
Redis implementation should support ACL (username + password) authentication

Open cobbg opened this issue 8 months ago • 2 comments

Parent Issue

No response

Problem Statement

The Redis implementation within dotCMS only supports legacy authentication using a single password. It should also support Redis's more modern ACL authentication, which uses usernames and passwords. This problem affects both cache storage and session sharing using Redis.

Because the supported environment variables for cache storage allow passing a complete connection string, this problem can be worked around there, since the connection string itself can contain the username and password. However, with the session sharing implementation, it appears that the accepted parameters are specified individually and a connection string is then built in code instead. Passing a valid connection string (containing username and password) via the TOMCAT_REDIS_SESSION_HOST environment variable does not seem to work.

Will previously proposed making such a change, but it does not appear to have made it into trunk. This is an important change not only to support Redis instances that only allow ACL auth, but also to address a potential security risk in using legacy authentication in a shared Redis environment, where users could potentially access and exploit session information for other users or environments.

Steps to Reproduce

N/A

Acceptance Criteria

dotCMS should build a Redis connection string based on username and password environment variables when attempting to use ACL authentication vs. legacy authentication using a single password for all connections.

dotCMS Version

LTS versions and trunk

Proposed Objective

Cloud Engineering

Proposed Priority

Priority 2 - Important

External Links... Slack Conversations, Support Tickets, Figma Designs, etc.

https://dotcms.slack.com/archives/C068QFTU7KL/p1701896037691209 https://github.com/dotCMS/tomcat-redis-session-manager?tab=readme-ov-file#docker-setup

Assumptions & Initiation Needs

No response

Quality Assurance Notes & Workarounds

Tech doc on how to set this up locally: https://docs.google.com/document/d/1Tb_oxLfsOMU-QC4Ws9vUJWJptLhS83l3hB_NXN7KKxM/edit?usp=sharing

Sub-Tasks & Estimates

No response

cobbg Jun 12 '24 17:06
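The acceptance criteria above ask for a connection string built from username and password settings when ACL auth is in use, and the plain single-password form otherwise. The following is an added example of that construction; it is not dotCMS or tomcat-redis-session-manager code, and the variable names REDIS_HOST, REDIS_PORT, REDIS_DB, REDIS_TLS, REDIS_USERNAME and REDIS_PASSWORD are assumptions chosen for illustration rather than the project's configuration keys. It also shows the `ACL SETUSER` rule that makes the security argument concrete: an ACL user can be confined to one key prefix, which a shared legacy password cannot do.

```python
"""Build a Redis connection URI from environment-style settings.

Added example for this issue, not dotCMS or tomcat-redis-session-manager
code. REDIS_HOST / REDIS_PORT / REDIS_DB / REDIS_TLS / REDIS_USERNAME /
REDIS_PASSWORD are hypothetical variable names, not the project's keys.
"""
from typing import Mapping, Optional, Tuple
from urllib.parse import quote, unquote, urlparse


def build_redis_uri(env: Mapping[str, str]) -> str:
    """Return redis://[user:pass@]host:port/db.

    ACL auth (username + password) is used when both are present; a password
    alone yields the legacy ':password@' form, which clients send as a bare
    AUTH <password>; no credentials yields an unauthenticated URI.
    """
    host = env.get("REDIS_HOST", "localhost")
    port = int(env.get("REDIS_PORT", "6379"))
    db = int(env.get("REDIS_DB", "0"))
    scheme = "rediss" if env.get("REDIS_TLS", "false").lower() == "true" else "redis"
    user = env.get("REDIS_USERNAME", "")
    password = env.get("REDIS_PASSWORD", "")

    # Percent-encode every reserved character (safe="" encodes ':' '/' '@'
    # too). A raw '@' in a password would make URI parsers split userinfo
    # at the wrong place; a raw '/' or ':' can be misread as path or port.
    if user and password:
        userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}@"
    elif password:
        userinfo = f":{quote(password, safe='')}@"  # legacy single-password AUTH
    else:
        userinfo = ""
    return f"{scheme}://{userinfo}{host}:{port}/{db}"


def parse_credentials(uri: str) -> Tuple[Optional[str], Optional[str]]:
    """Recover (username, password) from a URI produced by build_redis_uri.

    An empty username (legacy form) is reported as None so callers can tell
    the two auth modes apart.
    """
    parts = urlparse(uri)
    user = unquote(parts.username) if parts.username else None
    password = unquote(parts.password) if parts.password else None
    return user, password


def acl_setuser_command(username: str, password: str, key_prefix: str) -> str:
    """Build the Redis 'ACL SETUSER' command for a least-privilege user.

    The user is enabled, given a password, restricted to keys under
    key_prefix, denied Pub/Sub channels, and allowed only ordinary read and
    write commands. With such a user per environment, one environment's
    credentials cannot read another environment's session keys, which is
    the risk a single shared legacy password leaves open.
    """
    return (
        f"ACL SETUSER {username} on >{password} ~{key_prefix}* "
        f"resetchannels +@read +@write -@dangerous"
    )


if __name__ == "__main__":
    # Constructed sample settings, one per auth mode.
    acl_env = {"REDIS_HOST": "redis.internal", "REDIS_USERNAME": "dotcms",
               "REDIS_PASSWORD": "p@ss:w/rd"}
    legacy_env = {"REDIS_PASSWORD": "secret"}
    for env in (acl_env, legacy_env):
        uri = build_redis_uri(env)
        print(uri, "->", parse_credentials(uri))
    print(acl_setuser_command("dotcms-env1", "s3cret", "env1:session:"))
```

The ACL user is what the acceptance criteria make possible: each dotCMS environment sharing a Redis instance gets its own username, password and key prefix, and the Redis server enforces the boundary rather than relying on every tenant behaving.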