
ACL rules and categories in Redis - Step-by-Step Execution

Concept Flow - ACL rules and categories
Start: User connects
-> Check ACL Categories
-> Match Command Category?
   No -> Deny Command
   Yes -> Check Specific ACL Rules
-> Allow or Deny Command
-> Execute Command or Return Error
When a user sends a command, Redis checks if the command's category is allowed by ACL categories, then checks specific ACL rules to allow or deny execution.
Execution Sample
Redis
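ACL SETUSER alice on >password ~* +@all -@dangerous
AUTH alice password
SET key value
Defines user 'alice' with all commands allowed except dangerous ones, then runs a SET command to see whether it is allowed. Redis applies ACL rules from left to right, so -@dangerous must come after +@all to take effect.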
Execution Table
| Step | Action | Input/Condition | Result | Notes |
|---|---|---|---|---|
| 1 | User 'alice' connects | User 'alice' | User profile loaded | ACL rules for 'alice' active |
| 2 | Check command category | Command: SET (category: @write) | Category @write allowed? | Yes, +@all includes @write |
| 3 | Check specific ACL rules | Is @dangerous category allowed? | No, -@dangerous denies it | SET is not in @dangerous, so allowed |
| 4 | Allow or deny command | All checks passed | Command allowed | SET command executed |
| 5 | Execute command | SET key value | Key set in database | Command success response sent |
💡 Command allowed because user 'alice' has +@all and -@dangerous, and SET is not dangerous
Variable Tracker
| Variable | Start | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|
| User ACL Categories | none | +@all | +@all and -@dangerous | +@all and -@dangerous | +@all and -@dangerous |
| Command Category | none | @write | @write | @write | @write |
| Command Allowed? | unknown | true (category allowed) | true (not denied by specific rules) | true | true |
Key Moments - 3 Insights
Why does the command get allowed even though -@dangerous is set?
Because the SET command belongs to the @write category, not @dangerous. The user has +@all which includes @write, so the command is allowed (see Execution Table rows 2 and 3).
What happens if a command belongs to a denied category?
If the command's category matches a denied ACL category (like -@dangerous), the command is denied immediately (see Execution Table row 3).
How do ACL categories simplify permission management?
ACL categories group commands by type, so you can allow or deny many commands at once instead of listing each command individually (see Concept Flow and Variable Tracker).
Visual Quiz - 3 Questions
Test your understanding
Look at the Execution Table. What is the command category checked at step 2?
A. @write
B. @dangerous
C. @read
D. @admin
💡 Hint
Check the 'Command Category' column in Execution Table row 2
At which step does the system decide if the command is allowed or denied?
A. Step 2
B. Step 4
C. Step 3
D. Step 5
💡 Hint
Look at the 'Allow or deny command' action in the Execution Table
If the user had -@write instead of +@all, what would happen to the SET command?
A. Command allowed
B. Command category changes
C. Command denied
D. User disconnected
💡 Hint
Refer to the Variable Tracker row 'User ACL Categories' and the Execution Table logic for category checks
Concept Snapshot
ACL rules control which commands a user can run.
Categories group commands (e.g., @write, @read).
Users get +@category to allow, -@category to deny.
Commands checked first by category, then specific rules.
If denied, command is rejected immediately.
Simplifies managing many commands at once.
Full Transcript
When a Redis user connects, the system loads their ACL rules including allowed and denied command categories. When the user sends a command, Redis checks the command's category against the user's allowed categories. If the category is allowed, Redis then checks if any specific deny rules apply. If no denies match, the command is allowed and executed. For example, a user with +@all and -@dangerous can run all commands except those in the dangerous category. The SET command belongs to @write, which is allowed, so it runs successfully. This process helps manage permissions efficiently by grouping commands into categories.
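Redis applies the command rules in an ACL SETUSER line from left to right, so the position of -@dangerous relative to +@all decides whether dangerous commands stay blocked. The sketch below is an added example, not Redis's own code or part of the original page: a simplified model using a constructed four-command category table, with COMMAND_CATEGORIES, commands_in, allowed_commands and can_run as hypothetical names.

```python
# Simplified model of how ACL SETUSER command rules are folded, left to right,
# into a per-user set of permitted commands. Illustration only, not Redis source.

# Constructed subset of commands and their ACL categories (assumption: a real
# server exposes the full mapping; only these four are modelled here).
COMMAND_CATEGORIES = {
    "set": {"write", "string", "slow"},
    "get": {"read", "string", "fast"},
    "flushall": {"keyspace", "write", "slow", "dangerous"},
    "keys": {"keyspace", "read", "slow", "dangerous"},
}


def commands_in(category):
    """Return the commands belonging to a category; 'all' matches everything."""
    if category == "all":
        return set(COMMAND_CATEGORIES)
    return {c for c, cats in COMMAND_CATEGORIES.items() if category in cats}


def allowed_commands(rules):
    """Apply +@cat, -@cat, +cmd and -cmd rules in order; later rules win."""
    allowed = set()  # a new user starts with no command permissions
    for rule in rules.split():
        sign, target = rule[0], rule[1:].lower()
        if sign not in "+-":
            continue  # skip non-command rules such as on, >password, ~*
        selected = commands_in(target[1:]) if target.startswith("@") else {target}
        allowed = allowed | selected if sign == "+" else allowed - selected
    return allowed


def can_run(rules, command):
    """True if the command survives the rule list in this model."""
    return command.lower() in allowed_commands(rules)


if __name__ == "__main__":
    for rules in ("on >password ~* +@all -@dangerous",
                  "on >password ~* -@dangerous +@all"):
        print(rules, "->", sorted(allowed_commands(rules)))
```

On a live server, ACL GETUSER alice shows the rule list as stored, which is the quickest way to audit for a deny rule that a later +@all has overridden.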