
No indication of required permissions when using Redis ACL

Open jgrammen-agilitypr opened this issue 1 year ago • 3 comments

Checklist

  • [x] I have checked the issues list for similar or identical bug reports.
  • [x] I have checked the pull requests list for existing proposed fixes.
  • [x] I have checked the commit log to find out if the bug was already fixed in the main branch.
  • [x] I have included all related issues and possible duplicate issues in this issue (If there are none, check this box anyway).

Related Issues and Possible Duplicates

Related Issues

  • None

Possible Duplicates

  • None

Description

There is no documentation about what permissions are required by Celery. When using Redis ACL, if a limited-permission user is created, Celery throws errors:

kombu.exceptions.OperationalError: No permissions to access a channel

or

redis.exceptions.NoPermissionError: No permissions to access a key

user acl

user the_queue on ~the_queue:* &the_queue:* resetchannels +@all -@dangerous >redacted_password

I have a prefix declared for both broker and results backend

broker_transport_options = {'global_keyprefix': "the_queue"}
result_backend_transport_options = {'global_keyprefix': 'the_queue_results'}

so celery should have access to all the keys in the the_queue keyspace

Suggestions

There should be clear documentation on what permissions are required and example Redis ACLs.

jgrammen-agilitypr avatar Dec 13 '23 18:12 jgrammen-agilitypr

Hey @jgrammen-agilitypr, were you able to find a workaround for this problem? I am also experiencing the same problem.

melihsunbul avatar Dec 14 '23 13:12 melihsunbul

I have not found a clean solution, but am currently messing around with just giving full permissions in the ACL:

user the_queue on allkeys allchannels allcommands >redacted_password

jgrammen-agilitypr avatar Dec 14 '23 13:12 jgrammen-agilitypr

I got this working, here is my broker config:

{
    "global_keyprefix": "celery.broker.",
    "fanout_prefix": "/celery{db}.",
}

Then I use this ACL:

user your_username on +@all -@dangerous ~celery.broker.* &celery.broker.* &celery.broker./celery0.celeryev/worker.* &celery.broker./celery0.celery.pidbox >YOUR_PASSWORD

Where my redis db number was 0 (default one).

You may need to extend that if you use redis also for the result store.

The patterns

  • &celery.broker.*
  • &celery.broker./celery0.celeryev/worker.*
  • &celery.broker./celery0.celery.pidbox

seem to be redundant but because fanout is implemented using PSUBSCRIBE (among other things) one must state the pattern used for PSUBSCRIBE explicitly.

If you want to use another fanout_prefix replace /celery. Make sure not to include a dot in there except for the trailing one (documentation bug).

All in all I do not feel super comfortable using this without it being clearly documented…

jannschu avatar Mar 22 '24 14:03 jannschu
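The comment above hinges on one Redis ACL detail: `~` key patterns and `&` channel patterns are glob-matched for ordinary key access and for SUBSCRIBE/PUBLISH, but a PSUBSCRIBE request is allowed only if the requested pattern string equals one of the `&` patterns literally, which is why `&celery.broker.*` alone is not enough. The following is an added example, not Celery, kombu or Redis code: it reimplements those two matching rules so an ACL line can be checked offline against the names a worker touches, using the same prefixes as the ACL posted above. It assumes the fanout channel is built by appending the fanout prefix (with `{db}` replaced by the database number) to the global key prefix, as that ACL shows, and it assumes `celery` as the default queue key name; command permissions such as `+@all -@dangerous` are not modelled.

```python
"""Offline checker for Redis ACL key/channel selectors against the names a Celery
worker touches. Added example (not Celery, kombu or Redis project code). Rules:
  * keys and SUBSCRIBE/PUBLISH channels are glob-matched against ~ and & patterns;
  * a PSUBSCRIBE pattern must equal one of the & patterns literally ('&*' covers all).
"""
import re
from dataclasses import dataclass, field


def _glob_to_regex(pattern: str) -> str:
    """Translate a Redis glob ('*', '?', '[abc]', '[^a]', '[a-z]', '\\x') to a regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):       # escaped literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[" and (end := pattern.find("]", i + 1)) != -1 and end > i + 1:
            body = pattern[i + 1:end]
            neg = body.startswith("^")
            body = body[1:] if neg else body
            if body:
                body = body.replace("\\", "\\\\").replace("^", "\\^")
                out.append("[" + ("^" if neg else "") + body + "]")
                i = end
            else:                                    # '[]' / '[^]': treat '[' literally
                out.append(re.escape(c))
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def redis_glob_match(pattern: str, s: str) -> bool:
    return re.fullmatch(_glob_to_regex(pattern), s, re.DOTALL) is not None


@dataclass
class AclSelector:
    """Key and channel rules from one ACL SETUSER-style line (default selector only;
    '(...)' selectors and %R~/%W~ flags are not parsed). Other tokens are ignored."""
    key_patterns: list = field(default_factory=list)
    channel_patterns: list = field(default_factory=list)

    @classmethod
    def parse(cls, acl_line: str) -> "AclSelector":
        sel = cls()
        for tok in acl_line.split():
            if tok in ("allkeys", "~*"):
                sel.key_patterns.append("*")
            elif tok in ("allchannels", "&*"):
                sel.channel_patterns.append("*")
            elif tok == "resetkeys":
                sel.key_patterns.clear()
            elif tok == "resetchannels":
                sel.channel_patterns.clear()
            elif tok.startswith("~"):
                sel.key_patterns.append(tok[1:])
            elif tok.startswith("&"):
                sel.channel_patterns.append(tok[1:])
        return sel

    def allows_key(self, key: str) -> bool:
        return any(redis_glob_match(p, key) for p in self.key_patterns)

    def allows_channel(self, channel: str) -> bool:
        """SUBSCRIBE/PUBLISH: the channel name is glob-matched."""
        return any(redis_glob_match(p, channel) for p in self.channel_patterns)

    def allows_psubscribe(self, pattern: str) -> bool:
        """PSUBSCRIBE: the requested pattern must appear literally among the & patterns."""
        return "*" in self.channel_patterns or pattern in self.channel_patterns


def celery_redis_names(global_keyprefix: str, fanout_prefix: str, db: int = 0) -> dict:
    """Names the thread shows a worker using. ASSUMPTIONS (not verified against kombu):
    fanout prefix appended after the key prefix with '{db}' substituted; default queue 'celery'."""
    fan = global_keyprefix + fanout_prefix.format(db=db)
    return {"keys": [global_keyprefix + "celery"],
            "subscribe": [fan + "celery.pidbox"],
            "psubscribe": [fan + "celeryev/worker.*"]}


def denied_operations(acl_line: str, names: dict) -> list:
    """'op name' strings the ACL would reject; empty list means every listed name passes."""
    sel = AclSelector.parse(acl_line)
    denied = [f"key {k}" for k in names["keys"] if not sel.allows_key(k)]
    denied += [f"subscribe {c}" for c in names["subscribe"] if not sel.allows_channel(c)]
    denied += [f"psubscribe {p}" for p in names["psubscribe"] if not sel.allows_psubscribe(p)]
    return denied


def celery_acl_line(username: str, global_keyprefix: str, fanout_prefix: str, db: int = 0) -> str:
    """ACL line shaped like the one in the thread, with the PSUBSCRIBE pattern spelled out
    verbatim. Password omitted: append '>...' when applying it."""
    n = celery_redis_names(global_keyprefix, fanout_prefix, db)
    chans = " ".join("&" + c for c in [global_keyprefix + "*", *n["psubscribe"], *n["subscribe"]])
    return f"user {username} on +@all -@dangerous ~{global_keyprefix}* {chans}"


# Constructed demo using the thread's prefixes: channel glob only vs. the full ACL.
NAMES = celery_redis_names("celery.broker.", "/celery{db}.", db=0)
GLOB_ONLY_ACL = "user w on +@all -@dangerous ~celery.broker.* &celery.broker.*"
FULL_ACL = celery_acl_line("w", "celery.broker.", "/celery{db}.")

if __name__ == "__main__":
    print("glob-only ACL denies:", denied_operations(GLOB_ONLY_ACL, NAMES))
    print("full ACL denies:     ", denied_operations(FULL_ACL, NAMES))
    print(FULL_ACL)
```

The glob-only ACL is rejected for exactly one operation, the `celeryev/worker.*` PSUBSCRIBE, while the generated line passes all three checks. To extend the name list to a results backend or to keys not covered here, feed `denied_operations` the key and channel names observed with `MONITOR` (or the entries reported by `ACL LOG` after a failure) rather than guessing them.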