diff options
author | laodc <github@laodc.com> | 2023-08-21 15:45:58 +0700 |
---|---|---|
committer | laodc <github@laodc.com> | 2023-08-21 15:45:58 +0700 |
commit | 75fdc829bacbdc767b20d3f0e40b91215fce14fe (patch) | |
tree | 209d8d53e71cd5a92deb69fcb740bb2649bb66ee /lualib | |
parent | 1931487b17059d6c63adf2245c9632384657f89e (diff) | |
download | rspamd-75fdc829bacbdc767b20d3f0e40b91215fce14fe.tar.gz rspamd-75fdc829bacbdc767b20d3f0e40b91215fce14fe.zip |
Added support for Redis 6 ACL (username/password)
Diffstat (limited to 'lualib')
-rw-r--r-- | lualib/lua_redis.lua | 37 | ||||
-rw-r--r-- | lualib/rspamadm/configwizard.lua | 16 | ||||
-rw-r--r-- | lualib/rspamadm/fuzzy_convert.lua | 34 |
3 files changed, 73 insertions, 14 deletions
diff --git a/lualib/lua_redis.lua b/lualib/lua_redis.lua index b03160bb0..377541f87 100644 --- a/lualib/lua_redis.lua +++ b/lualib/lua_redis.lua @@ -30,12 +30,14 @@ local common_schema = { database = ts.string:is_optional():describe("Database number"), dbname = ts.string:is_optional():describe("Database number"), prefix = ts.string:is_optional():describe("Key prefix"), + username = ts.string:is_optional():describe("Username"), password = ts.string:is_optional():describe("Password"), expand_keys = ts.boolean:is_optional():describe("Expand keys"), sentinels = (ts.string + ts.array_of(ts.string)):is_optional():describe("Sentinel servers"), sentinel_watch_time = (ts.number + ts.string / lutil.parse_time_interval):is_optional():describe("Sentinel watch time"), sentinel_masters_pattern = ts.string:is_optional():describe("Sentinel masters pattern"), sentinel_master_maxerrors = (ts.number + ts.string / tonumber):is_optional():describe("Sentinel master max errors"), + sentinel_username = ts.string:is_optional():describe("sentinel username"), sentinel_password = ts.string:is_optional():describe("Sentinel password"), } @@ -153,6 +155,7 @@ local function redis_query_sentinel(ev_base, params, initialised) local ret = rspamd_redis.make_request { host = addr:get_addr(), timeout = params.timeout, + username = params.sentinel_username, password = params.sentinel_password, config = rspamd_config, ev_base = ev_base, @@ -184,6 +187,7 @@ local function redis_query_sentinel(ev_base, params, initialised) timeout = params.timeout, config = rspamd_config, ev_base = ev_base, + username = params.sentinel_username, password = params.sentinel_password, cmd = 'SENTINEL', args = { 'masters' }, @@ -366,6 +370,9 @@ local function process_redis_opts(options, redis_params) redis_params['db'] = tostring(options['database']) end end + if options['username'] and not redis_params['username'] then + redis_params['username'] = options['username'] + end if options['password'] and not redis_params['password'] then redis_params['password'] = options['password'] end @@ -996,6 +1003,10 @@ local function rspamd_redis_make_request(task, redis_params, key, is_write, end end + if redis_params['username'] then + options['username'] = redis_params['username'] + end + if redis_params['password'] then options['password'] = redis_params['password'] end @@ -1086,6 +1097,10 @@ local function redis_make_request_taskless(ev_base, cfg, redis_params, key, end end + if redis_params['username'] then + options['username'] = redis_params['username'] + end + if redis_params['password'] then options['password'] = redis_params['password'] end @@ -1157,6 +1172,10 @@ local function prepare_redis_call(script) upstream = s } + if script.redis_params['username'] then + cur_opts['username'] = script.redis_params['username'] + end + if script.redis_params['password'] then cur_opts['password'] = script.redis_params['password'] end @@ -1497,7 +1516,15 @@ local function redis_connect_sync(redis_params, is_write, key, cfg, ev_base) if conn then local need_exec = false - if redis_params['password'] then + if redis_params['username'] then + if redis_params['password'] then + conn:add_cmd('AUTH', { redis_params['username'], redis_params['password'] }) + need_exec = true + else + logger.errx('Redis requires a password when username is supplied') + return false, nil, addr + end + elseif redis_params['password'] then conn:add_cmd('AUTH', { redis_params['password'] }) need_exec = true end @@ -1602,6 +1629,10 @@ exports.request = function(redis_params, attrs, req) opts.args = req end + if redis_params.username then + opts.username = redis_params.username + end + if redis_params.password then opts.password = redis_params.password end @@ -1701,6 +1732,10 @@ exports.connect = function(redis_params, attrs) opts.host = addr:get_addr() opts.timeout = redis_params.timeout + if redis_params.username then + opts.username = redis_params.username + end + if redis_params.password then opts.password = redis_params.password