
https://redis.io/topics/acl

ACL

The Redis ACL, short for Access Control List, is the feature that allows certain connections to be limited in terms of the commands that can be executed and the keys that can be accessed. The way it works is that, after connecting, a client is required to authenticate providing a username and a valid password: if the authentication stage succeeded, the connection is associated with a given user and the limits the user has. Redis can be configured so that new connections are already authenticated with a “default” user (this is the default configuration), so configuring the default user has, as a side effect, the ability to provide only a specific subset of functionalities to connections that are not explicitly authenticated.

In the default configuration, Redis 6 (the first version to have ACLs) works exactly like older versions of Redis, that is, every new connection is capable of calling every possible command and accessing every key, so the ACL feature is backward compatible with old clients and applications. Also the old way to configure a password, using the requirepass configuration directive, still works as expected, but now what it does is just to set a password for the default user.

The Redis AUTH command was extended in Redis 6, so now it is possible to use it in the two-argument form:

AUTH <username> <password>

When it is used according to the old form, that is:

AUTH <password>

What happens is that the username used to authenticate is “default”, so just specifying the password implies that we want to authenticate against the default user. This provides perfect backward compatibility with the past.

Configuring ACLs using the ACL command

> ACL LIST
1) "user default on nopass ~* &* +@all"

The first two words in each line are “user” followed by the username. The next words are ACL rules that describe different things. We’ll show in detail how the rules work, but for now it is enough to say that the default user is configured to be active (on), to require no password (nopass), to access every possible key (~*) and Pub/Sub channel (&*), and to be able to call every possible command (+@all).

Also, in the special case of the default user, having the nopass rule means that new connections are automatically authenticated with the default user without any explicit AUTH call needed.
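To make the rule semantics above concrete, here is an added example (not part of the Redis documentation or the original post) that parses ACL LIST lines into a user object and answers “may this connection run this command on this key?”. It covers the rule subset discussed here (on/off, nopass, password entries, ~key patterns, &channel patterns, +/-command and +/-@category, applied in order); the command-category table is a constructed stand-in for the real one, and the ops/gone users are constructed sample data.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed stand-in for Redis's command-category table (tiny subset, hypothetical).
CATEGORIES = {"read": {"get", "mget"}, "write": {"set", "del"}, "dangerous": {"flushall", "keys"}}
ALL_COMMANDS = set().union(*CATEGORIES.values())

@dataclass
class AclUser:
    name: str
    enabled: bool = False            # "on" / "off"
    nopass: bool = False             # "nopass": any password, or none, is accepted
    has_password: bool = False       # "#<sha256>" in ACL LIST output, ">clear" in SETUSER
    key_patterns: list = field(default_factory=list)      # "~pattern"
    channel_patterns: list = field(default_factory=list)  # "&pattern"
    commands: set = field(default_factory=set)            # resolved from +/- rules, in order

def parse_acl_line(line: str) -> AclUser:
    """Parse one ACL LIST line, e.g. '1) "user default on nopass ~* &* +@all"'."""
    words = line.strip().lstrip("0123456789) ").strip('"').split()
    if len(words) < 2 or words[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    user = AclUser(name=words[1])
    for rule in words[2:]:
        if rule in ("on", "off"):
            user.enabled = rule == "on"
        elif rule == "nopass":
            user.nopass = True
        elif rule[0] in "#>":                 # hashed (#) or cleartext (>) password
            user.has_password = True
        elif rule[0] == "~":
            user.key_patterns.append(rule[1:])
        elif rule[0] == "&":
            user.channel_patterns.append(rule[1:])
        elif rule[0] in "+-":                 # +@cat / -@cat / +cmd / -cmd, left to right
            body = rule[1:]
            members = (ALL_COMMANDS if body == "@all" else
                       CATEGORIES.get(body[1:], set()) if body.startswith("@") else {body.lower()})
            (user.commands.update if rule[0] == "+" else user.commands.difference_update)(members)
        else:
            raise ValueError(f"unsupported rule {rule!r}")
    return user

def can_run(user: AclUser, command: str, key=None) -> bool:
    """True if a connection bound to `user` may run `command` (touching `key`, if given)."""
    if not user.enabled or command.lower() not in user.commands:
        return False
    return key is None or any(fnmatchcase(key, p) for p in user.key_patterns)

def implicit_access(users: dict):
    """What an un-AUTHed connection gets: the default user, but only while it is on + nopass."""
    d = users.get("default")
    return d if d and d.enabled and d.nopass else None
```

Running `implicit_access` over a server's ACL LIST output is a quick audit of whether unauthenticated clients still get the stock default user's full access.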


Author
Mark Zhu
An old developer