The problem/use-case that the feature addresses
Redis currently only supports password and TLS-based authentication and encryption, though there are several other secure mechanisms that could be used. For example, GSSAPI/Kerberos based authentication might be available in enterprise environments that use FreeIPA or Active Directory which offers an alternative to regular TLS.
Description of the feature
- A user connects to Redis and issues an `AUTH SASL` command.
- The server responds with a list of supported authentication mechanisms, for example:
  i. `ANONYMOUS` - If the server has password authentication disabled.
  ii. `PLAIN` - If the server supports password authentication.
  iii. `EXTERNAL` - If the user is connected via a Unix socket, or has established a TLS connection.
  iv. `GSSAPI`/`GS2`/`GSS-SPNEGO` - Option to authenticate and optionally encrypt the connection using GSSAPI and the like.
  v. ...etc.
- The user picks one option, for example `PLAIN`, and issues `AUTH SASL PLAIN <method data>`.
  i. To maintain backwards compatibility, `PLAIN` first checks the internal Redis user database before querying any external sources.
  ii. The above applies to the regular `AUTH <username> <password>` method as well.
  iii. If an authentication mechanism uses binary data, transmit it in base64 instead.
- The server authenticates the connection. If GSSAPI is used, then it may encrypt the connection.
- Depending on whether encryption is used, proceed as usual or send data through a SASL-wrapped channel.
Alternatives you've considered
I was considering opening a PR to implement GSSAPI encryption and authentication, though I figured it would be better to not entirely reinvent the wheel and add support for future authentication mechanisms by using cyrus-sasl or gsasl. In particular, cyrus-sasl comes with the added benefit of supporting `PLAIN` authentication against PAM, Kerberos 5, LDAP, and the like by using `saslauthd`.
Additional information
N/A
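The exchange proposed above, modelled in Python as an added example. This is not code from the issue or from Redis: `INTERNAL_USERS`, the `Connection` dataclass, `external_lookup_stub` (a stand-in for what `saslauthd` would answer) and the RESP-style `+OK` / `-ERR` reply strings are all constructed for the model. It covers the mechanism list the server offers depending on connection state, the RFC 4616 `PLAIN` payload (`authzid NUL authcid NUL passwd`, base64-encoded because it contains NUL bytes), the internal-database-first lookup that also applies to legacy `AUTH`, and `EXTERNAL` taking its identity from the transport. GSSAPI is advertised but the GSSAPI exchange itself is not modelled.

```python
import base64
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data standing in for Redis' internal ACL user database.
INTERNAL_USERS = {"default": "s3cret", "alice": "hunter2"}


def external_lookup_stub(user: str, password: str) -> bool:
    """Hypothetical external verifier (what saslauthd/PAM/LDAP would answer)."""
    return (user, password) == ("bob", "ldap-pass")


@dataclass
class Connection:
    """Per-client state the model server needs to decide what to offer."""
    tls: bool = False
    unix_socket: bool = False
    peer_identity: Optional[str] = None  # TLS client-cert subject or socket peer user
    password_auth_enabled: bool = True
    authenticated_as: Optional[str] = None


def offered_mechanisms(conn: Connection) -> list:
    """Mechanism list returned to a bare 'AUTH SASL', following the proposal's rules."""
    mechs = ["PLAIN"] if conn.password_auth_enabled else ["ANONYMOUS"]
    if conn.tls or conn.unix_socket:
        mechs.append("EXTERNAL")
    mechs.append("GSSAPI")  # advertised only; the GSSAPI exchange itself is not modelled
    return mechs


def plain_client_message(authcid: str, password: str, authzid: str = "") -> str:
    """Client side of PLAIN (RFC 4616): [authzid] NUL authcid NUL passwd.

    The message contains NUL bytes, so it is base64-encoded on the wire, as the
    proposal requires for binary mechanism data.
    """
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain_message(b64: str):
    """Server side: decode and validate the PLAIN payload; raises ValueError on junk."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    parts = raw.split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("malformed SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def verify_password(user: str, password: str, external: Optional[Callable]) -> bool:
    """Internal user database first; an external source is consulted only if that fails."""
    stored = INTERNAL_USERS.get(user)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return True
    return bool(external and external(user, password))


def handle_auth(conn: Connection, args: list, external=external_lookup_stub) -> str:
    """Model server handler for AUTH; replies use RESP-style '+OK' / '-ERR ...' strings."""
    if args and args[0].upper() == "SASL":
        if len(args) == 1:
            return "+" + " ".join(offered_mechanisms(conn))
        mech = args[1].upper()
        if mech not in offered_mechanisms(conn):
            return "-ERR mechanism not available on this connection"
        if mech == "ANONYMOUS":
            conn.authenticated_as = "anonymous"
            return "+OK"
        if mech == "EXTERNAL":  # identity comes from the transport, not the command
            if not conn.peer_identity:
                return "-ERR no transport-level identity for EXTERNAL"
            conn.authenticated_as = conn.peer_identity
            return "+OK"
        if mech == "PLAIN":
            if len(args) != 3:
                return "-ERR syntax error"
            try:
                _authzid, user, password = parse_plain_message(args[2])
            except ValueError:
                return "-ERR invalid PLAIN payload"
        else:
            return "-ERR mechanism not implemented in this model"
    elif len(args) == 1:  # legacy AUTH <password>
        user, password = "default", args[0]
    elif len(args) == 2:  # legacy AUTH <username> <password>
        user, password = args
    else:
        return "-ERR syntax error"
    # Shared tail for SASL PLAIN and legacy AUTH: same internal-first lookup.
    if verify_password(user, password, external):
        conn.authenticated_as = user
        return "+OK"
    return "-WRONGPASS invalid username-password pair"
```

One caveat worth noting when reading the model: it advertises `PLAIN` whenever password authentication is enabled, exactly as the proposal lists it, but RFC 4616 recommends offering `PLAIN` only over a confidentiality-protected channel (TLS or a Unix socket here), since the payload carries the password in the clear once base64 is stripped. A real implementation would gate the mechanism list on that too.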
Comment From: sundb
Redis supports custom authentication since https://github.com/redis/redis/issues/11659