Add Password To Redis #4642
Add Password To Redis #4642
Conversation
dotnet-issue-labeler
bot
added
the
area-integrations
dotnet-policy-service
bot
added
the
community-contribution
| .WithImage(RedisContainerImageTags.Image, RedisContainerImageTags.Tag) | ||
| .WithImageRegistry(RedisContainerImageTags.Registry); | ||
| } | ||
| throw new InvalidOperationException(); |
There was a problem hiding this comment.
Can we add a message to this exception to explain what went wrong?
There was a problem hiding this comment.
It is a shame that we have to do these parameters in this order (its different to AddPostgres).
mitchdenny
added
the
breaking-change
|
I'm comfortable with this change pending @eerhardt 's comments about the API txt files and some incremental improvements to the XML docs since we are in the neighbhorhood. I'm a little disappointed that about the parameter ordering but I can't think of a way that isn't a binary/source breaking change that isn't also disruptive. One more iteration and we should be able to stamp an approval on this. Thanks once again for your efforts @Alirexaa. |
|
Some of my comments might be non-sensical, or could be addressed in a follow-up PR. I'll let others decide that, since I'm very new to this code:) |
| ReferenceExpression.Create( | ||
| $"{PrimaryEndpoint.Property(EndpointProperty.Host)}:{PrimaryEndpoint.Property(EndpointProperty.Port)}"); | ||
| $"{PrimaryEndpoint.Property(EndpointProperty.Host)}:{PrimaryEndpoint.Property(EndpointProperty.Port)},password={PasswordParameter}") |
There was a problem hiding this comment.
Does the password need to be encoded here, e.g. URI encoded?
It likely does but we shouldn't fix it here in isolation as this is a larger issue #3117
There was a problem hiding this comment.
It isn't URL encoded. Looks like SE.Redis doesn't support = or , in their passwords:
https://github.com/StackExchange/StackExchange.Redis/blob/1c6b59e6c7751f03aec74679bb2f0d9123b74e3d/src/StackExchange.Redis/ConfigurationOptions.cs#L946-L959
FYI - @mgravell @NickCraver
Co-authored-by: Ankit Jain <[email protected]>
Co-authored-by: Ankit Jain <[email protected]>
Co-authored-by: Ankit Jain <[email protected]>
Co-authored-by: Ankit Jain <[email protected]>
| ReferenceExpression.Create( | ||
| $"{PrimaryEndpoint.Property(EndpointProperty.Host)}:{PrimaryEndpoint.Property(EndpointProperty.Port)}"); | ||
| $"{PrimaryEndpoint.Property(EndpointProperty.Host)}:{PrimaryEndpoint.Property(EndpointProperty.Port)},password={PasswordParameter}") |
There was a problem hiding this comment.
It isn't URL encoded. Looks like SE.Redis doesn't support = or , in their passwords:
https://github.com/StackExchange/StackExchange.Redis/blob/1c6b59e6c7751f03aec74679bb2f0d9123b74e3d/src/StackExchange.Redis/ConfigurationOptions.cs#L946-L959
FYI - @mgravell @NickCraver
|
@eerhardt We've discussed this for the client a few times but it has never hit the top of the pile. If it is a blocker, we can prioritize. I would suggest looking at ado-net quoted values as the template, but obvs we'd need to think a little about how to do it without impacting existing use of any new token |
I don't think it is blocking this work. I just wanted to point out that we can't URL encode the connection string here. |
This is in review in #5380 |
I think this is an option we should seriously consider. I think we would just need to look through where there are any licensing implications for folks deploying that image into production. There might be extra licensing requirements that we wouldn't want to silently swap people into. |
This needs to work around RedisInsight/RedisInsight#3452, which requires the agreements encryption property to be initialized.
|
I've revived this PR with the latest code in One complication is that Redis Insight needs to be initialized before we add a database with a password. I'll add a comment to the code to start a conversation about it there. |
| agreements = new | ||
| { | ||
| // all 4 are required to be set | ||
| eula = false, |
There was a problem hiding this comment.
This is unfortunate, but it is the only way I could get it to work. See RedisInsight/RedisInsight#3452 for more information on why this is needed.
Note that this isn't accepting the EULA (it is sending false). But the consequences of initializing this is the pop up no longer happens on first run of Redis Insight, which is a nice user experience.
Thoughts? @sebastienros @DamianEdwards @Alirexaa
There was a problem hiding this comment.
Seems they're suggesting we wait until they implement support for adding databases via environment variables instead.
There was a problem hiding this comment.
I've opened [Bug]: Posting eula: false to /api/settings suppresses the first run dialog (RedisInsight/RedisInsight#4340) for the first run dialog issue.
Let's move forward with this PR for now. We can readjust later.
|
Question: is it possible to specify the user for Redis? Or is that unnecessary in this scenario, with Aspire just using the default user? Similarly, there is increasing support for azure etc identity tokens for auth. |
|
|
||
| /// <summary> | ||
| /// Gets the parameter that contains the Redis server username. | ||
| /// </summary> | ||
| private ReferenceExpression ConnectionString => |
There was a problem hiding this comment.
nit: Prefer this pattern
Right now, no. We are just adding password protection for now. If necessary, we can also add support for user in the future.
We support Azure Redis and Entra ID already in 9.0. See https://learn.microsoft.com/dotnet/aspire/caching/stackexchange-redis-integration#add-azure-cache-for-redis-client |
I don't think this is a breaking change. We can log it in the changelog, but I'm not sure exactly what it would break. The only thing I can think of is if someone is explicitly cutting the password out of the connection string getting flown to the app (or passing the connection string a custom way - not using our Hosting ConnectionString). |
|
Thank you, @Alirexaa for your continued contributions! |
Repond to feedback from dotnet#4642. Refactor how the connection string reference expression is built.
Repond to feedback from #4642. Refactor how the connection string reference expression is built.
This reverts commit 7d221ef.
close: #3838
Microsoft Reviewers: Open in CodeFlow