Redis: Access Control List(ACL) – [Complex Permission for Users]

This article covers all aspects of Redis ACL (Access Control List). Redis ACL lets us set fine-grained permissions for a user. Permissions for each part (keys, commands, channels, etc.) can be set separately.

NOTES

  • We know that the default user in Redis is named “default”.
  • We have discussed the password-setting process for the “default” user, in a separate article. If you don’t need a complex permission setting for the “default” user, then check the link below-

In this article, we are discussing how we can create/update/delete new users, set passwords, and set complex permission for a Redis user. Let’s check Redis ACL in detail-

NOTES

  • ACL works on Redis version 6 and later. Versions before 6 have no ACL option; only the default user can authenticate in that case.
  • A single user in Redis can have multiple passwords at the same time. All of those passwords are valid simultaneously, and the user can authenticate with any of them.
    Any number of passwords can be used. There is no limit on the length and/or number of passwords.
  • Redis uses SHA256 for hashing passwords to store them internally.

Check User Access

Let’s check all the existing users in the Redis server-

127.0.0.1:6379> acl users
1) "default"
2) "bigboxuser"

To check who is the currently authenticated user, use the “acl whoami” command-

127.0.0.1:6379> acl whoami
"default"

To check the list of all users with full permission details, use the command “acl list”-

127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user bigboxuser on #9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 ~s* -@all +get"

Here is what each part of the output means-

| Command | User Name | Status | Password | Permission to access Keys | Permission to access Channels | Permission to access Commands |
|---|---|---|---|---|---|---|
| user default on nopass ~* &* +@all | default | on => user is active | No password used | ~* => has access to all keys | &* => has access to all channels | +@all => has permission to all command categories (so has access to all commands) |
| user bigboxuser on #9f86d081… resetchannels ~s* -@all +get | bigboxuser | on => user is active | Some password is used | ~s* => can access only the keys that start with “s” | Does not have permission to access any channel, as the permission is not set for the channel part. | -@all +get => Can use only the “get” command, nothing else |

The following sections discuss the permission in detail. Keep reading, everything will be clear to you about ACL.

Permission Details

User permission and access information has the following parts-

  • User name
  • Status (active/inactive)
  • Password
  • Key permission (which keys can the user access)
  • Command permission (which commands can the user execute)
  • Channel permission (which channels can the user access)
  • Selector

Permission Parts/Sections

The most important parts of the permission are the password, key permission, command permission, and channels.

Each of these sections starts with a different symbol.

Here is how to identify which part is for which rule/permission-

| Part of the ACL | Permission/Rule part starts with the symbol |
|---|---|
| Password | > |
| Key | ~ |
| Command | + |
| Channel | & |
| Status (active/inactive) | on/off (one of these will be used to define the status) |

User Status

Here are the statuses that we can use for a user in Redis-

| Status | Description |
|---|---|
| on | User is enabled. We can now authenticate as this user. |
| off | User is disabled. Can not authenticate as this user. Already authenticated users will stay authenticated though. |

User Password

A user can have multiple passwords for authentication.

User password control-

| Password Rule | Description |
|---|---|
| >some*password | Set password for the user. Setting this password will make this “some*password” a valid password for the user. |
| <some*password | Remove password for the user. This will remove this “some*password” from the allowed passwords for the user. |
| nopass | Flush all the passwords for the user. Also, remove “nopass” status. User can be authenticated without (blank) password. |
| resetpass | Flush all the passwords for the user. Also, remove the “nopass” status. User can not be authenticated. |

Key Pattern

The permission part for keys starts with “~” symbol.

The <pattern> used here follows the Glob pattern. So we need to set these patterns following all the rules that apply to Globbing.

| Key Pattern | Description |
|---|---|
| ~<pattern> | Allow the keys that match <pattern>. Both “read” and “write” of those keys are allowed. |
| %R~<pattern> | Allow “read” of the keys that match <pattern> |
| %W~<pattern> | Allow “write” of the keys that match <pattern> |
| allkeys | Allow “read” and “write” of all keys. This is an alias of “~*” |
| resetkeys | Reset all the allowed keys for the user. |

For example: the “~*” pattern means we are allowing all the keys. Also, “allkeys” is an alias of “~*”.
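
To show how these key rules combine, here is an added Python example (not part of the original article) that models which keys a rule string allows for read and write. It uses Python's fnmatchcase as a stand-in for Redis glob matching, which is an assumption that holds for the “*”, “?” and “[a-z]” forms; the key names are constructed. Its output shows that “~product*” also covers “production:db-password”, while “~product:*” does not.

```python
from fnmatch import fnmatchcase

def parse_key_rules(rules):
    """Apply key rules left to right; return [(pattern, can_read, can_write)]."""
    grants = []
    for rule in rules.split():
        if rule == "resetkeys":
            grants = []                        # drops every pattern granted so far
        elif rule == "allkeys":
            grants.append(("*", True, True))   # alias of ~*
        elif rule.startswith("%R~"):
            grants.append((rule[3:], True, False))
        elif rule.startswith("%W~"):
            grants.append((rule[3:], False, True))
        elif rule.startswith("~"):
            grants.append((rule[1:], True, True))
    return grants

def key_allowed(rules, key, read=False, write=False):
    """True if one pattern matches the key and grants every access type asked for.

    Model assumption: a single pattern must cover all requested access types.
    """
    for pattern, can_read, can_write in parse_key_rules(rules):
        if (read and not can_read) or (write and not can_write):
            continue
        if fnmatchcase(key, pattern):
            return True
    return False

def report(rules, keys):
    """Map each key to 'rw', 'r', 'w' or '-' for the given rule string."""
    out = {}
    for key in keys:
        r = key_allowed(rules, key, read=True)
        w = key_allowed(rules, key, write=True)
        out[key] = (("r" if r else "") + ("w" if w else "")) or "-"
    return out

# Constructed key names, not taken from the article.
KEYS = ["product:1001", "production:db-password", "user:42"]

if __name__ == "__main__":
    for rules in ("~product*", "~product:*", "~product:* %R~user:*",
                  "allkeys resetkeys ~user:*"):
        print(rules, "->", report(rules, KEYS))
```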

Channel Pattern

The permission part for channels starts with “&” symbol.

The <pattern> used here follows the Glob pattern. So we need to set these patterns following all the rules that apply to Globbing.

| Channel Pattern | Description |
|---|---|
| &<pattern> | Allow the channels that match <pattern>, e.g. &* (for all channels) or &my* (for all channels that start with “my”) |
| allchannels | Allow all channels. This is an alias of “&*” |
| resetchannels | Reset/remove/flush all permission for all channels for this user. |

Command permission

Commands allow/disallow-

| Pattern/Expression | Description |
|---|---|
| +<command> | Allow execution of this command |
| -<command> | Deny execution of this command |
| +@<category> | Allow execution of all commands that belong to this category |
| -@<category> | Deny execution of all commands of this category |

To allow/deny a subcommand of a command we can use the “|” and write it like this –
+<command>|<subcommand> : to allow the subcommand
-<command>|<subcommand> : to deny/disallow the subcommand

For example, if we want to deny a user the “rewrite” subcommand of the “config” command, then we can use “-config|rewrite” for the command permission.

Command Category

Use the command below to get the list of command categories-

127.0.0.1:6379> acl cat
 1) "keyspace"
 2) "read"
 3) "write"
 4) "set"
 5) "sortedset"
 6) "list"
 7) "hash"
# .
# .
# .
# Lot more command categories are shown after this.
# We are not showing all to save space.
# The full list of commands are below.

To get the list of commands that belong to a category use the following Redis command-

# Here we are trying to get the commands that belong to "keyspace" category
127.0.0.1:6379> acl cat keyspace
 1) "expire"
 2) "rename"
 3) "migrate"
 4) "scan"
 5) "flushdb"
# .
# .
# .
# Lot more commands are shown after this.
# We are not showing all to save space.

Here is the list of command categories with descriptions and subcommands-

  • keyspace: Commands for reading and writing from keys, databases, and metadata of those elements.
    Commands: copy, dbsize, del, dump, exists, expire, expireat, expiretime, flushall, flushdb, keys, migrate, move, object|encoding, object|freq, object|help, object|idletime, object|refcount, persist, pexpire, pexpireat, pexpiretime, pttl, randomkey, rename, renamenx, restore, restore-asking, scan, swapdb, touch, ttl, type, unlink
  • read: Commands for reading value of keys.
    Commands: bitcount, bitfield_ro, bitpos, dbsize, dump, exists, expiretime, geodist, geohash, geopos, georadius_ro, georadiusbymember_ro, geosearch, get, getbit, getrange, hexists, hget, hgetall, hkeys, hlen, hmget, hrandfield, hscan, hstrlen, hvals, keys, lcs, lindex, llen, lolwut, lpos, lrange, memory|usage, mget, object|encoding, object|freq, object|idletime, object|refcount, pexpiretime, pfcount, pttl, randomkey, scan, scard, sdiff, sinter, sintercard, sismember, smembers, smismember, sort_ro, srandmember, sscan, strlen, substr, sunion, touch, ttl, type, xinfo|consumers, xinfo|groups, xinfo|stream, xlen, xpending, xrange, xread, xrevrange, zcard, zcount, zdiff, zinter, zintercard, zlexcount, zmscore, zrandmember, zrange, zrangebylex, zrangebyscore, zrank, zrevrange, zrevrangebylex, zrevrangebyscore, zrevrank, zscan, zscore, zunion
  • write: Commands for writing value to keys.
    Commands: append, bitfield, bitop, blmove, blmpop, blpop, brpop, brpoplpush, bzmpop, bzpopmax, bzpopmin, copy, decr, decrby, del, expire, expireat, flushall, flushdb, function|delete, function|flush, function|load, function|restore, geoadd, georadius, georadiusbymember, geosearchstore, getdel, getex, getset, hdel, hincrby, hincrbyfloat, hmset, hset, hsetnx, incr, incrby, incrbyfloat, linsert, lmove, lmpop, lpop, lpush, lpushx, lrem, lset, ltrim, migrate, move, mset, msetnx, persist, pexpire, pexpireat, pfadd, pfdebug, pfmerge, psetex, rename, renamenx, restore, restore-asking, rpop, rpoplpush, rpush, rpushx, sadd, sdiffstore, set, setbit, setex, setnx, setrange, sinterstore, smove, sort, spop, srem, sunionstore, swapdb, unlink, xack, xadd, xautoclaim, xclaim, xdel, xgroup|create, xgroup|createconsumer, xgroup|delconsumer, xgroup|destroy, xgroup|setid, xreadgroup, xsetid, xtrim, zadd, zdiffstore, zincrby, zinterstore, zmpop, zpopmax, zpopmin, zrangestore, zrem, zremrangebylex, zremrangebyrank, zremrangebyscore, zunionstore
  • admin: Commands to administrate a Redis server.
    Commands: acl|deluser, acl|dryrun, acl|getuser, acl|list, acl|load, acl|log, acl|save, acl|setuser, bgrewriteaof, bgsave, client|kill, client|list, client|no-evict, client|pause, client|unblock, client|unpause, cluster|addslots, cluster|addslotsrange, cluster|bumpepoch, cluster|count-failure-reports, cluster|delslots, cluster|delslotsrange, cluster|failover, cluster|flushslots, cluster|forget, cluster|meet, cluster|replicas, cluster|replicate, cluster|reset, cluster|saveconfig, cluster|set-config-epoch, cluster|setslot, config|get, config|resetstat, config|rewrite, config|set,
  • dangerous: Potentially dangerous commands.
    Commands: acl|deluser, acl|dryrun, acl|getuser, acl|list, acl|load, acl|log, acl|save, acl|setuser, bgrewriteaof, bgsave, client|kill, client|list, client|no-evict, client|pause, client|unblock, client|unpause, cluster|addslots, cluster|addslotsrange, cluster|bumpepoch, cluster|count-failure-reports, cluster|delslots, cluster|delslotsrange, cluster|failover, cluster|flushslots, cluster|forget, cluster|meet, cluster|replicas, cluster|replicate, cluster|reset, cluster|saveconfig, cluster|set-config-epoch, cluster|setslot, debug, failover, flushall, flushdb, info, keys, lastsave, latency|doctor, latency|graph, latency|histogram, latency|history, latency|latest, latency|reset, module|list, module|load, module|loadex, module|unload, migrate, psync, replicaof, replconf, restore, restore-asking, role, save, shutdown, sort, sort_ro, slowlog|get, slowlog|len, slowlog|reset, swapdb, sync
  • connection: Connection related commands.
    Commands: auth, asking, client|caching, client|getname, client|getredir, client|help, client|id, client|info, client|kill, client|list, client|no-evict, client|pause, client|reply, client|setname, client|tracking, client|trackinginfo, client|unblock, client|unpause, command, command|count, command|docs, command|getkeys, command|getkeysandflags, command|help, command|info, command|list, echo, hello, ping, quit, readonly, readwrite, reset, select, wait
  • blocking: Connection blocking commands (until released by another command).
    Commands: blpop, blmove, blmpop, brpop, brpoplpush, bzpopmax, bzpopmin, bzmpop, xread, xreadgroup
  • fast: Fast O(1) commands.
    Commands: append, asking, auth, bitfield_ro, bzpopmax, bzpopmin, dbsize, decr, decrby, discard, echo, exists, expire, expireat, expiretime, get, getbit, getdel, getex, getset, hdel, hexists, hget, hincrby, hincrbyfloat, hlen, hmget, hmset, hset, hsetnx, hstrlen, incr, incrby, incrbyfloat, incrbyfloat, lastsave, llen, lolwut, lpop, lpush, lpushx, lpushx, lpushx, lpushx, move, mget, multi, persist, pexpire, pexpireat, pexpiretime, pfadd, ping, pttl, publish, quit, readwrite, readonly, renamenx, role, rpop, rpush, rpushx, scard, select, setnx, smismember, spop, spublish, srem, sadd, scard, select, setnx, smismember, spop, spublish, srem, swapdb, touch, ttl, type, unwatch, unlink, watch, xack, xadd, xautoclaim, xclaim, xdel, xlen, xread, xreadgroup, xsetid, zadd, zcard, zcount, zlexcount, zpopmax, zpopmin, zrank, zrem, zscore, zmscore, zpopmax, zpopmin, zrank, zrem, zscore, zmscore
  • slow: All slow commands.
    Commands: acl, acl|cat, acl|deluser, acl|dryrun, acl|getuser, acl|help, acl|list, acl|load, acl|log, acl|save, acl|setuser, acl|whoami, append, asking, auth, bgrewriteaof, bgsave, bitcount, bitfield, bitop, bitpos, blmpop, blpop, brpop, brpoplpush, bzmpop, bzpopmax, bzpopmin, client, client|caching, client|getname, client|getredir, client|help, client|id, client|info, client|kill, client|list, client|no-evict, client|pause, client|reply, client|setname, client|tracking, client|trackinginfo, client|unblock, client|unpause, cluster, cluster|addslots, cluster|addslotsrange, cluster|bumpepoch, cluster|count-failure-reports, cluster|countkeysinslot, cluster|delslots, cluster|delslotsrange, cluster|destroy, cluster|flushslots, cluster|forget, cluster|getkeysinslot, cluster|help, cluster|keyslot, cluster|links, cluster|meet, cluster|myid, cluster|nodes, cluster|replicate, cluster|replicas, cluster|reset, cluster|saveconfig, cluster|set-config-epoch, cluster|setslot, cluster|shards, cluster|slots, cluster|slaveof, command, command|count, command|docs, command|getkeys, command|getkeysandflags, command|help, command|info, command|list, config, config|get, config|help, config|resetstat, config|rewrite, config|set, copy, dbsize, debug, decr, decrby, del, discard, dump, echo, eval, eval_ro, evalsha, evalsha_ro, exists, expire, expireat, expiretime, flushall, flushdb, function, function|delete, function|dump, function|flush, function|help, function|kill, function|list, function|load, function|restore, geodist, geoadd, geohash, geointersectstore, georadius, georadiusbymember, georadiusbymember_ro, geosearch, geosearchstore, get, getbit, getdel, getex, getrange, getset, hdel, hexists, hget, hgetall, hincrby, hincrbyfloat, hkeys, hlen, hmget, hmset, hscan, hset, hsetnx, hstrlen, hvals, incr, incrby, incrbyfloat, info, keys, lcs, lindex, linsert, lmove, lmpop, lpop, lpos, lpush, lpushx, lrange, lrem, lset, ltrim, lolwut, mget, migrate, module, module|help, module|list, module|load, module|loadex, module|unload, mset, msetnx, multi, object, object|encoding, object|freq, object|help, object|idletime, object|refcount, persist, pfadd, pfcount, pfdebug, pfmerge, psetex, psync, pubsub, pubsub|channels, pubsub|help, pubsub|numsub, pubsub|numpat, pubsub|shardchannels, pubsub|shardnumsub, punsubscribe, randomkey, readwrite, readonly, rename, replicaof, replconf, restore, restore-asking, role, rpop, rpoplpush, rpush, rpushx, sadd, save, scan, script, script|debug, script|exists, script|flush, script|help, script|kill, script|load, sdiff, sdiffstore, select, set, setbit, setex, setnx, setrange, shutdown, sinter, sintercard, sinterstore, sismember, slowlog, slowlog|get, slowlog|len, slowlog|reset, sort, sort_ro, sscan, strlen, subscribe, sunsubscribe, swapdb, sync, time, touch, ttl, type, unsubscribe, unwatch, wait, watch, xack, xadd, xautoclaim, xclaim, xdel, xgroup, xgroup|create, xgroup|createconsumer, xgroup|delconsumer, xgroup|destroy, xgroup|help, xgroup|setid, xinfo, xinfo|consumers, xinfo|groups, xinfo|help, xinfo|stream, xlen, xpending, xrange, xread, xreadgroup, xsetid, xtrim, zadd, zcard, zcount, zdiff, zdiffstore, zinter, zintercard, zinterstore, zlexcount, zpopmax, zpopmin, zrandmember, zrange, zrangebylex, zrangebyscore, zrangestore, zrank, zrem, zremrangebylex, zremrangebyrank, zremrangebyscore, zrevrange, zrevrangebylex, zrevrangebyscore, zrevrank, zscore, zunion, zunionstore, zdiff, zdiffstore, zinter, zinterstore, zunion, zunionstore, zpopmax, zpopmin, zpopmax, zpopmin, zpopmax, zpopmin
  • pubsub: Publish/Subscribe related commands.
    Commands: psubscribe, publish, pubsub|channels, pubsub|numsub, pubsub|numpat, pubsub|shardnumsub, pubsub|shardchannels, spublish, ssubscribe, sunsubscribe, subscribe, unsubscribe
  • transaction: Transaction related commands – WATCH / MULTI / EXEC.
    Commands: discard, exec, multi, unwatch, watch
  • scripting: Scripting related commands.
    Commands: eval, eval_ro, evalsha, evalsha_ro, fcall, fcall_ro, function|delete, function|dump, function|flush, function|help, function|kill, function|list, function|load, function|restore, function|stats, function|flush, function|kill, function|load, function|list, function|restore, function|delete, function|dump, function|help, function|stats, script|debug, script|exists, script|flush, script|help, script|kill, script|load
  • set: Set data type related commands.
    Commands: scard, sdiff, sdiffstore, sinter, sintercard, sinterstore, sismember, smembers, smismember, smove, spop, srandmember, srem, sunion, sunionstore, sscan, sort, sort_ro, suNionstore
  • sortedset: Sortedset data type related commands (zsets).
    Commands: bzmpop, bzpopmax, bzpopmin, sort, sort_ro, zadd, zcard, zcount, zdiff, zdiffstore, zincrby, zinter, zintercard, zinterstore, zlexcount, zpopmax, zpopmin, zrange, zrangebylex, zrangebyscore, zrangestore, zrank, zrem, zremrangebyrank, zremrangebylex, zremrangebyscore, zrevrange, zrevrangebylex, zrevrangebyscore, zrevrank, zscan, zscore, zunion, zunionstore, zmpop
  • list: List data type related commands.
    Commands: blmpop, blpop, brpop, brpoplpush, lindex, linsert, llen, lmove, lmpop, lpop, lpos, lpush, lpushx, lrange, lrem, lset, ltrim, rpop, rpoplpush, rpush, rpushx, sort, sort_ro
  • hash: Hash data type related commands.
    Commands: hdel, hexists, hget, hgetall, hincrby, hincrbyfloat, hkeys, hlen, hmget, hmset, hrandfield, hscan, hset, hsetnx, hstrlen, hvals
  • string: Strings data type related commands.
    Commands: append, decr, decrby, get, getdel, getrange, getex, getset, incr, incrby, incrbyfloat, lcs, mget, mset, msetnx, psetex, set, setex, setnx, setrange, strlen, substr
  • bitmap: Bitmap data type related commands.
    Commands: bitcount, bitfield, bitfield_ro, bitop, bitpos, getbit, setbit
  • hyperloglog: Hyperloglog data type related commands.
    Commands: pfadd, pfcount, pfdebug, pfmerge, pfselftest
  • geo: Geo data type related commands.
    Commands: geoadd, geodist, geohash, geopos, georadius, georadius_ro, georadiusbymember, georadiusbymember_ro, geosearch, geosearchstore
  • stream: Streams data type related commands.
    Commands: xack, xadd, xautoclaim, xclaim, xdel, xgroup|create, xgroup|createconsumer, xgroup|delconsumer, xgroup|destroy, xgroup|help, xgroup|setid, xinfo|consumers, xinfo|groups, xinfo|help, xinfo|stream, xlen, xpending, xrange, xread, xreadgroup, xrevrange, xsetid, xtrim

Redis Command: ACL SETUSER (Set User Access)

ACL SETUSER commands are not logged or kept in history. This is done to avoid security issues (like showing passwords and/or other sensitive info in the log).

Let’s create a user and set access for that user-

acl setuser bigboxuser on >bigboxpass ~* +@all &*

| Purpose | Value | Note |
|---|---|---|
| user name | bigboxuser | |
| status | on | User is active |
| password | bigboxpass | |
| keys | ~* | Can access all keys |
| commands | +@all | Can execute all commands |
| channels | &* | Can access all channels |

Let’s create another user with limited access-

acl setuser bigboxuser2 on >somecomplexpass ~product:* +@read +@write

| Purpose | Value | Note |
|---|---|---|
| user name | bigboxuser2 | |
| status | on | User is active |
| password | somecomplexpass | |
| keys | ~product:* | Can only access keys that start with “product:” |
| commands | +@read +@write | Can only execute commands related to read and write of the keys |
| channels | | Can not access any channel |

To reset all allowed keys for the user, use the following command-

acl setuser bigboxuser resetkeys

This will reset the allowed key parts only. Other permissions (for command, channel, etc.) will stay as they are.

Let’s add permission to access keys that start with “user:” and “customer:”-

acl setuser bigboxuser ~user:* ~customer:*

Let’s remove user access to all commands-

acl setuser bigboxuser -@all

# or the following command can be used, these are exactly same commands
# acl setuser bigboxuser nocommands

Let’s create another password for the user-

acl setuser bigboxuser >anotherpass

After execution of this command, 2 passwords will be enabled for the user “bigboxuser”. Any one of those passwords can be used to authenticate.

Redis Command: AUTH (Authenticate user)

To authenticate the user “bigboxuser” we can use the “AUTH” command like below-

auth bigboxuser bigboxpass

The “AUTH” command has signature – “AUTH [username] [password]”

Redis Command: ACL GETUSER (Get User Access Details)

Use the command “acl getuser [username]” to get the details of user access-

127.0.0.1:6379> acl getuser default
 1) "flags"
 2) 1) "on"
    2) "nopass"
 3) "passwords"
 4) (empty array)
 5) "commands"
 6) "+@all"
 7) "keys"
 8) "~*"
 9) "channels"
10) "&*"
11) "selectors"
12) (empty array)

Here is the detailed meaning of the output-

| Key | Value | Description |
|---|---|---|
| flags | on | User active |
| passwords | (empty array) | No password set |
| commands | +@all | All commands allowed |
| keys | ~* | All keys allowed |
| channels | &* | All channels are allowed |
| selectors | (empty array) | Selectors (introduced in Redis 7) |

Redis Command: ACL DELUSER (Delete User)

Use the command “acl deluser [username]” to delete the user, like below-

127.0.0.1:6379> ACL DELUSER bigboxuser
(integer) 1

The default user (user name “default”) can not be deleted.

The deletion of a user is not reflected immediately after the command is applied. The user will see the change after logging out of the current session.

Redis Command: ACL DRYRUN (Simulate Execution)

Signature:

ACL DRYRUN <username> <command> <args...>

Usage:

Simulates a command execution; it is used to check whether the user can execute a certain command or not.

This command only checks the permission, the command is not actually executed.

Return Type:

| Return value | Case for the return value |
|---|---|
| OK | Command can be executed successfully. |
| error | Permission related error message |

Examples:

Use this command to simulate a command execution on behalf of a user, without actually executing the command. Check the example commands below-

# We are authenticated as the default user

127.0.0.1:6379> get site:name
"bigboxcode"

# Let's remove all command permissions for user bigboxuser
127.0.0.1:6379> acl setuser bigboxuser nocommands
OK

# Check if user can execute a command, "get" command for example in this case
127.0.0.1:6379> acl dryrun bigboxuser get site:name
"This user has no permissions to run the 'get' command"

# User can not execute this command as he does not have any permission

# Let's give only get command permission
127.0.0.1:6379> acl setuser bigboxuser +get
OK

# Now let's check with acl dryrun
127.0.0.1:6379> acl dryrun bigboxuser get site:name
OK

# Let's check if set command can be used - it gives error
127.0.0.1:6379> acl dryrun bigboxuser set site:name "change name"
"This user has no permissions to run the 'set' command"

# Give write permission to user
127.0.0.1:6379> acl setuser bigboxuser +@write
OK

# Check if user can execute the set command.
127.0.0.1:6379> acl dryrun bigboxuser set site:name "change site name"
OK
# now user can execute set command

# Check if the original value is changed (should not change, as acl dryrun only simulates the command)
127.0.0.1:6379> get site:name
"bigboxcode"

Methods for Managing ACL

There are 3 ways we can set the access permission of a user-

  • From “redis-cli” using the ACL commands.
  • In “redis.conf” file directly.
  • In a separate ACL file.

Let’s take a look at each of the methods-

Method #1: Using ACL commands from “redis-cli”

We have already discussed the process of how to set ACL from “redis-cli”. All the above commands can be used to manage ACL in the Redis server.

ACL data may be lost on server restart if set using redis-cli.

Method #2: In “redis.conf” file directly

We can directly set the permission by adding lines like “user ………” in the redis config file.

For example, we can add the following lines-

user firstuser on >somepass12 ~* +@all &*
user seconduser on >someotherpass1122 ~cus* +get

Method #3: In a separate ACL file

We can use a separate file for ACL. For that, we have to enable the external file for ACL in the Redis config file. In Redis config file (redis.conf) look for the following line-

aclfile /etc/redis/users.acl

# The file path can be anything. Just look for the "aclfile" part.

If the line is commented, then remove the comment symbol and enable the line. Then change the file path if required.

Create the file in the correct path and then add lines like below-

user firstuser on >somepass ~* +@all &*
user seconduser on >someotherpass ~user* +get
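
Because “user” lines have the same format in “acl list” output, “redis.conf” and the ACL file, they can be audited offline. The following Python script is an added example, not part of the original article: it parses “user” lines, flags “nopass”, plaintext “>” passwords and the “~* +@all” combination, and rewrites “>password” as the “#<sha256>” form that “acl list” displays. The finding names and the sample input are constructed for this illustration.

```python
import hashlib

# Constructed sample: the article's "default" line plus its two ACL-file users.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user firstuser on >somepass ~* +@all &*
user seconduser on >someotherpass ~user* +get
"""

def sha256_rule(password):
    """Return the '#<hash>' rule: the password as a SHA-256 hex digest."""
    return "#" + hashlib.sha256(password.encode("utf-8")).hexdigest()

def parse_user(line):
    """Split one 'user <name> <rule> ...' line into its permission parts."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL user line: %r" % line)
    u = {"name": tokens[1], "enabled": False, "nopass": False,
         "plaintext": [], "hashes": [], "keys": [], "channels": [], "commands": []}
    for rule in tokens[2:]:
        if rule in ("on", "off"):
            u["enabled"] = rule == "on"
        elif rule in ("nopass", "resetpass"):
            u["nopass"] = rule == "nopass"
            u["plaintext"], u["hashes"] = [], []      # both flush all passwords
        elif rule.startswith(">"):
            u["nopass"] = False
            u["plaintext"].append(rule[1:])
        elif rule.startswith("<"):
            u["plaintext"] = [p for p in u["plaintext"] if p != rule[1:]]
        elif rule.startswith("#"):
            u["hashes"].append(rule[1:])
        elif rule == "resetkeys":
            u["keys"] = []
        elif rule == "allkeys" or rule[0] in "~%":
            u["keys"].append("~*" if rule == "allkeys" else rule)
        elif rule == "resetchannels":
            u["channels"] = []
        elif rule == "allchannels" or rule[0] == "&":
            u["channels"].append("&*" if rule == "allchannels" else rule)
        elif rule in ("allcommands", "+@all"):
            u["commands"] = ["+@all"]                 # overrides earlier rules
        elif rule in ("nocommands", "-@all"):
            u["commands"] = ["-@all"]
        elif rule[0] in "+-":
            u["commands"].append(rule)
    return u

def audit(line):
    """Return finding codes for one user line (empty list = nothing flagged)."""
    u = parse_user(line)
    findings = []
    if u["nopass"]:
        findings.append("nopass")
    if u["plaintext"]:
        findings.append("plaintext-password")
    if "~*" in u["keys"] and u["commands"][:1] == ["+@all"]:
        findings.append("all-keys-all-commands")
    return findings

def audit_file(text):
    """Audit every 'user' line; blank lines and other directives are skipped."""
    lines = [l for l in text.splitlines() if l.split()[:1] == ["user"]]
    return {parse_user(l)["name"]: audit(l) for l in lines}

def hash_passwords(line):
    """Rewrite each '>password' rule as '#<sha256>' so no plaintext is stored."""
    return " ".join(sha256_rule(t[1:]) if t.startswith(">") else t
                    for t in line.split())

if __name__ == "__main__":
    for name, findings in audit_file(SAMPLE_ACL).items():
        print(name, findings or "ok")
    print(hash_passwords("user seconduser on >someotherpass ~user* +get"))
```

The stored value is a plain SHA-256 of the password, so the same password always produces the same “#” rule; ACL files and “acl list” output should be protected accordingly.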

Examples

| ACL Command | Description |
|---|---|
| ACL SETUSER bigboxuser on >bigboxpass allkeys allcommands | all keys, all commands |
| ACL SETUSER bigboxuser on >bigboxpass ~* +@all | all keys, all command categories (that means all commands) |
| ACL SETUSER bigboxuser on >bigboxpass ~product* | only keys that start with “product” |
| ACL SETUSER bigboxuser on >bigboxpass nocommands | can not use any command, similar to -@all |
| ACL SETUSER bigboxuser +@list +@connection ~product:* on >bigboxpass | allow keys that start with “product:”. Allow commands from category “list” and “connection” |
| ACL SETUSER bigboxuser resetkeys | Reset all the keys allowed for the user. |