end diff --git a/lualib/rspamadm/configwizard.lua b/lualib/rspamadm/configwizard.lua index 27c358e3b..7bcda5a01 100644 --- a/lualib/rspamadm/configwizard.lua +++ b/lualib/rspamadm/configwizard.lua @@ -249,7 +249,21 @@ local function setup_redis(cfg, changes) redis_params['write_servers'] = ws end - if ask_yes_no('Do you have any password set for your Redis?') then + if ask_yes_no('Do you have any username set for your Redis?') then + local usernm = readline_default("Enter Redis username:", nil) + + if usernm then + changes.l['redis.conf']['username'] = usernm + redis_params['username'] = usernm + end + + local passwd = readline_default("Enter Redis password:", nil) + + if passwd then + changes.l['redis.conf']['password'] = passwd + redis_params['password'] = passwd + end + elseif ask_yes_no('Do you have any password set for your Redis?') then local passwd = readline_default("Enter Redis password:", nil) if passwd then diff --git a/lualib/rspamadm/fuzzy_convert.lua b/lualib/rspamadm/fuzzy_convert.lua index a31baa4e2..67a2664bc 100644 --- a/lualib/rspamadm/fuzzy_convert.lua +++ b/lualib/rspamadm/fuzzy_convert.lua @@ -12,7 +12,16 @@ local function connect_redis(server, password, db) return nil, 'Cannot connect: ' .. err end - if password then + if username then + if password then + ret = conn:add_cmd('AUTH', { username, password }) + if not ret then + return nil, 'Cannot queue command' + end + else + return nil, 'Redis requires a password when username is supplied' + end + else if password then ret = conn:add_cmd('AUTH', { password }) if not ret then return nil, 'Cannot queue command' @@ -28,8 +37,8 @@ local function connect_redis(server, password, db) return conn, nil end -local function send_digests(digests, redis_host, redis_password, redis_db) - local conn, err = connect_redis(redis_host, redis_password, redis_db) +local function send_digests(digests, redis_host, redis_username, redis_password, redis_db) + local conn, err = connect_redis(redis_host, redis_username, redis_password, redis_db) if err then print(err) return false @@ -62,8 +71,8 @@ local function send_digests(digests, redis_host, redis_password, redis_db) return true end -local function send_shingles(shingles, redis_host, redis_password, redis_db) - local conn, err = connect_redis(redis_host, redis_password, redis_db) +local function send_shingles(shingles, redis_host, redis_username, redis_password, redis_db) + local conn, err = connect_redis(redis_host, redis_username, redis_password, redis_db) if err then print("Redis error: " .. err) return false @@ -95,8 +104,8 @@ local function send_shingles(shingles, redis_host, redis_password, redis_db) return true end -local function update_counters(total, redis_host, redis_password, redis_db) - local conn, err = connect_redis(redis_host, redis_password, redis_db) +local function update_counters(total, redis_host, redis_username, redis_password, redis_db) + local conn, err = connect_redis(redis_host, redis_username, redis_password, redis_db) if err then print(err) return false @@ -135,6 +144,7 @@ return function(_, res) local total_digests = 0 local total_shingles = 0 local lim_batch = 1000 -- Update each 1000 entries + local redis_username = res['redis_username'] local redis_password = res['redis_password'] local redis_db = nil @@ -162,14 +172,14 @@ return function(_, res) end end if num_batch_digests >= lim_batch then - if not send_digests(digests, res['redis_host'], redis_password, redis_db) then + if not send_digests(digests, res['redis_host'], redis_username, redis_password, redis_db) then return end num_batch_digests = 0 digests = {} end if num_batch_shingles >= lim_batch then - if not send_shingles(shingles, res['redis_host'], redis_password, redis_db) then + if not send_shingles(shingles, res['redis_host'], redis_username, redis_password, redis_db) then return end num_batch_shingles = 0 @@ -177,12 +187,12 @@ return function(_, res) end end if digests[1] then - if not send_digests(digests, res['redis_host'], redis_password, redis_db) then + if not send_digests(digests, res['redis_host'], redis_username, redis_password, redis_db) then return end end if shingles[1] then - if not send_shingles(shingles, res['redis_host'], redis_password, redis_db) then + if not send_shingles(shingles, res['redis_host'], redis_username, redis_password, redis_db) then return end end @@ -191,7 +201,7 @@ return function(_, res) 'Migrated %d digests and %d shingles', total_digests, total_shingles ) - if not update_counters(total_digests, res['redis_host'], redis_password, redis_db) then + if not update_counters(total_digests, res['redis_host'], redis_username, redis_password, redis_db) then message = message .. ' but failed to update counters' end print(message) |