From c756cdb3121a1ca27d52672a331aef0874524536 Mon Sep 17 00:00:00 2001 From: Oluwabusayo Jacobs <68024640+TropicolX@users.noreply.github.com> Date: Sat, 8 Nov 2025 17:02:14 +0100 Subject: [PATCH 1/2] Revise "Setting default user password #uv9" Clarified the usage of the `ACL SETUSER` command and its effects on user properties. Added details on password storage and validation tests. --- stage_descriptions/auth-05-uv9.md | 48 +++++++++++++++++++------------ 1 file changed, 30 insertions(+), 18 deletions(-) diff --git a/stage_descriptions/auth-05-uv9.md b/stage_descriptions/auth-05-uv9.md index e25948c1..4c8cc49c 100644 --- a/stage_descriptions/auth-05-uv9.md +++ b/stage_descriptions/auth-05-uv9.md @@ -1,10 +1,25 @@ -In this stage, you'll add support for setting the default user's password. +In this stage, you'll add support for setting the `default` user's password. ### The `ACL SETUSER` command -The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command can be used to modify the properties of an existing user. If this command is used with the `>` rule, it is used to add a password for the given user. Adding a password also clears the `nopass` flag from the user. +The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command modifies the properties of an existing user. -Example usage: +When the command is used with the `>` rule, it adds a password for the specified user: + +```bash +> ACL SETUSER default >mypassword +OK +``` + +The server then responds with `OK` encoded as a RESP simple string (`+OK\r\n`). + +### Password Storage + +Adding a password for a user with `ACL SETUSER` has two effects: +- The password is stored as a SHA-256 hash. +- The `nopass` flag is automatically removed. + +For example: ```bash > ACL SETUSER default >mypassword 
@@ -12,16 +27,14 @@ OK > ACL GETUSER default 1) "flags" - 2) 1) "nopass" + 2) (empty array) 3) "passwords" 4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8" ``` -The response to the `ACL SETUSER` command is a RESP simple string: `+OK\r\n`. +Notice that the `nopass` flag is now gone from the `flags` array. Also, the `mypassword` SHA-256 hash is stored as a bulk string in the `passwords` array. -The password array in the response of `ACL GETUSER` command contains one element and is the SHA-256 hash of the password `mypassword`. - -Redis does not store the raw password specified in the `ACL SETUSER` command. Instead, it stores the SHA-256 hash of the password. While validating the password during authentication, the SHA-256 hash of the input password is calculated and matched against the stored list of SHA-256 password hashes. This is done because storing raw passwords is a security vulnerability. +Storing only the SHA-256 hash is a security best practice Redis uses to prevent password leaks if the database is compromised. ### Tests @@ -31,7 +44,7 @@ The tester will execute your program like this: $ ./your_program.sh ``` -It'll then send a `ACL GETUSER` command, specifying the `default` user +It will then send an `ACL GETUSER` command, specifying the `default` user: ```bash $ redis-cli @@ -43,12 +56,12 @@ $ redis-cli 4) (empty array) ``` -The tester will validate the following for the response of the `ACL GETUSER` command: +The tester will verify that: -- The `nopass` flag is present in the flags array -- The password array is empty +- The `nopass` flag is present in the flags array. +- The `passwords` array is empty. -It'll then send a `ACL SETUSER` command, specifying the `default` user and a password. +Next, the tester will send a `ACL SETUSER` command, specifying the `default` user and a password: ```bash # Expect: +OK\r\n 
@@ -58,7 +71,7 @@ OK The tester will validate that the response to the `ACL SETUSER` command is `+OK\r\n`. -It'll then send a `ACL GETUSER` command, specifying the `default` user. +Finally, the tester will send a `ACL GETUSER` command, specifying the `default` user: ```bash # Expect RESP array: ["flags", ["nopass"], "passwords", ["89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"]] @@ -69,13 +82,12 @@ It'll then send a `ACL GETUSER` command, specifying the `default` user. 4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8" ``` -The tester will validate the following for the response of the `ACL GETUSER` command: +The tester will validate the following for your response: -- The `nopass` flag is not present in the flags array -- The passwords array contains one element, and the element is the SHA-256 hash of the password, encoded as a RESP bulk string. +- The `nopass` flag is no longer present. +- The `passwords` array contains the SHA-256 hash of `mypassword` encoded as a bulk string. ### Notes - Redis uses the SHA-256 hashing algorithm for password storage. You'll need to compute the SHA-256 hash of the provided password and store it. - - The password hash should be stored as a lowercase hexadecimal string. From b489f5134709ab664e73fafc905acf017541cf97 Mon Sep 17 00:00:00 2001 From: Oluwabusayo Jacobs <68024640+TropicolX@users.noreply.github.com> Date: Sun, 9 Nov 2025 05:48:20 +0100 Subject: [PATCH 2/2] Update ACL SETUSER command documentation Clarify command descriptions and server responses in the documentation. --- stage_descriptions/auth-05-uv9.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/stage_descriptions/auth-05-uv9.md b/stage_descriptions/auth-05-uv9.md index 4c8cc49c..0059d86f 100644 --- a/stage_descriptions/auth-05-uv9.md +++ b/stage_descriptions/auth-05-uv9.md 
@@ -1,6 +1,6 @@ In this stage, you'll add support for setting the `default` user's password. -### The `ACL SETUSER` command +### The `ACL SETUSER` Command The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command modifies the properties of an existing user. @@ -11,7 +11,7 @@ When the command is used with the `>` rule, it adds a password for the specified OK ``` -The server then responds with `OK` encoded as a RESP simple string (`+OK\r\n`). +The server responds with `OK` encoded as a RESP simple string (`+OK\r\n`). ### Password Storage @@ -47,9 +47,8 @@ $ ./your_program.sh It will then send an `ACL GETUSER` command, specifying the `default` user: ```bash -$ redis-cli # Expect RESP array: ["flags", ["nopass"], "passwords", []] -> ACL GETUSER default +$ redis-cli ACL GETUSER default 1) "flags" 2) 1) "nopass" 3) "passwords" @@ -69,7 +68,7 @@ Next, the tester will send a `ACL SETUSER` command, specifying the `default` use OK ``` -The tester will validate that the response to the `ACL SETUSER` command is `+OK\r\n`. +Your server must respond with `+OK\r\n`. Finally, the tester will send a `ACL GETUSER` command, specifying the `default` user:
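Review bot: in the first hunk of PATCH 1/2 (`@@ -1,10 +1,25 @@`), the `ACL SETUSER default >mypassword` / `OK` example now appears twice in a row, once under "The `ACL SETUSER` command" and again immediately after "For example:" in the new "Password Storage" section; drop the second copy or merge the two sections so the reader sees one `ACL SETUSER` followed by one `ACL GETUSER`. Also, "modifies the properties of an existing user" is narrower than the linked Redis documentation, which describes `ACL SETUSER` as creating the user when it does not exist or modifying it when it does; since this stage only deals with `default`, "creates or modifies a user" or simply "modifies the `default` user's properties" avoids teaching an inaccurate rule.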
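Review bot: in hunk `@@ -12,16 +27,14 @@` of PATCH 1/2, replacing the paragraph on how authentication validates a password with "Storing only the SHA-256 hash is a security best practice Redis uses to prevent password leaks if the database is compromised" removes the one behaviour an implementer needs for the later auth stages (hash the password supplied to `AUTH` and compare it against the stored hashes) and overstates the security claim: an unsalted, fast hash such as SHA-256 is not what password-storage guidance recommends for user-chosen passwords, and Redis's own ACL documentation justifies it on the grounds that ACL passwords are expected to be long random strings. Suggest keeping a sentence such as "Redis never stores the raw password; when validating `AUTH`, it computes the SHA-256 hash of the supplied password and compares it with the stored hashes", and rewording the new sentence to say what the hash actually protects (the password cannot be read back from `ACL GETUSER` output or persisted ACL state) rather than the vague "if the database is compromised". Minor: "the `mypassword` SHA-256 hash" reads better as "the SHA-256 hash of `mypassword`".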
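Review bot: in hunk `@@ -43,12 +56,12 @@` of PATCH 1/2, "Next, the tester will send a `ACL SETUSER` command" should read "an `ACL SETUSER` command", matching the "an `ACL GETUSER`" correction made in the hunk just above it in the same patch.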
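Review bot: in hunk `@@ -58,7 +71,7 @@` of PATCH 1/2, the unchanged context line `# Expect RESP array: ["flags", ["nopass"], "passwords", ["89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"]]` contradicts the text this patch rewrites around it: the bullet "The `nopass` flag is no longer present" and the empty flags array shown earlier both say `nopass` must be gone after `ACL SETUSER`. Since the patch already edits the sentence directly above this comment, fix it here too, to `["flags", [], "passwords", ["89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"]]`; otherwise an implementer who works from the comment will produce the wrong flags. Also "Finally, the tester will send a `ACL GETUSER` command" should be "an `ACL GETUSER` command".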
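Review bot: in hunk `@@ -69,13 +82,12 @@` of PATCH 1/2, the rewritten bullet "The `passwords` array contains the SHA-256 hash of `mypassword` encoded as a bulk string" drops two requirements the old wording stated: that the array has exactly one element, and that the element is a RESP bulk string. The Notes list below still requires a lowercase hexadecimal string, so the bullet is now the only under-specified part of the expected response; suggest "The `passwords` array contains exactly one element: the SHA-256 hex digest of `mypassword`, encoded as a RESP bulk string."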
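Review bot: in hunk `@@ -47,9 +47,8 @@` of PATCH 2/2, only the first tester code block is converted to the single-line `$ redis-cli ACL GETUSER default` form; the `ACL SETUSER` block and the final `ACL GETUSER` block in the same Tests section are not touched by this patch (the final block's `# Expect RESP array` comment is visible as unchanged context in PATCH 1/2), so unless they already use the one-line form the section now mixes two prompt conventions. Apply the same form to all three blocks, or leave all three in the interactive `$ redis-cli` / `>` style.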