Description
When using the redis-cluster policy in limit-count or equivalent plugins, APISIX can only authenticate against Redis as the default user; there is no way to configure a named ACL user with reduced privileges. This is a security gap in environments that follow the principle of least privilege, since the credential APISIX holds then carries every permission granted to the default user rather than only the commands the plugin needs.
What makes this more visible is an existing inconsistency within APISIX itself: the standalone redis policy already supports redis_username. The redis-cluster policy has no equivalent field, leaving cluster users with a weaker security posture than standalone users, with no documented reason for the difference.
Proposal
- Add a new optional field 'redis_username' for the redis-cluster policy (in apisix/utils/redis-schema.lua and apisix/utils/rediscluster.lua)
- Add username support to the resty.rediscluster library (a dependency), so a separate MR on https://github.com/steve0511/resty-redis-cluster will be necessary to complete this issue
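As an added sketch (not APISIX or resty-redis-cluster code), the shape the proposal implies: an optional redis_username schema property, and a connect helper that issues the two-argument ACL auth when a username is configured and falls back to password-only auth otherwise. The schema table, the helper and the conf field names are hypothetical; lua-resty-redis's red:auth(username, password) form is assumed to be available.

```lua
local redis = require("resty.redis")

-- Hypothetical schema fragment for the redis-cluster policy; mirrors the
-- standalone redis policy, which already exposes redis_username.
local redis_cluster_schema = {
    redis_cluster_nodes = { type = "array", items = { type = "string" }, minItems = 1 },
    redis_cluster_name  = { type = "string" },
    redis_username      = { type = "string" },              -- proposed optional field
    redis_password      = { type = "string" },
    redis_timeout       = { type = "integer", minimum = 1, default = 1000 },
}

-- Hypothetical helper showing the authentication path the library change needs.
-- With a username set, authenticate as that named ACL user (least privilege);
-- without one, keep today's behaviour and authenticate as the default user.
local function connect_and_auth(host, port, conf)
    local red = redis:new()
    red:set_timeout(conf.redis_timeout or 1000)

    local ok, err = red:connect(host, port)
    if not ok then
        return nil, "connect failed: " .. tostring(err)
    end

    if conf.redis_password then
        local res
        if conf.redis_username then
            -- Redis 6+ ACL login: AUTH <username> <password>
            res, err = red:auth(conf.redis_username, conf.redis_password)
        else
            -- legacy login as the default user: AUTH <password>
            res, err = red:auth(conf.redis_password)
        end
        if not res then
            red:close()
            return nil, "auth failed: " .. tostring(err)
        end
    end

    return red
end

return { schema = redis_cluster_schema, connect_and_auth = connect_and_auth }
```

The same branch would have to live inside resty-redis-cluster's per-node connection logic, since that library, not APISIX, opens the sockets to each cluster node.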