From 33b760d808bd3ea892387bc9b5270dffd610e477 Mon Sep 17 00:00:00 2001 From: Alvar Penning Date: Wed, 14 Jan 2026 11:39:15 +0100 Subject: [PATCH] doc/07-Operations.md: Redis ACL Inspired by an Icinga Community thread[^0], it was ensured that Icinga DB only uses Redis keys in the "icinga" and "icingadb" namespaces[^1]. This change and, more importantly, how to configure Redis ACLs to ensure only those namespaces can be accessed, are now documented. [^0]: https://community.icinga.com/t/redis-user-acl-for-icingadb/15309 [^1]: 3a6df542f74f02baa2cd42fbde4b611aa9955e21 --- doc/07-Operations.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/doc/07-Operations.md b/doc/07-Operations.md index a77ac084..f55a8a64 100644 --- a/doc/07-Operations.md +++ b/doc/07-Operations.md 
@@ -125,3 +125,27 @@ save 3600 1 900 100000 can be used. In this example, a dump is performed every hour (3600s) if at least on changes occurred in that time frame and every fifteen minutes (900s) if at least 100,000 changes occurred. + +#### Redis® Access Control List + +When using a shared Redis® server between Icinga DB and other applications, configuring the +[Redis® Access Control List (ACL)](https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/) +should be considered. +Creating dedicated Redis® users and ACL entries ensure that each application can only access its data. + +Icinga DB only needs to access Redis® keys in the `icinga` and `icingadb` namespaces. + +Using the [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command, +a new `icingadb` user only permitted to access its keys can be created. +Please change the password behind `>` in the following example. + +``` +> ACL SETUSER icingadb on >PASSWORD_CHANGE_ME ~icinga:* ~icingadb:* +@all + OK +``` + +Afterward, Icinga DB needs to connect using this username and password. +This requires a change to +[Icinga 2's `IcingaDB` object](https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#icingadb), +[Icinga DB's Redis® configuration](03-Configuration.md#redis-configuration) and +[Icinga DB Web's Redis® configuration](https://icinga.com/docs/icinga-db-web/latest/doc/03-Configuration/#redis-configuration).
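Review bot: The `ACL SETUSER` example grants `+@all`, so the new `icingadb` user is restricted by key pattern only and can still run commands that take no key, including those in the `@admin` and `@dangerous` categories (for example `FLUSHALL`, `CONFIG SET`, or `ACL SETUSER` itself). That undercuts the added sentence that dedicated users and ACL entries ensure each application can only access its data. Consider narrowing the command set, for example `+@all -@admin -@dangerous` plus any individual commands Icinga DB turns out to need, and verify the final rule against a running setup before documenting it. The section should also state that a user created with `ACL SETUSER` exists only in memory until it is persisted with `ACL SAVE` (when an `aclfile` is configured) or `CONFIG REWRITE`; otherwise the user is gone after a Redis restart and Icinga DB can no longer authenticate. Minor: "Creating dedicated Redis® users and ACL entries ensure" should read "ensures".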