From 04831c2433377bc32efbb03c33cf385e05bf03fd Mon Sep 17 00:00:00 2001
From: Justin Sievenpiper
Date: Sat, 30 Oct 2021 17:49:27 -0700
Subject: [PATCH] feat(session): add support for acl-based sentinel auth against redis (#2516)

Implements the sentinel username parameter which can be different to the redis username.
---
 docs/configuration/session/redis.md | 22 +++++++++++++++++++---
 internal/configuration/schema/session.go | 1 +
 internal/session/provider_config.go | 1 +
 3 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/docs/configuration/session/redis.md b/docs/configuration/session/redis.md
index ced765f91..a8b438b47 100644
--- a/docs/configuration/session/redis.md
+++ b/docs/configuration/session/redis.md
@@ -30,6 +30,9 @@ session:
 minimum_version: TLS1.2
 high_availability:
 sentinel_name: mysentinel
+ # If `sentinel_username` is supplied, Authelia will connect using ACL-based
+ # authentication. Otherwise, it will use traditional `requirepass` auth.
+ sentinel_username: sentinel_user
 sentinel_password: sentinel_specific_pass
 nodes:
 - host: sentinel-node1
@@ -148,7 +151,7 @@ required: yes
 The [redis sentinel] master name. This is defined in your [redis sentinel] configuration, it is not a hostname. This must be defined currently for a high availability configuration.
-#### sentinel_password
+#### sentinel_username
 type: string
 {: .label .label-config .label-purple }
@@ -156,8 +159,21 @@ required: no
 {: .label .label-config .label-green }
-The password for the [redis sentinel] connection. A [redis sentinel] username is not supported at this time due to the
-upstream library not supporting it.
+The username for the [redis sentinel] connection. If this is provided, it will be used along with the sentinel_password
+for ACL-based authentication to the Redis Sentinel. If only a password is provided, the [redis sentinel] connection will
+be authenticated with traditional requirepass authentication.
+
+#### sentinel_password
+
+type: string
+{: .label .label-config .label-purple }
+required: no (yes if sentinel_username is supplied)
+{: .label .label-config .label-green }
+
+
+The password for the [redis sentinel] connection. If specified with sentinel_username, configures Authelia to
+authenticate to the Redis Sentinel with ACL-based authentication. Otherwise, this is used for requirepass
+authentication.
 #### nodes
diff --git a/internal/configuration/schema/session.go b/internal/configuration/schema/session.go
index ca9aac6c5..e82004ee9 100644
--- a/internal/configuration/schema/session.go
+++ b/internal/configuration/schema/session.go
@@ -9,6 +9,7 @@ type RedisNode struct {
 // RedisHighAvailabilityConfiguration holds configuration variables for Redis Cluster/Sentinel.
 type RedisHighAvailabilityConfiguration struct {
 SentinelName string `koanf:"sentinel_name"`
+ SentinelUsername string `koanf:"sentinel_username"`
 SentinelPassword string `koanf:"sentinel_password"`
 Nodes []RedisNode `koanf:"nodes"`
 RouteByLatency bool `koanf:"route_by_latency"`
diff --git a/internal/session/provider_config.go b/internal/session/provider_config.go
index 24d9cd727..ea7c7f74b 100644
--- a/internal/session/provider_config.go
+++ b/internal/session/provider_config.go
@@ -88,6 +88,7 @@ func NewProviderConfig(configuration schema.SessionConfiguration, certPool *x509
 Logger: &redisLogger{logger: logging.Logger()},
 MasterName: configuration.Redis.HighAvailability.SentinelName,
 SentinelAddrs: addrs,
+ SentinelUsername: configuration.Redis.HighAvailability.SentinelUsername,
 SentinelPassword: configuration.Redis.HighAvailability.SentinelPassword,
 RouteByLatency: configuration.Redis.HighAvailability.RouteByLatency,
 RouteRandomly: configuration.Redis.HighAvailability.RouteRandomly,
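Review bot: The added `SentinelUsername:` line forwards the new option to the failover client without any check that `SentinelPassword` is set alongside it, even though the docs changed in this same patch declare `sentinel_password` required whenever `sentinel_username` is supplied. Unless the configuration validator (not part of this diff) enforces the pairing, a username with an empty password is passed straight through and the misconfiguration only surfaces as an authentication failure at connect time rather than at config load, which is where the rest of the high_availability settings appear to be checked. I would add a validation rule next to the existing sentinel checks that rejects `SentinelUsername != "" && SentinelPassword == ""` with a message naming both keys, and a one-line comment on the new option such as `// SentinelUsername enables ACL (AUTH user pass) authentication to the sentinels; empty keeps requirepass behaviour.` so the two auth modes are explicit in code as well as in the docs. NewProviderConfig begins and ends outside this hunk.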