How to Use Password Rotation Correctly

[yxf-1024]

src/test/java/redis/clients/jedis/examples/RedisCredentialsProviderExample.java

When I refer to this example to complete the credential change, how should I gracefully reset the current redis to connect to redis using the new credentials to complete password rotation without downtime?

[ggivo]

Hey, sorry for the delayed response By "current redis" do you refer to the connected Jedis client or the Redis server itself?

The Redis server ACL supports multiple passwords per user, You should be able to add the new password, update the client connection to use it, and after some time, when all clients switch to use the new credentials, drop the old password.

https://redis.io/docs/latest/operate/oss_and_stack/management/security/acl/

: Add this password to the list of valid passwords for the user. For example >mypass will add "mypass" to the list of valid passwords. This directive clears the nopass flag (see later). Every user can have any number of passwords.

[yxf-1024]

I'm referring to the redis client,
The current jedis pool connection pool mode uses jedis. After the credential is changed, how do I gracefully switch the connection that uses the new credential? Or do I wait until the password expires and what options do I need to configure to re-establish the connection with the new credentials?

[ggivo]

From Jedis perspective, the code in the referenced example will do is to replace the current credentials in JedisPooled client with new ones. This way, the newly created connection added to the pool will use the updated credentials; at the same time, the existing connection in the pool will continue to be served using the old credentials till they eventually get closed and removed by the pool.
For example, if a connection is idle for a specific period, it will be closed.

You can also take a look at ConnectionPoolConfig.setTestWhileIdle(), ConnectionPoolConfig.setMinEvictableIdleTime(),ConnectionPoolConfig.setTestOnReturn()

Forgot to ask about what deployment of Redis you use?
Have you tried out the provided example, and did you have any particular issues with it?