gdelvaldi opened a new issue, #13463:
URL: https://github.com/apache/apisix/issues/13463

   ### Description
   When using the redis-cluster policy in limit-count or equivalent plugins, 
APISIX can only authenticate against Redis using the default user and there is 
no way to configure a named ACL user to limit its privileges. This is a 
security gap in environments that follow the principle of least privilege. 
   
   What makes this more visible is the existing inconsistency in APISIX itself, 
since the standalone redis policy already supports redis_username. The 
redis-cluster policy has no equivalent field, leaving cluster users with a 
weaker security posture than standalone users with no documented reason for the 
difference.
   
   ### Proposal
   
   - Add a new optional variable 'redis_username' for redis cluster (on 
apisix/utils/redis-schema.lua and apisix/utils/rediscluster.lua)
   - Implement the possibility to use a username in the resty.rediscluster library 
(dependency), so another MR on https://github.com/steve0511/resty-redis-cluster 
will be necessary to complete this issue
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
