microsoftarchive / redis

Redis is an in-memory database that persists on disk. The data model is key-value, but many different kind of values are supported: Strings, Lists, Sets, Sorted Sets, Hashes
http://redis.io

Authentication / Authorization on windows #425

Open CJHarmath opened 8 years ago

CJHarmath commented 8 years ago

Hi,

If I needed to set up multiple instances of Redis on Windows with authentication and authorization, what are my options?

A few questions in my mind which I didn't see in the docs:

Thank you!

enricogior commented 8 years ago

Hi @csharmath, Redis has a very simplified approach to security. Redis on Windows doesn't change anything about it, so there aren't Windows-specific authentication/authorization features.

CJHarmath commented 8 years ago

I saw that Redis on Azure supports password and SSL at least. Is it using this version? Would you by any chance have some recommendation for someone to implement an auth proxy in front of Redis? i.e. only expose the auth proxy, which does its auth(z), then passes unauthenticated requests to Redis? I get that it would require a client modification as well, I was just wondering...

Thanks

CJHarmath commented 8 years ago

"Redis is designed to be accessed by trusted clients inside trusted environments" This is not going to fly everywhere. i.e. for certain scenarios you can't treat your whole intranet as trusted; also you would want to isolate your non-prod environment from prod and make sure they can't interfere. I get that that's not your choice but Redis's, but still Msft chose to discontinue AppFabric and recommends Redis on Windows with no proper authentication/authorization, it seems.... So I wonder if you would be open to working out the auth(z) part, even if that means adding an extra proxy layer as a Windows-only extension?

Thanks

enricogior commented 8 years ago

@csharmath Azure uses its own customized version of Redis.

enricogior commented 8 years ago

@csharmath currently there are no plans to add any security feature to the community edition of Redis on Windows.

CJHarmath commented 8 years ago

@enricogior do you think that custom Azure version can be also made public ? It could be useful if it solved the auth problem.

Thanks for the quick responses btw! appreciate it!

enricogior commented 8 years ago

@csharmath currently the Azure version is not publicly available; it may be made public in the future, but that is just a personal hypothesis. Also consider that it has been designed specifically for Azure, therefore there might be issues trying to run it in a different environment.

CJHarmath commented 8 years ago

@enricogior thanks for the clarification. If by any chance you can ask around and/or raise awareness of this topic, that could be interesting, I suppose, for a few enterprise folks, even if there are pointers to third-party extensions not supported by Microsoft....

Thanks again

stevozilik commented 8 years ago

+1. Lack of authentication/authorization makes it unusable for enterprise on-prem.

CJHarmath commented 8 years ago

I was thinking about this and have an idea to run by the minds of open source, if I am lucky enough that they are watching.

Do you think it could be an option to run Redis bound to localhost only? i.e. make it only visible to localhost via the loopback adapter:

TcpListener localOnlyListener = new TcpListener(IPAddress.Loopback, port);

Then we could have a Kerberized TCP Server proxy which does auth / authz and forwards requests to the unauthenticated redis on localhost.

  1. expose redis to localhost only
  2. wrap it with a Kerberized Negotiate TCP Stream service - let's say call it Redis Kerberos Proxy
  3. implement custom authorization logic in that service
  4. client connection to be also wrapped to use the Redis Kerberos proxy with NegotiateStream

Reference for NegotiateStream: https://msdn.microsoft.com/en-us/library/system.net.security.negotiatestream(v=vs.110).aspx

Please let me know if you have a better idea, or if you think this can be a good option for auth/authz for those enterprise folks who can't just run with unauthenticated services.

Thanks
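An added example, not code from the issue author or the Redis project, of the proxy sketched in the four steps above, in C# (.NET Framework on Windows, since NegotiateStream is the API named). Assumptions: Redis is started with `bind 127.0.0.1` in its config so nothing but the proxy on the same box can reach it; the proxy runs under a domain account that has an SPN registered; the SPN `HOST/redisproxy.contoso.com`, the listen port 16379 and the AD group `CONTOSO\RedisUsers` are hypothetical names; clients are domain-joined and wrap their socket in NegotiateStream exactly as the client method below does. Authorization here is a group check on the Kerberos identity; per-command policy would sit in the same place.

```csharp
// Added example (not from the original issue or the Redis project): a minimal
// Negotiate/Kerberos TCP proxy in front of a loopback-only Redis on Windows.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;
using System.Text;
using System.Threading.Tasks;

static class RedisKerberosProxy
{
    const int ListenPort = 16379;                       // hypothetical proxy port clients use
    const string RedisHost = "127.0.0.1";               // Redis itself: bind 127.0.0.1 in its conf
    const int RedisPort = 6379;
    const string AllowedGroup = @"CONTOSO\RedisUsers";  // hypothetical AD group

    static async Task Main()
    {
        var listener = new TcpListener(IPAddress.Any, ListenPort);
        listener.Start();
        while (true)
        {
            TcpClient client = await listener.AcceptTcpClientAsync();
            _ = Task.Run(() => HandleClientAsync(client));
        }
    }

    static async Task HandleClientAsync(TcpClient client)
    {
        using (client)
        using (var auth = new NegotiateStream(client.GetStream(), false))
        {
            try
            {
                // Server side of the SPNEGO handshake. EncryptAndSign makes the
                // client->proxy leg confidential and tamper-evident on the wire.
                await auth.AuthenticateAsServerAsync(
                    CredentialCache.DefaultNetworkCredentials,
                    ProtectionLevel.EncryptAndSign,
                    TokenImpersonationLevel.Identification);
            }
            catch (AuthenticationException)
            {
                return; // handshake failed: the connection never touches Redis
            }

            if (!IsAuthorized(auth))
                return;

            using (var redis = new TcpClient(RedisHost, RedisPort))
            using (NetworkStream redisStream = redis.GetStream())
            {
                // Pump bytes both ways; NegotiateStream strips its framing, so Redis
                // sees plain RESP on loopback and the client sees plain RESP back.
                Task up = auth.CopyToAsync(redisStream);
                Task down = redisStream.CopyToAsync(auth);
                await Task.WhenAny(up, down);
            }
        }
    }

    // Authorization: a signed+sealed, mutually authenticated (i.e. Kerberos, not an
    // NTLM fallback) session whose Windows identity is in the allowed group.
    static bool IsAuthorized(NegotiateStream auth)
    {
        if (!auth.IsAuthenticated || !auth.IsEncrypted || !auth.IsSigned)
            return false;
        if (!auth.IsMutuallyAuthenticated)
            return false;
        var identity = auth.RemoteIdentity as WindowsIdentity;
        if (identity == null)
            return false;
        return new WindowsPrincipal(identity).IsInRole(AllowedGroup);
    }

    // Client side (step 4 above): wrap the socket, name the proxy's SPN so Kerberos is
    // used and the server is mutually authenticated, then talk RESP as usual.
    static async Task<string> PingThroughProxyAsync(string proxyHost, string proxySpn)
    {
        using (var tcp = new TcpClient(proxyHost, ListenPort))
        using (var auth = new NegotiateStream(tcp.GetStream(), false))
        {
            await auth.AuthenticateAsClientAsync(
                CredentialCache.DefaultNetworkCredentials, proxySpn,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            byte[] ping = Encoding.ASCII.GetBytes("PING\r\n"); // inline RESP command
            await auth.WriteAsync(ping, 0, ping.Length);
            var buf = new byte[64];
            int n = await auth.ReadAsync(buf, 0, buf.Length);
            return Encoding.ASCII.GetString(buf, 0, n).TrimEnd(); // Redis replies "+PONG"
        }
    }
}
```

Two caveats worth keeping in mind with this design: anything running locally on the Redis host still reaches 127.0.0.1:6379 without going through the proxy, so the loopback bind isolates the network, not the box (Redis's own `requirepass` can be layered underneath as defense in depth); and if a client authenticates with an empty target name, Negotiate may fall back to NTLM, which is why the server refuses sessions that are not mutually authenticated instead of trusting any successful handshake.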

mountgellert commented 7 years ago

@enricogior, is there an update on this issue, a change in direction, or any news on releasing the version mentioned above?