Skip to content

Document Pub/Sub ACL risk on Sentinel-monitored nodes#3607

Open
moticless wants to merge 3 commits into
redis:mainfrom
moticless:docs-sentinel-pubsub-acl-note
Open

Document Pub/Sub ACL risk on Sentinel-monitored nodes#3607
moticless wants to merge 3 commits into
redis:mainfrom
moticless:docs-sentinel-pubsub-acl-note

Conversation

@moticless

@moticless moticless commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Description

Adds a security note to the Sentinel management page warning against granting broad Pub/Sub channel access (allchannels / &*) on Sentinel-monitored Redis nodes.

Sentinel discovery relies on the reserved __sentinel__:hello Pub/Sub channel on each monitored master/replica. Those messages carry no authentication and are trusted wholesale by receiving Sentinels, so any client able to publish to that channel on a monitored node can inject forged topology information and trigger spurious failovers or a denial of service.

The note advises:

  • Avoiding allchannels / &* for any user other than the Sentinel auth-user (with a reminder about the Redis 7.0 resetchannels default and the legacy default user).
  • Treating the __sentinel__: channel prefix as reserved.

🤖 Generated with Claude Code


Note

Low Risk
Documentation-only change with no runtime or configuration behavior changes.

Overview
Updates the Sentinel ACL example for monitored Redis nodes to grant Pub/Sub on __sentinel__:hello only (resetchannels &__sentinel__:hello) instead of allchannels, with a short note explaining that Sentinel only needs that channel.

Adds a warning that discovery traffic on __sentinel__:hello is unauthenticated and trusted, so publishers on monitored masters/replicas can forge topology and cause spurious failovers or DoS. It advises against allchannels / &* for any user, limiting the Sentinel auth-user to &__sentinel__:hello, noting Redis 7.0’s acl-pubsub-default of resetchannels, and treating the __sentinel__: prefix as reserved.

Reviewed by Cursor Bugbot for commit 42d065d. Bugbot is set up for automated code reviews on this repo. Configure here.

Warn against granting broad Pub/Sub channel access (allchannels / &*) on
Sentinel-monitored Redis nodes. Any client able to publish to the reserved
__sentinel__:hello channel can inject forged, unauthenticated topology
messages and trigger spurious failovers or a denial of service.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@CLAassistant

CLAassistant commented Jul 9, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ dwdougherty
❌ moticless
You have signed the CLA already but the status is still pending? Let us recheck it.

Correct the guidance: the Sentinel auth-user does not need allchannels.
Sentinel only ever SUBSCRIBEs to and PUBLISHes on the exact
__sentinel__:hello channel on monitored nodes, so resetchannels
&__sentinel__:hello is sufficient. Validated against the Redis sentinel
TCL test suite (fresh sentinel + replica auto-discovery and a manual
failover all succeed with the auth-user restricted to that one channel;
a negative control confirms discovery breaks when the channel is denied).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@moticless moticless marked this pull request as ready for review July 9, 2026 10:06

@dwdougherty dwdougherty left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you, @moticless! Just one punctuation nit, which I've already committed. Otherwise, LGTM.

Please sign our CLA. I can't merge this PR until you do so.

Comment thread content/operate/oss_and_stack/management/sentinel.md Outdated
@dwdougherty dwdougherty self-assigned this Jul 9, 2026
@dwdougherty dwdougherty added op Operate docs oss Redis Open Source labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

op Operate docs oss Redis Open Source

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants