Skip to content

Remove acl subcommand validation if fully added command exists. #8483

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
oranagra merged 4 commits into from
Feb 22, 2021
Merged

Remove acl subcommand validation if fully added command exists. #8483

oranagra merged 4 commits into from
Feb 22, 2021

Conversation

@hpatro
Copy link
Contributor

@hpatro hpatro commented Feb 11, 2021

Currently there is a validation to disallow subcommand addition to a fully added command. This is to avoid if a customer has wrongly added it. Due to this there is a breaking change across versions, due to the addition of PFDEBUG into hyperloglog category.

// Redis 6.0.5
127.0.0.1:6379> acl setuser user1 +@hyperloglog +pfdebug|test
OK

// Redis 6.2
127.0.0.1:6379> acl setuser user1 +@hyperloglog +pfdebug|test
(error) ERR Error in ACL SETUSER modifier '+pfdebug|test': Adding a subcommand of a command already fully added is not allowed. Remove the command to start. Example: -DEBUG +DEBUG|DIGEST

However, we can ignore the subcommand instead of throwing the error.

Current behaviour:

127.0.0.1:6380> ACL SETUSER newuser +PFCOUNT +PFCOUNT|DEBUG
(error) ERR Error in ACL SETUSER modifier '+PFCOUNT|DEBUG': Adding a subcommand of a command already fully added is not allowed. Remove the command to start. Example: -DEBUG +DEBUG|DIGEST

Proposed changes:

127.0.0.1:6379> ACL SETUSER newuser +PFCOUNT +PFCOUNT|DEBUG
OK
127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user newuser off &* -@all +pfcount"

madolson
madolson reviewed Feb 14, 2021
View reviewed changes
madolson
madolson reviewed Feb 18, 2021
View reviewed changes
@madolson madolson added the state:major-decision Requires core team consensus label Feb 21, 2021
@madolson
Copy link
Contributor

madolson commented Feb 21, 2021

@redis/core-team I think this is a pretty low risk, but please take a look for Redis 6.2. The risk here is that a user might have an ACL file that loads on 6.0 but fails to load on 6.2 if they whitelist a subcommand that was implicitly added in it's entirety by a category. I think the likelihood of this is low, but given that we're just removing some validation, this seems okay.=

oranagra
oranagra previously approved these changes Feb 21, 2021
View reviewed changes
Copy link
Member

@oranagra oranagra left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with this "fix" (to remove a validation).
I was initially hesitant to remove some validation that was purposely coded.
But I agree this validation is kinda silly, considering we did that only for sub-commands and not for commands.
i.e. these would have been valid (not produce any error)

ACL SETUSER bob +@all +client
ACL SETUSER bob +client +client

so no reason for this one to fail:

ACL SETUSER bob +client +client|id

tests/unit/acl.tcl Outdated
Comment on lines 221 to 223
r ACL setuser bob +pfcount|hll
set cmdstr [dict get [r ACL getuser bob] commands]
assert_equal {-@all +pfcount|hll} $cmdstr
Copy link
Member

@oranagra oranagra Feb 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't like the fact that this test uses hll as if it's a sub-command of pfcount
I would prefer to convert this test to check some command that really does have a sub-command.
how about OBJECT REFCOUNT or MEMORY USAGE?

yossigo
yossigo previously approved these changes Feb 22, 2021
View reviewed changes
@oranagra oranagra dismissed stale reviews from yossigo and themself via 2360031 February 22, 2021 13:07
@oranagra oranagra merged commit 4739131 into redis:unstable Feb 22, 2021
@oranagra oranagra mentioned this pull request Feb 22, 2021
Merged
JackieXie168 pushed a commit to JackieXie168/redis that referenced this pull request Mar 2, 2021
@hpatro @madolson @oranagra
Remove acl subcommand validation if fully added command exists. (redi…
00cb0d1 
…s#8483)

This validation was only done for sub-commands and not for commands.

These would have been valid (not produce any error)
ACL SETUSER bob +@ALL +client
ACL SETUSER bob +client +client

so no reason for this one to fail:
ACL SETUSER bob +client +client|id

One example why this is needed is that pfdebug wasn't part of the @hyperloglog
group and now it is. so something like:
acl setuser user1 +@hyperloglog +pfdebug|test
would have succeeded in early 6.0.x, and fail in 6.2 RC3

Co-authored-by: Harkrishn Patro <harkrisp@amazon.com>
Co-authored-by: Madelyn Olson <madelyneolson@gmail.com>
Co-authored-by: Oran Agra <oran@redislabs.com>
@oranagra oranagra mentioned this pull request Apr 18, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@oranagra oranagra oranagra approved these changes

@yossigo yossigo yossigo left review comments

+1 more reviewer

@madolson madolson madolson left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

state:major-decision Requires core team consensus

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@hpatro @madolson @yossigo @oranagra