Skip to content

Support module API for global block list #10819

Description

@madolson

We have an internal use case at AWS which wants to build a module that blocks all write access to a defined set of keys, but still allows read access. Basically we want to inject some data and add a guard rail to prevent unintended modification.

One option is to extend the existing ACLs to support deny permissions, but I think that is wrong for two reasons. The first is that is that the module need to manipulate all existing users to remove the permission. The second is that it will show up in stuff like ACL errors, which some folks may monitor against. Instead I will propose the following two simple APIs.

int RedisModule_RestrictKeyPattern(RedisModule *ctx, char *key_pattern, int flags);
int RedisModule_UnrestrictKeyPattern(RedisModule *ctx, char *key_pattern);

When a key pattern is restricted, it will be checked by all users except the super user (admin/aof), and if a key matches any of the restricted patterns with the provided flags it will be denied by a custom MODULE RESTRICTED reason. This will require some minor tweaks to the ACL code.

Note with flags, a module may restrict both Read and write permissions. (Or just READ permissions I suppose)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    To Do

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions