feat: ACL with username #796
base: master
Conversation
@wkd-woo Can you rebase the branch and resolve the conflict?
3a524c9 to 262c73d
@shubham-cmyk I did :)
Signed-off-by: wkd-woo <wkdwoos@gmail.com>
262c73d to d6c2f46
Image              string                       `json:"image"`
ImagePullPolicy    corev1.PullPolicy            `json:"imagePullPolicy,omitempty"`
Resources          *corev1.ResourceRequirements `json:"resources,omitempty"`
ExistingAuthSecret *ExistingAuthSecret          `json:"redisSecret,omitempty"`
Changing the field name would produce a breaking change here.
We are good with adding a field, but don't rename any field.
So... do you think this part needs to be modified? @shubham-cmyk
Codecov Report
Attention: Patch coverage is
Coverage Diff (master vs. #796):
                 master     #796      +/-
  Coverage       35.20%   35.16%   -0.04%
  Files              19       19
  Lines            3213     2724     -489
  Hits             1131      958     -173
  Misses           2015     1697     -318
  Partials           67       69       +2
Signed-off-by: Shubham Gupta <iamshubhamgupta2001@gmail.com>
@shubham-cmyk The rationale for my PR is that the operator should reconcile through a separate user with master-auth, not the 'default user' in the redis-server. There are also environments where governance is established to prevent the default user from having masterauth.
For example, our organization has a default user policy as above.
Description
When you apply ACLs from Redis 6.0 and later, you can not only set a password on the redis-server itself, but also fine-tune access permissions per user.
However, there is currently no setting for an ACL user in redis-operator (v0.15+).
If you grant limited privileges to the default user and set up an ACL user with master-auth, the operator will fail to reconcile with NOAUTH.
User permissions have been added to resolve this issue.
Fixes #688, #749
Additional Context
In actual production environments, depending on the workload, there are times when all rights are not granted to the default user.
For example, I work as a red engineer at a cloud service provider company in Korea, and we restrict the application development team from commands that can change engine-level tuning or topology other than DML (e.g., cluster add-node). To that end, ACLs are used to separate accounts with master-auth, and the development team provides a redis operating environment so that it can be accessed with a default account.
However, the redis-operator currently only provides the function of locking the server itself with 'requirepass' for the redis-server by setting only a password.
In the actual production operation environment, accounts with master-auth may be provided separately, as in my case. (In fact, at the cloud service provider company where I work, this separation of authority is also a security requirement guide for us as a CSP operator.)
However, in the current form of the operator there is no function for the ACL user, so only the default user accesses the redis-server, and reconciling fails due to the AUTH problem.
I am currently introducing this project into our operating environment, and I had to add the 'ACLuser' function to do so.
I hope the additional features I developed contribute to this project, and I am making a pull request so that the redis-operator deployed in my operating environment can constantly follow the master branch.
One problem is that 'v1beta3' and a new CRD were not defined separately; instead, 'v1beta1' and 'v1beta2' were modified.
I thought about declaring 'v1beta3' separately, but I made that choice because I felt burdened by rewriting the entire API specification. I will follow the opinion of the maintainers on this project.
TEST
Before failover: can access with the ACL user and password.
After failover: failover by Sentinel (which, of course, knows master-auth and master-pass) and reconciled successfully.
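The description contrasts two ways a client can authenticate to Redis: the legacy single-argument AUTH, which Redis maps onto the "default" ACL user, and the Redis 6 two-argument AUTH that lets a client (here, the operator) authenticate as a dedicated ACL user. The following is an added, standard-library-only Go example, not code from this PR or from redis-operator: it encodes both AUTH forms in RESP and classifies the server's first reply line so that a reconcile loop can tell "no usable credentials were sent" (NOAUTH, WRONGPASS) apart from "authenticated, but the ACL denies this command" (NOPERM), which is the failure a restricted default user produces. The function names, the credentials and the sample reply lines are constructed for the example; the reply texts are modelled on Redis 6 error messages.

```go
package main

import (
	"fmt"
	"strings"
)

// authCommand encodes a Redis AUTH command in RESP (the Redis wire protocol).
// An empty username yields the legacy form "AUTH <password>", which Redis
// treats as authenticating the "default" ACL user; a non-empty username
// yields the Redis 6 form "AUTH <username> <password>" for a dedicated ACL user.
func authCommand(username, password string) []byte {
	args := []string{"AUTH"}
	if username != "" {
		args = append(args, username)
	}
	args = append(args, password)

	var b strings.Builder
	fmt.Fprintf(&b, "*%d\r\n", len(args)) // RESP array header: number of bulk strings
	for _, a := range args {
		fmt.Fprintf(&b, "$%d\r\n%s\r\n", len(a), a) // each argument as a bulk string
	}
	return []byte(b.String())
}

// AuthOutcome is what a reply tells the caller about its credentials.
type AuthOutcome int

const (
	OutcomeOK        AuthOutcome = iota
	OutcomeNoAuth                // -NOAUTH: the connection never authenticated
	OutcomeWrongPass             // -WRONGPASS: bad user/password pair, or user disabled
	OutcomeNoPerm                // -NOPERM: authenticated, but the ACL forbids the command
	OutcomeOther                 // anything else (normal data replies, other errors)
)

// classifyReply inspects the first line of a RESP reply. Error replies start
// with '-' followed by an upper-case error code; "+OK" is the simple-string
// success reply that AUTH returns.
func classifyReply(line string) AuthOutcome {
	line = strings.TrimRight(line, "\r\n")
	switch {
	case strings.HasPrefix(line, "+OK"):
		return OutcomeOK
	case strings.HasPrefix(line, "-NOAUTH"):
		return OutcomeNoAuth
	case strings.HasPrefix(line, "-WRONGPASS"):
		return OutcomeWrongPass
	case strings.HasPrefix(line, "-NOPERM"):
		return OutcomeNoPerm
	default:
		return OutcomeOther
	}
}

func main() {
	// Constructed credentials: "operator" is a hypothetical dedicated ACL user.
	fmt.Printf("%q\n", authCommand("", "s3cret"))         // default user
	fmt.Printf("%q\n", authCommand("operator", "s3cret")) // dedicated ACL user

	// Constructed reply lines, modelled on Redis 6 error messages.
	for _, r := range []string{
		"+OK\r\n",
		"-NOAUTH Authentication required.\r\n",
		"-WRONGPASS invalid username-password pair or user is disabled.\r\n",
		"-NOPERM this user has no permissions to run the 'cluster' command or its subcommand\r\n",
	} {
		fmt.Printf("%-85q -> %d\n", r, classifyReply(r))
	}
}
```

The distinction matters for the reconcile loop: NOAUTH and WRONGPASS mean the operator needs a different (or a username-qualified) credential, while NOPERM means the credential worked but the user it maps to, such as a governance-restricted default user, is not allowed to run the command.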