How to (dis)allow RediSearch index through Access Control List rules?

Time:10-25

Usually, specific Redis commands for keys matching specific key patterns can be (dis)allowed through the ACL list.

For example, in a database with hashes following a myKeyN pattern (i.e. myKey1 : [ myField : myVal1 ], myKey2 : [ myField : myVal2 ] and so forth), a user can be configured to only be able to get those keys with e.g. user myUser -@all hget ~myKey*, which is simple yet quite powerful and flexible.

However, when using the RediSearch module for full-text search through the database (FT.SEARCH command), an issue appears. The key pattern of the search results seemingly doesn't matter to the search command's ACL.

In the above example, if the rule is expanded to include the search command (i.e. user myUser -@all hget ft.search ~myKey*), and a search index is made with FT.CREATE mySearch ON HASH PREFIX 1 myKey SCHEMA myField TEXT, searching for keys containing myVal*, like so: FT.SEARCH mySearch "myVal", will return an access control error NOPERM this user has no permissions to access one of the keys used as arguments, even though all the search results would be following the allowed key pattern myKey*.

How can a search be configured to only allow specific users to search for specific key patterns?

CodePudding user response:

After searching for a long time, and not finding any info on the official Redis and RediSearch documentation, as well as anywhere else, trying different options made me realize this:

Search index names (not search index key prefixes, and not search result key patterns) are treated as "keys" in the ACL rule for RediSearch commands, despite not being key names, but index names. For the example ACL in the question to work correctly, it needs to be formulated like so: user myUser -@all hget ~myKey* ft.search ~mySearch*, because the index is called mySearch, and the index name is the first argument of the FT.SEARCH command.

So, the ACL rule ~<pattern> statement, which is called a "key pattern" in the documentation, is more of a "pattern for any first command argument". So, a separate "key pattern" needs to be defined for any needed ft.* commands, which will match the search index name.
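The following is an added example, not code from the question, the answer, Redis or RediSearch. It is a small Python model of how the ACL check described above is applied: each command declares which of its arguments count as keys, and only those arguments are matched against the user's ~patterns. The table of key positions, the user name, the password and the rule strings are assumptions made for the example (the rules are written with the + prefix that ACL SETUSER requires), and the FT.SEARCH entry mirrors the behaviour reported in the answer: the index name, not the documents returned, is what gets matched.

```python
"""Model of how Redis ACL key patterns are applied to HGET and FT.SEARCH.

Constructed for this example; not the page's or Redis's own code. The
key-argument table below is an assumption that mirrors the behaviour reported
in the answer: RediSearch declares the index name (first argument of
FT.SEARCH) as the command's key, so that is the argument the ~pattern sees.
"""
import fnmatch

# 1-based positions (after the command name) of the arguments each command
# declares as keys. Assumed for this model, matching the observed behaviour.
KEY_ARG_POSITIONS = {
    "hget": (1,),
    "ft.search": (1,),
}

NOPERM_KEY = "NOPERM this user has no permissions to access one of the keys used as arguments"
NOPERM_CMD = "NOPERM this user has no permissions to run the '%s' command"


def parse_rules(rules):
    """Parse the subset of ACL rule syntax used here: -@all, +cmd, ~pattern.

    Key patterns are cumulative for the whole user (the pre-7.0 semantics,
    and the default outside a selector in 7.0): their position relative to
    the +cmd tokens does not matter.
    """
    commands, patterns = set(), []
    for token in rules.split():
        if token == "-@all":
            commands.clear()
        elif token.startswith("+"):
            commands.add(token[1:].lower())
        elif token.startswith("~"):
            patterns.append(token[1:])
        else:
            raise ValueError("unsupported ACL token in this model: %r" % token)
    return commands, patterns


def check(rules, argv):
    """Return (allowed, message) for one invocation, e.g. ["FT.SEARCH", "mySearch", "myVal"]."""
    commands, patterns = parse_rules(rules)
    name = argv[0].lower()
    if name not in commands:
        return False, NOPERM_CMD % name
    # Only the declared key arguments are matched; everything else is ignored.
    for pos in KEY_ARG_POSITIONS.get(name, ()):
        if pos < len(argv) and not any(fnmatch.fnmatchcase(argv[pos], p) for p in patterns):
            return False, NOPERM_KEY
    return True, "OK"


def setuser_command(user, password, rules):
    """ACL SETUSER line that installs `rules` (hypothetical user and password)."""
    return "ACL SETUSER %s on >%s %s" % (user, password, rules)


def dryrun_command(user, argv):
    """ACL DRYRUN line (Redis 7.0+) to verify the same call against a live server."""
    return "ACL DRYRUN %s %s" % (user, " ".join(argv))


# The rule from the question: the index name mySearch does not match myKey*.
RULE_FROM_QUESTION = "-@all +hget +ft.search ~myKey*"
# The rule from the answer: a second pattern that matches the index name.
RULE_FROM_ANSWER = "-@all +hget ~myKey* +ft.search ~mySearch*"

SEARCH = ["FT.SEARCH", "mySearch", "myVal"]
GET_OK = ["HGET", "myKey1", "myField"]
GET_DENIED = ["HGET", "otherKey", "myField"]


def demo():
    """Run the four cases that matter and return their (allowed, message) results."""
    return {
        "question_search": check(RULE_FROM_QUESTION, SEARCH),
        "question_hget": check(RULE_FROM_QUESTION, GET_OK),
        "answer_search": check(RULE_FROM_ANSWER, SEARCH),
        "answer_hget_other": check(RULE_FROM_ANSWER, GET_DENIED),
    }


if __name__ == "__main__":
    for label, (_, msg) in demo().items():
        print("%-20s %s" % (label, msg))
    print(setuser_command("myUser", "s3cret", RULE_FROM_ANSWER))
    print(dryrun_command("myUser", SEARCH))
```

Two things the model makes visible. First, because ~patterns are cumulative for the user, the answer's rule also lets HGET read any key named mySearch* and FT.SEARCH any index named myKey*; on Redis 7.0 and later, ACL selectors such as (+ft.search ~mySearch*) can confine a pattern to one command. Second, the check never looks at the documents FT.SEARCH returns, so a user granted the index can read every hash the index's PREFIX covers, whatever ~myKey pattern they hold for HGET: per-document restriction has to come from how the index is defined, not from the ACL.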
