Home / server / Questions / 743019
Accepted
Nathan Basanese
Asked: 2015-12-15 14:17:34 +0800 CST

Can I change the MASTERAUTH value on a running Redis instance in a Redis Cluster?

  • 772

According to http://redis.io/topics/security, I can set a requirepass value, for example, requirepass foobared, in the Redis configuration files.

However, I don't want this in my configuration files.

Basically, I want to keep this password out of the .conf files, and set it using redis-cli.

################################## SECURITY ###################################

# Require clients to issue AUTH <PASSWORD> before processing any other
# commands.  This might be useful in environments in which you do not trust
# others with access to the host running redis-server.
#
# This should stay commented out for backward compatibility and because most
# people do not need auth (e.g. they run their own servers).
#
# Warning: since Redis is pretty fast an outside user can try up to
# 150k passwords per second against a good box. This means that you should
# use a very strong password otherwise it will be very easy to break.
#
# 2015.12.14 nbasanes: Although I prefer enabling this, I'm not 
# sure it buys us much, since a clear password in a config 
# file is bad for security:
# requirepass foobared

# 2015.12.14  nbasanes: This could be interesting, although 
#   I don't put much weight in security-by-obscurity:
# Command renaming.
#
# It is possible to change the name of dangerous commands in a shared
# environment. For instance the CONFIG command may be renamed into something
# hard to guess so that it will still be available for internal-use tools
# but not available for general clients.
#
# Example:
#
# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
#
# It is also possible to completely kill a command by renaming it into
# an empty string:
#
# rename-command CONFIG ""
#
# Please note that changing the name of commands that are logged into the
# AOF file or transmitted to slaves may cause problems.
security

2 Answers

  1. Yes, can change auth at runtime. (Refer to Nathan Basanese's answer).

    In addition, make sure to fire the config rewrite command for authentication to persist. It can otherwise be lost if the Redis instance restarts

    CONFIG REWRITE

    You can obtain a list of all the parameters that can be changed at run time by running CONFIG GET * against your Redis instance

      127.0.0.1:6379> CONFIG GET *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "unixsocket"
  8) ""
    • 2
  2. Best Answer

    Yes, you can indeed set the requirepass value on a live Redis instance.

    This example shows me setting it on a Redis slave: 

    [nbasanes@SLAVEONE ~]$ redis-cli -h $(facter ipaddress)
101.222.222.222:6379> CONFIG SET REQUIREPASS FOOBARED
OK
101.222.222.222:6379> CONFIG SET REQUIREPA FOOBARED
(error) NOAUTH Authentication required.
101.222.222.222:6379> AUTH FOOBARED
OK
101.222.222.222:6379> CONFIG SET REQUIREPA FOOBARED
(error) ERR Unsupported CONFIG parameter: REQUIREPA
10.252.226.179:6379> ROLE
1) "slave"
2) "101.102.94.22"
3) (integer) 6379
4) "connected"
5) (integer) 702567
101.222.222.222:6379>
    • 1