Potentially breaking changes to ACLs

Redis 8 includes Redis Query Engine, as well as JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest data types. The integration of these features into Redis also comes with improvements to Redis ACL rules.

Extension to the existing ACL categories

Before Redis 8, the existing ACL categories @read, @write, @dangerous, @admin, @slow, and @fast did not include commands for the Redis Query Engine and the JSON, time series, and probabilistic data structures.

Starting with Redis 8, Redis includes all Query Engine, JSON, time series, Bloom filter, cuckoo filter, top-k, count-min sketch, and t-digest commands in these existing ACL categories.

As a result:

• Existing ACL rules such as +@read +@write will allow access to more commands than in previous versions of Redis. Here are some examples:

  • A user with +@read access will be able to execute FT.SEARCH.
  • A user with +@write access will be able to execute JSON.SET.

• ACL rules such as +@all -@write will allow access to fewer commands than previous versions of Redis. For example:

  • A user with +@all -@write will not be able to execute JSON.SET.

Note that the @all category did not change, as it always included all the commands.

Additionally, ACL rules such as +@read +JSON.GET can now be simplified as +@read because JSON.GET is included in the @read category.

Who is affected by this change?

Users who currently use the Redis Query Engine and/or the JSON, time series, or probabilistic data structures, and use custom ACL rules.

You should reanalyze your ACL rules to make sure they are aligned with your security and access control requirements.