Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle enabling/changing redis password without application restart #821

Open
epoberezkin opened this issue Sep 4, 2015 · 4 comments · May be fixed by #2849
Open

Handle enabling/changing redis password without application restart #821

epoberezkin opened this issue Sep 4, 2015 · 4 comments · May be fixed by #2849
Labels
feature

Comments

@epoberezkin
Copy link

It seems to be not possible to enable or change redis password without application restart.

Even in case when I want to enable password and I supply password to the driver (it logs warning that the password is not required), when the password is enabled in redis, the driver returns error "not authenticated"; it doesn't try to authenticate using password that was passed in config.

For changing password there is no option. It would not be required if redis supported user accounts - you'd be able to simply create another account, switch application to use it and then remove the old account. Redis doesn't and apparently will not have accounts.

Of course the issue can be resolved by creating a wrapper around redis driver that would create a new client when authentication fails, but it seems as either too much of a change in applications or too much of an effort to make the wrapper that behaves exactly as the driver...

Maybe there is a simpler solution to this problem, like subscribing to some event, authenticating and replaying the last command when authentication fails? Please let me know if there is.

Otherwise it would be nice to have these two features inside driver:

  1. Handle enabling password:
    1. If the password is passed
    2. and it was not required by redis
    3. and at some later time some command was rejected as not authenticated
    4. driver will try authenticating again using the passed password
    5. if authentication is successful, it will resend command
    6. if authentication failed it would return error
  2. Support feature of password change using new_password option (or something like this). In this case when authentication fails, the driver will try authenticating using the new password and if it was successful the driver will use it afterwards in case of re-connects.

If you are OK with these features I could implement.

Please let me know.
Thank you.
@epoberezkin epoberezkin mentioned this issue Sep 10, 2015
Closed
@BridgeAR BridgeAR mentioned this issue Sep 15, 2015
Merged
@epoberezkin epoberezkin mentioned this issue Sep 16, 2015
Open
@epoberezkin epoberezkin mentioned this issue Oct 21, 2015
Closed
@Nevon
Copy link

Nevon commented Jan 16, 2024

This feature, or something similar, is required in order to support temporary refreshable credentials, such as AWS IAM authentication. In that authentication mechanism, the user creates a token that's valid for 15 minutes, which is used as the password in the AUTH command. As the token is only valid for 15 minutes, the client needs to be able to pick up a new token for then next authentication request. Furthermore, the client needs to periodically reauthenticate by sending a new AUTH request - however, I suspect this can be accomplished on the application layer.

Rather than passing some new_password property, I would suggest making the password option be:

type Provider<T> = () => T | Promise<T>
type password = string | Provider<string>

And have the driver look up the password on every auth command. This is similar to how it is implemented in the java redis client Lettuce, for example.

@leibale
Copy link
Collaborator

leibale commented Jan 16, 2024

@Nevon good idea! but maybe instead of doing it for password only we should do it for the whole options object? i.e.

// keep the current API
createClient({
  // ...
});

// add an option to send a "factory function" instead of an object
createClient(() => {
  return {
    // ...
  };
});

BTW, you can use this as a workaround for now:

const client = createClient({
  username: '...',
  password: '...'
});

function onPasswordChange(newPassword) {
  client.options.password = newPassword;  
}

@leibale leibale mentioned this issue Jun 14, 2024
Closed
@devonhumes
Copy link

I would lean towards the credentials (i.e. user / password) like other client implementations.

@dhensby dhensby linked a pull request Oct 7, 2024 that will close this issue
Open
3 tasks
@dhensby
Copy link

dhensby commented Oct 9, 2024

I've attempted to address this in #2849

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: add credentialProvider option when creating clients dhensby/node-redis
6 participants
@Nevon @dhensby @devonhumes @epoberezkin @leibale @BridgeAR