GitHub user jihuayu edited a discussion: ACL Proposal
# ACL Design Proposal for Kvrocks
## Overview
This document proposes an Access Control List (ACL) feature for Kvrocks.
## Namespace-Based User Management
- **Namespaces:** Users are managed under namespaces. Only the admin user can
manage ACLs.
- To prevent the auth command from failing to locate the user's corresponding
namespace, different namespaces cannot have users with the same name. If a user
with the same name exists in another namespace, an error will be returned.
## ACL Persistence
- **Storage:** ACL data is persisted in a dedicated column family; we are
considering using `PropagateColumnFamily`.
- Each user's ACL information is stored under a unique key that begins with the
string 'acl'. The value contains the namespace, followed by the password and
permissions encoded as a Redis ACL SETUSER command string.
```
                 +-------------+-------------+-----------------------------------+
acl|user name => |   ns size   |  namespace  | redis ACL SETUSER commands string |
                 | (1byte: X)  |   (Xbyte)   |              (Nbyte)              |
                 +-------------+-------------+-----------------------------------+
```
- This column family will be actively synchronized to the replica nodes. When a
replica node receives a key that starts with "acl", it will automatically
generate the corresponding data for it.
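
The value layout above can be encoded and decoded as follows. This is an added example, not code from the proposal or from Kvrocks; `AclRecord`, `EncodeAclValue` and `DecodeAclValue` are hypothetical names and the sample rule string is constructed. It shows the bounds checks a replica needs before trusting the length byte of a received record.

```cpp
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <string>
#include <string_view>

// Hypothetical names: the proposal fixes only the byte layout, not an API.
struct AclRecord {
  std::string ns;     // namespace that owns the user
  std::string rules;  // ACL SETUSER rule string (password and permissions)
};

// Value layout: [ns size: 1 byte = X][namespace: X bytes][rule string: N bytes]
std::string EncodeAclValue(const AclRecord &rec) {
  // The size field is a single byte, so longer namespaces cannot be stored.
  if (rec.ns.size() > UINT8_MAX)
    throw std::length_error("namespace exceeds 1-byte size field");
  std::string out;
  out.reserve(1 + rec.ns.size() + rec.rules.size());
  out.push_back(static_cast<char>(rec.ns.size()));
  out += rec.ns;
  out += rec.rules;
  return out;
}

// Returns nullopt for malformed input instead of reading past the buffer.
std::optional<AclRecord> DecodeAclValue(std::string_view raw) {
  if (raw.empty()) return std::nullopt;  // no size byte
  // Cast through uint8_t: plain char may be signed, turning 0xFF into -1.
  const std::size_t ns_size = static_cast<uint8_t>(raw[0]);
  if (raw.size() - 1 < ns_size) return std::nullopt;  // truncated namespace
  return AclRecord{std::string(raw.substr(1, ns_size)),
                   std::string(raw.substr(1 + ns_size))};
}

int main() {
  // Constructed sample record, not taken from the proposal.
  const AclRecord rec{"tenant_a", "on >s3cret ~app:* +get"};
  const auto back = DecodeAclValue(EncodeAclValue(rec));
  return (back && back->ns == rec.ns && back->rules == rec.rules) ? 0 : 1;
}
```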
## Permission Structure
- The overall structure of permissions closely follows Redis’s ACL bitmap index
approach.
- Each user's permissions on commands are represented by bitmaps, enabling
efficient checks and updates.
### Core Data Structure
```c++
#include <cstdint>
#include <set>
#include <string>
#include <vector>

struct aclSelector {
  uint32_t flags;  // SELECTOR_FLAG_ALLKEYS, ALLCHANNELS, ALLCOMMANDS, etc.
  // Command permission bitmap, size = USER_COMMAND_BITS_COUNT / 64
  std::vector<uint64_t> allowed_commands;
  // Command category permission bitmap, size = USER_CATEGORY_BITS_COUNT / 32
  std::vector<uint32_t> allowed_categories;
  std::vector<std::string> patterns;  // List of key patterns
  std::vector<std::string> channels;  // List of channel patterns
};

struct aclUser {
  bool enabled;  // Whether the user is enabled
  // The first is the root selector, the rest are regular selectors
  std::vector<aclSelector> allowed_commands;
  // Set of passwords, stored as sha256 hashes. Nopass if set is empty
  std::set<std::string> passwords;
};
```
- **Flags:** Indicate global permissions such as access to all keys, channels,
or commands.
- **allowed_commands:** Bitmap representing allowed commands for the user.
- **allowed_categories:** Bitmap representing allowed categories for the user.
- **patterns:** List of allowed key patterns, supporting fine-grained key
access control.
- **channels:** List of allowed channel patterns for pub/sub permissions.
## Subcommand Permissions
- Redis supports blocking individual subcommands. In Kvrocks, we need a unified
method to collect and control subcommand permissions.
- **\*\*NEED HELP\*\* Required to design a robust and maintainable subcommand
permission system.**
## Compatibility Notes
- We do **not** support the deprecated Redis 7.0 feature: [Allow the first arg of a blocked command](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/#allow-the-first-arg-of-a-blocked-command).
## Development Plan
1. **Core Data Structures**
- Design and implement the ACL selector and user permission structures.
2. **User Password & Authentication**
- Implement password storage and authentication logic.
3. **Basic Permission Control & Selectors**
- Implement bitmaps and selectors for basic command permission checks.
4. **Command Category Restrictions**
- Support command category restrictions per [Redis ACL documentation (Command Categories)](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/#command-categories).
5. **Key Permissions**
- Support key pattern-based access control per [Redis ACL documentation (Key Permissions)](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/#key-permissions).
6. **Other Related Command Implementations**
- Complete additional ACL-related command implementations as needed.
GitHub link: https://github.com/apache/kvrocks/discussions/3234