
with redis auth and --is-cluster "NOPERM this user has no permissions to run the 'cluster' command or its subcommand"

Open gzivdo opened this issue 1 year ago • 5 comments

acl user rights: +client +ping +info +config|get +cluster|info +slowlog +latency +memory +select +get +scan +xinfo +type +pfcount +strlen +llen +scard +zcard +hlen +xlen +eval allkeys

I am able to run cluster info from redis-cli authorized with that user. In the log I see:

redis_exporter[11745]: time="2023-04-12T13:26:41+03:00" level=error msg="Cluster refresh failed: redisc: all nodes failed\nNOPERM this user has no permissions to run the 'cluster' command or its subcommand"

If I do "acl setuser +cluster", the message disappears; if I do "acl setuser -cluster +cluster|info" again, the message appears again. Without the --is-cluster flag there is no such message in the log.

gzivdo avatar Apr 12 '23 10:04 gzivdo

ACL LOG doesn't contain anything about this. Also, I see in the code that if "CLUSTER", "INFO" fails, there will be a different log message.

gzivdo avatar Apr 13 '23 11:04 gzivdo

Ah, interesting. How do you run the exporter? What's the full cmd line? (strip passwords or other sensitive information)

oliver006 avatar Apr 13 '23 11:04 oliver006

/etc/default/redis_exporter:

    REDIS_EXPORTER_OPTS="--is-cluster --check-streams=somestream1,...

systemd service with

    Environment=REDIS_USER=redis-exporter
    Environment=REDIS_PASSWORD=somepw
    EnvironmentFile=-/etc/default/redis_exporter
    ExecStart=/usr/bin/redis_exporter $REDIS_EXPORTER_OPTS

gzivdo avatar Apr 18 '23 14:04 gzivdo

And the rights are correctly set for the user "redis-exporter"? (Not obvious from your original post as I don't think that includes the user name.)

oliver006 avatar Apr 18 '23 21:04 oliver006

11:18:51.323388 IP 127.0.0.1.43904 > 127.0.0.1.6379: Flags [P.], seq 1:58, ack 1, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 57: RESP "AUTH" "redis-exporter" "somepass"
11:18:51.323397 IP 127.0.0.1.6379 > 127.0.0.1.43904: Flags [.], ack 58, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 0
11:18:51.323427 IP 127.0.0.1.6379 > 127.0.0.1.43904: Flags [P.], seq 1:6, ack 58, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 5: RESP "OK"
11:18:51.323432 IP 127.0.0.1.43904 > 127.0.0.1.6379: Flags [.], ack 6, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 0
11:18:51.323461 IP 127.0.0.1.43904 > 127.0.0.1.6379: Flags [P.], seq 58:86, ack 6, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 28: RESP "CLUSTER" "SLOTS"
11:18:51.323495 IP 127.0.0.1.6379 > 127.0.0.1.43904: Flags [P.], seq 6:91, ack 86, win 342, options [nop,nop,TS val 797427001 ecr 797427001], length 85: RESP "NOPERM this user has no permissions to run the 'cluster' command or its subcommand"

Somehow it is doing cluster slots, but in the code I see cluster info only. I think the Go Redis lib does it; we need to adjust the rights and just add +cluster|slots

gzivdo avatar Apr 19 '23 08:04 gzivdo
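
The permission gap found in this thread, as an added example (not code from the thread, redis_exporter or Redis): a simplified Go model of Redis ACL command rules that checks the posted rule set against CLUSTER INFO and CLUSTER SLOTS. The `Allowed` and `Denied` helpers are hypothetical, and `@category` rules and key patterns are ignored.

```go
package main

import (
	"fmt"
	"strings"
)

// PageRules holds the command rules of the ACL posted in the issue.
const PageRules = "+client +ping +info +config|get +cluster|info +slowlog +latency +memory +select +get +scan +xinfo +type +pfcount +strlen +llen +scard +zcard +hlen +xlen +eval"

// Allowed is a simplified model (an assumption, not Redis source): rules apply
// left to right, +cmd/-cmd set the whole command, +cmd|sub/-cmd|sub set one subcommand.
func Allowed(rules, cmd, sub string) bool {
	cmd, sub = strings.ToLower(cmd), strings.ToLower(sub)
	whole := false            // is the command allowed with every subcommand?
	subs := map[string]bool{} // per-subcommand overrides for this command
	for _, r := range strings.Fields(strings.ToLower(rules)) {
		if len(r) < 2 || (r[0] != '+' && r[0] != '-') {
			continue // not a command rule (e.g. allkeys)
		}
		name, s, hasSub := strings.Cut(r[1:], "|")
		if name != cmd {
			continue
		}
		if hasSub {
			subs[s] = r[0] == '+'
		} else {
			whole, subs = r[0] == '+', map[string]bool{} // resets subcommand rules
		}
	}
	if v, ok := subs[sub]; ok {
		return v
	}
	return whole
}

// Denied lists the commands in cmds that the rules would reject with NOPERM.
func Denied(rules string, cmds [][2]string) []string {
	var out []string
	for _, c := range cmds {
		if !Allowed(rules, c[0], c[1]) {
			out = append(out, strings.TrimSpace(c[0]+" "+c[1]))
		}
	}
	return out
}

func main() {
	// Constructed sample: the two CLUSTER calls named in the thread, plus PING.
	seen := [][2]string{{"PING", ""}, {"CLUSTER", "INFO"}, {"CLUSTER", "SLOTS"}}
	fmt.Println("denied:", Denied(PageRules, seen))
	fmt.Println("denied with +cluster|slots:", Denied(PageRules+" +cluster|slots", seen))
}
```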