chore(ACL): add general info for ACL #177
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
@kostasrim is attempting to deploy a commit to the DragonflyDB Team on Vercel. To accomplish this, @kostasrim needs to request access to the Team. Afterwards, an owner of the Team is required to accept their membership request. If you're already a member of the respective Vercel Team, make sure that your Personal Vercel Account is connected to your GitHub account. |
chakaz
reviewed
Nov 13, 2023
| @@ -16,12 +16,12 @@ import PageTitle from '@site/src/components/PageTitle'; | |||
|
|
|||
| **ACL categories:** @fast, @connection | |||
|
|
|||
| The AUTH command authenticates the current connection if the Dragonfly server is password protected via the `requirepass` option. Dragonfly will deny any command executed by the just | |||
| The AUTH command authenticates the current connection. If the `username` is omitted, it implies the user `default` from ACL. Dragonfly will deny any command executed by the just | |||
There was a problem hiding this comment.
Suggested change
| The AUTH command authenticates the current connection. If the `username` is omitted, it implies the user `default` from ACL. Dragonfly will deny any command executed by the just | |
| The `AUTH` command authenticates the current connection. If the `username` is omitted, it implies the user `default` from ACL. Dragonfly will deny any command executed by the already |
| connected clients, unless the connection gets authenticated via `AUTH`. | ||
|
|
||
| If the password provided via AUTH matches the configured password, the server replies with the `OK` status code and starts accepting commands. Otherwise, an error is returned and the clients needs to try a new password. | ||
|
|
||
| Additionally, `AUTH` can be used to authenticate users created by the `ACL SETUSER` command. | ||
| Note, that `requirepass` now also changes the ACL default user `password`. |
There was a problem hiding this comment.
Suggested change
| Note, that `requirepass` now also changes the ACL default user `password`. | |
| Note that `requirepass` also changes the ACL default user `password`. |
| @@ -63,7 +63,7 @@ Because `HELLO` replies with useful information, and given that protover is opti | |||
|
|
|||
| When called with the optional protover argument, this command switches the protocol to the specified version and also accepts the following options: | |||
|
|
|||
| `AUTH <username> <password>`: directly authenticates the connection in addition to switching to the specified protocol version. This makes calling `AUTH` before `HELLO` unnecessary when setting up a new connection. Note that the username must be set to "default" as Dragonfly does not support ACLs, but rather uses the requirepass mechanism. | |||
| `AUTH <username> <password>`: directly authenticates the connection in addition to switching to the specified protocol version. This makes calling `AUTH` before `HELLO` unnecessary when setting up a new connection. Note that the username default is "default" as Dragonfly has built in support for ACLs. | |||
There was a problem hiding this comment.
Suggested change
| `AUTH <username> <password>`: directly authenticates the connection in addition to switching to the specified protocol version. This makes calling `AUTH` before `HELLO` unnecessary when setting up a new connection. Note that the username default is "default" as Dragonfly has built in support for ACLs. | |
| `AUTH <username> <password>`: directly authenticates the connection in addition to switching to the specified protocol version. This makes calling `AUTH` before `HELLO` unnecessary when setting up a new connection. Note that the default username is "default". |
docs/managing-dragonfly/acl.md
Outdated
| @@ -0,0 +1,127 @@ | |||
| # Access Control Lists (ACL) | |||
|
|
|||
| Dragonfly has built in support for ACL. DF operators, get fine grained control on how and who accesses the datastore via the ACL family of commands. | |||
There was a problem hiding this comment.
Suggested change
| Dragonfly has built in support for ACL. DF operators, get fine grained control on how and who accesses the datastore via the ACL family of commands. | |
| Dragonfly has built in support for ACL. DF operators get fine grained control on how and who accesses the datastore via the ACL family of commands. |
docs/managing-dragonfly/acl.md
Outdated
| # Access Control Lists (ACL) | ||
|
|
||
| Dragonfly has built in support for ACL. DF operators, get fine grained control on how and who accesses the datastore via the ACL family of commands. | ||
| Since, DF is designed as a drop in replacement for Redis, you can expect the same API functionality for ACL as in Redis. |
There was a problem hiding this comment.
Suggested change
| Since, DF is designed as a drop in replacement for Redis, you can expect the same API functionality for ACL as in Redis. | |
| Since Dragonfly is designed as a drop in replacement for Redis, you can expect the same API functionality for ACL as in Redis. |
docs/managing-dragonfly/acl.md
Outdated
| ``` | ||
|
|
||
| This allows the user `John` to execute only the `SET` && `GET` commands and all of the commands associated with the group `FAST`. | ||
| Any attempt of user `John` to issue a command other than the above, will be rejected by the system. |
There was a problem hiding this comment.
Suggested change
| Any attempt of user `John` to issue a command other than the above, will be rejected by the system. | |
| Any attempt of user `John` to issue a command other than the above will be rejected by the system. |
docs/managing-dragonfly/acl.md
Outdated
| Note, that the `aclfile` file is compatible with Redis (however it must not contain any keys or | ||
| pub/sub DSL's because these yet are not supported so if you plan to migrate, just open the file and strip them away). | ||
|
|
||
| If you want the `aclfile` to be writable, that is, if you want `ACL SAVE` to work, we would advice against placing the `aclfile` |
There was a problem hiding this comment.
