How to change redis passwd without downtime

Question

for the safety concern, we plan to change our redis passwd periodically(like every 4weeks). The question is how to change it without external downtime or just a very short period of time.

My plans are:

1. clear the passwd on redis server and restart.
2. seeing as there's no passwd required, clients can still reconnect to redis server even with obsolete passwd
3. clients reload new passwd from config center periodically, and soon after, all clients will have been updated to the new passwd.
4. change the redis server to new passwd and restart.
5. clients use new passwd to reconnect to redis server

But when I tried it(I'm using redigo), I got ERR Client sent AUTH, but no password is set on step 2. Seems like we can't connect to redis with extra passwd if it doesn't require passwd. But when I use redis-cli, it can! I want to know how redis-cli achieve this, and how can I do that with redigo?

Answer 1

Why not use Redis ACLs https://redis.io/topics/acl

1. create current user user1 with password1
2. after time period create user2/password2
3. leave grace period for Apps to reconnect (some clients allow you to set MaxConnAge in go)
4. delete user1/password1

Answer 2

A common solution to password rotation is:

• During password rollover period, have the config provider supply two passwords: current and previous.
• Client tries with the current password.
• If that fails, it retries with the previous one.

At the end of the rollover period, the server is restarted with the new password and the old password is deleted from the config.