
global password rotation

Open romange opened this issue 10 months ago • 2 comments

We should be able to rotate the global password in such a way that we allow gradual updates of the clients connecting to Dragonfly.

The flow is as follows:

  1. Allow Dragonfly to accept multiple passwords
  2. Gradually update all the clients connecting to Dragonfly
  3. Remove the old password from Dragonfly.

In addition, we should be able to persist the password changes to provide consistency during restarts.

One way to achieve this is to update the "default" user via ACLs.

The ACL SETUSER format should support multiple passwords (see https://redis.io/commands/acl-setuser/). However, our implementation does not support this today (https://www.dragonflydb.io/docs/command-reference/acl/setuser).

Once we fix this, we should also support it in the ACL "SAVE/LOAD" flows. Finally, we should make sure that if the acl-file argument is set to some path but the file is missing, Dragonfly still starts (with a warning).

romange Apr 02 '24 09:04
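The three-step flow from the issue, modelled as an added example (not Dragonfly's or Redis's code): a toy in-memory user that applies the `>password`, `<password`, `nopass` and `resetpass` rules as documented for Redis `ACL SETUSER`, plus a dry-run check to run before step 3. `AclUser`, `locked_out` and `would_lock_out` are hypothetical names, and storing SHA-256 digests follows the Redis documentation, not anything stated in this thread.

```python
import hashlib
import hmac

class AclUser:
    """Toy model of one ACL user with a set of accepted passwords."""

    def __init__(self):
        self.hashes = set()    # SHA-256 hex digests, not plaintext
        self.nopass = False

    @staticmethod
    def _digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def setuser(self, *rules):
        """Apply Redis-style password rules from left to right."""
        for rule in rules:
            if rule == "nopass":
                self.hashes.clear()
                self.nopass = True
            elif rule == "resetpass":
                self.hashes.clear()
                self.nopass = False
            elif rule.startswith(">"):      # step 1: add an accepted password
                self.hashes.add(self._digest(rule[1:]))
                self.nopass = False
            elif rule.startswith("<"):      # step 3: retire a password
                digest = self._digest(rule[1:])
                if digest not in self.hashes:
                    raise ValueError("password to remove is not set")
                self.hashes.remove(digest)
            else:
                raise ValueError(f"unsupported rule: {rule!r}")

    def auth(self, password):
        if self.nopass:
            return True
        candidate = self._digest(password)
        # Constant-time compare against every stored digest, no early exit.
        matches = [hmac.compare_digest(h, candidate) for h in self.hashes]
        return any(matches)

def locked_out(user, clients):
    """Names of clients whose configured password no longer authenticates."""
    return sorted(n for n, pw in clients.items() if not user.auth(pw))

def would_lock_out(user, clients, old):
    """Dry run of step 3: which clients break if `old` is removed now?"""
    trial = AclUser()
    trial.nopass = user.nopass
    trial.hashes = user.hashes - {AclUser._digest(old)}
    return locked_out(trial, clients)
```

Running `would_lock_out` against the client inventory before issuing the `<oldpassword` rule shows which clients from step 2 have not been migrated yet.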

I think this is something that was mentioned in the past by @ashotland

kostasrim Apr 02 '24 09:04

Yes, it was something we discussed today. I think extending our ACL implementation to Valkey spec will solve the issue.

romange Apr 02 '24 15:04

@adiholden could be nice if we can implement it in July.

@ashotland FYI.

romange Jun 18 '24 06:06

@romange I can take care of this on the side :)

kostasrim Jun 18 '24 07:06

Thanks!

romange Jun 18 '24 07:06

@romange once my PR is merged it should work fine.

P.S. We already issue a warning when we fail to load an aclfile. Remember, it's always a two-step dance when you do it dynamically (that is, config set aclfile) followed by acl load.

Persistence of multiple passwords should also work via ACL SAVE :)

kostasrim Jun 18 '24 17:06