Suggested change
| If you want the `aclfile` to be writable, that is, if you want `ACL SAVE` to work, we would advice against placing the `aclfile` | |
| If you want the `aclfile` to be writable, that is, if you want `ACL SAVE` to work, we would advise against placing the `aclfile` |
docs/managing-dragonfly/acl.md
Outdated
| pub/sub DSL's because these yet are not supported so if you plan to migrate, just open the file and strip them away). | ||
|
|
||
| If you want the `aclfile` to be writable, that is, if you want `ACL SAVE` to work, we would advice against placing the `aclfile` | ||
| under `/etc` directory because the folder is only accesible by Dragonfly as `readonly`. You change this behaviour, by editing |
There was a problem hiding this comment.
Suggested change
| under `/etc` directory because the folder is only accesible by Dragonfly as `readonly`. You change this behaviour, by editing | |
| under `/etc` directory because usually that directory is only accessible by Dragonfly as `readonly`. You change this behavior, by editing |
docs/managing-dragonfly/acl.md
Outdated
| under `/etc` directory because the folder is only accesible by Dragonfly as `readonly`. You change this behaviour, by editing | ||
| the systemd service file located in `/lib/systemd/system/dragonfly.service`. | ||
|
|
||
| For convenience, we suggest to place `acl` files in `/var/lib/dragonfly/`. |
There was a problem hiding this comment.
Suggested change
| For convenience, we suggest to place `acl` files in `/var/lib/dragonfly/`. | |
| For convenience, we suggest to place acl files in `/var/lib/dragonfly/`. |
docs/managing-dragonfly/acl.md
Outdated
| of their permissions) are stored in a log. The size of the log can be configured by the option `--acllog_max_len`. | ||
| This flag, operates a little bit differently from Redis. Specifically, because Dragonfly uses a shared nothing thread per core architecture, | ||
| each thread of execution has its own log. Therefore, the total size of the log entries, is the flag number multiplied | ||
| by the available number of cores in the system. So for example, if you are running on a 4 core machine with `--acllog_max_len=8` |
There was a problem hiding this comment.
Suggested change
| by the available number of cores in the system. So for example, if you are running on a 4 core machine with `--acllog_max_len=8` | |
| by the available number of Dragonfly threads. So for example, if you are running Dragonfly with 4 threads with `--acllog_max_len=8` |
chakaz
approved these changes
Nov 14, 2023
Niennienzz
reviewed
Nov 15, 2023
docs/managing-dragonfly/acl.md
Outdated
| @@ -0,0 +1,128 @@ | |||
| # Access Control Lists (ACL) | |||
|
|
|||
| Dragonfly has built in support for ACL. Dragonfly operators get fine grained control on how and who accesses the datastore via the ACL family of commands. | |||
There was a problem hiding this comment.
Suggested change
| Dragonfly has built in support for ACL. Dragonfly operators get fine grained control on how and who accesses the datastore via the ACL family of commands. | |
| Dragonfly has built-in support for ACL. Dragonfly operators get fine-grained control over how and who accesses the datastore via the ACL family of commands. |
docs/managing-dragonfly/acl.md
Outdated
| # Access Control Lists (ACL) | ||
|
|
||
| Dragonfly has built in support for ACL. Dragonfly operators get fine grained control on how and who accesses the datastore via the ACL family of commands. | ||
| Since, Dragonfly is designed as a drop in replacement for Redis, you can expect the same API functionality for ACL as in Redis. |
There was a problem hiding this comment.
Suggested change
| Since, Dragonfly is designed as a drop in replacement for Redis, you can expect the same API functionality for ACL as in Redis. | |
| Since Dragonfly is designed as a drop-in replacement for Redis, you can expect the same API functionality for ACL as in Redis. |
docs/managing-dragonfly/acl.md
Outdated
| All connections in Dragofnly default to the user `default` (unless that user is disabled). By default, user `default` can `AUTH` in Dragonfly using any password, | ||
| and is allowed to execute any command and is part of all the available ACL groups. | ||
|
|
||
| Permissions for a given user are controlled via a domain specific language (DSP) and are divided into 4 categories: |
There was a problem hiding this comment.
Suggested change
| Permissions for a given user are controlled via a domain specific language (DSP) and are divided into 4 categories: | |
| Permissions for a given user are controlled via a domain-specific language (DSL) and are divided into 4 categories: |
docs/managing-dragonfly/acl.md
Outdated
| will abide by the user's specified permissions. Changing the `default` user's status to `OFF` or password, will require all incoming connections | ||
| to authenticate. | ||
|
|
||
| Note that, if the password is changed and a user has already `authenticated` then they don't need to re-authenticate until they reconnect. |
There was a problem hiding this comment.
Suggested change
| Note that, if the password is changed and a user has already `authenticated` then they don't need to re-authenticate until they reconnect. | |
| Note that if the password is changed and a user has already `authenticated` then they don't need to re-authenticate until they reconnect. |
docs/managing-dragonfly/acl.md
Outdated
| then their connection is killed by the system. Furthermore, any change to a user's permission list with `ACL SETUSER` will propagate to the already | ||
| active and authenticated connections. | ||
|
|
||
| Also note, that the flag `--requirepass` also changes the `default` user password. So, if during Dragonfly startup the flag `requirepass` is set, |
There was a problem hiding this comment.
Suggested change
| Also note, that the flag `--requirepass` also changes the `default` user password. So, if during Dragonfly startup the flag `requirepass` is set, | |
| Also note that the flag `--requirepass` also changes the `default` user password. So, if during Dragonfly startup the flag `requirepass` is set, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
resolves #173 and #155
requirepassandauthdocs