Document Pub/Sub ACL risk on Sentinel-monitored nodes#3607
Open
moticless wants to merge 3 commits into
Open
Conversation
Warn against granting broad Pub/Sub channel access (allchannels / &*) on Sentinel-monitored Redis nodes. Any client able to publish to the reserved __sentinel__:hello channel can inject forged, unauthenticated topology messages and trigger spurious failovers or a denial of service. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
|
Correct the guidance: the Sentinel auth-user does not need allchannels. Sentinel only ever SUBSCRIBEs to and PUBLISHes on the exact __sentinel__:hello channel on monitored nodes, so resetchannels &__sentinel__:hello is sufficient. Validated against the Redis sentinel TCL test suite (fresh sentinel + replica auto-discovery and a manual failover all succeed with the auth-user restricted to that one channel; a negative control confirms discovery breaks when the channel is denied). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dwdougherty
approved these changes
Jul 9, 2026
Collaborator
There was a problem hiding this comment.
Thank you, @moticless! Just one punctuation nit, which I've already committed. Otherwise, LGTM.
Please sign our CLA. I can't merge this PR until you do so.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Adds a security note to the Sentinel management page warning against granting broad Pub/Sub channel access (
allchannels/&*) on Sentinel-monitored Redis nodes.Sentinel discovery relies on the reserved
__sentinel__:helloPub/Sub channel on each monitored master/replica. Those messages carry no authentication and are trusted wholesale by receiving Sentinels, so any client able to publish to that channel on a monitored node can inject forged topology information and trigger spurious failovers or a denial of service.The note advises:
allchannels/&*for any user other than the Sentinelauth-user(with a reminder about the Redis 7.0resetchannelsdefault and the legacydefaultuser).__sentinel__:channel prefix as reserved.🤖 Generated with Claude Code
Note
Low Risk
Documentation-only change with no runtime or configuration behavior changes.
Overview
Updates the Sentinel ACL example for monitored Redis nodes to grant Pub/Sub on
__sentinel__:helloonly (resetchannels &__sentinel__:hello) instead ofallchannels, with a short note explaining that Sentinel only needs that channel.Adds a warning that discovery traffic on
__sentinel__:hellois unauthenticated and trusted, so publishers on monitored masters/replicas can forge topology and cause spurious failovers or DoS. It advises againstallchannels/&*for any user, limiting the Sentinelauth-userto&__sentinel__:hello, noting Redis 7.0’sacl-pubsub-defaultofresetchannels, and treating the__sentinel__:prefix as reserved.Reviewed by Cursor Bugbot for commit 42d065d. Bugbot is set up for automated code reviews on this repo. Configure here.