dragonflydb / dragonfly

A modern replacement for Redis and Memcached
https://www.dragonflydb.io/
Other
26.08k stars 964 forks source link

global password rotation #2817

Closed romange closed 5 months ago

romange commented 8 months ago

We should be able to rotate global password in such way that we will allow gradual updates of the clients connecting to Dragonfly.

The flow is as follows:

  1. Allow Dragonfly to accept multiple passwords
  2. Gradually update all the clients connecting to Dragonfly
  3. Remove the old password from Dragonfly.

In addition, we should be able to persist the passwords change to provide consistency during restarts.

One way to achieve is to update "default" user via ACLS.

ACL SETUSER format should support multiple passwords (see https://valkey.io/commands/acl-setuser/). However our implementation does not support this today (https://www.dragonflydb.io/docs/command-reference/acl/setuser)

Once we fix this, we also should support it in the ACL "SAVE/LOAD" flows. Finally, to make sure that if acl-file argument is set to some path but the file is missing, Dragonfly should still start (with warning).

kostasrim commented 8 months ago

I think this is something that was mentioned in that past by @ashotland

romange commented 8 months ago

Yes, it was something we discussed today. I think extending our ACL implementation to Valkey spec will solve the issue.

romange commented 5 months ago

@adiholden could be nice if we can implement it in July.

@ashotland FYI.

kostasrim commented 5 months ago

@romange I can take care of this on the side :)

romange commented 5 months ago

Thanks!

kostasrim commented 5 months ago

@romange once my PR is merged it should work fine.

P.s. We already issue a warning when we fail to load an aclfile. Remember, it's always a two-step dance when you do it dynamically (that is config set aclfile) followed by acl load.

Persistence of multiple passwords should also work via ACL SAVE :)