Skip to content

Commit

Permalink
(#527) Add masteruser parameter
Browse files Browse the repository at this point in the history
Enable setting the masteruser parameter which was introduced in Redis 6+ to be able to connect using the new ACL rules.
  • Loading branch information
Steffen Jørgensen committed May 15, 2024
1 parent ad3cd35 commit bb776ba
Show file tree
Hide file tree
Showing 8 changed files with 79 additions and 4 deletions.
10 changes: 10 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,16 @@ class { 'redis':
}
```

With ACL authentication

```puppet
class { 'redis':
bind => '10.0.1.1',
masterauth => 'secret',
masteruser => 'username',
}
```

### Slave node

```puppet
Expand Down
22 changes: 20 additions & 2 deletions REFERENCE.md
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,7 @@ The following parameters are available in the `redis` class:
* [`manage_package`](#-redis--manage_package)
* [`managed_by_cluster_manager`](#-redis--managed_by_cluster_manager)
* [`masterauth`](#-redis--masterauth)
* [`masteruser`](#-redis--masteruser)
* [`maxclients`](#-redis--maxclients)
* [`maxmemory`](#-redis--maxmemory)
* [`maxmemory_policy`](#-redis--maxmemory_policy)
Expand Down Expand Up @@ -532,7 +533,15 @@ Default value: `false`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected (using the "requirepass" configuration
If the master is password protected (using the "requirepass" configuration)

Default value: `undef`

##### <a name="-redis--masteruser"></a>`masteruser`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected and a user is defined (using the "user" configuration)

Default value: `undef`

Expand Down Expand Up @@ -1953,6 +1962,7 @@ The following parameters are available in the `redis::instance` defined type:
* [`managed_by_cluster_manager`](#-redis--instance--managed_by_cluster_manager)
* [`manage_service_file`](#-redis--instance--manage_service_file)
* [`masterauth`](#-redis--instance--masterauth)
* [`masteruser`](#-redis--instance--masteruser)
* [`maxclients`](#-redis--instance--maxclients)
* [`maxmemory`](#-redis--instance--maxmemory)
* [`maxmemory_policy`](#-redis--instance--maxmemory_policy)
Expand Down Expand Up @@ -2305,7 +2315,15 @@ Default value: `true`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected (using the "requirepass" configuration
If the master is password protected (using the "requirepass" configuration)

Default value: `$redis::masterauth`

##### <a name="-redis--instance--masteruser"></a>`masteruser`

Data type: `Optional[Variant[String[1], Sensitive[String[1]], Deferred]]`

If the master is password protected and a user is defined (using the "user" configuration)

Default value: `$redis::masterauth`

Expand Down
5 changes: 4 additions & 1 deletion manifests/init.pp
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,9 @@
# @param managed_by_cluster_manager
# Choose if redis will be managed by a cluster manager such as pacemaker or rgmanager
# @param masterauth
# If the master is password protected (using the "requirepass" configuration
# If the master is password protected (using the "requirepass" configuration)
# @param masteruser
# If the master is password protected and a user is defined (using the "user" configuration)
# @param maxclients
# Set the max number of connected clients at the same time.
# @param maxmemory
Expand Down Expand Up @@ -392,6 +394,7 @@
Boolean $manage_package = true,
Boolean $manage_repo = false,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = undef,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = undef,
Integer[1] $maxclients = 10000,
$maxmemory = undef,
Optional[Redis::MemoryPolicy] $maxmemory_policy = undef,
Expand Down
6 changes: 5 additions & 1 deletion manifests/instance.pp
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,9 @@
# @param manage_service_file
# Determine if the systemd service file should be managed
# @param masterauth
# If the master is password protected (using the "requirepass" configuration
# If the master is password protected (using the "requirepass" configuration)
# @param masteruser
# If the master is password protected and a user is defined (using the "user" configuration)
# @param maxclients
# Set the max number of connected clients at the same time.
# @param maxmemory
Expand Down Expand Up @@ -325,6 +327,7 @@
Stdlib::Filemode $log_dir_mode = $redis::log_dir_mode,
Redis::LogLevel $log_level = $redis::log_level,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masterauth = $redis::masterauth,
Optional[Variant[String[1], Sensitive[String[1]], Deferred]] $masteruser = $redis::masterauth,
Integer[1] $maxclients = $redis::maxclients,
Optional[Variant[Integer, String]] $maxmemory = $redis::maxmemory,
Optional[Redis::MemoryPolicy] $maxmemory_policy = $redis::maxmemory_policy,
Expand Down Expand Up @@ -526,6 +529,7 @@
slaveof => $slaveof,
replicaof => $replicaof,
masterauth => $masterauth,
masteruser => $masteruser,
slave_serve_stale_data => $slave_serve_stale_data,
slave_read_only => $slave_read_only,
repl_announce_ip => $repl_announce_ip,
Expand Down
4 changes: 4 additions & 0 deletions spec/classes/redis_sentinel_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,7 @@ class { 'redis':
{
sentinel_tls_port: 26_380,
auth_pass: 'password',
auth_user: 'username',
sentinel_bind: '192.0.2.10',
protected_mode: false,
master_name: 'cow',
Expand Down Expand Up @@ -151,6 +152,7 @@ class { 'redis':
sentinel parallel-syncs cow 1
sentinel failover-timeout cow 28000
sentinel auth-pass cow password
sentinel auth-user cow username
sentinel notification-script cow /path/to/bar.sh
sentinel client-reconfig-script cow /path/to/foo.sh

