I am using RedisStack 6.2.6-v6.
I have the following user in my acl list:
user username on -@all +@read +@write +@connection ~prefix:* > somepassword
When I try executing commands from the JSON module I receive the following error:
NOPERM this user has no permissions to run the 'json.set' command or its subcommand
How can I solve this without doing +@all?
The ACL documentation states that module commands aren't included in command groups, and provides some reasoning:
"Note that command categories never include modules commands with the exception of +@all. If you say +@all, all the commands can be executed by the user, even future commands loaded via the modules system. However if you use the ACL rule +@read or any other, the modules commands are always excluded. This is very important because you should just trust the Redis internal command table. Modules may expose dangerous things and in the case of an ACL that is just additive, that is, in the form of +@all -... You should be absolutely sure that you'll never include what you did not mean to."
So what you'll want to do is explicitly list the JSON.<whatever> commands that you want the user to run. Here's an example:
Create a user that can only run json.set, json.get and json.arrpop on keys beginning jsondocs::
Login as that user:
Try a command we are not allowed to use:
Try a command we are allowed to use but not on the keys we are allowed to operate on:
Try a command we can use on the part of the keyspace we can operate on:
Try a JSON command we are not allowed to use on a part of the keyspace we are allowed to operate on - expect to fail:
Redis ACL docs: https://redis.io/docs/management/security/acl/
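The procedure the answer walks through, as an added example that is not part of the original answer: a POSIX shell script that creates the restricted user with redis-cli and probes each of the cases above. The user name jsonuser, the password example-password and an unauthenticated admin connection on localhost:6379 are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumed values: admin access via
# plain redis-cli on localhost:6379, user "jsonuser", password
# "example-password", key prefix "jsondocs:".
ACL_USER="jsonuser"
ACL_PASS="example-password"
KEY_PREFIX="jsondocs:"

# Rule string for ACL SETUSER. +@read/+@write never cover module commands,
# so each JSON command is granted by name; ~jsondocs:* limits the keys.
acl_rules() {
  printf 'on >%s ~%s* +json.set +json.get +json.arrpop' "$ACL_PASS" "$KEY_PREFIX"
}

# Map a redis-cli reply to an outcome word: allowed / noperm / error.
classify_reply() {
  case "$1" in
    *NOPERM*) echo noperm ;;
    *ERR*|*WRONGPASS*) echo error ;;
    *) echo allowed ;;
  esac
}

# Run one command as the restricted user and print the outcome beside it.
probe() {
  reply=$(redis-cli --user "$ACL_USER" --pass "$ACL_PASS" --no-auth-warning "$@" 2>&1) || true
  printf '%-8s %s\n' "$(classify_reply "$reply")" "$*"
}

main() {
  set -f   # no pathname expansion on ~jsondocs:* while splitting the rules
  # shellcheck disable=SC2046
  redis-cli ACL SETUSER "$ACL_USER" reset $(acl_rules) >/dev/null
  set +f
  probe SET "${KEY_PREFIX}1" x                    # noperm: SET was never granted
  probe JSON.SET "other:1" '$' '{}'               # noperm: key outside ~jsondocs:*
  probe JSON.SET "${KEY_PREFIX}1" '$' '{"a":1}'   # allowed: granted command, allowed key
  probe JSON.GET "${KEY_PREFIX}1"                 # allowed
  probe JSON.DEL "${KEY_PREFIX}1"                 # noperm: JSON command not in the list
}

# Only talk to Redis when redis-cli is actually installed.
if command -v redis-cli >/dev/null 2>&1; then main; fi
```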