Files
life-echo/api/.agents/skills/redis-development/rules/security-acls.md
Sully 53e0065e3e refactor(api): TOML 配置 SSOT、统一错误契约、Auth/事务加固与可观测性 (#33)
配置 SSOT(TOML + .env)
统一错误契约
Auth 与事务边界
Redis / Celery 可靠性:业务 Redis(DB/0)与 Celery broker/backend(DB/1)显式拆分;连接池、sync client
可观测性(OpenTelemetry + LGTM)
2026-05-22 13:44:50 +08:00

42 lines
1.1 KiB
Markdown

---
title: Use ACLs for Fine-Grained Access Control
impact: HIGH
impactDescription: Limits blast radius if credentials are compromised
tags: security, acl, users, permissions, least-privilege
description: Use ACLs for Fine-Grained Access Control
alwaysApply: true
---
## Use ACLs for Fine-Grained Access Control
Create users with only the permissions they need (principle of least privilege).
**Correct:** Create specific users with limited permissions.
```
# Read-only user for cache access
ACL SETUSER app_readonly on >password ~cache:* +get +mget +scan
# Writer that can't run dangerous commands
ACL SETUSER app_writer on >password ~* +@all -@dangerous
# Admin user (use sparingly)
ACL SETUSER admin on >strong-password ~* +@all
```
**Incorrect:** Using the default user for everything.
```
# Bad: Single password for all access
requirepass shared-password
```
**ACL categories:**
- `@read` - Read commands
- `@write` - Write commands
- `@dangerous` - Commands like FLUSHALL, DEBUG
- `@admin` - Administrative commands
Reference: [Redis ACL](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/)