diff --git a/.fides/fides.toml b/.fides/fides.toml
index 794da4f5b5..bb21d7f107 100644
--- a/.fides/fides.toml
+++ b/.fides/fides.toml
@@ -22,7 +22,7 @@ analytics_opt_out = false
 [redis]
 host = "redis"
-password = "testpassword"
+password = "redispassword"
 port = 6379
 charset = "utf8"
 default_ttl_seconds = 604800
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2760f4fa7d..db6b606741 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,11 +17,17 @@ The types of changes are:
 ## [Unreleased](https://github.com/ethyca/fides/compare/2.7.0...main)
 ### Added
+ * Add API support for messaging config properties [#2551](https://github.com/ethyca/fides/pull/2551)
 ### Changed
 * Add warning to 'fides deploy' when installed outside of a virtual environment [#2641](https://github.com/ethyca/fides/pull/2641)
+* Removed unexpected default Redis password [#2666](https://github.com/ethyca/fides/pull/2666)
+
+### Fixed
+
+* Fix support for "redis.user" setting when authenticating to the Redis cache [#2666](https://github.com/ethyca/fides/pull/2666)
 ## [2.7.0](https://github.com/ethyca/fides/compare/2.6.6...2.7.0)
diff --git a/docker-compose.child-env.yml b/docker-compose.child-env.yml
index 926b4209bf..7488fbd508 100644
--- a/docker-compose.child-env.yml
+++ b/docker-compose.child-env.yml
@@ -66,9 +66,7 @@ services:
 redis-child:
 image: "redis:6.2.5-alpine"
- command: redis-server --requirepass testpassword
- environment:
- - REDIS_PASSWORD=testpassword
+ command: redis-server --requirepass redispassword
 expose:
 - 6379
 ports:
diff --git a/docker-compose.yml b/docker-compose.yml
index a891fcf613..7d3e052307 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -127,13 +127,23 @@ services:
 redis:
 image: "redis:6.2.5-alpine"
- command: redis-server --requirepass testpassword
- environment:
- - REDIS_PASSWORD=testpassword
+ # AUTH option #1: no authentication at all
+ # command: redis-server
+ # AUTH option #2: require password
+ command: redis-server --requirepass redispassword
+ # AUTH option #3: Redis ACL defined in redis.conf
+ # command: redis-server /usr/local/etc/redis/redis.conf
 expose:
 - 6379
 ports:
 - "0.0.0.0:6379:6379"
+ volumes:
+ # Mount a redis.conf file for configuration
+ # NOTE: Only used by "AUTH option #3" above!
+ - type: bind
+ source: ./docker/redis
+ target: /usr/local/etc/redis
+ read_only: False
 volumes:
 postgres: null
diff --git a/docker/docker-compose.minimal-config.yml b/docker/docker-compose.minimal-config.yml
index c86c4e064f..15e49ea9e6 100644
--- a/docker/docker-compose.minimal-config.yml
+++ b/docker/docker-compose.minimal-config.yml
@@ -22,6 +22,7 @@ services:
 FIDES__DATABASE__PASSWORD: "fides"
 FIDES__DATABASE__PORT: "5432"
 FIDES__DATABASE__DB: "fides"
+ FIDES__REDIS__PASSWORD: "redispassword"
 FIDES__USER__ANALYTICS_OPT_OUT: "True"
 FIDES__SECURITY__APP_ENCRYPTION_KEY: "OLMkv91j8DHiDAULnK5Lxx3kSCov30b3"
 FIDES__SECURITY__OAUTH_ROOT_CLIENT_ID: "fidesadmin"
@@ -52,9 +53,7 @@ services:
 redis:
 image: "redis:6.2.5-alpine"
- command: redis-server --requirepass testpassword
- environment:
- - REDIS_PASSWORD=testpassword
+ command: redis-server --requirepass redispassword
 expose:
 - 6379
 ports:
diff --git a/docker/redis/redis.conf b/docker/redis/redis.conf
new file mode 100644
index 0000000000..18dec3e0c6
--- /dev/null
+++ b/docker/redis/redis.conf
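Review bot: The new volume entry mounts ./docker/redis into the container with `read_only: False`, although the server only reads redis.conf from that path; a configuration mount should be read-only by default, i.e. `read_only: true`, so a misbehaving container cannot write back into the checkout. The mount is also active regardless of which AUTH option is selected, which the NOTE comment acknowledges but does not resolve; keeping the volume block commented out alongside the option #3 command would toggle both together. Finally, the existing `ports` entry binds 0.0.0.0:6379, so the new "AUTH option #1" comment would, if enabled, expose an unauthenticated Redis on every host interface; a short warning next to that option would make the trade-off visible to whoever uncomments it.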
@@ -0,0 +1,15 @@
+# Redis configuration file for local Fides development
+#
+# Note that this file is not loaded by default, and it is checked in here for
+# manual testing in the future. To use this redis.conf file, do the following:
+# 1) Check docker-compose.yml is mounting this to /usr/local/etc/redis
+# 2) Edit docker-compose.yml to swap in the `command` for "AUTH option #3",
+# which should look like this:
+# ```
+# command: redis-server /usr/local/etc/redis/redis.conf
+# ```
+# 3) Make any edits to this file and bring up redis with `nox -s dev` or similar
+
+# Enable an ACL that gives access to all keys and all commands, but requires
+# a login with user="redisadmin" and password="redispassword"
+user redisadmin on ~* +@all >redispassword
\ No newline at end of file
diff --git a/noxfiles/dev_nox.py b/noxfiles/dev_nox.py
index 8ed905ba06..044a9833fc 100644
--- a/noxfiles/dev_nox.py
+++ b/noxfiles/dev_nox.py
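Review bot: The ACL line defines `redisadmin` but leaves Redis's built-in `default` user untouched and sets no `requirepass`; on Redis 6 the `default` user starts as `on nopass ~* +@all`, so under "AUTH option #3" a client that sends no credentials is still fully authorized, contrary to the comment that says a login is required. Add `user default off` (or a `requirepass` line) next to the new user so the file actually enforces the login it documents. `+@all` also grants administrative commands such as CONFIG and FLUSHALL, which is fine for local development but deserves a comment so the line is not copied into a non-development config unchanged. The file is also missing its trailing newline.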
@@ -21,7 +21,26 @@
 @nox_session()
 def dev(session: Session) -> None:
- """Spin up the application. Uses positional arguments for additional features."""
+ """
+ Spin up the Fides webserver in development mode alongside it's Postgres
+ database and Redis cache. Use positional arguments to run other services
+ like privacy center, shell, admin UI, etc. (see usage for examples)
+
+ Usage:
+ 'nox -s dev' - runs the Fides weserver, database, and cache
+ 'nox -s dev -- shell' - also open a shell on the Fides webserver
+ 'nox -s dev -- ui' - also build and run the Admin UI
+ 'nox -s dev -- pc' - also build and run the Privacy Center
+ 'nox -s dev -- remote_debug' - run with remote debugging enabled (see docker-compose.remote-debug.yml)
+ 'nox -s dev -- worker' - also run a Fides worker
+ 'nox -s dev -- child' - also run a Fides child node
+ 'nox -s dev -- ' - also run a test datastore (e.g. 'mssql', 'mongodb')
+
+ Note that you can combine any of the above arguments together, for example:
+ 'nox -s dev -- shell ui pc'
+
+ See noxfiles/dev_nox.py for more info
+ """
 build(session, "dev")
 session.notify("teardown")
diff --git a/src/fides/api/ops/util/cache.py b/src/fides/api/ops/util/cache.py
index 3d2b8f4e46..99e5ffdd54 100644
--- a/src/fides/api/ops/util/cache.py
+++ b/src/fides/api/ops/util/cache.py
@@ -172,6 +172,7 @@ def get_cache() -> FidesopsRedis:
 host=CONFIG.redis.host,
 port=CONFIG.redis.port,
 db=CONFIG.redis.db_index,
+ username=CONFIG.redis.user,
 password=CONFIG.redis.password,
 ssl=CONFIG.redis.ssl,
 ssl_cert_reqs=CONFIG.redis.ssl_cert_reqs,
diff --git a/src/fides/core/config/redis_settings.py b/src/fides/core/config/redis_settings.py
index be89a97613..f23bcdc1f9 100644
--- a/src/fides/core/config/redis_settings.py
+++ b/src/fides/core/config/redis_settings.py
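Review bot: The new docstring for dev() has two typos in the lines it adds: `it's Postgres` should be `its Postgres`, and `runs the Fides weserver` should be `runs the Fides webserver`. The datastore usage line reads `'nox -s dev -- '` with nothing after the `--`; presumably a placeholder for the datastore name was lost there (angle brackets stripped in rendering is one possibility), so the committed text is worth checking. The function body continues outside the hunk.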
@@ -13,8 +13,8 @@ class RedisSettings(FidesSettings):
 host: str = "redis"
 port: int = 6379
- user: Optional[str] = ""
- password: str = "testpassword"
+ user: Optional[str] = None
+ password: Optional[str] = None
 charset: str = "utf8"
 decode_responses: bool = True
 default_ttl_seconds: int = 604800
@@ -37,17 +37,29 @@ def assemble_connection_url(
 # If the whole URL is provided via the config, preference that
 return v
- db_index = values.get("db_index") if values.get("db_index") is not None else ""
 connection_protocol = "redis"
 params = ""
 use_tls = values.get("ssl", False)
+
+ # These vars are intentionally fetched with `or ""` as the default to account
+ # for the edge case where `None` is explicitly set in `values` by Pydantic because
+ # it is not overridden by the config file or an env var
+ user = values.get("user") or ""
+ password = values.get("password") or ""
+ db_index = values.get("db_index") or ""
 if use_tls: # If using TLS update the connection URL format
 connection_protocol = "rediss"
 cert_reqs = values.get("ssl_cert_reqs", "none")
 params = f"?ssl_cert_reqs={quote_plus(cert_reqs)}"
- return f"{connection_protocol}://{quote_plus(values.get('user', ''))}:{quote_plus(values.get('password', ''))}@{values.get('host', '')}:{values.get('port', '')}/{db_index}{params}"
+ # Configure a basic auth prefix if either user or password is provided, e.g.
+ # redis://:@
+ auth_prefix = ""
+ if password or user:
+ auth_prefix = f"{quote_plus(user)}:{quote_plus(password)}@"
+
+ return f"{connection_protocol}://{auth_prefix}{values.get('host', '')}:{values.get('port', '')}/{db_index}{params}"
 class Config:
 env_prefix = ENV_PREFIX
diff --git a/src/fides/data/test_env/fides.test_env.toml b/src/fides/data/test_env/fides.test_env.toml
index f29ced3c8a..855c5a2afb 100644
--- a/src/fides/data/test_env/fides.test_env.toml
+++ b/src/fides/data/test_env/fides.test_env.toml
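Review bot: `db_index = values.get("db_index") or ""` in assemble_connection_url treats a configured `db_index = 0` the same as an unset value, because `0` is falsy; the removed line, `values.get("db_index") if values.get("db_index") is not None else ""`, preserved `0`. Redis selects db 0 when the URL path is empty, so connections still work, but the URL no longer reflects the configured index, and the new comment only justifies the `or ""` pattern for the `None` case, so the change looks accidental rather than intended. Keep the `is not None` form for this one value: `db_index = values.get("db_index")` followed by `db_index = "" if db_index is None else db_index`. The checked-in test env in this same commit (src/fides/data/test_env/fides.test_env.toml) sets `db_index = 0`, so it is one of the affected configurations. The function starts above the hunk.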
@@ -8,7 +8,7 @@ db = "fides"
 [redis]
 host = "redis"
-password = "testpassword"
+password = "redispassword"
 port = 6379
 db_index = 0