0

I am trying to have a sentinel_user ACL user in the users.acl file that will have limited permission to run commands related to Sentinel only.

I tried setting this user as below, following the Redis documentation:

ACL SETUSER sentinel_user ON nopass allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill

But I am getting an issue when starting the sentinel_user, as it says: # Aborting Redis startup because of ACL errors: Error in applying operation '+script|kill': Unknown command or category name in ACL

Complete error log:

052811:X 25 Jul 2023 15:01:06.354 # Aborting Redis startup because of ACL errors: /home/somepath/redis-centinal-poc/redis-7.0.11/users.acl:6: Error in applying operation '+script|kill': Unknown command or category name in ACL. /home/somepath/redis-centinal-poc/redis-7.0.11/users.acl:6: Error in applying operation '+exec': Unknown command or category name in ACL. /home/somepath/redis-centinal-poc/redis-7.0.11/users.acl:6: Error in applying operation '+multi': Unknown command or category name in ACL. /home/somepath/redis-centinal-poc/redis-7.0.11/users.acl:6: Error in applying operation '+config|rewrite': Unknown command or category name in ACL. /home/somepath/redis-centinal-poc/redis-7.0.11/users.acl:6: Error in applying operation '+slaveof': Unknown command or category name in ACL. WARNING: ACL errors detected, no change to the previously active ACL rules was performed
Adelino Silva
anand

1 Answer

0

The user you are trying to create must be created in the Redis instance, not in the Sentinel instance.

There are two users related to Sentinel:

  • One user that communicates with Redis. This user must be created in all of the Redis instances. Example:

      acl setuser sentinel_to_redis on >"sentinelredis123" allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill
    
  • One user that communicates with other Sentinels. This user must be created in all of the Sentinel instances. Example:

      acl setuser sentinel_to_sentinel on >"sentinelsentinel123" allchannels +@all
    

When the users have been created, you must configure them in all Sentinel instances. Example of doing it at runtime:

sentinel set <MASTER_NAME> auth-user sentinel_to_redis
sentinel set <MASTER_NAME> auth-pass "sentinelredis123"
sentinel config set sentinel-user sentinel_to_sentinel
sentinel config set sentinel-pass "sentinelsentinel123"
duckoak
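The same two-user split written as files instead of runtime commands, as an added example that is not part of the original answer. The three sections are separate files; the file name `users.acl` follows the question, the `aclfile` path is a placeholder, the passwords are the answer's sample values, and the `#` lines in the ACL-file sections are annotations for the reader (assumption: an ACL file holds only `user` lines, split on spaces, so the passwords are written without quotes).

```conf
# ---------------------------------------------------------------
# users.acl on every Redis instance (master and replicas)
# Account the Sentinels authenticate with against Redis.
# The restricted rule set belongs here, where these commands exist.
# ---------------------------------------------------------------
user sentinel_to_redis on >sentinelredis123 allchannels +multi +slaveof +ping +exec +subscribe +config|rewrite +role +publish +info +client|setname +client|kill +script|kill

# ---------------------------------------------------------------
# users.acl on every Sentinel instance
# Account the Sentinels use to talk to each other.
# Loading the restricted rule above into this file is what yields
# "Unknown command or category name in ACL" in the question's log.
# ---------------------------------------------------------------
user sentinel_to_sentinel on >sentinelsentinel123 allchannels +@all

# ---------------------------------------------------------------
# sentinel.conf on every Sentinel instance
# Place the auth lines after the existing
# "sentinel monitor <MASTER_NAME> ..." line for that master.
# ---------------------------------------------------------------
# Placeholder path to the Sentinel-side ACL file shown above.
aclfile users.acl
# Credentials Sentinel presents to the monitored Redis instances.
sentinel auth-user <MASTER_NAME> sentinel_to_redis
sentinel auth-pass <MASTER_NAME> sentinelredis123
# Credentials Sentinel presents to the other Sentinels.
sentinel sentinel-user sentinel_to_sentinel
sentinel sentinel-pass sentinelsentinel123
```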