Credentials & Security

Configure Redis credentials to allow Radar Agent to collect monitoring data. The agent requires read-only access to Redis instances and supports various authentication methods.

Redis Standalone Authentication

For standalone Redis instances, you can configure authentication in several ways:

Method 1: URL-based Authentication

Include credentials directly in the Redis URL:

deployments:
  - id: "redis-prod"
    name: "Production Redis"
    deployment_type: "standalone"
    redis_url: "redis://username:password@localhost:6379"

Method 2: Separate Credentials

Use the credentials section for better security:

deployments:
  - id: "redis-prod"
    name: "Production Redis"  
    deployment_type: "standalone"
    redis_url: "redis://localhost:6379"
    credentials:
      username: "radar-agent"
      password: "${REDIS_PASSWORD}"

Method 3: Environment Variables in URL

Combine URL format with environment variable expansion:

deployments:
  - id: "redis-prod"
    name: "Production Redis"
    deployment_type: "standalone" 
    redis_url: "redis://${REDIS_USER}:${REDIS_PASSWORD}@${REDIS_HOST}:6379"

Redis ACL Setup

Creating a Monitoring User

For Redis instances with ACL support (Redis 6+), create a dedicated monitoring user:

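# Connect to Redis
redis-cli

# Create user with read-only permissions.
# Enter the command on a single line at the redis-cli prompt and replace
# ${SECURE_PASSWORD} with the actual password: redis-cli does not expand
# shell variables.
ACL SETUSER radar-agent on >${SECURE_PASSWORD} +info +ping +config|get +client|list +memory|usage +latency +@read ~* &*

# Verify the user
ACL LIST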

Required Permissions

The radar-agent user needs these Redis permissions:

Command Category   Commands         Purpose
Server Info        +info, +ping     Basic server information and health
Configuration      +config|get      Redis configuration settings
Client Info        +client|list     Active connection information
Memory             +memory|usage    Memory usage statistics
Performance        +latency         Latency monitoring data
Data Access        +@read, ~*       Read access to all keys for sampling
Pub/Sub            &*               Access to all pub/sub channels

Minimal ACL Rule

For the most restrictive setup:

# Enter on a single line at the redis-cli prompt; replace ${PASSWORD} with the actual password.
ACL SETUSER radar-agent on >${PASSWORD} +info +ping +config|get +client|list +memory|usage +latency +@read ~* &*

TLS/SSL Configuration

For secure connections, use rediss:// URLs:

deployments:
  - id: "redis-tls"
    name: "Redis with TLS"
    deployment_type: "standalone"
    redis_url: "rediss://username:password@localhost:6380"

Environment Variables

Store sensitive information in environment variables:

# Set environment variables
export REDIS_PASSWORD="your-secure-password"
export REDIS_HOST="redis.example.com"
export REDIS_PORT="6379"

Reference them in configuration:

deployments:
  - id: "redis-prod"
    name: "Production Redis"
    deployment_type: "standalone"
    redis_url: "redis://radar-agent:${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}"
    
  - id: "redis-replica"
    name: "Redis Replica"
    deployment_type: "standalone" 
    redis_url: "redis://${REDIS_HOST_REPLICA}:6379"
    credentials:
      username: "radar-agent"
      password: "${REDIS_REPLICA_PASSWORD}"

Testing Credentials

Validate your credentials using the validation command:

# Test all deployments
radar-agent validate

# Test specific deployment
radar-agent validate --deployment-id redis-prod

# Test with connection attempts
radar-agent validate --test-connections

Security Best Practices

  1. Use dedicated monitoring users - Don't use admin credentials
  2. Apply least privilege - Only grant necessary permissions
  3. Use environment variables - Don't hardcode credentials in config files
  4. Enable TLS - Use rediss:// URLs for encrypted connections
  5. Rotate credentials - Regularly update passwords and API keys
  6. Monitor access - Review Redis logs for authentication events
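
A check that automates items 3 and 4 of the list above, as an added example (not part of Radar Agent): it scans a config file for passwords written literally in redis_url, password or basic_auth values and for plaintext redis:// URLs. The function names, finding labels and sample config are assumptions made for this illustration.

```python
import re

# A whole-value ${VAR} reference, the expansion syntax used in the configs above.
ENV_REF = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")
# One `key: value` pair per line; enough for the flat deployment entries shown here.
FIELD = re.compile(r'^\s*(?:-\s+)?(\w+):\s*(?:"([^"]*)"|(\S*))')
# Scheme plus optional user and password of a redis:// or rediss:// URL.
URL = re.compile(r"^(rediss?)://(?:([^:@/]*)(?::([^@/]*))?@)?")


def is_literal(secret):
    """True when a secret is written out instead of referenced as ${VAR}."""
    return bool(secret) and not ENV_REF.fullmatch(secret)


def lint_config(text):
    """Return (line_number, finding) tuples for a Radar Agent config file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2) or m.group(3) or ""
        if key == "redis_url":
            url = URL.match(value)
            if url and url.group(1) == "redis":
                findings.append((lineno, "no-tls"))
            if url and is_literal(url.group(3)):
                findings.append((lineno, "hardcoded-password"))
        elif key == "password" and is_literal(value):
            findings.append((lineno, "hardcoded-password"))
        elif key == "basic_auth" and is_literal(value.partition(":")[2]):
            findings.append((lineno, "hardcoded-password"))
    return findings


# Constructed sample, modelled on the deployment entries on this page.
SAMPLE = """\
deployments:
  - id: "a"
    redis_url: "redis://username:password@localhost:6379"
  - id: "b"
    redis_url: "rediss://${REDIS_HOST}:6380"
    credentials:
      password: "hunter2"
"""

if __name__ == "__main__":
    print(lint_config(SAMPLE))
```

The scan is line-based, so it fits the one-key-per-line layout used on this page; a config that uses multi-line YAML values would need a real YAML parser.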

Redis Enterprise Authentication

Redis Enterprise deployments use REST API basic authentication:

deployments:
  - id: "ent-01"
    name: "production-enterprise"
    type: "enterprise"
    rest_api:
      host: "enterprise.example.com"
      port: 9443
      use_tls: true
      insecure: false  # Set true for self-signed certificates
    credentials:
      rest_api:
        basic_auth: "admin@cluster.local:${ENTERPRISE_PASSWORD}"

Key points:

  • Authentication uses username:password format in the basic_auth field
  • Typically uses admin-level credentials for cluster API access
  • Supports self-signed certificates with insecure: true
  • Uses port 9443 for REST API access

Future Authentication Support

Planned authentication methods for future deployment types:

Redis Cloud (Planned)

  • API key authentication
  • Cloud console integration

AWS ElastiCache (Planned)

  • IAM role-based authentication
  • AUTH token support