| title | impact | impactDescription | tags | description | alwaysApply |
|---|---|---|---|---|---|
| Use ACLs for Fine-Grained Access Control | HIGH | Limits blast radius if credentials are compromised | security, acl, users, permissions, least-privilege | Use ACLs for Fine-Grained Access Control | true |
# Use ACLs for Fine-Grained Access Control
Create users with only the permissions they need (principle of least privilege).
Correct: Create specific users with limited permissions.

```
# Read-only user for cache access
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan

# Writer that can't run dangerous commands
ACL SETUSER app_writer on >password ~* +@all -@dangerous

# Admin user (use sparingly)
ACL SETUSER admin on >strong-password ~* +@all
```
Incorrect: Using the default user for everything.

```
# Bad: Single password for all access
requirepass shared-password
```
ACL categories:

- `@read` - Read commands
- `@write` - Write commands
- `@dangerous` - Commands like FLUSHALL, DEBUG
- `@admin` - Administrative commands
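To see what the three rules above actually permit, here is an added offline evaluator (example code written for this page, not part of the rule file or of Redis) that applies the rule selectors left to right the way the server does. It models only the selectors the rules use (`~pattern`, `+@cat`, `-@cat`, `+cmd`, `-cmd`), and its category map is a constructed subset of Redis' real categories.

```python
"""Tiny model of Redis ACL rule evaluation for the rules shown on this page."""
import fnmatch
from typing import Optional

# Constructed subset of Redis command categories; the real server has far more.
CATEGORIES = {
    "read":      {"get", "mget", "scan"},
    "write":     {"set", "del", "flushall"},
    "dangerous": {"flushall", "debug", "config", "keys"},
    "admin":     {"config", "debug"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())


def parse_rule(rule: str):
    """Parse 'ACL SETUSER <user> <selectors...>' into (user, key_globs, allowed_cmds).

    Selectors are applied in order, so '+@all -@dangerous' ends up as everything
    except the dangerous set, exactly as the app_writer rule intends.
    """
    parts = rule.split()
    assert parts[:2] == ["ACL", "SETUSER"], "expected an ACL SETUSER line"
    user, selectors = parts[2], parts[3:]
    key_globs, allowed = [], set()
    for sel in selectors:
        if sel.startswith("~"):                       # key pattern the user may touch
            key_globs.append(sel[1:])
        elif sel.startswith("+@"):                    # grant a whole category
            allowed |= ALL_COMMANDS if sel == "+@all" else CATEGORIES[sel[2:]]
        elif sel.startswith("-@"):                    # revoke a whole category
            allowed -= ALL_COMMANDS if sel == "-@all" else CATEGORIES[sel[2:]]
        elif sel.startswith("+"):                     # grant one command
            allowed.add(sel[1:].lower())
        elif sel.startswith("-"):                     # revoke one command
            allowed.discard(sel[1:].lower())
        # 'on' and '>password' set state/credentials, not permissions; ignored here
    return user, key_globs, allowed


def is_allowed(rule: str, command: str, key: Optional[str] = None) -> bool:
    """True if the user defined by `rule` may run `command` against `key`."""
    _, key_globs, allowed = parse_rule(rule)
    if command.lower() not in allowed:
        return False
    if key is None:          # keyless commands (FLUSHALL, DEBUG) need only the command grant
        return True
    return any(fnmatch.fnmatchcase(key, g) for g in key_globs)
```

Checking `is_allowed(writer_rule, "FLUSHALL")` returns False while `is_allowed(admin_rule, "FLUSHALL")` returns True makes the blast-radius argument concrete: a leaked `app_writer` password cannot wipe the keyspace.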
Reference: Redis ACL