Redis username support for icingadb feature #9536
Got mine to work with the following. Still testing: add "user:" to redis in config.yml
index 38571e3..a3e4a31 100644
--- a/pkg/config/redis.go
+++ b/pkg/config/redis.go
@@ -22,6 +22,7 @@ type Redis struct {
Host string `yaml:"host"`
Port int `yaml:"port" default:"6380"`
Password string `yaml:"password"`
+ Username string `yaml:"user"`
TlsOptions TLS `yaml:",inline"`
Options icingaredis.Options `yaml:"options"`
}
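Review bot: The new field's YAML key is `user` while the Go field is `Username` and the neighbouring key is `password`, so the config key and the field name disagree. I'd suggest `yaml:"username"` so the key matches the field and the `redis.Options` member it feeds, or at least documenting the key next to `password`. A short comment on the field saying what an empty value means would also help, since nothing in this struct states it.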
@@ -47,6 +48,7 @@ func (r *Redis) NewClient(logger *logging.Logger) (*icingaredis.Client, error) {
options := &redis.Options{
Dialer: dialWithLogging(dialer, logger),
+ Username: r.Username,
Password: r.Password,
DB: 0, // Use default DB,
ReadTimeout: r.Options.Timeout, |
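Review bot: `Username: r.Username` is passed through with no validation in `NewClient`, so a config that sets `user` but leaves `password` empty reaches the client unchecked. Consider rejecting that combination when the config is loaded, with an error that names both keys, and adding a test that covers username only, password only and both set.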
oxzi added a commit that referenced this issue on Jul 30, 2024
The Redis ACL system was introduced with Redis 6.0. It introduced users with precisely granular permissions. This change allows Icinga 2 to use the Icinga DB feature against a Redis with an ACL user. This was reflected in the documentation, next to the already implemented, but undocumented Redis database. Closes #9536.
Thanks for your request and your prototype in Icinga DB. I have implemented this change in Icinga/icinga-go-library#52 and #10102.
oxzi added further commits with the same commit message that referenced this issue on Jul 31, 2024, Sep 19, 2024, Sep 23, 2024 and Oct 4, 2024.
Is your feature request related to a problem? Please describe.
The icingadb feature allows password to be specified for Redis.
However, Redis since version 6 actually uses username/password/ACL sets and (as stated here https://raw.githubusercontent.com/redis/redis/7.0/redis.conf ) the deprecated "requirepass" is actually a compatibility layer which sets the password for the "default" user.
Which means from Icinga2 icingadb feature I can only connect to Redis using the "default" user.
icingadb-redis package is providing Redis 7 so it fully supports multiple users.
Describe the solution you'd like
I'd like to be able to specify a username in the icingadb feature configuration for Redis.
Describe alternatives you've considered
The alternative is to use only one user, the one called "default", with a password set by the deprecated "requirepass" configuration in Redis.
Additional context
Security-wise, it would be good practice to set up in Redis a dedicated user for Icinga2 icingadb feature with write access, and a separate user for icingadb-web with only read access (which can also be used by icingadb for instance).
It is very possible I do not fully understand things about Icinga very well, so please correct me if I'm wrong.
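The two AUTH forms the issue contrasts (password only, which Redis applies to the "default" user, and username plus password for an ACL user), shown as an added Go example that is not part of the issue or of Icinga's code. The `RedisAuth` type, the sample credentials and the rule that rejects a username without a password are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RedisAuth is a hypothetical type for this example, not Icinga's config struct.
type RedisAuth struct{ Username, Password string }

// EffectiveUser names the ACL user Redis 6+ authenticates for these credentials.
func (a RedisAuth) EffectiveUser() string {
	if a.Username == "" {
		return "default" // a bare password always belongs to the built-in user
	}
	return a.Username
}

// AuthCommand validates the pair and returns the RESP-encoded AUTH command (nil if none).
func (a RedisAuth) AuthCommand() ([]byte, error) {
	switch {
	case a.Username == "" && a.Password == "":
		return nil, nil // no credentials configured, nothing to send
	case a.Password == "":
		// Policy choice of this example: refuse a username that has no password.
		return nil, errors.New("redis: username set without password")
	case a.Username == "":
		return resp("AUTH", a.Password), nil // legacy form, implies "default"
	default:
		return resp("AUTH", a.Username, a.Password), nil // ACL form, Redis >= 6.0
	}
}

// resp encodes a command as a RESP array of bulk strings.
func resp(args ...string) []byte {
	var b strings.Builder
	fmt.Fprintf(&b, "*%d\r\n", len(args))
	for _, s := range args {
		fmt.Fprintf(&b, "$%d\r\n%s\r\n", len(s), s)
	}
	return []byte(b.String())
}

func main() {
	// Constructed sample credentials.
	cmd, err := RedisAuth{Username: "icinga2", Password: "example-secret"}.AuthCommand()
	fmt.Printf("%q %v\n", cmd, err)
}
```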