Security Commands

ACL LIST & ACL SETUSER

Redis ACL (Access Control Lists) lets you create users with specific permissions. Restrict commands, limit key access, and follow the principle of least privilege.

You'll Learn

  • Creating and managing users
  • Setting command permissions
  • Restricting key access patterns
  • Security best practices

1. Why ACL?

Before Redis 6, authentication was a single password (AUTH password). Anyone with the password had full access to everything. ACL adds proper user management.

Without ACL

  • Single shared password
  • All or nothing access
  • No audit trail per user
  • One compromised password = full access

With ACL

  • Multiple users with passwords
  • Per-user command restrictions
  • Per-user key pattern restrictions
  • Principle of least privilege

2. ACL LIST: View Users

ACL LIST shows all configured users and their permissions.

ACL LIST

127.0.0.1:6379> ACL LIST
1) "user default on nopass ~* &* +@all"
2) "user readonly on >secretpass ~cache:* -@all +@read"
3) "user webapp on >apppass ~app:* ~session:* +@all -@dangerous"

Syntax Breakdown

  • on/off - User enabled/disabled
  • nopass - No password required
  • >password - Password (hashed in storage)
  • ~pattern - Allowed key patterns
  • &channel - Allowed pub/sub channels
  • +command - Allow command
  • -command - Deny command
  • +@category - Allow category
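
The syntax above is regular enough to audit offline. The following is an added example, not Redis or Redimo code: it parses the three sample entries from the ACL LIST output above and reports enabled users that have no password, can reach every key, or hold +@all with no later -@dangerous. The function names and finding strings are this example's own.

```python
SAMPLE_ACL_LIST = [  # the three entries from the ACL LIST output above
    "user default on nopass ~* &* +@all",
    "user readonly on >secretpass ~cache:* -@all +@read",
    "user webapp on >apppass ~app:* ~session:* +@all -@dangerous",
]

def parse_acl_entry(line):
    """Split one ACL LIST entry into its rule groups (passwords are dropped)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST entry: {line!r}")
    user = {"name": tokens[1], "enabled": False, "nopass": False,
            "keys": [], "channels": [], "commands": []}
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            user["enabled"] = tok == "on"
        elif tok == "nopass":
            user["nopass"] = True
        elif tok.startswith("~"):
            user["keys"].append(tok[1:])
        elif tok.startswith("&"):
            user["channels"].append(tok[1:])
        elif tok[0] in "+-":
            user["commands"].append(tok.lower())
        # anything else (">password", stored hashes, other flags) is ignored
    return user

def audit(user):
    """Return least-privilege findings for one parsed user."""
    if not user["enabled"]:
        return []
    findings = []
    if user["nopass"]:
        findings.append("no password")
    if "*" in user["keys"]:
        findings.append("all keys")
    cmds = user["commands"]
    if "+@all" in cmds:
        last_all = len(cmds) - 1 - cmds[::-1].index("+@all")
        if "-@dangerous" not in cmds[last_all:]:
            findings.append("+@all without -@dangerous")
    return findings

def audit_all(lines):
    return {u["name"]: audit(u) for u in map(parse_acl_entry, lines)}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACL_LIST).items():
        print(name, findings or "ok")
```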

3. ACL SETUSER: Create Users

ACL SETUSER creates or modifies a user. Build permissions incrementally.

Creating Users

# Create a read-only user for cache keys
ACL SETUSER cache-reader on >secret123 ~cache:* +@read

# Create an app user with write access to specific keys
ACL SETUSER webapp on >apppassword ~app:* ~session:* +@all -FLUSHALL -FLUSHDB -DEBUG

# Create admin user
ACL SETUSER admin on >adminpass ~* +@all

# Disable a user
ACL SETUSER olduser off

# Delete a user
ACL DELUSER olduser

Incremental Permissions

# Start with minimal permissions
ACL SETUSER myuser on >pass

# Add key pattern access
ACL SETUSER myuser ~myapp:*

# Add read commands
ACL SETUSER myuser +@read

# Add specific write commands
ACL SETUSER myuser +SET +DEL +EXPIRE

# Remove a permission
ACL SETUSER myuser -KEYS

4. Command Categories

Commands are grouped into categories for easier permission management.

ACL CAT

# List all categories
ACL CAT
 1) "keyspace"
 2) "read"
 3) "write"
 4) "set"
 5) "sortedset"
 6) "list"
 7) "hash"
 8) "string"
 9) "bitmap"
10) "hyperloglog"
11) "geo"
12) "stream"
13) "pubsub"
14) "admin"
15) "fast"
16) "slow"
17) "blocking"
18) "dangerous"
19) "connection"
20) "transaction"
21) "scripting"

# List commands in a category
ACL CAT dangerous
1) "flushall"
2) "flushdb"
3) "keys"
4) "debug"
...

Dangerous Category

The @dangerous category includes commands that can harm your server: FLUSHALL, FLUSHDB, DEBUG, KEYS, etc. For most application users, +@all -@dangerous is a good starting point.

5. Key Patterns

Restrict users to specific key patterns. Essential for multi-tenant setups.

Key Pattern Examples

# Access all keys (admin only!)
ACL SETUSER admin ~*

# Access keys with specific prefix
ACL SETUSER tenant1 ~tenant1:*

# Multiple patterns
ACL SETUSER webapp ~session:* ~cache:* ~app:*

# Wildcards in the middle of a pattern (* matches any run of characters)
ACL SETUSER analytics ~stats:*:2024:*

# Reset key patterns (start fresh)
ACL SETUSER myuser resetkeys ~newpattern:*
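
To see what a key pattern actually admits before relying on it for tenant isolation, the check can be modelled offline. This is an added example, not Redis code: it handles only `*`, `?` and backslash escapes (character classes are rejected rather than modelled), and the probe keys and the `tenant1*` pattern are constructed for illustration.

```python
import re

def pattern_to_regex(pattern):
    """Translate a key pattern (*, ? and backslash escapes only) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(".*")          # any run of characters, ':' included
        elif ch == "?":
            out.append(".")           # exactly one character
        elif ch == "[":
            raise ValueError("character classes are not modelled here")
        else:
            if ch == "\\" and i + 1 < len(pattern):
                i += 1                # escaped character is taken literally
            out.append(re.escape(pattern[i]))
        i += 1
    return re.compile("".join(out), re.DOTALL)

def key_allowed(patterns, key):
    """True if any of the user's key patterns matches the whole key."""
    return any(pattern_to_regex(p).fullmatch(key) for p in patterns)

# Constructed probe keys checked against the patterns used in this section.
CHECKS = [
    (["tenant1:*"], "tenant1:orders:42"),      # own data
    (["tenant1:*"], "tenant10:orders:42"),     # other tenant, blocked by ':'
    (["tenant1*"], "tenant10:orders:42"),      # weak pattern without the ':'
    (["session:*", "cache:*", "app:*"], "sessions:abc"),
    (["stats:*:2024:*"], "stats:eu:2024:01"),
    (["stats:*:2024:*"], "stats:eu:2023:2024:x"),  # '*' spans ':' segments
]

def run_checks():
    return [key_allowed(patterns, key) for patterns, key in CHECKS]

if __name__ == "__main__":
    for (patterns, key), ok in zip(CHECKS, run_checks()):
        print(f"{' '.join(patterns):32} {key:24} {'allow' if ok else 'deny'}")
```

The third and sixth rows are the ones to watch: a prefix without its delimiter also covers `tenant10`, and `*` is not limited to one colon-separated segment.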

6. Authentication

Connecting as User

# Traditional AUTH (uses default user)
AUTH password

# AUTH with username (Redis 6+)
AUTH username password

# Check current user
ACL WHOAMI
"webapp"

// Client library example (ioredis)
const Redis = require('ioredis');

const redis = new Redis({
  host: 'localhost',
  port: 6379,
  username: 'webapp',
  password: 'apppassword'
});

7. Common User Patterns

Read-Only User

# For dashboards, monitoring, debugging
# Rules apply left to right: INFO is in @dangerous, so it is re-added after -@dangerous
ACL SETUSER readonly on >readpass \
  ~* \
  +@read \
  -@dangerous \
  +INFO +DBSIZE +SCAN

Application User

# For your web/api application
ACL SETUSER webapp on >apppass \
  ~app:* ~session:* ~cache:* \
  +@all \
  -@admin -@dangerous \
  -CONFIG -SHUTDOWN -BGSAVE

Queue Worker

# For job queue processors
ACL SETUSER worker on >workerpass \
  ~bull:* ~sidekiq:* \
  +@list +@read +@write +@connection \
  +BRPOPLPUSH +BLPOP +BRPOP \
  -@dangerous

Pub/Sub User

# For real-time messaging
ACL SETUSER pubsub on >pubsubpass \
  &notifications:* &events:* \
  +SUBSCRIBE +PUBLISH +PSUBSCRIBE +UNSUBSCRIBE
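
For the user definitions in this section, keep in mind that Redis applies ACL SETUSER rules left to right, so the position of a `-@category` rule decides what survives. The model below is an added example, not Redis code: the category table is a hand-copied subset for a few commands (an assumption to verify with `ACL CAT <category>` on your server), and the two read-only rule orders are constructed for comparison.

```python
# Hand-copied category membership for a few commands (assumption: verify
# against your own server with ACL CAT <category>).
CATEGORIES = {
    "get": {"read", "string", "fast"},
    "set": {"write", "string", "slow"},
    "scan": {"keyspace", "read", "slow"},
    "dbsize": {"keyspace", "read", "fast"},
    "keys": {"keyspace", "read", "slow", "dangerous"},
    "info": {"slow", "dangerous"},
    "flushall": {"keyspace", "write", "slow", "dangerous"},
    "config": {"admin", "slow", "dangerous"},
}

def allowed_commands(rules):
    """Apply +/- command rules in order, the way ACL SETUSER does."""
    allowed = set()
    for rule in rules:
        sign, target = rule[0], rule[1:].lower()
        if sign not in "+-":
            continue                      # key, channel and password rules
        if target == "@all":
            matched = set(CATEGORIES)
        elif target.startswith("@"):
            matched = {c for c, cats in CATEGORIES.items() if target[1:] in cats}
        else:
            matched = {target} & set(CATEGORIES)
        allowed = allowed | matched if sign == "+" else allowed - matched
    return allowed

# Same rules, two orders (constructed for comparison).
LATE_DENY = "+@read +INFO +DBSIZE +SCAN -@dangerous".split()
EARLY_DENY = "+@read -@dangerous +INFO +DBSIZE +SCAN".split()
# Command rules of the webapp user defined in this section.
WEBAPP = "+@all -@admin -@dangerous -CONFIG -SHUTDOWN -BGSAVE".split()

if __name__ == "__main__":
    for name, rules in [("late deny", LATE_DENY), ("early deny", EARLY_DENY),
                        ("webapp", WEBAPP)]:
        print(f"{name:10} -> {sorted(allowed_commands(rules))}")
```

With the deny last, INFO is granted and then stripped again; with the deny first, INFO survives while KEYS stays blocked.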

8. Security Best Practices

1. Disable Default User (or secure it)

# Option A: Disable entirely
ACL SETUSER default off

# Option B: Require password
ACL SETUSER default on >strongpassword

2. Least Privilege

Start with no permissions, add only what's needed. Don't use +@all unless necessary.

3. Separate Users Per Service

webapp, worker, cache-service, analytics - each gets its own user with minimal permissions.

4. Persist ACL Configuration

# Save to ACL file
ACL SAVE

# In redis.conf (ACL SAVE fails unless an aclfile is configured)
aclfile /etc/redis/users.acl

9. ACL Logging

Track denied commands for security auditing.

ACL LOG

# View recent ACL denials
ACL LOG
1) 1) "count"
   2) (integer) 1
   3) "reason"
   4) "command"
   5) "context"
   6) "toplevel"
   7) "object"
   8) "FLUSHALL"
   9) "username"
   10) "webapp"
   11) "age-seconds"
   12) "3.5"

# Reset log
ACL LOG RESET
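
ACL LOG entries arrive as flat field/value lists, which makes them easy to turn into an alert. The following is an added example, not part of Redis or Redimo: the log entries are constructed using the fields shown above, and the age window, threshold and watched-command set are assumptions to tune.

```python
from collections import defaultdict

# Constructed ACL LOG reply: one flat field/value list per entry, using the
# fields shown in the output above.
SAMPLE_LOG = [
    ["count", 1, "reason", "command", "context", "toplevel",
     "object", "FLUSHALL", "username", "webapp", "age-seconds", "3.5"],
    ["count", 40, "reason", "key", "context", "toplevel",
     "object", "tenant2:orders", "username", "tenant1", "age-seconds", "12.0"],
    ["count", 2, "reason", "command", "context", "toplevel",
     "object", "KEYS", "username", "readonly", "age-seconds", "7200.1"],
]

# Commands this page lists under @dangerous.
WATCHED = {"flushall", "flushdb", "keys", "debug"}

def to_dict(entry):
    """Pair up the alternating field names and values of one log entry."""
    return dict(zip(entry[0::2], entry[1::2]))

def flag_users(log, max_age=3600.0, threshold=10):
    """Return {username: [reasons]} for recent denials that deserve a look."""
    totals, flagged = defaultdict(int), defaultdict(list)
    for e in map(to_dict, log):
        if float(e["age-seconds"]) > max_age:
            continue                      # outside the review window
        user = e["username"]
        totals[user] += int(e["count"])   # count = repeats of the same denial
        if e["reason"] == "command" and e["object"].lower() in WATCHED:
            flagged[user].append(f"tried {e['object']}")
    for user, total in totals.items():
        if total >= threshold:
            flagged[user].append(f"{total} denials")
    return dict(flagged)

if __name__ == "__main__":
    for user, reasons in flag_users(SAMPLE_LOG).items():
        print(user, reasons)
```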

Quick Reference

Command       Purpose
ACL LIST      List all users and permissions
ACL SETUSER   Create/modify user
ACL DELUSER   Delete user
ACL GETUSER   Get user details
ACL WHOAMI    Current authenticated user
ACL CAT       List command categories
ACL LOG       View denied commands
ACL SAVE      Save ACL to file

Secure Your Redis

ACL brings proper access control to Redis. Manage your data with appropriate permissions - and visualize it with Redimo.
