACL categories:**
|
||||
- `@read` - Read commands
|
||||
- `@write` - Write commands
|
||||
- `@dangerous` - Commands like FLUSHALL, DEBUG
|
||||
- `@admin` - Administrative commands
|
||||
|
||||
Reference: [Redis ACL](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/)
|
||||
|
||||
Reference in New Issue
Block a user