diff --git a/content/operate/oss_and_stack/management/sentinel.md b/content/operate/oss_and_stack/management/sentinel.md index 4be6502df0..cf58e6d705 100644 --- a/content/operate/oss_and_stack/management/sentinel.md +++ b/content/operate/oss_and_stack/management/sentinel.md @@ -817,7 +817,30 @@ following directives: Where `` and `` are the username and password for accessing the group's instances. These credentials should be provisioned on all of the group's Redis instances with the minimal control permissions. For example: - 127.0.0.1:6379> ACL SETUSER sentinel-user ON >somepassword allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill + 127.0.0.1:6379> ACL SETUSER sentinel-user ON >somepassword resetchannels &__sentinel__:hello +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill + +The only Pub/Sub channel that Sentinel uses on a monitored node is `__sentinel__:hello`, so +this user is granted access to that channel only (`resetchannels &__sentinel__:hello`) rather +than to all channels (`allchannels`, equivalently `&*`). + +{{< warning >}} +Sentinel discovery relies on the reserved `__sentinel__:hello` Pub/Sub channel on each +monitored master and replica. Sentinels periodically publish their presence there and +subscribe to it to discover other Sentinels and learn the current topology. These messages +carry no authentication and are trusted by receiving Sentinels, so any client that can +publish to this channel on a monitored node can inject forged topology information and +trigger spurious failovers or a denial of service. + +Because of this, do not grant broad Pub/Sub access on Sentinel-monitored Redis nodes: + +* No user needs access to all channels (`allchannels` / `&*`). The Sentinel `auth-user` + needs access only to the `__sentinel__:hello` channel (`&__sentinel__:hello`), and no + other user should be able to publish to or subscribe to it. Since Redis 7.0, the default + value of `acl-pubsub-default` is `resetchannels`, so newly created ACL users have no + channel access unless you grant it explicitly. Be especially careful with the legacy + `default` user, which may still have broad access. +* Treat the `__sentinel__:` channel prefix as reserved for Sentinel's internal use. +{{< /warning >}} ### Redis password-only authentication