Tanzu GemFire for Redis Apps security includes support for TLS, including mutual TLS, and Authentication and Authorization. The implementation and support varies depending on the Tanzu GemFire deployment that you use.

TLS

To enable TLS on a cluster, follow the documentation for the corresponding deployment type:

Additionally, you must use a Redis client that supports TLS.

Authentication and Authorization

Tanzu GemFire for Redis Apps uses Tanzu GemFire’s Security Manager to enforce authentication. You must configure this Security Manager based on the Tanzu GemFire deployment that you use. For more information about the GemFire Security Manager, see Enable Security with Property Definitions in the VMware Tanzu GemFire Documentation.

GemFire’s Security Manager authenticates the AUTH <password> command and the AUTH <username> <password> command. When users send the AUTH <password> command without a username, the system uses the default username default. This behavior is similar to the behavior in Open Source Redis.

You can set a custom default username using the gemfire-for-redis-username parameter when starting the server as described in Default Region Configuration and Settings in Configuring Tanzu GemFire for Redis Apps. This custom default username will be used when the AUTH <password> command is sent without a <username>.

Tanzu GemFire

To enable security, you must create a Security Manager. A Security Manager allows you to create custom implementations that can integrate with your existing security systems, such as OAuth and LDAP. Once created, you must configure the Security Manager on the locator and all servers or all AUTH requests will fail.

In addition to authentication, each command is authorized according to VMware Tanzu GemFire’s security model. For more information about this, see Implementing Authentication in the VMware Tanzu GemFire documentation in the VMware Tanzu GemFire documentation.

Commands are divided into READ operations and WRITE operations. READ operations require DATA:READ resource permissions and WRITE operations require DATA:WRITE resource permissions. See the list below for more information about which commands fall into each category.

To restrict users to interacting with only the VMware Tanzu GemFire for Redis region, set the resource permissions to DATA:READ:GEMFIRE_FOR_REDIS and DATA:WRITE:GEMFIRE_FOR_REDIS. This specificity restricts users to only being able to READ and WRITE data to the GEMFIRE_FOR_REDIS region.

Redis Command Categorization for Authorization

DATA:READ

  • CLIENT GETNAME, CLIENT SETNAME, CLUSTER INFO, CLUSTER KEYSLOT, CLUSTER NODES, CLUSTER SLOTS, COMMAND,ECHO, EXISTS, GET, GETRANGE, HEXISTS, HGET, HGETALL, HKEYS, HLEN, HMGET, HSCAN, HSTRLEN, HVALS, INFO, KEYS, LINDEX, LLEN, LOLWUT, LRANGE, MGET, PING, PSUBSCRIBE, PTTL, PUBSUB CHANNELS, PUBSUB NUMPAT, PUBSUB NUMSUB, QUIT, SCARD, SDIFF, SINTER, SISMEMBER, SLOWLOG GET, SLOWLOG LEN, SLOWLOG RESET, SMEMBERS, SRANDMEMBER, SSCAN, STRLEN, SUBSCRIBE, SUNION, TTL, TYPE, UNSUBSCRIBE, ZCARD, ZCOUNT, ZLEXCOUNT, ZRANGE, ZRANGEBYLEX, ZRANGEBYSCORE, ZRANK, ZREVRANGE, ZREVRANGEBYLEX, ZREVRANGEBYSCORE, ZREVRANK, ZSCAN, ZSCORE

DATA:WRITE

  • APPEND, BLPOP, BRPOP, BRPOPLPUSH, BZPOPMAX, BZPOPMIN, DECR, DECRBY, DEL, EXPIRE, EXPIREAT, GETSET, HDEL, HINCRBY, HINCRBYFLOAT, HMSET, HSET, HSETNX, INCR, INCRBY, INCRBYFLOAT, LINSERT, LMOVE, LPOP, LPUSH, LPUSHX, LREM, LSET, LTRIM, MSET, MSETNX, PERSIST, PEXPIRE, PEXPIREAT, PSETEX, PUBLISH, PUNSUBSCRIBE, RENAME, RENAMENX, RPOP, RPOPLPUSH, RPUSH, RPUSHX, SADD, SDIFFSTORE, SET, SETEX, SETNX, SETRANGE, SINTERSTORE, SMOVE, SPOP, SREM, SUNIONSTORE, UNLINK, ZADD, ZINCRBY, ZINTERSTORE, ZPOPMAX, ZPOPMIN, ZREM, ZREMRANGEBYLEX, ZREMRANGEBYRANK, ZREMRANGEBYSCORE, ZUNIONSTORE
check-circle-line exclamation-circle-line close-line
Scroll to top icon