In this article, we discuss all aspects of the Redis ACL (Access Control List). Redis ACL allows us to set permissions for a user in detail. Permissions for each part (keys, commands, channels, etc.) can be set separately.
NOTES
- We know that the default user in Redis is named “default“.
- We have discussed the password-setting process for the “default” user, in a separate article. If you don’t need a complex permission setting for the “default” user, then check the link below-
In this article, we are discussing how we can create/update/delete new users, set passwords, and set complex permission for a Redis user. Let’s check Redis ACL in detail-
NOTES
- ACL works on Redis version 6 and later. Versions before 6 do not have the option for ACL, only the default user can authenticate in that case.
- A single user in Redis can have multiple passwords at the same time. All of those passwords work for the user at the same time; the user can use any of them. Any number of passwords can be used. There is no limit on the length and/or number of the passwords.
- Redis uses SHA256 for hashing passwords to store them internally.
Check User Access
Let’s check all the existing users in the Redis server-
127.0.0.1:6379> acl users
1) "default"
2) "bigboxuser"
To check who is the currently authenticated user, use the “acl whoami” command-
127.0.0.1:6379> acl whoami
"default"
To check the list of all users with full permission details, use the command “acl list“-
127.0.0.1:6379> acl list
1) "user default on nopass ~* &* +@all"
2) "user bigboxuser on #9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 ~s* -@all +get"
Here is what each part of the output means-
Command | User Name | Status | Password | Permission to access Keys | Permission to access Channels | Permission to access Commands |
---|---|---|---|---|---|---|
user default on nopass ~* &* +@all | default | on => user is active | No password used | ~* => has access to all keys | &* => has access to all channels | +@all => has permission to all command categories (so has access to all commands) |
user bigboxuser on #9f86d081… resetchannels ~s* -@all +get | bigboxuser | on => user is active | Some password is used | ~s* => can access only the keys that start with “s” | Does not have permission to access any channel, as the permission is not set for the channel part. | -@all +get => Can use only the “get” command, nothing else |
The following sections discuss the permission in detail. Keep reading, everything will be clear to you about ACL.
Permission Details
User permission and access information has the following parts-
- User name
- Status (active/inactive)
- Password
- Key permission (which keys can the user access)
- Command permission (which commands can the user execute)
- Channel permission (which channels can the user access)
- Selector
Permission Parts/Sections
The most important parts of the permission are the password, key permission, command permission, and channels.
Each of these sections starts with a different symbol.
Here is how to identify which part is for which rule/permission-
Part of the ACL | Permission/Rule part starts with the symbol |
---|---|
Password | > |
Key | ~ |
Command | + |
Channel | & |
Status(active/inactive) | on/off (one of these will be used to define the status) |
User Status
Here are the statuses that we can use for a user in Redis-
Status | Description |
---|---|
on | User is enabled. We can now authenticate as this user. |
off | User is disabled. Can not authenticate as this user. Already authenticated users will stay authenticated though. |
User Password
A user can have multiple passwords for authentication.
User password control-
Rule | Description |
---|---|
>some*password | Set password for the user. Setting this will make “some*password” a valid password for the user. |
<some*password | Remove password for the user. This will remove “some*password” from the allowed passwords for the user. |
nopass | Flush all the passwords for the user. Also, remove “nopass” status. User can be authenticated without (blank) password. |
resetpass | Flush all the passwords for the user. Also, remove the “nopass” status. User can not be authenticated. |
Key Pattern
The permission part for keys starts with “~” symbol.
The <pattern> used here follows the Glob pattern. So we need to set these patterns following all the rules that apply to Globbing.
Key Pattern | Description |
---|---|
~<pattern> | Allow the keys that match <pattern>. Both “read” and “write” of those keys are allowed. |
%R~<pattern> | Allow “read” of the keys that match <pattern> |
%W~<pattern> | Allow “write” of the keys that match <pattern> |
allkeys | Allow “read” and “write” of all keys. This is an alias of “~*“ |
resetkeys | Reset all the allowed keys for the user. |
For example: “~*” pattern means, we are allowing all the keys. Also “allkeys” is an alias of “~*“.
Channel Pattern
The permission part for channels starts with “&” symbol.
The <pattern> used here follows the Glob pattern. So we need to set these patterns following all the rules that apply to Globbing.
Channel Pattern | Description |
---|---|
&<pattern> | Allow the channels that match <pattern>, e.g. &* (for all channels) or &my* (for all channels that start with “my”) |
allchannels | Allow all channels. This is an alias of “&*” |
resetchannels | Reset/remove/flush all permission for all channels for this user. |
Command permission
Commands allow/disallow-
Pattern/Expression | Description |
---|---|
+<command> | Allow execution of this command |
-<command> | Deny execution of this command |
+@<category> | Allow execution of all commands that belong to this category |
-@<category> | Deny execution of all commands in this category |
To allow/deny a subcommand of a command we can use the “|” and write it like this –
+<command>|<subcommand> : to allow the subcommand
-<command>|<subcommand>: to deny/disallow the subcommand
For example, if we want to deny a user the “rewrite” subcommand of the “config” command, then we can use “-config|rewrite” for the command permission.
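As an added example (not part of the original article or of Redis itself), the Python sketch below parses `user ...` lines in the format shown by `acl list`, using the rule symbols from the tables above, and flags enabled users that have `nopass`, a plaintext `>` password, all keys, all channels, or all commands. The finding codes and the third sample line are constructed for illustration; selectors are not interpreted.

```python
# Added example (not from the original article): audit ACL LIST lines.
ALL_ON = {"+@all", "allcommands"}
ALL_OFF = {"-@all", "nocommands"}


def parse_acl_line(line):
    """Split one `user ...` line into the parts the tables above describe."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL user line: {line!r}")
    user = {"name": tokens[1], "enabled": False, "nopass": False,
            "passwords": [], "keys": [], "channels": [], "commands": [],
            "other": []}
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            user["enabled"] = tok == "on"
        elif tok == "nopass":
            user["nopass"] = True
        elif tok[0] in "#>":              # '#' stored hash, '>' plaintext
            user["passwords"].append(tok)
        elif tok == "allkeys":
            user["keys"].append("~*")
        elif tok.startswith(("~", "%R~", "%W~")):
            user["keys"].append(tok)
        elif tok == "allchannels":
            user["channels"].append("&*")
        elif tok.startswith("&"):
            user["channels"].append(tok)
        elif tok[0] in "+-" or tok in (ALL_ON | ALL_OFF):
            user["commands"].append(tok)
        else:                             # resetchannels, selectors, ...
            user["other"].append(tok)
    return user


def grants_all_commands(rules):
    """Command rules apply left to right; is +@all still in force at the end?"""
    granted = False
    for rule in rules:
        if rule in ALL_ON:
            granted = True
        elif rule in ALL_OFF or rule == "-@dangerous":
            granted = False               # narrowed after the broad grant
    return granted


def audit(line):
    """Return finding codes for one enabled user; disabled users are skipped."""
    user = parse_acl_line(line)
    if not user["enabled"]:
        return []
    findings = []
    if user["nopass"]:
        findings.append("NOPASS")
    if any(p.startswith(">") for p in user["passwords"]):
        findings.append("PLAINTEXT_PASSWORD")
    if any(k.split("~", 1)[1] == "*" for k in user["keys"]):
        findings.append("ALL_KEYS")
    if "&*" in user["channels"]:
        findings.append("ALL_CHANNELS")
    if grants_all_commands(user["commands"]):
        findings.append("ALL_COMMANDS")
    return findings


SAMPLE = [
    # The two lines from the `acl list` output above.
    "user default on nopass ~* &* +@all",
    "user bigboxuser on #9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 ~s* -@all +get",
    # Constructed line in redis.conf style, for illustration only.
    "user reporting on >s3cret ~report:* +@all -@dangerous",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_acl_line(entry)["name"], audit(entry) or "no findings")
```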
Command Category
Use the command below to get the list of command categories-
127.0.0.1:6379> acl cat
1) "keyspace"
2) "read"
3) "write"
4) "set"
5) "sortedset"
6) "list"
7) "hash"
# .
# .
# .
# Many more command categories are shown after this.
# We are not showing all to save space.
# The full list of commands is below.
To get the list of commands that belong to a category use the following Redis command-
# Here we are trying to get the commands that belong to "keyspace" category
127.0.0.1:6379> acl cat keyspace
1) "expire"
2) "rename"
3) "migrate"
4) "scan"
5) "flushdb"
# .
# .
# .
# Many more commands are shown after this.
# We are not showing all to save space.
Here is the list of command categories with descriptions and subcommands-
Command Category | Description | Commands |
---|---|---|
keyspace | Commands for reading and writing from keys, databases, and metadata of those elements. | copy, dbsize, del, dump, exists, expire, expireat, expiretime, flushall, flushdb, keys, migrate, move, object|encoding, object|freq, object|help, object|idletime, object|refcount, persist, pexpire, pexpireat, pexpiretime, pttl, randomkey, rename, renamenx, restore, restore-asking, scan, swapdb, touch, ttl, type, unlink |
read | Commands for reading value of keys. | bitcount, bitfield_ro, bitpos, dbsize, dump, exists, expiretime, geodist, geohash, geopos, georadius_ro, georadiusbymember_ro, geosearch, get, getbit, getrange, hexists, hget, hgetall, hkeys, hlen, hmget, hrandfield, hscan, hstrlen, hvals, keys, lcs, lindex, llen, lolwut, lpos, lrange, memory|usage, mget, object|encoding, object|freq, object|idletime, object|refcount, pexpiretime, pfcount, pttl, randomkey, scan, scard, sdiff, sinter, sintercard, sismember, smembers, smismember, sort_ro, srandmember, sscan, strlen, substr, sunion, touch, ttl, type, xinfo|consumers, xinfo|groups, xinfo|stream, xlen, xpending, xrange, xread, xrevrange, zcard, zcount, zdiff, zinter, zintercard, zlexcount, zmscore, zrandmember, zrange, zrangebylex, zrangebyscore, zrank, zrevrange, zrevrangebylex, zrevrangebyscore, zrevrank, zscan, zscore, zunion |
write | Commands for writing value to keys. | append, bitfield, bitop, blmove, blmpop, blpop, brpop, brpoplpush, bzmpop, bzpopmax, bzpopmin, copy, decr, decrby, del, expire, expireat, flushall, flushdb, function|delete, function|flush, function|load, function|restore, geoadd, georadius, georadiusbymember, geosearchstore, getdel, getex, getset, hdel, hincrby, hincrbyfloat, hmset, hset, hsetnx, incr, incrby, incrbyfloat, linsert, lmove, lmpop, lpop, lpush, lpushx, lrem, lset, ltrim, migrate, move, mset, msetnx, persist, pexpire, pexpireat, pfadd, pfdebug, pfmerge, psetex, rename, renamenx, restore, restore-asking, rpop, rpoplpush, rpush, rpushx, sadd, sdiffstore, set, setbit, setex, setnx, setrange, sinterstore, smove, sort, spop, srem, sunionstore, swapdb, unlink, xack, xadd, xautoclaim, xclaim, xdel, xgroup|create, xgroup|createconsumer, xgroup|delconsumer, xgroup|destroy, xgroup|setid, xreadgroup, xsetid, xtrim, zadd, zdiffstore, zincrby, zinterstore, zmpop, zpopmax, zpopmin, zrangestore, zrem, zremrangebylex, zremrangebyrank, zremrangebyscore, zunionstore |
admin | Commands to administrate a Redis server. | acl|deluser, acl|dryrun, acl|getuser, acl|list, acl|load, acl|log, acl|save, acl|setuser, bgrewriteaof, bgsave, client|kill, client|list, client|no-evict, client|pause, client|unblock, client|unpause, cluster|addslots, cluster|addslotsrange, cluster|bumpepoch, cluster|count-failure-reports, cluster|delslots, cluster|delslotsrange, cluster|failover, cluster|flushslots, cluster|forget, cluster|meet, cluster|replicas, cluster|replicate, cluster|reset, cluster|saveconfig, cluster|set-config-epoch, cluster|setslot, config|get, config|resetstat, config|rewrite, config|set, |
dangerous | Potentially dangerous commands. | acl|deluser, acl|dryrun, acl|getuser, acl|list, acl|load, acl|log, acl|save, acl|setuser, bgrewriteaof, bgsave, client|kill, client|list, client|no-evict, client|pause, client|unblock, client|unpause, cluster|addslots, cluster|addslotsrange, cluster|bumpepoch, cluster|count-failure-reports, cluster|delslots, cluster|delslotsrange, cluster|failover, cluster|flushslots, cluster|forget, cluster|meet, cluster|replicas, cluster|replicate, cluster|reset, cluster|saveconfig, cluster|set-config-epoch, cluster|setslot, debug, failover, flushall, flushdb, info, keys, lastsave, latency|doctor, latency|graph, latency|histogram, latency|history, latency|latest, latency|reset, module|list, module|load, module|loadex, module|unload, migrate, psync, replicaof, replconf, restore, restore-asking, role, save, shutdown, sort, sort_ro, slowlog|get, slowlog|len, slowlog|reset, swapdb, sync |
connection | Connection related commands. | auth, asking, client|caching, client|getname, client|getredir, client|help, client|id, client|info, client|kill, client|list, client|no-evict, client|pause, client|reply, client|setname, client|tracking, client|trackinginfo, client|unblock, client|unpause, command, command|count, command|docs, command|getkeys, command|getkeysandflags, command|help, command|info, command|list, echo, hello, ping, quit, readonly, readwrite, reset, select, wait |
blocking | Connection blocking commands(until released by another command). | blpop, blmove, blmpop, brpop, brpoplpush, bzpopmax, bzpopmin, bzmpop, xread, xreadgroup |
fast | Fast O(1) commands. | append, asking, auth, bitfield_ro, bzpopmax, bzpopmin, dbsize, decr, decrby, discard, echo, exists, expire, expireat, expiretime, get, getbit, getdel, getex, getset, hdel, hexists, hget, hincrby, hincrbyfloat, hlen, hmget, hmset, hset, hsetnx, hstrlen, incr, incrby, incrbyfloat, lastsave, llen, lolwut, lpop, lpush, lpushx, move, mget, multi, persist, pexpire, pexpireat, pexpiretime, pfadd, ping, pttl, publish, quit, readwrite, readonly, renamenx, role, rpop, rpush, rpushx, scard, select, setnx, smismember, spop, spublish, srem, sadd, swapdb, touch, ttl, type, unwatch, unlink, watch, xack, xadd, xautoclaim, xclaim, xdel, xlen, xread, xreadgroup, xsetid, zadd, zcard, zcount, zlexcount, zpopmax, zpopmin, zrank, zrem, zscore, zmscore |
slow | All slow commands. | acl, acl|cat, acl|deluser, acl|dryrun, acl|getuser, acl|help, acl|list, acl|load, acl|log, acl|save, acl|setuser, acl|whoami, append, asking, auth, bgrewriteaof, bgsave, bitcount, bitfield, bitop, bitpos, blmpop, blpop, brpop, brpoplpush, bzmpop, bzpopmax, bzpopmin, client, client|caching, client|getname, client|getredir, client|help, client|id, client|info, client|kill, client|list, client|no-evict, client|pause, client|reply, client|setname, client|tracking, client|trackinginfo, client|unblock, client|unpause, cluster, cluster|addslots, cluster|addslotsrange, cluster|bumpepoch, cluster|count-failure-reports, cluster|countkeysinslot, cluster|delslots, cluster|delslotsrange, cluster|destroy, cluster|flushslots, cluster|forget, cluster|getkeysinslot, cluster|help, cluster|keyslot, cluster|links, cluster|meet, cluster|myid, cluster|nodes, cluster|replicate, cluster|replicas, cluster|reset, cluster|saveconfig, cluster|set-config-epoch, cluster|setslot, cluster|shards, cluster|slots, cluster|slaveof, command, command|count, command|docs, command|getkeys, command|getkeysandflags, command|help, command|info, command|list, config, config|get, config|help, config|resetstat, config|rewrite, config|set, copy, dbsize, debug, decr, decrby, del, discard, dump, echo, eval, eval_ro, evalsha, evalsha_ro, exists, expire, expireat, expiretime, flushall, flushdb, function, function|delete, function|dump, function|flush, function|help, function|kill, function|list, function|load, function|restore, geodist, geoadd, geohash, geointersectstore, georadius, georadiusbymember, georadiusbymember_ro, geosearch, geosearchstore, get, getbit, getdel, getex, getrange, getset, hdel, hexists, hget, hgetall, hincrby, hincrbyfloat, hkeys, hlen, hmget, hmset, hscan, hset, hsetnx, hstrlen, hvals, incr, incrby, incrbyfloat, info, keys, lcs, lindex, linsert, lmove, lmpop, lpop, lpos, lpush, lpushx, lrange, lrem, lset, ltrim, lolwut, mget, migrate, module, module|help, module|list, module|load, module|loadex, module|unload, mset, msetnx, multi, object, object|encoding, object|freq, object|help, object|idletime, object|refcount, persist, pfadd, pfcount, pfdebug, pfmerge, psetex, psync, pubsub, pubsub|channels, pubsub|help, pubsub|numsub, pubsub|numpat, pubsub|shardchannels, pubsub|shardnumsub, punsubscribe, randomkey, readwrite, readonly, rename, replicaof, replconf, restore, restore-asking, role, rpop, rpoplpush, rpush, rpushx, sadd, save, scan, script, script|debug, script|exists, script|flush, script|help, script|kill, script|load, sdiff, sdiffstore, select, set, setbit, setex, setnx, setrange, shutdown, sinter, sintercard, sinterstore, sismember, slowlog, slowlog|get, slowlog|len, slowlog|reset, sort, sort_ro, sscan, strlen, subscribe, sunsubscribe, swapdb, sync, time, touch, ttl, type, unsubscribe, unwatch, wait, watch, xack, xadd, xautoclaim, xclaim, xdel, xgroup, xgroup|create, xgroup|createconsumer, xgroup|delconsumer, xgroup|destroy, xgroup|help, xgroup|setid, xinfo, xinfo|consumers, xinfo|groups, xinfo|help, xinfo|stream, xlen, xpending, xrange, xread, xreadgroup, xsetid, xtrim, zadd, zcard, zcount, zdiff, zdiffstore, zinter, zintercard, zinterstore, zlexcount, zpopmax, zpopmin, zrandmember, zrange, zrangebylex, zrangebyscore, zrangestore, zrank, zrem, zremrangebylex, zremrangebyrank, zremrangebyscore, zrevrange, zrevrangebylex, zrevrangebyscore, zrevrank, zscore, zunion, zunionstore |
pubsub | Publish/Subscribe related commands. | psubscribe, publish, pubsub|channels, pubsub|numsub, pubsub|numpat, pubsub|shardnumsub, pubsub|shardchannels, spublish, ssubscribe, sunsubscribe, subscribe, unsubscribe |
transaction | Transaction related commands – WATCH / MULTI / EXEC. | discard, exec, multi, unwatch, watch |
scripting | Scripting related commands. | eval, eval_ro, evalsha, evalsha_ro, fcall, fcall_ro, function|delete, function|dump, function|flush, function|help, function|kill, function|list, function|load, function|restore, function|stats, script|debug, script|exists, script|flush, script|help, script|kill, script|load |
set | Set data type related commands. | scard, sdiff, sdiffstore, sinter, sintercard, sinterstore, sismember, smembers, smismember, smove, spop, srandmember, srem, sunion, sunionstore, sscan, sort, sort_ro |
sortedset | Sortedset data type related commands(zsets). | bzmpop, bzpopmax, bzpopmin, sort, sort_ro, zadd, zcard, zcount, zdiff, zdiffstore, zincrby, zinter, zintercard, zinterstore, zlexcount, zpopmax, zpopmin, zrange, zrangebylex, zrangebyscore, zrangestore, zrank, zrem, zremrangebyrank, zremrangebylex, zremrangebyscore, zrevrange, zrevrangebylex, zrevrangebyscore, zrevrank, zscan, zscore, zunion, zunionstore, zmpop |
list | List data type related commands. | blmpop, blpop, brpop, brpoplpush, lindex, linsert, llen, lmove, lmpop, lpop, lpos, lpush, lpushx, lrange, lrem, lset, ltrim, rpop, rpoplpush, rpush, rpushx, sort, sort_ro |
hash | Hash data type related commands. | hdel, hexists, hget, hgetall, hincrby, hincrbyfloat, hkeys, hlen, hmget, hmset, hrandfield, hscan, hset, hsetnx, hstrlen, hvals |
string | Strings data type related commands. | append, decr, decrby, get, getdel, getrange, getex, getset, incr, incrby, incrbyfloat, lcs, mget, mset, msetnx, psetex, set, setex, setnx, setrange, strlen, substr |
bitmap | Bitmap data type related commands. | bitcount, bitfield, bitfield_ro, bitop, bitpos, getbit, setbit |
hyperloglog | Hyperloglog data type related commands. | pfadd, pfcount, pfdebug, pfmerge, pfselftest |
geo | Geo data type related commands. | geoadd, geodist, geohash, geopos, georadius, georadius_ro, georadiusbymember, georadiusbymember_ro, geosearch, geosearchstore |
stream | Streams data type related commands. | xack, xadd, xautoclaim, xclaim, xdel, xgroup|create, xgroup|createconsumer, xgroup|delconsumer, xgroup|destroy, xgroup|help, xgroup|setid, xinfo|consumers, xinfo|groups, xinfo|help, xinfo|stream, xlen, xpending, xrange, xread, xreadgroup, xrevrange, xsetid, xtrim |
Redis Command: ACL SETUSER – Set User Access
ACL SETUSER commands are not logged or kept in history. This is done to avoid security issues (like showing passwords and/or other sensitive info in the log).
Let’s create a user and set access for that user-
acl setuser bigboxuser on >bigboxpass ~* +@all &*
Purpose | Value | Note |
---|---|---|
user name | bigboxuser | |
status | on | User is active |
password | bigboxpass | |
keys | ~* | Can access all keys |
commands | +@all | Can execute all commands |
channels | &* | Can access all channels |
Let’s create another user with limited access-
acl setuser bigboxuser2 on >somecomplexpass ~product:* +@read +@write
Purpose | Value | Note |
---|---|---|
user name | bigboxuser2 | |
status | on | User is active |
password | somecomplexpass | |
keys | ~product:* | Can only access keys that start with “product:” |
commands | +@read +@write | Can only execute commands related to read and write of the keys |
channels | | Can not access any channel |
To reset all allowed keys for the user, use the following command-
acl setuser bigboxuser resetkeys
This will reset the allowed keys only. Other permissions (for commands, channels, etc.) will remain as they are.
Let’s add permission to access keys that start with “user:” and “customer:”-
acl setuser bigboxuser ~user:* ~customer:*
Let’s remove user access to all commands-
acl setuser bigboxuser -@all
# or the following command can be used; the two commands are exactly the same
# acl setuser bigboxuser nocommands
Let’s create another password for the user-
acl setuser bigboxuser >anotherpass
After execution of this command, 2 passwords will be enabled for the user “bigboxuser”. Any one of those passwords can be used to authenticate.
Redis Command: AUTH – Authenticate user
To authenticate the user “bigboxuser” we can use the “AUTH” command like below-
auth bigboxuser bigboxpass
The “AUTH” command has signature – “AUTH [username] [password]“
Redis Command: ACL GETUSER – Get User Access Details
Use the command “acl getuser [username]” to get the details of user access-
127.0.0.1:6379> acl getuser default
1) "flags"
2) 1) "on"
   2) "nopass"
3) "passwords"
4) (empty array)
5) "commands"
6) "+@all"
7) "keys"
8) "~*"
9) "channels"
10) "&*"
11) "selectors"
12) (empty array)
Here is the detailed meaning of the output-
Key | Value | Description |
---|---|---|
flags | on | User active |
passwords | (empty array) | No password set |
commands | +@all | All commands allowed |
keys | ~* | All keys allowed |
channels | &* | All channels are allowed |
selectors | (empty array) | Selectors (introduced in Redis 7) |
Redis Command: ACL DELUSER – Delete User
Use the command “acl deluser [username]” to delete the user, like below-
127.0.0.1:6379> ACL DELUSER bigboxuser
(integer) 1
The default user (user name “default”) can not be deleted.
Deleting a user does not reflect immediately, just after the command is applied. The user will see the change after logout from the current session.
Redis Command: ACL DRYRUN – Simulate Execution
Signature:
ACL DRYRUN <username> <command> <args….>
Usage:
Simulates a command execution. It is used to check whether the user can execute a certain command or not.
This command only checks the permission, the command is not actually executed.
Return Type:
Return value | Case for the return value |
---|---|
OK | Command can be executed successfully. |
error | Permission related error message |
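The check that ACL DRYRUN performs can be approximated offline when reviewing a rule change before applying it. The Python model below is an added example, not Redis code: it applies command rules left to right and matches keys against `~<pattern>` rules, using a small assumed subset of the category table and an assumed starting rule set (`on ~s*`) for “bigboxuser”. `%R~`/`%W~` rules, subcommands, channels and selectors are left out.

```python
# Added example (not from the original article): an offline model of the
# permission check that ACL DRYRUN reports, for reviewing rules before applying.
from fnmatch import fnmatchcase

# Small subset of the category table above (assumption: enough for this demo).
CATEGORIES = {
    "read": {"get", "mget", "exists", "strlen", "hget"},
    "write": {"set", "del", "append", "incr", "hset"},
}
ALIASES = {"allcommands": "+@all", "nocommands": "-@all"}


def command_allowed(rules, command):
    """Apply +/- command rules left to right; the last matching rule wins."""
    allowed = False
    for rule in rules:
        rule = ALIASES.get(rule, rule)
        if rule[0] not in "+-":
            continue                      # status, password, key, channel rule
        target = rule[1:]
        if target.startswith("@"):
            hit = target == "@all" or command in CATEGORIES.get(target[1:], ())
        else:
            hit = target == command
        if hit:
            allowed = rule[0] == "+"
    return allowed


def key_allowed(rules, key):
    """Check the key against every ~<pattern> still in force."""
    patterns = []
    for rule in rules:
        if rule == "resetkeys":
            patterns = []
        elif rule == "allkeys":
            patterns.append("*")
        elif rule.startswith("~"):
            patterns.append(rule[1:])
    # fnmatchcase agrees with Redis globbing for '*', '?' and '[abc]'.
    return any(fnmatchcase(key, p) for p in patterns)


def dryrun(rules, command, *keys):
    """Return 'OK', 'DENIED:command' or 'DENIED:key' for one simulated call."""
    if not command_allowed(rules, command.lower()):
        return "DENIED:command"
    if not all(key_allowed(rules, k) for k in keys):
        return "DENIED:key"
    return "OK"


def walkthrough():
    """Replay the example session in this section; SETUSER appends rules."""
    rules = ["on", "~s*"]                 # assumed starting state for bigboxuser
    results = []
    rules.append("nocommands")
    results.append(dryrun(rules, "get", "site:name"))
    rules.append("+get")
    results.append(dryrun(rules, "get", "site:name"))
    results.append(dryrun(rules, "set", "site:name"))
    rules.append("+@write")
    results.append(dryrun(rules, "set", "site:name"))
    results.append(dryrun(rules, "get", "product:1"))   # key outside ~s*
    return results


if __name__ == "__main__":
    print(walkthrough())
    # Rule order matters: the same tokens in a different order deny "get".
    print(dryrun("~s* +get -@all".split(), "get", "site:name"))
```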
Examples:
Use this command to simulate a command execution on behalf of a user, without actually executing the command. Check the example commands below-
# We are authenticated as the default user
127.0.0.1:6379> get site:name
"bigboxcode"
# Let's remove all command permissions for user bigboxuser
127.0.0.1:6379> acl setuser bigboxuser nocommands
OK
# Check if user can execute a command, "get" command for example in this case
127.0.0.1:6379> acl dryrun bigboxuser get site:name
"This user has no permissions to run the 'get' command"
# User can not execute this command as he does not have any permission
# Let's give only get command permission
127.0.0.1:6379> acl setuser bigboxuser +get
OK
# Now let's check with acl dryrun
127.0.0.1:6379> acl dryrun bigboxuser get site:name
OK
# Let's check if set command can be used - it gives error
127.0.0.1:6379> acl dryrun bigboxuser set site:name "change name"
"This user has no permissions to run the 'set' command"
# Give write permission to user
127.0.0.1:6379> acl setuser bigboxuser +@write
OK
# Check if user can execute the set command.
127.0.0.1:6379> acl dryrun bigboxuser set site:name "change site name"
OK
# now user can execute set command
# Check if the original value is changed (should not change as acl dryrun only simulates the command)
127.0.0.1:6379> get site:name
"bigboxcode"
Methods for Managing ACL
There are 3 ways we can set the access permission of a user-
- From “redis-cli” using the ACL commands.
- In “redis.conf” file directly.
- In a separate ACL file.
Let’s take a look at each of the methods-
Method #1: Using ACL commands from “redis-cli”
We have already discussed the process of how to set ACL from “redis-cli”. All the above commands can be used to manage ACL in the Redis server.
ACL data may be lost on server restart if set using redis-cli.
Method #2: In “redis.conf” file directly
We can directly set the permission by adding lines like “user ………” in the redis config file.
For example, we can add the following lines-
user firstuser on >somepass12 ~* +@all &*
user seconduser on >someotherpass1122 ~cus* +get
Method #3: In a separate ACL file
We can use a separate file for ACL. For that, we have to enable the external file for ACL in the Redis config file. In Redis config file (redis.conf) look for the following line-
aclfile /etc/redis/users.acl
# The file path can be anything. Just look for the "aclfile" part.
If the line is commented, then remove the comment symbol and enable the line. Then change the file path if required.
Create the file in the correct path and then add lines like below-
user firstuser on >somepass ~* +@all &*
user seconduser on >someotherpass ~user* +get
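Because Redis stores passwords as SHA256 hashes, a `user` line may carry `#<hash>` (the form that `acl list` prints) instead of `>password`, which keeps plaintext out of the ACL file. The Python helper below is an added example, not from the original article; the `reportuser` name and its rules are constructed for illustration.

```python
# Added example (not from the original article): build ACL file lines that
# carry SHA-256 password hashes instead of plaintext `>password` rules.
import hashlib
import secrets


def new_password(nbytes=32):
    """Long random password; SHA-256 is fast, so length is the protection."""
    return secrets.token_hex(nbytes)


def password_rule(password):
    """Return the `#<sha256-hex>` rule for a plaintext password."""
    return "#" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def acl_file_line(name, password, rules):
    """Compose one `user ...` line with the password stored as a hash."""
    if not name or any(ch.isspace() for ch in name):
        raise ValueError("user name must be non-empty and contain no spaces")
    return " ".join(["user", name, "on", password_rule(password), *rules])


def hash_plaintext_rules(line):
    """Rewrite every `>plaintext` token in an existing line to `#hash`."""
    return " ".join(
        password_rule(tok[1:]) if tok.startswith(">") else tok
        for tok in line.split()
    )


if __name__ == "__main__":
    # The two ACL file lines shown above, rewritten without plaintext.
    for line in (
        "user firstuser on >somepass ~* +@all &*",
        "user seconduser on >someotherpass ~user* +get",
    ):
        print(hash_plaintext_rules(line))
    # A new user with a generated password: hand the password to the client
    # through a secret store and keep only the hashed line in the ACL file.
    pw = new_password()
    print(acl_file_line("reportuser", pw, ["~report:*", "+@read"]))
```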
Examples
ACL Command | Description |
---|---|
ACL SETUSER bigboxuser on >bigboxpass allkeys allcommands | all keys, all commands |
ACL SETUSER bigboxuser on >bigboxpass ~* +@all | all keys, all command categories (that means all commands) |
ACL SETUSER bigboxuser on >bigboxpass ~product* | only keys that start with “product” |
ACL SETUSER bigboxuser on >bigboxpass nocommands | can not use any command, similar to -@all |
ACL SETUSER bigboxuser +@list +@connection ~product:* on >bigboxpass | allow keys that start with “product:”. Allow commands from category “list” and “connection” |
ACL SETUSER bigboxuser resetkeys | Reset all the keys allowed for the user. |