(voxpupuli#527) Add masteruser parameter
Enable setting the masteruser parameter which was introduced in Redis 6+ to be able to connect using the new ACL rules.
Steffen Jørgensen committed May 15, 2024
1 parent ad3cd35 commit 54e061e
Showing 9 changed files with 89 additions and 4 deletions.
10 changes: 10 additions & 0 deletions README.md
@@ -33,6 +33,16 @@ class { 'redis':
}
```

With ACL authentication

```puppet
class { 'redis':
bind => '10.0.1.1',
masterauth => 'secret',
masteruser => 'username',
}
```

### Slave node

```puppet
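Review bot: the new "With ACL authentication" example hard-codes the password as a plain string (`masterauth => 'secret'`) even though the parameter type introduced in this commit accepts `Sensitive[String[1]]`; since README snippets are what gets copied, consider showing `masterauth => Sensitive('secret')` and adding one line stating that `masteruser` only takes effect on Redis 6 or newer, which is the ACL requirement the commit message gives.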
22 changes: 20 additions & 2 deletions REFERENCE.md
@@ -122,6 +122,7 @@ The following parameters are available in the `redis` class:
* [`manage_package`](#-redis--manage_package)
* [`managed_by_cluster_manager`](#-redis--managed_by_cluster_manager)
* [`masterauth`](#-redis--masterauth)
* [`masteruser`](#-redis--masteruser)
* [`maxclients`](#-redis--maxclients)
* [`maxmemory`](#-redis--maxmemory)
* [`maxmemory_policy`](#-redis--maxmemory_policy)
@@ -532,7 +533,15 @@ Default value: `false`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected (using the "requirepass" configuration
If the master is password protected (using the "requirepass" configuration)

Default value: `undef`

##### <a name="-redis--masteruser"></a>`masteruser`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected and a user is defined (using the "user" configuration)

Default value: `undef`

@@ -1953,6 +1962,7 @@ The following parameters are available in the `redis::instance` defined type:
* [`managed_by_cluster_manager`](#-redis--instance--managed_by_cluster_manager)
* [`manage_service_file`](#-redis--instance--manage_service_file)
* [`masterauth`](#-redis--instance--masterauth)
* [`masteruser`](#-redis--instance--masteruser)
* [`maxclients`](#-redis--instance--maxclients)
* [`maxmemory`](#-redis--instance--maxmemory)
* [`maxmemory_policy`](#-redis--instance--maxmemory_policy)
@@ -2305,7 +2315,15 @@ Default value: `true`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected (using the "requirepass" configuration
If the master is password protected (using the "requirepass" configuration)

Default value: `$redis::masterauth`

##### <a name="-redis--instance--masteruser"></a>`masteruser`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected and a user is defined (using the "user" configuration)

Default value: `$redis::masterauth`

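Review bot: the documented default for `masteruser` in `redis::instance` is `$redis::masterauth`, i.e. the password parameter, which is almost certainly a copy-and-paste slip from the `masterauth` entry just above it and should read `$redis::masteruser`. REFERENCE.md is generated from the `@param` docs and parameter defaults, so the fix belongs in `manifests/instance.pp` followed by a regenerate rather than an edit here.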
5 changes: 4 additions & 1 deletion manifests/init.pp
@@ -95,7 +95,9 @@
# @param managed_by_cluster_manager
# Choose if redis will be managed by a cluster manager such as pacemaker or rgmanager
# @param masterauth
# If the master is password protected (using the "requirepass" configuration
# If the master is password protected (using the "requirepass" configuration)
# @param masteruser
# If the master is password protected and a user is defined (using the "user" configuration)
# @param maxclients
# Set the max number of connected clients at the same time.
# @param maxmemory
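Review bot: the `@param masteruser` description could state the two preconditions that the rest of the change relies on: it is only meaningful together with `masterauth` (the template's own comment says the replica sends `AUTH <username> <password>`), and it requires Redis 6 or newer with ACLs enabled, where "user" refers to the ACL `user` directive on the master. One sentence here would make the generated REFERENCE.md entry self-explanatory.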
@@ -392,6 +394,7 @@
Boolean $manage_package = true,
Boolean $manage_repo = false,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = undef,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = undef,
Integer[1] $maxclients = 10000,
$maxmemory = undef,
Optional[Redis::MemoryPolicy] $maxmemory_policy = undef,
6 changes: 5 additions & 1 deletion manifests/instance.pp
@@ -74,7 +74,9 @@
# @param manage_service_file
# Determine if the systemd service file should be managed
# @param masterauth
# If the master is password protected (using the "requirepass" configuration
# If the master is password protected (using the "requirepass" configuration)
# @param masteruser
# If the master is password protected and a user is defined (using the "user" configuration)
# @param maxclients
# Set the max number of connected clients at the same time.
# @param maxmemory
@@ -325,6 +327,7 @@
Stdlib::Filemode $log_dir_mode = $redis::log_dir_mode,
Redis::LogLevel $log_level = $redis::log_level,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = $redis::masterauth,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = $redis::masterauth,
Integer[1] $maxclients = $redis::maxclients,
Optional[Variant[Integer, String]] $maxmemory = $redis::maxmemory,
Optional[Redis::MemoryPolicy] $maxmemory_policy = $redis::maxmemory_policy,
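Review bot: `$masteruser = $redis::masterauth` defaults the username to the password. Any `redis::instance` that sets `redis::masteruser` at class level and does not override it on the instance will render the password into both the `masterauth` and `masteruser` lines of the config file (the template emits `masteruser <%= $masteruser %>`) and attempt `AUTH <password> <password>` against the master, which fails and leaks the secret into the username field. Change the default to `$redis::masteruser`.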
@@ -526,6 +529,7 @@
slaveof => $slaveof,
replicaof => $replicaof,
masterauth => $masterauth,
masteruser => $masteruser,
slave_serve_stale_data => $slave_serve_stale_data,
slave_read_only => $slave_read_only,
repl_announce_ip => $repl_announce_ip,
9 changes: 9 additions & 0 deletions manifests/sentinel.pp
@@ -3,6 +3,9 @@
# @param auth_pass
# The password to use to authenticate with the master and slaves.
#
# @param auth_user
# The username to use to authenticate with the master and slaves.
#
# @param config_file
# The location and name of the sentinel config file.
#
@@ -147,6 +150,7 @@
#
class redis::sentinel (
Optional[Variant[String[1], Sensitive[String[1]]]] $auth_pass = undef,
Optional[Variant[String[1], Sensitive[String[1]]]] $auth_user = undef,
Stdlib::Absolutepath $config_file = $redis::params::sentinel_config_file,
Stdlib::Absolutepath $config_file_orig = $redis::params::sentinel_config_file_orig,
Stdlib::Filemode $config_file_mode = '0644',
@@ -193,6 +197,11 @@
} else {
$auth_pass
}
$auth_user_unsensitive = if $auth_user =~ Sensitive {
$auth_user.unwrap
} else {
$auth_user
}

contain 'redis'

4 changes: 4 additions & 0 deletions spec/classes/redis_sentinel_spec.rb
@@ -110,6 +110,7 @@ class { 'redis':
{
sentinel_tls_port: 26_380,
auth_pass: 'password',
auth_user: 'username',
sentinel_bind: '192.0.2.10',
protected_mode: false,
master_name: 'cow',
@@ -151,6 +152,7 @@ class { 'redis':
sentinel parallel-syncs cow 1
sentinel failover-timeout cow 28000
sentinel auth-pass cow password
sentinel auth-user cow username
sentinel notification-script cow /path/to/bar.sh
sentinel client-reconfig-script cow /path/to/foo.sh
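Review bot: both new assertions pass `auth_user` as a plain string, so the `Sensitive` branch of the `$auth_user_unsensitive` unwrap added to `manifests/sentinel.pp` is never exercised; add a case with `auth_user: sensitive('username')` expecting the same `sentinel auth-user cow username` line, matching how `auth_pass` is covered.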
@@ -177,6 +179,7 @@ class { 'redis':
let(:params) do
{
auth_pass: 'password',
auth_user: 'username',
sentinel_bind: ['192.0.2.10', '192.168.1.1'],
master_name: 'cow',
down_after: 6000,
@@ -203,6 +206,7 @@ class { 'redis':
sentinel parallel-syncs cow 1
sentinel failover-timeout cow 28000
sentinel auth-pass cow password
sentinel auth-user cow username
sentinel notification-script cow /path/to/bar.sh
sentinel client-reconfig-script cow /path/to/foo.sh
21 changes: 21 additions & 0 deletions spec/classes/redis_spec.rb
@@ -523,6 +523,27 @@ class { 'redis':
}
end

describe 'with parameter masteruser ACL' do
let(:params) do
{
masterauth: '_PASSWORD_VALUE_',
masteruser: '_USERNAME_VALUE_'
}
end

it {
is_expected.to contain_file(config_file_orig).with(
'content' => %r{masterauth.*_PASSWORD_VALUE_}
)
}

it {
is_expected.to contain_file(config_file_orig).with(
'content' => %r{masteruser.*_USERNAME_VALUE_}
)
}
end

describe 'with parameter maxclients' do
let(:params) do
{
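Review bot: this only covers the `redis` class with both parameters set explicitly. A second case for `redis::instance` that sets `redis::masteruser` at class level and leaves the instance's `masteruser` at its default would have caught the `$redis::masterauth` default in `manifests/instance.pp`; assert that the instance config contains `masteruser.*_USERNAME_VALUE_` and not `masteruser.*_PASSWORD_VALUE_`.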
3 changes: 3 additions & 0 deletions templates/redis-sentinel.conf.erb
@@ -27,6 +27,9 @@ sentinel failover-timeout <%= @master_name %> <%= @failover_timeout %>
<% if @auth_pass_unsensitive -%>
sentinel auth-pass <%= @master_name %> <%= @auth_pass_unsensitive %>
<% end -%>
<% if @auth_user_unsensitive -%>
sentinel auth-user <%= @master_name %> <%= @auth_user_unsensitive %>
<% end -%>
<% if @notification_script -%>
sentinel notification-script <%= @master_name %> <%= @notification_script %>
<% end -%>
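Review bot: the `auth-user` line is emitted whenever `@auth_user_unsensitive` is set, independently of `@auth_pass_unsensitive`, so a manifest that sets `auth_user` without `auth_pass` produces a Sentinel config naming a user with no password to present. Either guard this block on both variables or `fail()` in `redis::sentinel` when `auth_user` is given without `auth_pass`, so the misconfiguration surfaces at catalog compile time rather than as failed authentications.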
13 changes: 13 additions & 0 deletions templates/redis.conf.epp
@@ -23,6 +23,7 @@
Optional[String[1]] $slaveof,
Optional[String[1]] $replicaof,
Optional[Variant[String[1], Sensitive[String[1]]]] $masterauth,
Optional[Variant[String[1], Sensitive[String[1]]]] $masteruser,
Boolean $slave_serve_stale_data,
Boolean $slave_read_only,
Optional[Stdlib::Host] $repl_announce_ip,
@@ -411,6 +412,18 @@ dir <%= $workdir %>
# masterauth <master-password>
<% if $masterauth { -%>masterauth <%= $masterauth %><% } -%>

# However this is not enough if you are using Redis ACLs (for Redis version
# 6 or greater), and the default user is not capable of running the PSYNC
# command and/or other commands needed for replication. In this case it's
# better to configure a special user to use with replication, and specify the
# username configuration as such:
#
# masteruser <username>
<% if $masteruser { -%>masteruser <%= $masteruser %><% } -%>

# When masteruser is specified, the replica will authenticate against its
# master using the new AUTH form: AUTH <username> <password>.

# When a slave loses the connection with the master, or when the replication
# is still in progress, the slave can act in two different ways:
#
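Review bot: `masteruser` is rendered on its own, yet the comment block added right below states that it is only used in the `AUTH <username> <password>` form; with `$masteruser` set and `$masterauth` unset the replica has a username and no credential. Validate the pair where the parameters are declared (`redis` and `redis::instance`), for example `if $masteruser and !$masterauth { fail('masteruser requires masterauth') }`, rather than letting the template emit a half-configured replica.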