Expand All @@ -177,6 +179,7 @@ class { 'redis':
let(:params) do
{
auth_pass: 'password',
auth_user: 'username',
sentinel_bind: ['192.0.2.10', '192.168.1.1'],
master_name: 'cow',
down_after: 6000,
Expand All @@ -203,6 +206,7 @@ class { 'redis':
sentinel parallel-syncs cow 1
sentinel failover-timeout cow 28000
sentinel auth-pass cow password
sentinel auth-user cow username
sentinel notification-script cow /path/to/bar.sh
sentinel client-reconfig-script cow /path/to/foo.sh

Expand Down
20 changes: 20 additions & 0 deletions spec/classes/redis_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -523,6 +523,26 @@ class { 'redis':
}
end

describe 'with parameter masteruser ACL' do
let(:params) do
{
masterauth: '_PASSWORD_VALUE_',
masteruser: '_USERNAME_VALUE_'
}
end

it {
is_expected.to contain_file(config_file_orig).with(
'content' => %r{masterauth.*_PASSWORD_VALUE_}
)
}

Check failure on line 538 in spec/classes/redis_spec.rb

View workflow job for this annotation

GitHub Actions / Puppet / Static validations

RSpec/EmptyLineAfterExample: Add an empty line after `it`. (https://rspec.rubystyle.guide/#empty-lines-around-examples, https://www.rubydoc.info/gems/rubocop-rspec/RuboCop/Cop/RSpec/EmptyLineAfterExample)
it {
is_expected.to contain_file(config_file_orig).with(
'content' => %r{masteruser.*_USERNAME_VALUE_}
)
}
end

describe 'with parameter maxclients' do
let(:params) do
{
Expand Down
3 changes: 3 additions & 0 deletions templates/redis-sentinel.conf.erb
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,9 @@ sentinel failover-timeout <%= @master_name %> <%= @failover_timeout %>
<% if @auth_pass_unsensitive -%>
sentinel auth-pass <%= @master_name %> <%= @auth_pass_unsensitive %>
<% end -%>
<% if @auth_user_unsensitive -%>
sentinel auth-user <%= @master_name %> <%= @auth_user_unsensitive %>
<% end -%>
<% if @notification_script -%>
sentinel notification-script <%= @master_name %> <%= @notification_script %>
<% end -%>
Expand Down
13 changes: 13 additions & 0 deletions templates/redis.conf.epp
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@
Optional[String[1]] $slaveof,
Optional[String[1]] $replicaof,
Optional[Variant[String[1], Sensitive[String[1]]]] $masterauth,
Optional[Variant[String[1], Sensitive[String[1]]]] $masteruser,
Boolean $slave_serve_stale_data,
Boolean $slave_read_only,
Optional[Stdlib::Host] $repl_announce_ip,
Expand Down Expand Up @@ -411,6 +412,18 @@ dir <%= $workdir %>
# masterauth <master-password>
<% if $masterauth { -%>masterauth <%= $masterauth %><% } -%>

# However this is not enough if you are using Redis ACLs (for Redis version
# 6 or greater), and the default user is not capable of running the PSYNC
# command and/or other commands needed for replication. In this case it's
# better to configure a special user to use with replication, and specify the
# username configuration as such:
#
# masteruser <username>
<% if $masteruser { -%>masteruser <%= $masteruser %><% } -%>
#
# When masteruser is specified, the replica will authenticate against its
# master using the new AUTH form: AUTH <username> <password>.

# When a slave loses the connection with the master, or when the replication
# is still in progress, the slave can act in two different ways:
#
Expand Down

0 comments on commit bb776ba

Please sign in to comment.