Windows Users Rejoice! There’s a Native Redis With ACL and TLS Support Ready for Use Now | by Fernando Doglio | Apr, 2022


The release of Memurai’s version 3.0 with full compatibility with Redis 6.0 marks a major breakthrough for Windows users looking to get the new security features included in the latter. Being a native Windows application, Memurai will provide these features out of the box without you having to work around limitations or incompatibility problems.

The two major updates are the incorporation of user management through ACLs and the added support for TLS 1.2.

Let’s analyze them to understand their actual reach.

Until this version of both Memurai and Redis, there was no native way to secure the connection between your database server and the multiple clients interacting with it.

The TLS protocol allows for the creation of a secured connection between client and server. Traffic on the encrypted connection can't be read by someone sniffing it from outside, which makes it the ideal solution for applications with high-security requirements.

Such applications include platforms like banking solutions where information like credit card numbers, bank account information, and other details can’t be leaked in any way. Or even healthcare, where patient information needs to be kept secret to comply with regulations.

Up until now, using Redis for solutions within these (and similar) industries would be quite difficult, because adding it into their architectures would add a potential security hole.

Granted, the development team could put in place workarounds to ensure the security of the data, but the extra effort would not always be worth it.
Now, this extra layer of security makes it possible to talk again about Redis in these situations, bringing state-of-the-art technology to otherwise stale and outdated industries (consider how these industries need to think more about safety than tech most of the time).

Keeping up with the security theme, the addition of Access Control Lists (or ACLs) is another huge step towards providing an even more secure production environment in which to store your data.

Up until now, the only security mechanism provided by Redis was a password you’d have to provide during the initial connection.

That of course implied that every client had the same authentication credentials with your server, and there was no real way to provide different access levels individually.

That is no longer the case: ACLs allow you to decide not only who gets access to your data but also what kind of access they get.

Having read-only users, for instance, is something that you can easily do now with a single command:

The ACL SETUSER command will create (or update) a user with the given password and all privileges removed. Then Redis will start reading the list of permissions and only enable those that start with +. So, in the above example, the user “fernando” is created with the password “p4ssw0rd”, and it’s enabled thanks to the on in there.

Furthermore, the line is giving the new user only permissions to the GET command for all keys.

This user will never be able to write anything on the database.

This is a normal scenario with other database managers: using a read-only user is a good practice to reduce the security risk if the credentials were to be hacked.

Of course, you won’t need to perform this configuration manually. Redis can be configured to load the ACL directly from a file using the aclfile configuration option. Then simply using the ACL LOAD command will take care of the rest.

Limiting the access by type of command

Additionally, Redis also allows us to specify the category of the commands we want to enable for a user. That way, instead of specifying them one by one, you can select the right category and auto-assign access to multiple commands in a single line.

The command ACL CAT will list all those categories, but some worth noting are:

  • pubsub. These are all commands associated with Redis’ message bus capabilities. If you’re, for example, using Redis to interconnect microservices or as a Chat message bus, you might want to enable this category alone for one particular set of users.
  • fast. These are all O(1) commands, those that can either save data in a single operation or read data as fast, but not those that require iterating over multiple keys to fulfill their task. This is especially interesting if you’re looking to restrict the performance effects some users can have on your storage layer. Through this category, you only give them the ability to use the most performant
  • dangerous. This category contains commands that can cause some damage to your storage if the user isn’t careful. I’m talking about the likes of FLUSHALL, MIGRATE and CONFIG to name but a few. This is a great category to enable on admin or support users — but to leave disabled on regular users. Of course, you also have the `admin` category for that as well.
  • read/write. These categories include commands related to writing and reading from keys. If you’re using Redis for a use case like Session Storage or Caching, then having users with access to only these categories might be a good idea.

To use one of these categories, simply prepend the name with an @ like so:

This command would create a new admin user with access to all the “interesting” commands they might need.

And there are other categories as well; you should really check out the full list of categories to understand how they are classified.

They are a real time-saver when it comes to assigning multiple permissions to a single user.
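As an added example (not code from the original article or from Memurai), this Python sketch audits ACL rule lines, in the form printed by ACL LIST, stored in the aclfile or passed to ACL SETUSER, and reports enabled accounts that hold the broad grants discussed above. The sample lines are constructed: the first is a command reconstructed from the article's description of the read-only user, the user names `ops` and `bus` are hypothetical, and the hash is a placeholder.

```python
RISKY_CATEGORIES = {"@dangerous", "@admin"}          # kept for admin/support users in the article
RISKY_COMMANDS = {"flushall", "migrate", "config"}   # @dangerous commands the article names

def audit(line):
    """Audit `user <name> <rules>` or `ACL SETUSER <name> <rules>`; return (name, findings)."""
    tok = line.split()
    if len(tok) >= 2 and tok[0] == "user":
        name, rules = tok[1], tok[2:]
    elif len(tok) >= 3 and [t.upper() for t in tok[:2]] == ["ACL", "SETUSER"]:
        name, rules = tok[2], tok[3:]
    else:
        raise ValueError(f"not an ACL rule line: {line!r}")
    enabled = nopass = all_cmds = False    # a new user starts disabled with nothing granted
    granted, removed = set(), set()        # "@category" and command names
    for rule in rules:                     # rules are applied left to right
        low = rule.lower()
        if low in ("on", "off"):
            enabled = low == "on"
        elif low == "nopass":
            nopass = True
        elif low == "resetpass" or rule[0] in ">#":
            nopass = False                 # setting a password clears nopass
        elif low in ("+@all", "allcommands", "-@all", "nocommands"):
            all_cmds = low in ("+@all", "allcommands")
            granted, removed = set(), set()
        elif low[0] == "+":
            granted.add(low[1:])
            removed.discard(low[1:])
        elif low[0] == "-":
            removed.add(low[1:])
            granted.discard(low[1:])
            if low == "-@dangerous":       # also revokes the named commands
                granted -= RISKY_COMMANDS
    if not enabled:
        return name, []                    # a disabled user cannot authenticate
    findings = ["nopass"] * nopass + ["all-commands"] * all_cmds
    live = granted & (RISKY_CATEGORIES | RISKY_COMMANDS)
    if all_cmds:
        live |= RISKY_CATEGORIES - removed # categories still covered by +@all
    return name, findings + sorted(live)

SAMPLE = [  # constructed; line 1 restates the article's read-only user as a command
    "ACL SETUSER fernando on >p4ssw0rd ~* +get",
    "user default on nopass ~* +@all",
    "user ops on #<sha256-hex-placeholder> ~* +@all -@dangerous",
    "user bus on >s3cret ~chat:* -@all +@pubsub +config",
]

if __name__ == "__main__":
    print(*map(audit, SAMPLE), sep="\n")
```

Explicit command grants other than the three commands named in the article are not classified, so an empty findings list means only that none of these specific grants were found.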

Version 3.0 of Memurai is probably one of the biggest updates for Windows users to date. The two big features added to Memurai bring a whole new level of out-of-the-box security to the storage layer that really makes it very difficult to ignore.

Coupled with the flexibility provided by the ACL command, the possibilities are endless.

And on top of that, you have a very developer-friendly product that provides a host of powerful features for them to play with.

Memurai 3.0 enables you to build your solution and since it’s fully compatible with the Redis 6.0 API, any library on any supported programming language will be compatible.

Have you tried Memurai before? Or the ACL API? I can’t wait to try this on my next project!
