update sentinel doc for adding ACL authentication#1417
update sentinel doc for adding ACL authentication#1417itamarhaber merged 6 commits intoredis:masterfrom
Conversation
|
i tried to improve a bit, not sure if i did good. |
topics/sentinel.md
Outdated
|
|
||
| With Redis 6.2, Sentinel instances can be configured with ACL authentication, so clients need to provide both a user and a password. As with password-only authentication, the same ACL user is used to authenticate both incoming clients and outgoing Sentinel connections. You can create and manage the Sentinel ACL user on all instances with regular [ACL directives](/topics/acl), for example: | ||
|
|
||
| ACL SETUSER my-sentinel-user on >my-sentinel-password +@all |
There was a problem hiding this comment.
@hwware is this a good example? Perhaps something more restrictive?
There was a problem hiding this comment.
@itamarhaber oh yes, maybe give just enough permission for the sentinel user, let me test this.. thanks for catching up this.
|
Also tried improving - one pending question. |
that seems wrong to me.
although now that i think of it, it may be cumbersome to use (comparing to the old single field that controls all). so we should at least discourage the use of |
|
Hi @oranagra, I think the first point you mentioned make sense to me, since the sentinel-user and pass controls how this sentinel auth with others for the outbound traffic, and the inbound traffic will be controlled by acl or requirepass config in current sentinel. However since sentinels in a cluster need to talk with each other, normally they should be configured with the same acl user and same sentinel-user and pass settings. Maybe we should say something more specific on this. |
oranagra
left a comment
oranagra
left a comment
There was a problem hiding this comment.
Aren't we missing a mention about ACL in the top of the Sentinel and Redis authentication section? it looks like the auth-user option isn't documented at all!
topics/sentinel.md
Outdated
| * **ACL** This command manages the Sentinel Access Control List entries. For more information refer to the [ACL](/topics/acl) documentation page and the [_Configuring Sentinel instances with authentication_ section](#configuring-sentinel-instances-with-authentication). | ||
| * **AUTH** Authenticate a client connection. For more information refer to the `AUTH` command and the [_Configuring Sentinel instances with authentication_ section](#configuring-sentinel-instances-with-authentication). | ||
| * **CLIENT** This command manages client connections. For more information refer to the its subcommands' pages. | ||
| * **COMMAND** This command returns information about commands. For more information refer to the `COMMAND` command and its various subcommands. | ||
| * **HELLO** Switch the connection's protocol. For more information refer to the `HELLO` command. | ||
| * **INFO** Return information and statistics about the Sentinel server. For more information see the `INFO` command. | ||
| * **PING** This command simply returns PONG. | ||
| * **SENTINEL masters** Show a list of monitored masters and their state. | ||
| * **SENTINEL master `<master name>`** Show the state and info of the specified master. | ||
| * **SENTINEL replicas `<master name>`** Show a list of replicas for this master, and their state. | ||
| * **SENTINEL sentinels `<master name>`** Show a list of sentinel instances for this master, and their state. | ||
| * **SENTINEL get-master-addr-by-name `<master name>`** Return the ip and port number of the master with that name. If a failover is in progress or terminated successfully for this master it returns the address and port of the promoted replica. | ||
| * **SENTINEL reset `<pattern>`** This command will reset all the masters with matching name. The pattern argument is a glob-style pattern. The reset process clears any previous state in a master (including a failover in progress), and removes every replica and sentinel already discovered and associated with the master. | ||
| * **SENTINEL failover `<master name>`** Force a failover as if the master was not reachable, and without asking for agreement to other Sentinels (however a new version of the configuration will be published so that the other Sentinels will update their configurations). | ||
| * **SENTINEL ckquorum `<master name>`** Check if the current Sentinel configuration is able to reach the quorum needed to failover a master, and the majority needed to authorize the failover. This command should be used in monitoring systems to check if a Sentinel deployment is ok. | ||
| * **SENTINEL flushconfig** Force Sentinel to rewrite its configuration on disk, including the current Sentinel state. Normally Sentinel rewrites the configuration every time something changes in its state (in the context of the subset of the state which is persisted on disk across restart). However sometimes it is possible that the configuration file is lost because of operation errors, disk failures, package upgrade scripts or configuration managers. In those cases a way to to force Sentinel to rewrite the configuration file is handy. This command works even if the previous configuration file is completely missing. | ||
| * **ROLE** This command returns the string "sentinel" and a list of monitored masters. For more information refer to the `ROLE` command. | ||
| * **SHUTDOWN** Shut down the Sentinel instance. |
There was a problem hiding this comment.
was a little bit hard to review.
for some reason github shows that you changed all the lines about the SENTINEL commands.
but comparing them one by one i see they are unchanged, and all you did is add the section at the top with the generic management APIs.
I see you also added COMMAND which is not yet merged, but we can assume is gonna be soon.
i suppose we need a versioning paragraph here to mention that ACL and COMMAND are new to 6.2.
also, i see all the PUBSUB commands are missing from this list. they are documented below, but maybe this list should have some note and a link to the other section.
There was a problem hiding this comment.
I uppercased the subcommands in these lines, perhaps that's why.
WRT COMMAND - exactly.
Pub/Sub - as it is covered in another section I didn't put it in, but I also felt it was missing in terms of completeness. Will add.
topics/sentinel.md
Outdated
|
|
||
| Lastly, for authenticating incoming client connections, you can create a restricted Sentinel user like this: | ||
|
|
||
| 127.0.0.1:5000> ACL SETUSER sentinel-user ON >user-password -@all +@connection +SENTINEL|MASTERS +SENTINEL|MASTER +SENTINEL|GET-MASTER-ADDR-BY-NAME |
There was a problem hiding this comment.
can someone confirm that this line would be enough for sentinels to talk to each other and to their job?
There was a problem hiding this comment.
This is actually for incoming client connections and should be enough for discoverability, but an affirmation would be good.
|
You're totally right about auth-user - I saw it was missing and forgot to add it. Fixing. |
oranagra
left a comment
oranagra
left a comment
There was a problem hiding this comment.
LGTM..
i suppose someone needs to take another look at the live web version after this is merged to make sure the formatting works, and the reading flow and headers make sense.
3 participants
Note: This PR is for review only since In line 790 I left a placeholder for the redis version for releasing ACL on Sentinel. We can replace it with correct version once this is released.