You can configure users and roles for the admin console. This section details how you can set users and roles, configure external identity providers for authentication, and set up user account security within Redis Enterprise.

Role-Based Access Control

Redis Enterprise includes five pre-built roles to help users who need limited access to the admin console.

  1. DB Viewer - Read any settings for databases
  2. DB Member - Administer databases
  3. Cluster Viewer - Read any cluster settings
  4. Cluster Member - Administer the cluster
  5. Admin - Full cluster access

The following table elaborates on the privileges for each of these roles:

                 Database                                            Nodes             Cluster
                 View     View    View      Edit    Reset     View     View     View     View    View   View and
                 metrics  config  redis     config  slow log  metrics  config   metrics  config  logs   edit settings
                                  password
DB Viewer        V        V
DB Member        V        V       V         V       V                                           V
Cluster Viewer   V        V                                   V        V        V        V       V
Cluster Member   V        V       V         V       V         V        V        V        V       V
Admin            V        V       V         V       V         V        V        V        V       V      V

Configuring users with roles

To add a user to the cluster:

  1. Go to the access control tab

  2. Click Add

  3. Enter the name, email and password of the new user and select the role to assign to the user.

  4. Select the internal user type

  5. For email alerts, click “Edit” and select the alerts that the user should receive. You can select:
    • Receive alerts for databases - The alerts that are enabled for the selected databases will be sent to the user. You can either select “All databases”, or you can select “Customize” and select the individual databases to send alerts for.
    • Receive cluster alerts - The alerts that are enabled for the cluster in settings > alerts are sent to the user.

  6. Select the save icon.

User Account Security

Redis Enterprise supports the following user account security settings:

  1. Password complexity
  2. Password expiration
  3. User Lockouts
  4. Account inactivity timeout

To enforce a more advanced password policy, we recommend that you use LDAP integration with an external identity provider, such as Active Directory.

Enabling the password complexity profile

Redis Enterprise Software provides an optional password complexity profile that meets most organizational needs. When enabled, this password profile requires the following:

  • At least 8 characters
  • At least one uppercase character
  • At least one lowercase character
  • At least one number (not first or last character)
  • At least one special character (not first or last character)

In addition, the password:

  • Cannot contain the user ID or reverse of the user ID
  • Cannot have more than three repeating characters

Note:
The password complexity profile applies when a new user is added or an existing user changes their password. This profile does not apply to users authenticated through an external identity provider.
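The rules above can be checked before a password is submitted, for instance in provisioning scripts that create internal users through the REST API. The validator below is an added example, not Redis Enterprise's own implementation; it interprets "special character" as any character that is not a letter or digit, compares the user ID case-insensitively, and reads "more than three repeating characters" as a run of four or more identical consecutive characters. All three readings are assumptions, and the sample passwords are constructed.

```python
def _longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    longest = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password_complexity(password: str, user_id: str) -> list:
    """Return the list of profile rules the password violates (empty list = accepted).

    Added illustration of the documented profile, not Redis Enterprise's own code.
    Assumptions: user-ID comparison is case-insensitive, a special character is
    anything that is not alphanumeric, and "more than three repeating characters"
    means a run of four or more identical consecutive characters.
    """
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase character")
    if not any(c.islower() for c in password):
        problems.append("no lowercase character")
    # The number and the special character may not be the first or last character,
    # so only the interior of the password is inspected for them.
    interior = password[1:-1]
    if not any(c.isdigit() for c in interior):
        problems.append("no number between the first and last character")
    if not any(not c.isalnum() for c in interior):
        problems.append("no special character between the first and last character")
    uid, pw = user_id.lower(), password.lower()
    if uid and (uid in pw or uid[::-1] in pw):
        problems.append("contains the user ID or its reverse")
    if _longest_run(password) > 3:
        problems.append("more than three repeating characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one acceptable password and three rule violations.
    for pw, uid in [("Tr0ub4dor&x", "alice"), ("1Password!", "bob"),
                    ("Alice#2024x", "alice"), ("Abbbb#1cd", "zed")]:
        verdict = check_password_complexity(pw, uid)
        print(f"{pw!r:16} -> {'accepted' if not verdict else '; '.join(verdict)}")
```

The positional rule is the one most often missed in home-grown checks: "1Password!" contains a digit and a special character, yet fails the profile because both sit at the ends of the password.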

To enable the password complexity profile, run the following curl command against the REST API:

curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator-user-email>:<password>" -d '{"password_complexity":true}' https://<RS_server_address>:9443/v1/cluster

To disable the password complexity requirement, run the same command, but set “password_complexity” to “false”.

Enabling password expiration

To enforce an expiration of a user’s password after a specified number of days, run the following command:

curl -k -X PUT -v -H "cache-control: no-cache" -H "content-type: application/json" -u "<administrator_user>:<password>" -d '{"password_expiration_duration":<number_of_days>}' https://<RS_server_address>:9443/v1/cluster

To disable password expiration, set the number of days to 0.

User Login Lockout

The parameters for the user login lockout are:

  • Login Lockout Threshold - The number of failed login attempts allowed before the user account is locked. (Default: 5)
  • Login Lockout Counter Reset - The amount of time during which failed login attempts are counted. (Default: 15 minutes)
  • Login Lockout Duration - The amount of time that the user account is locked after excessive failed login attempts. (Default: 30 minutes)

By default, after 5 failed login attempts within 15 minutes, the user account is locked for 30 minutes.
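How the three parameters interact is easier to see in a small model. The tracker below is an added example that encodes the documented behaviour (threshold, counting window, lock duration, the two special values 0 and the admin password reset); it is an interpretation of the page's description, not Redis Enterprise's own lockout implementation, and the login sequence it replays is constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutPolicy:
    """The three documented parameters, initialised to the page's defaults."""
    threshold: int = 5                  # failed attempts allowed; 0 = lockout disabled
    counter_reset_after: int = 15 * 60  # seconds; failures older than this no longer count
    duration: int = 30 * 60             # seconds locked; 0 = only an admin password reset unlocks


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of counted failures
    locked_until: Optional[float] = None  # None = not locked; inf = admin-release


class LockoutTracker:
    """Added model of how the documented parameters combine (an interpretation of the
    page's description, not Redis Enterprise's own implementation)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now >= st.locked_until:          # timed lockout has expired
            st.locked_until = None
            st.failures.clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed login at time `now`; return whether the account is locked afterwards."""
        p = self.policy
        if p.threshold == 0:                # login_lockout_threshold: disabled
            return False
        if self.is_locked(user, now):
            return True
        st = self._state(user)
        # Only failures inside the counter-reset window count towards the threshold.
        st.failures = [t for t in st.failures if now - t < p.counter_reset_after]
        st.failures.append(now)
        if len(st.failures) >= p.threshold:
            st.locked_until = float("inf") if p.duration == 0 else now + p.duration
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A successful login clears the counter; returns False if the account is locked."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def admin_reset_password(self, user: str) -> None:
        """Equivalent of `rladmin cluster reset_password <username>`: clears lock and counter."""
        self.accounts[user] = AccountState()


def demo_default_policy() -> dict:
    """Replay a constructed burst of failures against the default policy."""
    tr = LockoutTracker(LockoutPolicy())
    locked_on = [tr.record_failure("alice", t) for t in (0, 10, 20, 30, 40)]
    return {
        "locked_on_fifth_failure": locked_on == [False, False, False, False, True],
        "still_locked_after_20_minutes": tr.is_locked("alice", 40 + 20 * 60),
        "unlocked_after_30_minutes": not tr.is_locked("alice", 40 + 30 * 60),
    }


if __name__ == "__main__":
    for check, ok in demo_default_policy().items():
        print(f"{check}: {ok}")
```

Two consequences worth noting when tuning: a slow trickle of failures spaced wider than login_lockout_counter_reset_after never reaches the threshold, and with login_lockout_duration set to 0 the lock persists until an administrator resets the password, so that setting needs an operational path for unlocking legitimate users.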

You can view the user login restrictions for your cluster with:

rladmin info cluster | grep login_lockout

Changing the login lockout threshold

You can set the login lockout threshold with the command:

rladmin tune cluster login_lockout_threshold <login_lockout_threshold>

For example, to set the lockout threshold to 10 failed login attempts:

rladmin tune cluster login_lockout_threshold 10

Setting the lockout threshold to 0 disables account lockout. In this case, the cluster settings show: login_lockout_threshold: disabled

Changing the login lockout counter

You can set the login lockout reset counter in seconds with the command:

rladmin tune cluster login_lockout_counter_reset_after <login_lockout_counter_reset_after>

To set the lockout reset to 1 hour, run:

rladmin tune cluster login_lockout_counter_reset_after 3600

Changing the Login Lockout Duration

You can set the login lockout duration in seconds with the command:

rladmin tune cluster login_lockout_duration <login_lockout_duration>

For example, to set the lockout duration to 1 hour use the command:

rladmin tune cluster login_lockout_duration 3600

If you set the lockout duration to 0, then the account can be unlocked only when an administrator changes the account’s password. In this case, the cluster settings show: login_lockout_duration: admin-release

Unlocking Locked User Accounts

To unlock a user account or reset a user password from the CLI, run:

rladmin cluster reset_password <username>

Session timeout

The Redis Enterprise admin console supports session timeouts. By default, users are automatically logged out after 15 minutes of inactivity.

To customize the session timeout you can run the following command:

rladmin cluster config cm_session_timeout_minutes <number_of_min>

Here, number_of_min is the number of minutes after which sessions will time out.
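The settings described in this section (password complexity, password expiration, the lockout parameters and the session timeout) are worth auditing periodically rather than only setting once. The script below is an added example, not part of Redis Enterprise or its documentation. It assumes that GET /v1/cluster returns the same keys the curl commands above set with PUT, that cm_session_timeout_minutes is reported under that name in the cluster object, and that the API may echo the rladmin spellings "disabled" and "admin-release" for a value of 0. The sample cluster object is constructed, and the fetch helper verifies the server certificate against a CA file instead of disabling verification the way `curl -k` does.

```python
import base64
import json
import ssl
import urllib.request


def fetch_cluster_settings(base_url: str, user: str, password: str, cafile: str) -> dict:
    """GET /v1/cluster with HTTP basic auth, verifying TLS against `cafile`.

    Assumption: the response carries the same keys the page's PUT commands set.
    """
    req = urllib.request.Request(f"{base_url}/v1/cluster")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def _num(value, default: int) -> int:
    """Coerce a setting to int. rladmin renders 0 as 'disabled' / 'admin-release';
    assumption: the API may echo those strings too, so they are mapped to 0."""
    if value is None:
        return default
    if isinstance(value, str) and value.lower() in ("disabled", "admin-release"):
        return 0
    return int(value)


def audit_account_security(cluster: dict) -> list:
    """Return findings for settings that are switched off or looser than the page's defaults."""
    findings = []
    if not cluster.get("password_complexity", False):
        findings.append("password complexity profile is disabled")
    if _num(cluster.get("password_expiration_duration"), 0) == 0:
        findings.append("password expiration is disabled (password_expiration_duration=0)")
    threshold = _num(cluster.get("login_lockout_threshold"), 5)
    if threshold == 0:
        findings.append("account lockout is disabled (login_lockout_threshold=0)")
    elif threshold > 5:
        findings.append(f"login_lockout_threshold={threshold} allows more failures than the default of 5")
    duration = _num(cluster.get("login_lockout_duration"), 30 * 60)
    # 0 means admin-release, which is stricter than the default, so it is not reported.
    if 0 < duration < 30 * 60:
        findings.append(f"login_lockout_duration={duration}s is shorter than the default of 1800s")
    timeout = _num(cluster.get("cm_session_timeout_minutes"), 15)
    if timeout > 15:
        findings.append(f"session timeout of {timeout} minutes exceeds the 15-minute default")
    return findings


# Constructed sample of a cluster object; not captured from a real deployment.
SAMPLE_CLUSTER = {
    "name": "cluster.example.internal",
    "password_complexity": False,
    "password_expiration_duration": 0,
    "login_lockout_threshold": 0,
    "login_lockout_counter_reset_after": 900,
    "login_lockout_duration": 1800,
    "cm_session_timeout_minutes": 60,
}

if __name__ == "__main__":
    # Replace SAMPLE_CLUSTER with fetch_cluster_settings("https://<RS_server_address>:9443",
    # "<administrator_user>", "<password>", "/path/to/cluster-ca.pem") against a live cluster.
    for finding in audit_account_security(SAMPLE_CLUSTER):
        print("-", finding)
```

The audit treats the page's defaults as the baseline, so a cluster that has only raised the threshold or lengthened the session timeout is reported, while stricter choices are silently accepted.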

Setting up LDAP

Redis Enterprise supports LDAP Authentication for the admin console.

Note:
LDAP access is not yet available for database access, but this is planned for a future release.

The following steps should be used when configuring LDAP:

  1. Configure the saslauthd service
  2. Import the saslauthd configuration
  3. Restart saslauthd service
  4. Configure LDAP users

Configuring the saslauthd Service

Saslauthd is a process that handles authentication requests on behalf of Redis Enterprise to LDAP. There are two steps to configuring this process:

  1. Modify the mechanisms configuration to LDAP
  2. Provide the LDAP configuration information

To modify the mechanisms configuration:

  1. Edit the saslauthd file located in /etc/default
    • In this file change the MECHANISMS variable to MECHANISMS="ldap"

To provide the LDAP configuration information:

  1. Edit the configuration file located at /etc/opt/redislabs/saslauthd.conf or the installation directory of your choice during initial configuration.
  2. Provide the following information associated with each variable:
    • ldap_servers: the LDAP servers that you authenticate against and the port to use
      • Port 389 is standardly used for unencrypted LDAP connections
      • Port 636 is standardly used for encrypted LDAP connections and is strongly recommended.
    • ldap_tls_cacert_file (optional): The path to your CA certificates. This is required for encrypted LDAP connections only.
    • ldap_filter: the filter used to search for users
    • ldap_bind_dn: The distinguished name for the user that will be used to authenticate to the LDAP server.
    • ldap_password: The password used for the user specified in ldap_bind_dn
  3. Import the saslauthd configuration into Redis Enterprise using the command below:

    rladmin cluster config saslauthd_ldap_conf <path_to_saslauthd.conf>

Note:
If this is a new server installation, for this command to work, a cluster must be set up already.

  4. Restart the saslauthd service:

    sudo supervisorctl restart saslauthd

An example configuration for your reference may be found below:

ldap_servers: ldaps://ldap1.mydomain.com:636 ldaps://ldap2.mydomain.com:636
ldap_tls_cacert_file: /path/to/your/CARootCert.crt
ldap_search_base: ou=coolUsers,dc=company,dc=com
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=admin,dc=company,dc=com
ldap_password: secretSquirrel
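Because ldap_password is a bind credential, the transport settings in this file deserve a check before the configuration is imported: an ldap:// URI sends that password in clear text, an ldap:// URI on port 636 will not connect at all, and ldaps:// without ldap_tls_cacert_file leaves the server certificate unverifiable. The checker below is an added example and not part of Redis Enterprise; it parses the key: value format shown above, flags duplicate keys (the last value silently wins), and reports those transport problems. Both configuration samples are constructed, including the CA path under /etc/opt/redislabs and the example-only bind password.

```python
from urllib.parse import urlsplit


def parse_saslauthd_conf(text: str):
    """Parse the 'key: value' lines of a saslauthd.conf; returns (settings, duplicate_keys)."""
    settings, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                        # not a key: value line; ignored here
        key = key.strip().lower()           # saslauthd keys are lowercase
        if key in settings:
            duplicates.append(key)
        settings[key] = value.strip()
    return settings, duplicates


def check_saslauthd_ldap(text: str) -> list:
    """Flag transport and completeness problems in an LDAP saslauthd.conf."""
    settings, duplicates = parse_saslauthd_conf(text)
    findings = [f"duplicate key '{k}' (the last value wins)" for k in duplicates]
    servers = settings.get("ldap_servers", "").split()
    if not servers:
        findings.append("ldap_servers is not set")
    any_tls = False
    for uri in servers:
        parts = urlsplit(uri)
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        if parts.scheme == "ldaps":
            any_tls = True
        elif parts.scheme == "ldap" and port == 636:
            findings.append(f"{uri}: plain ldap:// scheme on the encrypted port 636 (use ldaps://)")
        elif parts.scheme == "ldap":
            findings.append(f"{uri}: unencrypted LDAP; the ldap_bind_dn password is sent in clear text")
        else:
            findings.append(f"{uri}: unrecognised scheme")
    if any_tls and "ldap_tls_cacert_file" not in settings:
        findings.append("ldaps:// is used but ldap_tls_cacert_file is not set")
    for key in ("ldap_filter", "ldap_bind_dn", "ldap_password"):
        if key not in settings:
            findings.append(f"{key} is not set")
    return findings


# Constructed sample containing the problems the checker looks for.
WEAK_CONF = """\
ldap_servers: ldaps://ldap1.example.test:636 ldap://ldap2.example.test:636
ldap_search_base: ou=users,dc=example,dc=test
ldap_search_base: ou=users,dc=example,dc=test
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=redis-bind,dc=example,dc=test
ldap_password: example-only-password
"""

# Constructed corrected form: both servers over ldaps:// and a CA file for verification.
HARDENED_CONF = """\
ldap_servers: ldaps://ldap1.example.test:636 ldaps://ldap2.example.test:636
ldap_tls_cacert_file: /etc/opt/redislabs/ldap-ca.crt
ldap_search_base: ou=users,dc=example,dc=test
ldap_filter: (sAMAccountName=%u)
ldap_bind_dn: cn=redis-bind,dc=example,dc=test
ldap_password: example-only-password
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {check_saslauthd_ldap(conf) or 'no findings'}")
```

Run it against the real file with `check_saslauthd_ldap(open("/etc/opt/redislabs/saslauthd.conf").read())` before the rladmin import step; the file also holds the bind password, so keep its permissions restricted to the account that runs saslauthd.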

Setting up LDAP users in Redis Enterprise

To set up an LDAP user, simply select an external account type when configuring the user following the procedure to configure users.