oliver006 / redis_exporter

Prometheus Exporter for ValKey & Redis Metrics. Supports ValKey and Redis 2.x, 3.x, 4.x, 5.x, 6.x, and 7.x
https://github.com/oliver006/redis_exporter
MIT License
3.04k stars 860 forks

with redis auth and --is-cluster "NOPERM this user has no permissions to run the 'cluster' command or its subcommand" #785

Closed gzivdo closed 2 months ago

gzivdo commented 1 year ago

acl user rights: +client +ping +info +config|get +cluster|info +slowlog +latency +memory +select +get +scan +xinfo +type +pfcount +strlen +llen +scard +zcard +hlen +xlen +eval allkeys

I am able to run cluster info from redis-cli authorized with that user.

In the log I see:

redis_exporter[11745]: time="2023-04-12T13:26:41+03:00" level=error msg="Cluster refresh failed: redisc: all nodes failed\nNOPERM this user has no permissions to run the 'cluster' command or its subcommand"

If I do "acl setuser +cluster", the message disappears; if I again do "acl setuser -cluster +cluster|info", the message appears again. Without the --is-cluster flag there is no such message in the log.

gzivdo commented 1 year ago

ACL LOG doesn't contain anything about this. Also, I see in the code that if "CLUSTER", "INFO" fails, there will be a different log message.

oliver006 commented 1 year ago

Ah, interesting. How do you run the exporter? What's the full cmd line? (strip passwords or other sensitive information)

gzivdo commented 1 year ago

/etc/default/redis_exporter:
REDIS_EXPORTER_OPTS="--is-cluster --check-streams=somestream1,...

systemd service with
Environment=REDIS_USER=redis-exporter
Environment=REDIS_PASSWORD=somepw
EnvironmentFile=-/etc/default/redis_exporter
ExecStart=/usr/bin/redis_exporter $REDIS_EXPORTER_OPTS

oliver006 commented 1 year ago

And the rights are correctly set for the user "redis-exporter"? (Not obvious from your original post as I don't think that includes the user name)

gzivdo commented 1 year ago

11:18:51.323388 IP 127.0.0.1.43904 > 127.0.0.1.6379: Flags [P.], seq 1:58, ack 1, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 57: RESP "AUTH" "redis-exporter" "somepass"
11:18:51.323397 IP 127.0.0.1.6379 > 127.0.0.1.43904: Flags [.], ack 58, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 0
11:18:51.323427 IP 127.0.0.1.6379 > 127.0.0.1.43904: Flags [P.], seq 1:6, ack 58, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 5: RESP "OK"
11:18:51.323432 IP 127.0.0.1.43904 > 127.0.0.1.6379: Flags [.], ack 6, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 0
11:18:51.323461 IP 127.0.0.1.43904 > 127.0.0.1.6379: Flags [P.], seq 58:86, ack 6, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 28: RESP "CLUSTER" "SLOTS"
11:18:51.323495 IP 127.0.0.1.6379 > 127.0.0.1.43904: Flags [P.], seq 6:91, ack 86, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 85: RESP "NOPERM this user has no permissions to run the 'cluster' command or its subcommand"

Somehow it is doing cluster slots, but in the code I see cluster info only. I think the Go redis lib does it; we need to adjust the rights and just add +cluster|slots.
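
The mismatch found in this thread (an ACL that grants `+cluster|info` while the client also sends `CLUSTER SLOTS`) can be checked offline before deploying a least-privilege user. The following is an added example, not code from redis_exporter or from the thread; `Allowed` and `Denied` are hypothetical helpers and implement a simplified ACL model that understands only `+cmd`, `-cmd` and `+cmd|sub` rules.

```go
package main

import (
	"fmt"
	"strings"
)

// PageRules is the ACL rule string quoted in the first comment of this thread.
const PageRules = "+client +ping +info +config|get +cluster|info +slowlog +latency +memory +select +get +scan +xinfo +type +pfcount +strlen +llen +scard +zcard +hlen +xlen +eval allkeys"

// Allowed applies the rules left to right, as ACL SETUSER does, and reports
// whether "cmd sub" would pass. Simplified model (assumption): categories,
// key patterns and -cmd|sub rules are ignored.
func Allowed(rules, cmd, sub string) bool {
	cmd, sub = strings.ToLower(cmd), strings.ToLower(sub)
	whole, one := false, false // whole command granted / this subcommand granted
	for _, r := range strings.Fields(strings.ToLower(rules)) {
		if len(r) < 2 || (r[0] != '+' && r[0] != '-') {
			continue // not a command rule (e.g. "allkeys")
		}
		c, s, hasSub := strings.Cut(r[1:], "|")
		if c != cmd {
			continue
		}
		switch {
		case r[0] == '+' && !hasSub:
			whole = true
		case r[0] == '+' && s == sub:
			one = true
		case r[0] == '-' && !hasSub: // -cmd also drops earlier subcommand grants
			whole, one = false, false
		}
	}
	return whole || one
}

// Denied returns the (command, subcommand) calls that the rules would reject.
func Denied(rules string, calls [][2]string) (out []string) {
	for _, c := range calls {
		if !Allowed(rules, c[0], c[1]) {
			out = append(out, strings.TrimSpace(c[0]+" "+c[1]))
		}
	}
	return out
}

func main() {
	// Calls seen in the thread: CLUSTER INFO (exporter) and CLUSTER SLOTS (capture).
	calls := [][2]string{{"CLUSTER", "INFO"}, {"CLUSTER", "SLOTS"}}
	fmt.Println(Denied(PageRules, calls))
}
```

Feeding it the commands observed in a packet capture or in `MONITOR` output gives the list of subcommand grants still missing from the user.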