redis.conf文件解析之SECURITY安全配置

目录

SECURITY安全配置

总结： 

1.Redis ACL用户的定义格式如下：

2.描述用户可以做什么的ACL规则如下：

3.ACL规则可以按任何顺序指定

4.ACL日志

5.使用外部ACL文件

6.常用命令

扩展：

key

string

hash

set

zset

---

SECURITY安全配置

#############################SECURITY#################################

# Warning: since Redis is pretty fast an outside user can try up to

# 1 million passwords per second against a modern box. This means that you

# should use very strong passwords, otherwise they will be very easy to break.

# Note that because the password is really a shared secret between the client

# and the server, and should not be memorized by any human, the password

# can be easily a long string from /dev/urandom or whatever, so by using a

# long and unguessable password no brute force attack will be possible.

#警告：由于Redis速度非常快，外部用户每秒可以在一个现代化的盒子上尝试多达100万个密码。这意味着你应该使用非常强的密码，否则它们很容易被破解。
请注意，由于密码实际上是客户机和服务器之间的共享秘密，任何人都不应该记住，因此密码可以很容易地从/dev/uradom或其他任何地方变成一个长字符串，因此通过使用长且不可用的密码，就不可能进行暴力攻击。

# Redis ACL users are defined in the following format:

#Redis ACL用户的定义格式如下：

#

#   user <username> ... acl rules ...

#

# For example:

#

#   user worker +@list +@connection ~jobs:* on >ffa9203c493aa99

#

# The special username "default" is used for new connections. If this user

# has the "nopass" rule, then new connections will be immediately authenticated

# as the "default" user without the need of any password provided via the

# AUTH command. Otherwise if the "default" user is not flagged with "nopass"

# the connections will start in not authenticated state, and will require

# AUTH (or the HELLO command AUTH option) in order to be authenticated and

# start to work.

#特殊用户名“default”用于新连接。如果该用户具有“nopass”规则，则新连接将立即作为“默认”用户进行身份验证，而无需通过AUTH命令提供任何密码。否则，如果“默认”用户未标记为“nopass”，则连接将在未验证状态下启动，并需要AUTH（或HELLO命令AUTH选项）才能进行验证并开始工作。

#

# The ACL rules that describe what an user can do are the following:

#描述用户可以做什么的ACL规则如下：

#

#  on           Enable the user: it is possible to authenticate as this user. 

#on             启用用户：可以作为该用户进行身份验证。

#  off          Disable the user: it's no longer possible to authenticate

#off            禁用用户：无法再进行身份验证

#               with this user, however the already authenticated connections

#               will still work.

#然而，对于这个用户，已经通过身份验证的连接仍然可以工作。

#  +<command>   Allow the execution of that command

#+<command> 允许执行该命令

#  -<command>   Disallow the execution of that command

#-<command> 禁止执行该命令

#  +@<category> Allow the execution of all the commands in such category

#               with valid categories are like @admin, @set, @sortedset, ...

#               and so forth, see the full list in the server.c file where

#               the Redis command table is described and defined.

#               The special category @all means all the commands, but currently

#               present in the server, and that will be loaded in the future

#               via modules.

#+@<category>   允许执行此类类别中的所有命令，有效类别包括@admin、@set、@sortedset...以此类推，查看服务器中的完整列表。描述和定义Redis命令表的server.c文件。特殊类别@all表示所有命令，但当前存在于服务器中，将来将通过模块加载这些命令

#  +<command>|subcommand    Allow a specific subcommand of an otherwise

#                           disabled command. Note that this form is not

#                           allowed as negative like -DEBUG|SEGFAULT, but

#                           only additive starting with "+".

#+<command>|subcommand   允许以其他方式禁用命令的特定子命令。请注意，这种形式不允许像-DEBUG | SEGFAULT一样为负数，而只允许以“+”开头的加法。

#  allcommands  Alias for +@all. Note that it implies the ability to execute

#               all the future commands loaded via the modules system.