Merged
55 changes: 33 additions & 22 deletions stage_descriptions/auth-05-uv9.md
@@ -1,27 +1,40 @@
In this stage, you'll add support for setting the default user's password.
In this stage, you'll add support for setting the `default` user's password.

### The `ACL SETUSER` command
### The `ACL SETUSER` Command

The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command can be used to modify the properties of an existing user. If this command is used with the `>` rule, it is used to add a password for the given user. Adding a password also clears the `nopass` flag from the user.
The [`ACL SETUSER`](https://redis.io/docs/latest/commands/acl-setuser/) command modifies the properties of an existing user.

Example usage:
When the command is used with the `>` rule, it adds a password for the specified user:

```bash
> ACL SETUSER default >mypassword
OK
```

The server responds with `OK` encoded as a RESP simple string (`+OK\r\n`).

### Password Storage

Adding a password for a user with `ACL SETUSER` has two effects:
- The password is stored as a SHA-256 hash.
- The `nopass` flag is automatically removed.

For example:

```bash
> ACL SETUSER default >mypassword
OK

> ACL GETUSER default
1) "flags"
2) 1) "nopass"
2) (empty array)
3) "passwords"
4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"
```

The response to the `ACL SETUSER` command is a RESP simple string: `+OK\r\n`.
Notice that the `nopass` flag is now gone from the `flags` array. Also, the `mypassword` SHA-256 hash is stored as a bulk string in the `passwords` array.

The password array in the response of `ACL GETUSER` command contains one element and is the SHA-256 hash of the password `mypassword`.

Redis does not store the raw password specified in the `ACL SETUSER` command. Instead, it stores the SHA-256 hash of the password. While validating the password during authentication, the SHA-256 hash of the input password is calculated and matched against the stored list of SHA-256 password hashes. This is done because storing raw passwords is a security vulnerability.
Storing only the SHA-256 hash is a security best practice Redis uses to prevent password leaks if the database is compromised.

### Tests

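Review bot: the new closing sentence of the Password Storage section ("Storing only the SHA-256 hash is a security best practice Redis uses to prevent password leaks if the database is compromised.") overstates what an unsalted, single-round SHA-256 buys: it only resists offline guessing when the password itself is long and random, which is the assumption Redis makes for ACL passwords, so consider saying that explicitly rather than calling it a best practice in general. The hunk also drops the old sentence that explained verification ("the SHA-256 hash of the input password is calculated and matched against the stored list of SHA-256 password hashes"); that is the one detail a reader needs to implement `AUTH` against the stored hashes, so it is worth keeping under Password Storage. Minor style point: the `> ACL SETUSER default >mypassword` / `OK` block now appears twice back to back (under "The `ACL SETUSER` Command" and again under "Password Storage"); the first copy could be removed, or the second could show only the `ACL GETUSER` output.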
Expand All @@ -31,34 +44,33 @@ The tester will execute your program like this:
$ ./your_program.sh
```

It'll then send a `ACL GETUSER` command, specifying the `default` user
It will then send an `ACL GETUSER` command, specifying the `default` user:

```bash
$ redis-cli
# Expect RESP array: ["flags", ["nopass"], "passwords", []]
> ACL GETUSER default
$ redis-cli ACL GETUSER default
1) "flags"
2) 1) "nopass"
3) "passwords"
4) (empty array)
```

The tester will validate the following for the response of the `ACL GETUSER` command:
The tester will verify that:

- The `nopass` flag is present in the flags array
- The password array is empty
- The `nopass` flag is present in the flags array.
- The `passwords` array is empty.

It'll then send a `ACL SETUSER` command, specifying the `default` user and a password.
Next, the tester will send a `ACL SETUSER` command, specifying the `default` user and a password:

```bash
# Expect: +OK\r\n
> ACL SETUSER default >mypassword
OK
```

The tester will validate that the response to the `ACL SETUSER` command is `+OK\r\n`.
Your server must respond with `+OK\r\n`.

It'll then send a `ACL GETUSER` command, specifying the `default` user.
Finally, the tester will send a `ACL GETUSER` command, specifying the `default` user:

```bash
# Expect RESP array: ["flags", ["nopass"], "passwords", ["89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"]]
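Review bot: the article before the command name is inconsistent within this hunk: "It will then send an `ACL GETUSER` command" was corrected, but "Next, the tester will send a `ACL SETUSER` command" still reads "a `ACL SETUSER`". The code blocks are also now in two different styles: the first `ACL GETUSER` block was rewritten as `$ redis-cli ACL GETUSER default` and lost its `# Expect RESP array: ["flags", ["nopass"], "passwords", []]` comment, while the `ACL SETUSER` block keeps the `# Expect: +OK\r\n` comment and the `>` prompt, and the final `ACL GETUSER` block (unchanged context at the end of this hunk) still carries its `# Expect RESP array: ...` comment. Pick one convention (either keep the `# Expect ...` comments in all three blocks or drop them from all three and rely on the bullet lists), since the expected-RESP comments are the only place the wire-level shape of the array reply is spelled out.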
Expand All @@ -69,13 +81,12 @@ It'll then send a `ACL GETUSER` command, specifying the `default` user.
4) 1) "89e01536ac207279409d4de1e5253e01f4a1769e696db0d6062ca9b8f56767c8"
```

The tester will validate the following for the response of the `ACL GETUSER` command:
The tester will validate the following for your response:

- The `nopass` flag is not present in the flags array
- The passwords array contains one element, and the element is the SHA-256 hash of the password, encoded as a RESP bulk string.
- The `nopass` flag is no longer present.
- The `passwords` array contains the SHA-256 hash of `mypassword` encoded as a bulk string.

### Notes

- Redis uses the SHA-256 hashing algorithm for password storage. You'll need to compute the SHA-256 hash of the provided password and store it.

- The password hash should be stored as a lowercase hexadecimal string.
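Review bot: the rewritten bullet "The `passwords` array contains the SHA-256 hash of `mypassword` encoded as a bulk string." drops the "contains one element" requirement that the old bullet stated; if the tester checks the array length (the earlier part of the page says "The password array ... contains one element"), the bullet should say "exactly one element" so an implementation that appends the hash twice or keeps a placeholder entry is not surprised. The Notes section already states that the hash is stored as a lowercase hexadecimal string; since the tester bullet compares against the hash shown in the example, it would help to repeat "lowercase hex" there, or link the bullet to the Notes, as an uppercase hex encoding would otherwise be an easy way to fail this check.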