Redis Enterprise Software release notes 6.4.2-30 (February 2023)
Pub/sub ACLs & default permissions. Validate client certificates by subject attributes.
Redis Enterprise Software version 6.4.2 is now available!
This version offers:
- Extended validation of client certificates via mTLS (mutual TLS) full subject support
- Support for default restrictive permissions when using publish/subscribe commands and ACLs (access control lists)
- Enhanced TLS performance when Redis returns large arrays in responses
- Compatibility with open source Redis 6.2.7
- Additional enhancements and bug fixes
The following table shows the MD5 checksums for the available packages. A matching MD5 confirms that the download is intact; it is not proof of origin, since MD5 is not collision resistant, so fetch the packages over an authenticated channel as well.

Package | MD5 checksum (6.4.2-30 February release) |
---|---|
Ubuntu 16 | b0dbecaa974ca08245dda55d53b6fe9b |
Ubuntu 18 | a5192e8b0734db80d6b7c2b98a170c58 |
RedHat Enterprise Linux (RHEL) 7 / Oracle Enterprise Linux (OL) 7 | c1537855dcfe7a7cedf9031ce01e2b9b |
RedHat Enterprise Linux (RHEL) 8 / Oracle Enterprise Linux (OL) 8 / Rocky Enterprise Linux | a24dc749d6dcb5df2162d7a41791c7aa |
New features and enhancements
Validate client certificates by subject attributes
You can now validate client certificates by their subject attributes. When a client attempts to connect to a database, Redis Enterprise Software compares the subject attributes of the client certificate with the subject values allowed for that database, and the client can connect only if the values match. Compared with matching on the Common Name alone, this gives finer control over which clients can access which databases.
See Enable TLS for more information.
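The comparison described above, modelled as a standalone check. This is an added example and not Redis Enterprise code; it assumes (from the REST API field names mentioned under Breaking changes below, not from anything this page specifies) that an allow-list entry is a dict of subject attributes such as `{"CN": ..., "O": ..., "OU": ...}` and that a client is authorized when every attribute named in at least one entry matches the presented subject. The sample allow-list and subjects are constructed for illustration.

```python
"""Added example, not Redis Enterprise code: matching a client certificate
subject against an allow-list of subject attributes.

Assumption: an allow-list entry lists the attributes that must match; any
attribute it omits is not constrained. A client is authorized when at least
one entry is fully satisfied.
"""
import re
from typing import Dict, List

# Subject attributes the check understands (RFC 4514 short names).
SUBJECT_ATTRS = {"CN", "O", "OU", "C", "ST", "L"}


def parse_subject(dn: str) -> Dict[str, str]:
    """Turn 'CN=app,O=Example Corp,C=US' into {'CN': 'app', 'O': ..., 'C': ...}.

    Splits on commas that are not backslash-escaped, so a value such as
    'Smith\\, John' survives. Repeated or unknown attributes are rejected
    rather than silently merged, because the input here is a subject chosen
    by whoever requested the certificate.
    """
    subject: Dict[str, str] = {}
    for rdn in re.split(r"(?<!\\),", dn):
        if not rdn.strip():
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key = key.strip().upper()
        if key not in SUBJECT_ATTRS:
            raise ValueError(f"unsupported subject attribute: {key}")
        if key in subject:
            raise ValueError(f"repeated subject attribute: {key}")
        subject[key] = value.strip().replace("\\,", ",")
    return subject


def entry_matches(subject: Dict[str, str], entry: Dict[str, str]) -> bool:
    """An entry matches when every attribute it lists is present in the
    certificate subject with exactly the same value. An empty entry would
    match every client, so treat it as a misconfiguration, not a wildcard."""
    if not entry:
        raise ValueError("empty authorized-subject entry would match any client")
    return all(subject.get(attr) == value for attr, value in entry.items())


def is_authorized(client_subject_dn: str, authorized_subjects: List[Dict[str, str]]) -> bool:
    """True if the presented certificate subject satisfies at least one entry."""
    subject = parse_subject(client_subject_dn)
    return any(entry_matches(subject, entry) for entry in authorized_subjects)


# Constructed sample allow-list: the name alone is not enough, the
# organization must match too. A certificate issued by the same CA to a
# different organization with the same CN is therefore rejected.
AUTHORIZED = [
    {"CN": "billing-app", "O": "Example Corp"},
    {"CN": "reporting-app", "O": "Example Corp", "OU": "Finance"},
]

if __name__ == "__main__":
    for dn in ("CN=billing-app,O=Example Corp,C=US",
               "CN=billing-app,O=Contractor Ltd,C=US",
               "CN=reporting-app,O=Example Corp,OU=Marketing"):
        print(dn, "->", is_authorized(dn, AUTHORIZED))
```

The point of the second and third sample subjects is that a CN-only check (the older `authorized_names` behaviour) would have accepted both; requiring O and OU as well is what narrows access to the intended client.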
Default pub/sub ACL permissions
Redis is continuously enhancing its ACL (access control list) functionality and coverage. Redis version 6.2 extends ACLs to allow and disallow pub/sub channels.
Part of protecting pub/sub channels requires changing the default access from permissive to restrictive, which blocks all pub/sub channels unless an ACL rule specifically permits them. To allow this transition across all databases in the cluster, Redis Enterprise Software 6.4.2 provides a new configuration option, acl-pubsub-default, that sets the cluster-wide default for all channels to either permitted or restricted.
The installation-provided value of acl-pubsub-default in 6.4.2 is permissive (allchannels) to remain compatible with earlier Redis versions. After you upgrade all databases in the cluster to Redis DB version 6.2 (or later, in future versions), you can use rladmin or the REST API to change the value to restrictive (resetchannels).
To allow certain users to access specific pub/sub channels, define the appropriate ACL. Redis Enterprise Software 6.4.2 enhances the admin console (UI), CLI, and REST API to support pub/sub channel ACL definitions.
If you use ACLs and pub/sub channels, review your databases and ACL settings and plan to move your cluster to restricted mode. This prepares you for future Redis Enterprise Software releases that use restrictive resetchannels as the new default for acl-pubsub-default.
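To see what flipping the default actually changes for existing users, here is an added example (not Redis Enterprise or open source Redis code) that models how the cluster default combines with per-user channel rules and lists the users who would lose access when the default moves from allchannels to resetchannels. It assumes the cluster default seeds each user's channel permissions (allchannels as the pattern `*`, resetchannels as no patterns) and that the user's own `allchannels`, `resetchannels` and `&<pattern>` tokens are then applied in order, as they are in ACL SETUSER; glob matching uses `fnmatchcase` as an approximation of the Redis matcher. The sample ACLs are constructed, and the rladmin syntax in the closing comment is quoted from memory and should be confirmed against the rladmin reference.

```python
"""Added example, not Redis Enterprise or open source Redis code: a model of
how acl-pubsub-default combines with per-user channel rules, used to audit
which users silently depend on the permissive default.

Assumptions: the cluster default seeds each user's channel patterns, the
user's own ACL tokens are applied on top in order, and fnmatchcase stands in
for the Redis glob matcher.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

PERMISSIVE = "allchannels"     # installation default in 6.4.2
RESTRICTIVE = "resetchannels"  # recommended target


def channel_patterns(user_rules: str, cluster_default: str) -> List[str]:
    """Effective channel patterns for one user under a given cluster default."""
    if cluster_default not in (PERMISSIVE, RESTRICTIVE):
        raise ValueError(f"unknown acl-pubsub-default value: {cluster_default}")
    patterns = ["*"] if cluster_default == PERMISSIVE else []
    for token in user_rules.split():
        if token == "allchannels":
            patterns = ["*"]
        elif token == "resetchannels":
            patterns = []
        elif token.startswith("&"):
            patterns.append(token[1:])
        # command (+...), key (~...) and password (>...) tokens do not touch channels
    return patterns


def can_use_channel(user_rules: str, cluster_default: str, channel: str) -> bool:
    """Would this user be allowed to PUBLISH/SUBSCRIBE on `channel`?"""
    return any(fnmatchcase(channel, p) for p in channel_patterns(user_rules, cluster_default))


def audit_users(users: Dict[str, str], cluster_default: str, channel: str) -> Dict[str, bool]:
    """Map each user (name -> ACL rule string) to whether `channel` is reachable."""
    return {name: can_use_channel(rules, cluster_default, channel) for name, rules in users.items()}


def users_relying_on_default(users: Dict[str, str], channel: str) -> List[str]:
    """Users who can reach `channel` only because the cluster default is
    permissive. These are the ACLs to fix (add an explicit &pattern) before
    the cluster is switched to resetchannels."""
    before = audit_users(users, PERMISSIVE, channel)
    after = audit_users(users, RESTRICTIVE, channel)
    return [name for name in users if before[name] and not after[name]]


# Constructed sample ACLs (rule strings in ACL SETUSER syntax).
USERS = {
    "legacy-app": "on >secret +@all ~*",                 # no channel rule at all
    "notifier":   "on >secret +publish &alerts:*",       # explicit, narrow grant
    "locked":     "on >secret +@all ~* resetchannels",   # explicitly no channels
}

if __name__ == "__main__":
    print("needs an explicit channel rule:", users_relying_on_default(USERS, "alerts:disk"))
    # Once every ACL carries an explicit channel rule, change the cluster default,
    # e.g. (assumed syntax): rladmin tune cluster acl_pubsub_default resetchannels
```

The user `legacy-app` is the case the release notes warn about: it has a full command and key grant but no channel rule, so it publishes anywhere today and nowhere once the default is restrictive. Auditing for that shape of ACL before changing acl-pubsub-default avoids surprising outages.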
Redis modules
Redis Enterprise Software v6.4.2 includes the following Redis modules:
See Upgrade modules to learn how to upgrade a module for a database.
Installations, upgrades, and troubleshooting
- Added the ability for install.sh to run even if "upgrade mode" is already enabled, to allow reruns in case of a previous run failure (RS77319)
- Added log messages to the redis_mgr process (RS77891), the job_scheduler process (RS82673), and the install.sh script (RS82673)
- Improved rladmin error messages for certificate validation (RS79933)
- Added internode encryption ports to command-line utility rlcheck validation (RS68965)
- Added an alert to notify when a node operation (such as maintenance mode) failed, aborted, or was canceled. The alert is enabled by default (RS76089)
Version changes
Breaking changes
- REST API: the authorized_names field of the BDB object is deprecated. Use the new authorized_subjects field instead.
New default Redis DB version
Both Redis Enterprise Software versions 6.2.x and 6.4.x package two Redis DB versions: Redis DB 6.0 and Redis DB 6.2. Until now, the default Redis DB version for creating new databases and upgrading existing databases was 6.0 (enforced by the redis_upgrade_policy parameter).
To allow customers more flexibility in future upgrades, starting with Redis Enterprise Software 6.4.2, the default Redis DB version for new and upgraded databases is 6.2 for all upgrade policies (redis_upgrade_policy=major and redis_upgrade_policy=latest).

Redis Enterprise | Bundled Redis DB versions | Default DB version (upgraded/new databases) |
---|---|---|
6.2.x | 6.0, 6.2 | 6.0 |
6.4.2 | 6.0, 6.2 | 6.2 |

You can override the default version with rladmin; however, we recommend that you don't change this setting.
Deprecations
Ubuntu 16.04
Ubuntu 16 support is considered deprecated and will be removed in a future release. Ubuntu 16.04 LTS (Xenial) has reached the end of its free initial five-year security maintenance period as of April 30, 2021.
Active-Active database persistence
The snapshot option for Active-Active database persistence is deprecated. We advise customers running Active-Active databases, configured with snapshot data persistence, to reconfigure their data persistence mode to use the AOF (Append Only File) option with the following command:

```sh
crdb-cli crdb update --crdb-guid <CRDB_GUID> \
  --default-db-config '{"data_persistence": "aof", "aof_policy":"appendfsync-every-sec"}'
```
TLS 1.0 and TLS 1.1
TLS 1.0 and TLS 1.1 connections are considered deprecated in favor of TLS 1.2 or later. Please verify that all clients, apps, and connections support TLS 1.2. Support for the earlier protocols will be removed in a future release. Certain operating systems, such as RHEL 8, have already removed support for the earlier protocols. Redis Enterprise Software cannot support connection protocols that are not supported by the underlying operating system.
3DES encryption cipher
The 3DES encryption cipher is considered deprecated in favor of stronger ciphers like AES. Please verify that all clients, apps, and connections support the AES cipher. Support for 3DES will be removed in a future release. Certain operating systems, such as RHEL 8, have already removed support for 3DES. Redis Enterprise Software cannot support cipher suites that are not supported by the underlying operating system.
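The two deprecations above both ask the same thing of operators: confirm that clients no longer need TLS 1.0/1.1 or 3DES before the server side stops offering them. The following added example (not Redis Enterprise code) shows a client-side TLS configuration that already refuses both, a check on which cipher suites such a context still offers, and a probe that reports whether a given endpoint still accepts a specific protocol version. Host, port and CA bundle are placeholders supplied by the caller; the probe is commented out in the main block because it needs a live endpoint.

```python
"""Added example, not Redis Enterprise code: a client TLS context with the
deprecated options removed, plus a protocol-version probe for endpoints.

Assumptions: host, port and the CA bundle path are placeholders; the probe
deliberately disables certificate verification because it tests protocol
support, not identity, and must not be reused for real traffic.
"""
import socket
import ssl
from typing import Dict, List, Optional


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verifying client context: TLS 1.2 as the floor, 3DES and single DES
    removed from the offered cipher list. cafile is the CA bundle used to
    verify the server certificate; None means the platform default store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: '!' permanently removes the listed suites.
    ctx.set_ciphers("DEFAULT:!3DES:!DES:!aNULL")
    return ctx


def min_tls_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


def des_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Cipher suites still offered by `ctx` that use 3DES or DES (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers() if "DES" in c["name"]]


def server_accepts(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Attempt a handshake pinned to exactly `version`. Returns False if the
    server refuses it, the connection fails, or the local OpenSSL build cannot
    offer that version at all (a Redis Enterprise node on such an OS cannot
    serve it either, as the deprecation notes point out)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probing protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ValueError, ssl.SSLError, OSError):
        return False


def probe_deprecated(host: str, port: int, timeout: float = 5.0) -> Dict[str, bool]:
    """Report whether the endpoint still accepts each deprecated protocol version."""
    return {
        v.name: server_accepts(host, port, v, timeout)
        for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    }


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("minimum version:", min_tls_version_name(ctx))
    print("DES-family ciphers still offered:", des_ciphers(ctx))
    # Against a real database endpoint (placeholders), expect both to be False
    # once the deprecated protocols are gone:
    # print(probe_deprecated("db.example.internal", 12000))
```

A client built on `hardened_client_context` fails the handshake against an endpoint that only speaks TLS 1.0/1.1 or only offers 3DES, which is the failure mode to surface now, in testing, rather than after a future release removes the protocols server-side.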
Resolved issues
- RS72866 - Improved performance for client connections which use TLS
- RS78241 - Fixed shard placement to always respect rack-zone restrictions and avoid a state where a primary (master) and replica are on the same rack, even if temporarily
- RS78144 - Removed the dependency on system-wide ldconfig so non-interactive processes will use their own dynamic libraries without impacting external services
- RS78028 - Fixed race condition during rolling upgrade that might result in shards repeatedly restarting
- RS77964 - Fixed module deletion to remove the old directory with the module
- RS75259 - Fixed node to prevent using plain text communication instead of TLS after losing connectivity
- RS69616 - Fixed validation for internode communication ports
- RS83535 - Fixed sentinel_service to start on RHEL 8 with DISA STIG profile
- RS87191 - Fixed a cross slot error when using Auto Tiering with Replica Of, in case a key on the source database swapped from RAM to flash and expired while it was also part of Lua script execution
Known limitations
Feature limitations
- RS101204 - High memory consumption caused by the persistence_mgr service when AOF persistence is configured to fsync every second. Monitor RAM usage of the process. In case of high usage, the temporary workaround is to restart the service by running supervisorctl restart persistence_mgr. A permanent fix is to install or upgrade to the 6.4.2 June maintenance release.
Upgrade limitations
Before you upgrade a cluster that hosts Active-Active databases with modules to v6.4.2-30, perform the following steps:
- Use crdb-cli to verify that the modules (modules) and their versions (in module_list) are as they appear in the database configuration and in the default database configuration:

  ```sh
  crdb-cli crdb get --crdb-guid <crdb-guid>
  ```

- From the admin console's redis modules tab, validate that these modules with their specific versions are loaded to the cluster.
- If one or more of the modules/versions are missing or if you need help, contact Redis support before taking additional steps.
This limitation has been fixed and resolved as of v6.4.2-43.
Operating system limitations
RHEL 7 and RHEL 8
If you have a custom installation with a non-default $installdir
and use Active-Active or Auto Tiering features, failures might occur when you upgrade. This issue will be fixed in a future maintenance release.
RHEL 8
Due to module binary differences between RHEL 7 and RHEL 8, you cannot upgrade RHEL 7 clusters to RHEL 8 when they host databases using modules. Instead, you need to create a new cluster on RHEL 8 and then migrate existing data from your RHEL 7 cluster. This does not apply to clusters that do not use modules.
Security
Open source Redis security fixes compatibility
As part of Redis's commitment to security, Redis Enterprise Software implements the latest security fixes available with open source Redis. The following open source Redis CVEs do not affect Redis Enterprise:
- CVE-2021-32625 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because Redis Enterprise does not implement LCS. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.4, Redis 6.0.14)
- CVE-2021-32672 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the Lua debugger is unsupported in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
- CVE-2021-32675 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proxy in Redis Enterprise does not forward unauthenticated requests. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
- CVE-2021-32762 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the memory allocator used in Redis Enterprise is not vulnerable. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
- CVE-2021-41099 — Redis Enterprise is not impacted by the CVE that was found and fixed in open source Redis because the proto-max-bulk-len CONFIG is blocked in Redis Enterprise. Additional information about the open source Redis fix is on the Redis GitHub page (Redis 6.2.6, Redis 6.0.16)
Redis Enterprise has already included the fixes for the relevant CVEs. Some CVEs announced for open source Redis do not affect Redis Enterprise due to different and additional functionality available in Redis Enterprise that is not available in open source Redis.