Implement authentication for Redis/Sentinel (#14805)

* Implement ACL support for redis (and sentinel) Currently, sentinel only works with anonymous connections. Some parameters are passed when using sentinel, however these are dropped on the floor. This encapsulates them as py-redis expects, and passes them correctly. * Pass username * Differentiate duplicate error messages * Actually pass var * Docs and requirement bump * Lint * Consistency * More lint * Lint harder * Doc Updates
2024-10-07 16:52:45 +00:00 · 2023-04-14 13:11:44 +01:00
parent 3362e0ee7b
commit 55b167562e
5 changed files with 79 additions and 17 deletions
--- a/LibreNMS/service.py
+++ b/LibreNMS/service.py
@@ -91,9 +91,12 @@ class ServiceConfig(DBConfig):
    redis_host = "localhost"
    redis_port = 6379
    redis_db = 0
+    redis_user = None
    redis_pass = None
    redis_socket = None
    redis_sentinel = None
+    redis_sentinel_user = None
+    redis_sentinel_pass = None
    redis_sentinel_service = None
    redis_timeout = 60

@@ -178,6 +181,9 @@ class ServiceConfig(DBConfig):
        self.redis_db = os.getenv(
            "REDIS_DB", config.get("redis_db", ServiceConfig.redis_db)
        )
+        self.redis_user = os.getenv(
+            "REDIS_USERNAME", config.get("redis_user", ServiceConfig.redis_user)
+        )
        self.redis_pass = os.getenv(
            "REDIS_PASSWORD", config.get("redis_pass", ServiceConfig.redis_pass)
        )
@@ -190,6 +196,14 @@ class ServiceConfig(DBConfig):
        self.redis_sentinel = os.getenv(
            "REDIS_SENTINEL", config.get("redis_sentinel", ServiceConfig.redis_sentinel)
        )
+        self.redis_sentinel_user = os.getenv(
+            "REDIS_SENTINEL_USERNAME",
+            config.get("redis_sentinel_user", ServiceConfig.redis_sentinel_user),
+        )
+        self.redis_sentinel_pass = os.getenv(
+            "REDIS_SENTINEL_PASSWORD",
+            config.get("redis_sentinel_pass", ServiceConfig.redis_sentinel_pass),
+        )
        self.redis_sentinel_service = os.getenv(
            "REDIS_SENTINEL_SERVICE",
            config.get("redis_sentinel_service", ServiceConfig.redis_sentinel_service),
@@ -644,10 +658,17 @@ class Service:
        """
        try:
            return LibreNMS.RedisLock(
+                sentinel_kwargs={
+                    "username": self.config.redis_sentinel_user,
+                    "password": self.config.redis_sentinel_pass,
+                    "socket_timeout": self.config.redis_timeout,
+                    "unix_socket_path": self.config.redis_socket,
+                },
                namespace="librenms.lock",
                host=self.config.redis_host,
                port=self.config.redis_port,
                db=self.config.redis_db,
+                username=self.config.redis_user,
                password=self.config.redis_pass,
                unix_socket_path=self.config.redis_socket,
                sentinel=self.config.redis_sentinel,
@@ -668,7 +689,11 @@ class Service:
                logger.critical(
                    "ERROR: Redis connection required for distributed polling"
                )
-                logger.critical("Could not connect to Redis. {}".format(e))
+                logger.critical(
+                    "Lock manager could not connect to Redis. {}: {}".format(
+                        type(e).__name__, e
+                    )
+                )
                self.exit(2)

        return LibreNMS.ThreadingLock()