@hwware please have a look at #6835
let me know what you think

@oranagra Hello Oran, thanks for linking with this discussion. my understanding of this is if we configured the requirepass, the user is expecting the default user password is being set, if the acl file doesn't have default user configuration. Since in normal case, user may doesn't configure the default user explicitly in acl file especially when server starting at first time. They may configure the requirepass option only. However if default user has been set in acl file, I agree with Salvatore the user is expecting default user should be set the same as acl file specified.

Then if we considered the following scenario:

1. User defined RequirePass and not defined default user in acl file.
2. User defined RequirePass and defined default user in acl file.

for the 1 scenario I would think current implementation is not correct, since the requirepass should take effect if default user has not been set in acl file, that's the reason for this fix. The second case for both current and this pr, it make sure the acl file will take effect for default user setting. Please let me know how you think this, thanks!

@hwware but what if a user re-loads a new ACL file.
i'm not sure if we always know if the user intend for the previous default user's password to be reset or kept.
i.e. the requirepass currently generates an ACL rule and is not really used later. only use for it is for old CONFIG GET compatibility.

What bothered me at the time is that if the ACL rules are embedded inside the config file, then they are additive on top of the one generated by requirepass, but if we load an acl file, it resets that and doesn't build on top of what's defined by requirepass

so beyond the 1 and 2 in your post above we also need to distinguish between:
3. server startup with ACL rules embedded in the config file, vs loading of an acl file.
4. what happens later with ACL LOAD command, how can it decide if it needs to respect the current DefaultUser->passwords, or the startup server.requirepass.

i.e. for 4 maybe the password was initially set by a requirepass then replaced by an ACL file, then overwritten by an ACL SETUSER command, and now we need to decide what to do on ACL LOAD command.

i'm not sure that's solvable.
I tend to agree with Salvatore that if ACL files are used (either at startup or later on by ACL LOAD), then requirepass must not be used.
If only a config file is used and CONFIG SET / ACL SETUSER commands are used, then they can be mixed (although not advised).

thanks @oranagra , if user reloads the acl file, my opinion is the default user password should be reset with requirepass one and not keeping the current changes, the reason I think this make sense is if user really want to keep current configuration, they should explicitly issue a ACL SAVE command, otherwise it will load the acl file from scratch. This is similar to CONFIG REWRITE command behavior, if the user doesn't execute the config rewrite, the current config status will be missing if they restart the server and load the config file again. But if you think keeping Salvatore's design make sense, I would suggest we update Redis conf documentation which mentioning the requirepass and aclfile are not compatible with each other, otherwise user might be confused.

@hwware imagine this case:

1. redis is started from a config file with requirepass and an ACL file (that does not touch the default user). with your change (and with mine), the requirepass will work.
2. user uses the ACL commands to replace the default user's password. (the password that was set with requirepeass is no longer valid).
3. user replaces the ACL file and uses ACL LOAD to load the new file.

The change in this PR will revive the default password that is long gone.
This despite the fact that it wasn't valid before the ACL LOAD, and wasn't mentioned in the ACL file.

With the current code, the result of 1 above is that requirepass is completely ignored, and there are no surprises later on (after that initial surprise). no inconsistencies.

i'm in favour of documenting that these are not compatible (i.e. requirepass should only be used when ACL features are not used).

One thing that bothered me and would still be odd is that if someone uses a config file with requirepass and a bunch of USER lines in it, the requirepass is respected.
but if the USER line are moved to an independent ACL file which is referred to by the config file, the requirepass isn't respected.

I think it's really best if we discourage people from mixing these.

@oranagra thanks Oran for the suggestions, i will close this PR then and open a fix for the documentation.