I am using RedisStack 6.2.6-v6.
I have the following user in my acl list:
user username on -@all +@read +@write +@connection ~prefix:* > somepassword
When I try executing commands from the JSON module I receive the following error:
NOPERM this user has no permissions to run the 'json.set' command or its subcommand
How can I solve this without doing +@all?
The ACL documentation states that module commands aren't included in command groups, and provides some reasoning:
"Note that command categories never include modules commands with the exception of +@all. If you say +@all, all the commands can be executed by the user, even future commands loaded via the modules system. However if you use the ACL rule +@read or any other, the modules commands are always excluded. This is very important because you should just trust the Redis internal command table. Modules may expose dangerous things and in the case of an ACL that is just additive, that is, in the form of +@all -... You should be absolutely sure that you'll never include what you did not mean to."
So what you'll want to do is explicitly list the JSON.<whatever> commands that you want the user to run. Here's an example:
Create a user that can only run json.set, json.get and json.arrpop on keys beginning "jsondocs:":
127.0.0.1:6379> acl setuser justjson on >mypassword ~jsondocs:* -@all +json.set +json.get +json.arrpop
OK
Login as that user:
127.0.0.1:6379> auth justjson mypassword
OK
Try a command we are not allowed to use:
127.0.0.1:6379> sadd someset hello
(error) NOPERM this user has no permissions to run the 'sadd' command or its subcommand
Try a command we are allowed to use but not on the keys we are allowed to operate on:
127.0.0.1:6379> json.set nothere $ '{"hello": "world"}'
(error) NOPERM this user has no permissions to access one of the keys used as arguments
Try a command we can use on the part of the keyspace we can operate on:
127.0.0.1:6379> json.set jsondocs:shouldbeok $ '{"hello": [ "world", "welt", "monde"]}'
OK
127.0.0.1:6379> json.get jsondocs:shouldbeok $
"[{\"hello\":[\"world\",\"welt\",\"monde\"]}]"
127.0.0.1:6379> json.arrpop jsondocs:shouldbeok $.hello
1) "\"monde\""
Try a JSON command we are not allowed to use on a part of the keyspace we are allowed to operate on - expect to fail:
127.0.0.1:6379> json.numincrby jsondocs:shouldbeok $.counter 2
(error) NOPERM this user has no permissions to run the 'json.numincrby' command or its subcommand
Redis ACL docs: https://redis.io/docs/management/security/acl/
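To make the two behaviours in the answer concrete without needing a running server, here is an added, constructed model of how Redis evaluates ACL rules (example code written for this page, not Redis's own implementation). It uses a deliberately tiny command table of my own: the category contents and the set of json.* commands are assumptions, and the real Redis table is far larger. The point it demonstrates is the one the answer makes: -@all +@read +@write +@connection never reaches a module command, so json.set has to be granted by name, while ~jsondocs:* still fences off the keyspace.

```python
"""Simplified model of Redis ACL rule evaluation (constructed example).

Models two behaviours from the answer above:
  * command categories (+@read, +@write, ...) never include module commands
    such as json.set, so those must be granted by name (or via +@all);
  * key patterns (~prefix:*) restrict which keys a permitted command may touch.
"""
from fnmatch import fnmatchcase

# Constructed, tiny subset of Redis's built-in command table (assumption:
# the real table is much larger; only the shape matters here).
BUILTIN_CATEGORIES = {
    "read": {"get", "smembers", "lrange"},
    "write": {"set", "sadd", "lpush"},
    "connection": {"auth", "ping", "client"},
}
BUILTIN_COMMANDS = set().union(*BUILTIN_CATEGORIES.values())

# Module commands known to this model. They are deliberately absent from every
# category: they can only be granted by name or by the special +@all.
MODULE_COMMANDS = {"json.set", "json.get", "json.arrpop", "json.numincrby"}
ALL_COMMANDS = BUILTIN_COMMANDS | MODULE_COMMANDS


class AclUser:
    """Holds the effective permissions produced by a space-separated rule string."""

    def __init__(self, rules):
        self.allowed = set()       # commands this user may run
        self.key_patterns = []     # glob patterns the keys must match
        for rule in rules.split():
            self._apply(rule)

    def _apply(self, rule):
        if rule in ("on", "off") or rule.startswith(">"):
            return  # enabled flag and password play no part in permission checks
        if rule == "allkeys":
            self.key_patterns.append("*")
        elif rule.startswith("~"):
            self.key_patterns.append(rule[1:])
        elif rule in ("+@all", "allcommands"):
            self.allowed |= ALL_COMMANDS        # the only rule that reaches modules
        elif rule in ("-@all", "nocommands"):
            self.allowed.clear()
        elif rule.startswith(("+@", "-@")):
            category = BUILTIN_CATEGORIES.get(rule[2:], set())
            if rule[0] == "+":
                self.allowed |= category
            else:
                self.allowed -= category
        elif rule[0] in "+-":
            command = rule[1:].lower()
            if command not in ALL_COMMANDS:
                raise ValueError(f"unknown command {command!r}")
            if rule[0] == "+":
                self.allowed.add(command)
            else:
                self.allowed.discard(command)
        else:
            raise ValueError(f"unsupported rule {rule!r}")

    def check(self, command, *keys):
        """Return 'OK' or the NOPERM message Redis would give for this call."""
        command = command.lower()
        if command not in self.allowed:
            return (f"NOPERM this user has no permissions to run the "
                    f"'{command}' command or its subcommand")
        for key in keys:
            if not any(fnmatchcase(key, pattern) for pattern in self.key_patterns):
                return ("NOPERM this user has no permissions to access one of "
                        "the keys used as arguments")
        return "OK"


def demo():
    """Replay the question's rule and the answer's fix; returns the outcomes."""
    # The question's user (password written without the stray space, as the ACL file expects).
    broad = AclUser("on -@all +@read +@write +@connection ~prefix:* >somepassword")
    # The answer's user: categories dropped, JSON commands granted by name.
    justjson = AclUser("on >mypassword ~jsondocs:* -@all +json.set +json.get +json.arrpop")
    return {
        "categories_only_json.set": broad.check("json.set", "prefix:doc"),
        "categories_only_set": broad.check("set", "prefix:doc"),
        "justjson_sadd": justjson.check("sadd", "someset"),
        "justjson_wrong_key": justjson.check("json.set", "nothere"),
        "justjson_ok": justjson.check("json.set", "jsondocs:shouldbeok"),
        "justjson_numincrby": justjson.check("json.numincrby", "jsondocs:shouldbeok"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The rule string is processed left to right, exactly as acl setuser does, which is why -@all must come before the +json.* grants; writing them in the other order would wipe the grants out again.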