OCI Cache User ACL Strings
Learn about Access Control List (ACL) strings to configure your OCI Cache users.
The ACL string you provided when you created the cache user is a list of predefined rules that grant or revoke user permissions, deciding which operations a cache user can perform. The format typically starts with the keyword `user`, followed by the username, and then the ACL rules. Each ACL rule specifies permissions for commands, key patterns, Pub/Sub channels, and authentication requirements.
The following table shows some options in the ACL commands:

Sample ACL Commands

| Command | Description |
|---|---|
| Authentication | |
| `on` | The user status is active and can authenticate. |
| `nopass` | The user requires no password. |
| `>mypassword123` | The user must authenticate using the password `mypassword123`. |
| `#hashedPassword` | The user must authenticate using the password `plainPassword` (where `hashedPassword` is the SHA-256 hash of `plainPassword`). |
| Key Access | |
| `allkeys` | The user has access to all keys (represented by the wildcard `*`). |
| `allkeys +get +set` | The user can retrieve and set all keys. |
| | The user can retrieve all keys without setting them. |
| `allkeys -get -set` | The user can neither retrieve nor set keys. |
| `~service1:*` | The user has access only to keys that start with the prefix `service1:`. |
| Pub/Sub Access | |
| `allchannels` | The user has access to all Pub/Sub channels. |
| `&service1:*` | The user has access only to Pub/Sub channels that start with the prefix `service1:`. |
| Command Access | |
| `allcommands` | The user can run all commands. |
| `+@write` | The user can run all write commands. |
| `-@read` | The user is denied all read commands. |
| `+@read +@write` | The user can run read operations (like GET, HGET) and write operations (like SET, HSET). |
| `-@write -@read` | The user is restricted from all read and all write operations. |
| `+@read -keys` | The user can run read operations (like GET, HGET) but is restricted from the KEYS command. |
| `+command\|info` | The user can fetch information or details about available commands. |
OCI Cache, as a managed service, restricts some commands to ensure system stability and prevent unintended changes to the cache cluster. You can't include these restricted commands in the ACL string when creating or updating a cache user. The following are examples of a restricted-access user configuration:

```
user service1 on >mypassword123 ~service1:* &service1:* +@write -@read
user service1 on #hashedPassword ~service1:* &service1:* +@write -@read
```
Although your ACL string might contain `@all` for a user, OCI Cache implicitly restricts the following commands:

| OCI Cache Restricted ACL Commands | | |
|---|---|---|
| `acl\|cat` | `cluster\|flushslots` | `memory\|malloc-stats` |
| `acl\|deluser` | `cluster\|forget` | `memory\|purge` |
| `acl\|dryrun` | `cluster\|meet` | `memory\|stats` |
| `acl\|genpass` | `cluster\|replicate` | `memory\|usage` |
| `acl\|getuser` | `cluster\|reset` | `cmigrate` |
| `acl\|help` | `cluster\|saveconfig` | `module` |
| `acl\|list` | `cluster\|set-config-epoch` | `module\|help` |
| `acl\|load` | `cluster\|setslot` | `module\|list` |
| `acl\|log` | `config\|rewrite` | `module\|load` |
| `acl\|save` | `config\|set` | `module\|loadex` |
| `acl\|setuser` | `failover` | `module\|unload` |
| `acl\|users` | `memory` | `psync` |
| `cluster\|addslots` | `memory\|doctor` | `replicaof` |
| `cluster\|addslotsrange` | `memory\|help` | `shutdown` |
| `cluster\|bumpepoch` | `memory\|malloc-stats` | `slaveof` |
| `cluster\|delslots` | `memory\|purge` | `sync` |
| `cluster\|delslotsrange` | `memory\|stats` | |
| `cluster\|failover` | `memory\|usage` | |
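The rule grammar from the sample table and the restricted-command check above, as an added Python example that is not part of the OCI documentation: it parses a `user <name> <rules...>` string into a permission record, rejects a constructed subset of the restricted commands before the string would be submitted, and answers whether the resulting user can authenticate or run a given command against a given key. The command categories are a small constructed subset, and key-pattern matching uses `fnmatch` as an approximation of the server's glob matcher.

```python
import fnmatch
import hashlib
# Constructed subset of command categories; a real server has many more commands.
CATEGORIES = {"read": {"get", "hget", "keys"}, "write": {"set", "hset", "del"}}
ALL_COMMANDS = set().union(*CATEGORIES.values())
# Subset of the OCI Cache restricted commands from the table above (lower-case).
RESTRICTED = {"acl|setuser", "config|set", "module|load", "shutdown", "slaveof"}

def sha256_hex(secret: str) -> str:   # the form a '#' rule carries
    return hashlib.sha256(secret.encode()).hexdigest()

def parse_acl(acl: str) -> dict:
    """Parse 'user <name> <rule>...' into a permission record; rules apply in order."""
    parts = acl.split()
    if len(parts) < 2 or parts[0] != "user":
        raise ValueError("ACL string must start with 'user <name>'")
    u = {"name": parts[1], "on": False, "nopass": False, "hashes": set(),
         "keys": [], "channels": [], "commands": set()}
    for rule in parts[2:]:
        if rule.lstrip("+-").lower() in RESTRICTED:   # OCI Cache rejects these
            raise ValueError(f"restricted command in ACL string: {rule}")
        if rule == "on":
            u["on"] = True
        elif rule == "nopass":
            u["nopass"] = True
        elif rule[0] == ">":                        # clear-text password, kept only as a hash
            u["hashes"].add(sha256_hex(rule[1:]))
        elif rule[0] == "#":                        # pre-hashed password
            u["hashes"].add(rule[1:].lower())
        elif rule == "allkeys" or rule[0] == "~":
            u["keys"].append("*" if rule == "allkeys" else rule[1:])
        elif rule == "allchannels" or rule[0] == "&":
            u["channels"].append("*" if rule == "allchannels" else rule[1:])
        elif rule == "allcommands":
            u["commands"] |= ALL_COMMANDS
        elif rule[0] in "+-":                       # +@cat, -@cat, +cmd, -cmd, +cmd|sub
            body = rule[1:].lower()
            cat = body[1:] if body.startswith("@") else None
            names = {body} if cat is None else (ALL_COMMANDS if cat == "all" else CATEGORIES.get(cat, set()))
            u["commands"] = u["commands"] | names if rule[0] == "+" else u["commands"] - names
        else:
            raise ValueError(f"unknown ACL rule: {rule}")
    return u

def can_auth(u: dict, password: str) -> bool:
    return u["on"] and (u["nopass"] or sha256_hex(password) in u["hashes"])

def can_run(u: dict, command: str, key: str = None) -> bool:
    allowed = u["on"] and command.lower() in u["commands"]
    return allowed and (key is None or any(fnmatch.fnmatchcase(key, p) for p in u["keys"]))  # fnmatch approximates server globs (assumption)
```

Running `parse_acl` over a proposed ACL string before creating the cache user surfaces both restricted commands and over-broad grants (for example a `~service1:*` user that can still `SET` outside its prefix would show up as `can_run` returning `True`).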