diff --git a/content/operate/rs/references/rest-api/objects/certificates.md b/content/operate/rs/references/rest-api/objects/certificates.md index 6d24c0fc75..45290379ab 100644 --- a/content/operate/rs/references/rest-api/objects/certificates.md +++ b/content/operate/rs/references/rest-api/objects/certificates.md @@ -14,6 +14,6 @@ An API object that represents a certificate used by a Redis Enterprise Software | Name | Type/Value | Description | |------|------------|-------------| -| name | `cm`
`api`
`mtls_trusted_ca`
`proxy`
`metrics_exporter`
`syncer`
`ldap_client`
`ccs_internode_encryption`
`data_internode_encryption` | Certificate type.
See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. | +| name | "cm"
"api"
"mtls_trusted_ca"
"proxy"
"metrics_exporter"
"syncer"
"ldap_client"
"ccs_internode_encryption"
"data_internode_encryption"
"sso_service"
"sso_issuer" | Certificate type.
See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. | | certificate | string | The certificate in PEM format | | key | string | The private key in PEM format | diff --git a/content/operate/rs/references/rest-api/objects/sso.md b/content/operate/rs/references/rest-api/objects/sso.md new file mode 100644 index 0000000000..01ff6591ca --- /dev/null +++ b/content/operate/rs/references/rest-api/objects/sso.md @@ -0,0 +1,28 @@ +--- +Title: SSO object +alwaysopen: false +categories: +- docs +- operate +- rs +description: An object for single sign-on (SSO) configuration +linkTitle: sso +weight: $weight +--- + +An API object that represents single sign-on (SSO) configuration in the cluster. + +| Name | Type/Value | Description | +|------|------------|-------------| +| control_plane | boolean (default: false) | If `true`, enables single sign-on (SSO) for the control plane. | +| enforce_control_plane | boolean (default: false) | If `true`, enforce SSO login for the control plane for non-admin users. If `false`, all users can still login using their local username and password if SSO is down. | +| protocol | "saml2" | SSO protocol to use. | +| issuer | complex object | Issuer related configuration.
Contains the following fields:
**id**: Unique ID of the issuer side (example: "urn:sso:example:idp")
**login_url**: SSO login URL (example: "https://idp.example.com/sso/saml")
**logout_url**: SSO logout URL (example: "https://idp.example.com/sso/slo")
**metadata**: Base64 encoded IdP metadata (read-only) | +| service | complex object | Service related configuration.
For SAML2 service configuration:
{{}}{ + "address": "string", + "saml2": { + "entity_id": "string", + "acs_url": "string", + "slo_url": "string" + } +}{{}}
**address**: External service address used for SSO. By default, the cluster name with the Cluster Manager port is used.
**acs_url**: Assertion Consumer Service URL (read-only)
**slo_url**: Single Logout URL (read-only)
**entity_id**: Service entity ID (read-only) | diff --git a/content/operate/rs/references/rest-api/objects/user.md b/content/operate/rs/references/rest-api/objects/user.md index 62278759e1..2240cf52bd 100644 --- a/content/operate/rs/references/rest-api/objects/user.md +++ b/content/operate/rs/references/rest-api/objects/user.md @@ -15,7 +15,7 @@ weight: $weight | uid | integer | User's unique ID | | account_id | integer | SM account ID | | action_uid | string | Action UID. If it exists, progress can be tracked by the `GET /actions/{uid}` API request (read-only) | -| auth_method | **'regular'**
'certificate'
'entraid' | User's authentication method | +| auth_method | **'regular'**
'certificate'
'entraid'
'sso' | User's authentication method | | bdbs_email_alerts | complex object | UIDs of databases that user will receive alerts for | | certificate_subject_line | string | The certificate’s subject line as defined by RFC2253. Used for certificate-based authentication users only. | | cluster_email_alerts | boolean | Activate cluster email alerts for a user | diff --git a/content/operate/rs/references/rest-api/permissions.md b/content/operate/rs/references/rest-api/permissions.md index 639a9cba4e..f5cea0d3a0 100644 --- a/content/operate/rs/references/rest-api/permissions.md +++ b/content/operate/rs/references/rest-api/permissions.md 
@@ -34,12 +34,12 @@ Available management roles include: | Role | Permissions | |------|-------------| | none | No permissions | -| admin | [add_cluster_module](#add_cluster_module), [cancel_cluster_action](#cancel_cluster_action), [cancel_node_action](#cancel_node_action), [config_ldap](#config_ldap), [config_ocsp](#config_ocsp), [create_bdb](#create_bdb), [create_crdb](#create_crdb), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_redis_acl](#create_redis_acl), [create_role](#create_role), [delete_bdb](#delete_bdb), [delete_cluster_module](#delete_cluster_module), [delete_crdb](#delete_crdb), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [install_new_license](#install_new_license), [manage_cluster_modules](#manage_cluster_modules), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [start_cluster_action](#start_cluster_action), [start_node_action](#start_node_action), [test_ocsp_status](#test_ocsp_status), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_cluster](#update_cluster), [update_crdb](#update_crdb), [update_ldap_mapping](#update_ldap_mapping), [update_node](#update_node), [update_proxy](#update_proxy), [update_redis_acl](#update_redis_acl), [update_role](#update_role), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), 
[view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_ocsp_config](#view_ocsp_config), [view_ocsp_status](#view_ocsp_status), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) | -| 
cluster_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), 
[view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| cluster_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), 
[view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), 
[view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), 
[view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | -| user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), 
[view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) +| admin | [add_cluster_module](#add_cluster_module), [cancel_cluster_action](#cancel_cluster_action), [cancel_node_action](#cancel_node_action), [config_ldap](#config_ldap), [config_ocsp](#config_ocsp), [config_sso](#config_sso), [create_bdb](#create_bdb), [create_crdb](#create_crdb), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_redis_acl](#create_redis_acl), [create_role](#create_role), [delete_bdb](#delete_bdb), [delete_cluster_module](#delete_cluster_module), [delete_crdb](#delete_crdb), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [install_new_license](#install_new_license), [manage_cluster_modules](#manage_cluster_modules), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), 
[start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [start_cluster_action](#start_cluster_action), [start_node_action](#start_node_action), [test_ocsp_status](#test_ocsp_status), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_cluster](#update_cluster), [update_crdb](#update_crdb), [update_ldap_mapping](#update_ldap_mapping), [update_node](#update_node), [update_proxy](#update_proxy), [update_redis_acl](#update_redis_acl), [update_role](#update_role), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), 
[view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_ocsp_config](#view_ocsp_config), [view_ocsp_status](#view_ocsp_status), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) | +| cluster_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), 
[view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| cluster_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_metrics](#view_all_metrics), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), 
[view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| db_member | [create_bdb](#create_bdb), [create_crdb](#create_crdb), [delete_bdb](#delete_bdb), [delete_crdb](#delete_crdb), [edit_bdb_module](#edit_bdb_module), [failover_shard](#failover_shard), [flush_crdb](#flush_crdb), [migrate_shard](#migrate_shard), [purge_instance](#purge_instance), [reset_bdb_current_backup_status](#reset_bdb_current_backup_status), [reset_bdb_current_export_status](#reset_bdb_current_export_status), [reset_bdb_current_import_status](#reset_bdb_current_import_status), [start_bdb_export](#start_bdb_export), [start_bdb_import](#start_bdb_import), [start_bdb_recovery](#start_bdb_recovery), [update_bdb](#update_bdb), [update_bdb_alerts](#update_bdb_alerts), [update_bdb_with_action](#update_bdb_with_action), [update_crdb](#update_crdb), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), 
[view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_debugging_info](#view_debugging_info), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| db_viewer | [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_nodes_alerts](#view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), [view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), 
[view_all_shard_stats](#view_all_shard_stats), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_recovery_plan](#view_bdb_recovery_plan), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_license](#view_license), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action) | +| user_manager | [config_ldap](#config_ldap), [create_ldap_mapping](#create_ldap_mapping), [create_new_user](#create_new_user), [create_role](#create_role), [create_redis_acl](#create_redis_acl), [delete_ldap_mapping](#delete_ldap_mapping), [delete_redis_acl](#delete_redis_acl), [delete_role](#delete_role), [delete_user](#delete_user), [install_new_license](#install_new_license), [update_ldap_mapping](#update_ldap_mapping), [update_proxy](#update_proxy), [update_role](#update_role), [update_redis_acl](#update_redis_acl), [update_user](#update_user), [view_all_bdb_stats](#view_all_bdb_stats), [view_all_bdbs_alerts](#view_all_bdbs_alerts), [view_all_bdbs_info](#view_all_bdbs_info), [view_all_ldap_mappings_info](#view_all_ldap_mappings_info), [view_all_nodes_alerts](view_all_nodes_alerts), [view_all_nodes_checks](#view_all_nodes_checks), 
[view_all_nodes_info](#view_all_nodes_info), [view_all_nodes_stats](#view_all_nodes_stats), [view_all_proxies_info](#view_all_proxies_info), [view_all_redis_acls_info](#view_all_redis_acls_info), [view_all_roles_info](#view_all_roles_info), [view_all_shard_stats](#view_all_shard_stats), [view_all_users_info](#view_all_users_info), [view_bdb_alerts](#view_bdb_alerts), [view_bdb_info](#view_bdb_info), [view_bdb_stats](#view_bdb_stats), [view_cluster_alerts](#view_cluster_alerts), [view_cluster_info](#view_cluster_info), [view_cluster_keys](#view_cluster_keys), [view_cluster_modules](#view_cluster_modules), [view_cluster_stats](#view_cluster_stats), [view_crdb](#view_crdb), [view_crdb_list](#view_crdb_list), [view_crdb_task](#view_crdb_task), [view_crdb_task_list](#view_crdb_task_list), [view_endpoint_stats](#view_endpoint_stats), [view_ldap_config](#view_ldap_config), [view_ldap_mapping_info](#view_ldap_mapping_info), [view_license](#view_license), [view_logged_events](#view_logged_events), [view_node_alerts](#view_node_alerts), [view_node_check](#view_node_check), [view_node_info](#view_node_info), [view_node_stats](#view_node_stats), [view_proxy_info](#view_proxy_info), [view_redis_acl_info](#view_redis_acl_info), [view_redis_pass](#view_redis_pass), [view_role_info](#view_role_info), [view_shard_stats](#view_shard_stats), [view_sso](#view_sso), [view_status_of_all_node_actions](#view_status_of_all_node_actions), [view_status_of_cluster_action](#view_status_of_cluster_action), [view_status_of_node_action](#view_status_of_node_action), [view_user_info](#view_user_info) | ## Roles list per permission @@ -51,6 +51,7 @@ Available management roles include: | cancel_node_action | admin | | config_ldap | admin
user_manager | | config_ocsp | admin | +| config_sso | admin | | create_bdb | admin
cluster_member
db_member | | create_crdb | admin
cluster_member
db_member | | create_ldap_mapping | admin
user_manager | @@ -135,6 +136,7 @@ Available management roles include: | view_redis_pass | admin
cluster_member
db_member
user_manager | | view_role_info | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_shard_stats | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | +| view_sso | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_status_of_all_node_actions | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_status_of_cluster_action | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | | view_status_of_node_action | admin
cluster_member
cluster_viewer
db_member
db_viewer
user_manager | diff --git a/content/operate/rs/references/rest-api/requests/bdbs/actions/_index.md b/content/operate/rs/references/rest-api/requests/bdbs/actions/_index.md index 43f2d79e55..b464f24d30 100644 --- a/content/operate/rs/references/rest-api/requests/bdbs/actions/_index.md +++ b/content/operate/rs/references/rest-api/requests/bdbs/actions/_index.md @@ -32,6 +32,13 @@ weight: $weight | [PUT]({{< relref "./import_reset_status#put-bdbs-actions-import-reset-status" >}}) | `/v1/bdbs/{uid}/actions/import_reset_status` | Reset database import status | | [POST]({{< relref "./import#post-bdbs-actions-import" >}}) | `/v1/bdbs/{uid}/actions/import` | Initiate manual dataset import | +## Migrate slots + +| Method | Path | Description | +|--------|------|-------------| +| [POST]({{}}) | `/v1/bdbs/{uid}/actions/migrate_slots` | Migrate slots between Redis instances (shards) within a database | +| [POST]({{}}) | `/v1/bdbs/{uid}/actions/cancel_migrate_slots` | Cancel slot migrations between Redis instances (shards) within a database | + ## Optimize shards placement | Method | Path | Description | diff --git a/content/operate/rs/references/rest-api/requests/bdbs/actions/cancel_migrate_slots.md b/content/operate/rs/references/rest-api/requests/bdbs/actions/cancel_migrate_slots.md new file mode 100644 index 0000000000..571301b935 --- /dev/null +++ b/content/operate/rs/references/rest-api/requests/bdbs/actions/cancel_migrate_slots.md 
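Review bot: the user_manager row's link `[view_all_nodes_alerts](view_all_nodes_alerts)` is missing the `#` anchor prefix, so it resolves to a relative page path instead of the in-page heading; change it to `[view_all_nodes_alerts](#view_all_nodes_alerts)` to match every other entry in that row.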
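Review bot: both rows of the new "Migrate slots" table link with an empty shortcode, `[POST]({{}})`, so neither renders a working link; fill them in with the relref form the sibling rows use, i.e. `{{< relref "./migrate_slots#post-bdbs-actions-migrate-slots" >}}` and `{{< relref "./cancel_migrate_slots#post-bdbs-actions-cancel-migrate-slots" >}}`, which are the anchors the two new pages define.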
@@ -0,0 +1,79 @@ +--- +Title: Cancel migrate slots database action requests +alwaysopen: false +categories: +- docs +- operate +- rs +description: Cancel slot migrations between Redis instances (shards) within a database +headerRange: '[1-2]' +linkTitle: cancel_migrate_slots +weight: $weight +--- + +| Method | Path | Description | +|--------|------|-------------| +| [POST](#post-bdbs-actions-cancel-migrate-slots) | `/v1/bdbs/{uid}/actions/cancel_migrate_slots` | Cancel slot migrations between Redis instances (shards) within a database | + +## Cancel slot migrations {#post-bdbs-actions-cancel-migrate-slots} + +```sh +POST /v1/bdbs/{int: uid}/actions/cancel_migrate_slots +``` + +Cancel slot migrations. If no JSON is provided in the request body, all slot migrations on the current database will be canceled. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [update_bdb_with_action]({{< relref "/operate/rs/references/rest-api/permissions#update_bdb_with_action" >}}) | admin
cluster_member
db_member | + +### Request {#post-request} + +Include the following parameters in the request JSON body to cancel specific slot migrations. If no request body is provided, all slot migrations for the database will be canceled. + +| Field | Type | Description | +|-------|------|-------------| +| slots | string | Slot ranges to cancel migration for. | +| source_shard_uid | string | The unique ID of the source shard. | +| destination_shard_uid | string | The unique ID of the destination shard. | + +#### Example HTTP request + +```sh +POST /v1/bdbs/3/actions/cancel_migrate_slots + +{ + "slots": "0-10,17-18", + "source_shard_uid": "10", + "destination_shard_uid": "11" +} +``` + +#### URL parameters + +| Field | Type | Description | +|-------|------|-------------| +| uid | integer | The unique ID of the database. | + +### Response {#post-response} + +Returns a status indicating that the migration cancellation has been processed. + +#### Example response + +```json +{ + "status": "canceled" +} +``` + +#### Status codes {#post-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Migration canceled successfully. | +| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Invalid request parameters. | +| [404 Not Found](https://www.rfc-editor.org/rfc/rfc9110.html#name-404-not-found) | Database or Redis instance not found. | +| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Internal server error. | diff --git a/content/operate/rs/references/rest-api/requests/bdbs/actions/migrate_slots.md b/content/operate/rs/references/rest-api/requests/bdbs/actions/migrate_slots.md new file mode 100644 index 0000000000..886feb0a39 --- /dev/null +++ b/content/operate/rs/references/rest-api/requests/bdbs/actions/migrate_slots.md 
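Review bot: the `slots` field is typed as a bare string with no format stated, and the request-body table does not say whether all three fields must be sent together when a body is present; document the format the example implies (a comma-separated list of slot ranges such as `0-10,17-18`) and mark which fields are required, since a partially specified body is the case the `400 Bad Request` row has to cover. Separately, `source_shard_uid` and `destination_shard_uid` are quoted strings in the example (`"10"`, `"11"`) while the URL `uid` is an integer; confirm the string type is intended and, if so, say so explicitly so callers do not send integers.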
@@ -0,0 +1,79 @@ +--- +Title: Migrate slots database action requests +alwaysopen: false +categories: +- docs +- operate +- rs +description: Migrate slots between Redis instances (shards) within a database +headerRange: '[1-2]' +linkTitle: migrate_slots +weight: $weight +--- + +| Method | Path | Description | +|--------|------|-------------| +| [POST](#post-bdbs-actions-migrate-slots) | `/v1/bdbs/{uid}/actions/migrate_slots` | Migrate slots between Redis instances (shards) within a database | + +## Migrate slots between shards {#post-bdbs-actions-migrate-slots} + +```sh +POST /v1/bdbs/{int: uid}/actions/migrate_slots +``` + +Migrate slots between Redis instances (shards) within a database. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [update_bdb_with_action]({{< relref "/operate/rs/references/rest-api/permissions#update_bdb_with_action" >}}) | admin
cluster_member
db_member | + +### Request {#post-request} + +Include the following parameters in the request JSON body: + +| Field | Type | Description | +|-------|------|-------------| +| slots | string | Slot ranges to migrate. | +| source_shard_uid | string | The unique ID of the source shard. | +| destination_shard_uid | string | The unique ID of the destination shard. | + +#### Example HTTP request + +```sh +POST /v1/bdbs/3/actions/migrate_slots + +{ + "slots": "0-10,17-18", + "source_shard_uid": "10", + "destination_shard_uid": "11" +} +``` + +#### URL parameters + +| Field | Type | Description | +|-------|------|-------------| +| uid | integer | The unique ID of the database. | + +### Response {#post-response} + +Returns a status indicating that the migration has been initiated. + +#### Example response + +```json +{ + "status": "initiated" +} +``` + +#### Status codes {#post-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Migration initiated successfully. | +| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Invalid request parameters. | +| [404 Not Found](https://www.rfc-editor.org/rfc/rfc9110.html#name-404-not-found) | Database or Redis instance not found. | +| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Internal server error. | diff --git a/content/operate/rs/references/rest-api/requests/cluster/sso.md b/content/operate/rs/references/rest-api/requests/cluster/sso.md new file mode 100644 index 0000000000..49093f0dfe --- /dev/null +++ b/content/operate/rs/references/rest-api/requests/cluster/sso.md 
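Review bot: the response section says the migration "has been initiated" and the example returns `"status": "initiated"`, but the page gives no way to follow the migration afterwards or to learn whether it completed; add a pointer to where progress and the final result are reported, and state what happens when `migrate_slots` is called for slots that are already being migrated (a `400`, queued, or a no-op). The `slots` field has the same gap as on the cancel page: say it is a comma-separated list of slot ranges, as the `0-10,17-18` example shows.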
@@ -0,0 +1,331 @@ +--- +Title: Single sign-on requests +alwaysopen: false +categories: +- docs +- operate +- rs +description: Single sign-on (SSO) configuration requests +headerRange: '[1-2]' +linkTitle: sso +toc: 'true' +weight: $weight +--- + +| Method | Path | Description | +|--------|------|-------------| +| [GET](#get-cluster-sso) | `/v1/cluster/sso` | Get SSO configuration | +| [PUT](#put-cluster-sso) | `/v1/cluster/sso` | Set or update SSO configuration | +| [DELETE](#delete-cluster-sso) | `/v1/cluster/sso` | Clear SSO configuration | +| [GET](#get-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/sp` | Get SAML service provider metadata | +| [POST](#post-cluster-sso-saml-metadata) | `/v1/cluster/sso/saml/metadata/idp` | Upload SAML identity provider metadata | + +## Get SSO configuration {#get-cluster-sso} + + GET /v1/cluster/sso + +Get the single sign-on configuration as JSON. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin
user_manager | + +### Request {#get-request} + +#### Example HTTP request + + GET /v1/cluster/sso + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +### Response {#get-response} + +Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}). + +#### Example JSON body + +```json +{ + "control_plane": true, + "protocol": "saml2", + "enforce_control_plane": false, + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo", + "metadata": "" + }, + "service": { + "address": "https://hostname:port", + "saml2": { + "entity_id": "https://cnm.cluster.fqdn/sp", + "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs", + "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo" + } + } +} +``` + +### Status codes {#get-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | + +## Update SSO configuration {#put-cluster-sso} + + PUT /v1/cluster/sso + +Set or update the cluster single sign-on configuration. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager | + +### Request {#put-request} + +#### Example HTTP request + + PUT /v1/cluster/sso + +#### Example JSON body + +```json +{ + "control_plane": false, + "protocol": "saml2", + "enforce_control_plane": false, + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo" + }, + "service": { + "address": "https://hostname:port" + } +} +``` + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +#### Request body + +Include an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with updated fields in the request body. + +### Response {#put-response} + +Returns a status code. If an error occurs, the response body can include an error code and message with more details. + +### Error codes {#put-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| missing_param | A required parameter is missing while SSO is being enabled | +| missing_certificate | SSO certificate is not found while SSO is being enabled | + +### Status codes {#put-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success, SSO config has been set | +| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing configuration parameters | +| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required certificate | + +## Delete SSO configuration {#delete-cluster-sso} + + DELETE /v1/cluster/sso + +Clear the single sign-on configuration. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager | + +### Request {#delete-request} + +#### Example HTTP request + + DELETE /v1/cluster/sso + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +### Response {#delete-response} + +Returns a status code. + +### Error codes {#delete-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| delete_certificate_error | An error occurred during SSO certificate deletion | + +### Status codes {#delete-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | +| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Error during deletion | + +## Get SAML service provider metadata {#get-cluster-sso-saml-metadata} + + GET /v1/cluster/sso/saml/metadata/sp + +Generates and returns the SAML2 service provider metadata XML. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [view_sso]({{< relref "/operate/rs/references/rest-api/permissions#view_sso" >}}) | admin
user_manager | + +### Request {#get-metadata-request} + +#### Example HTTP request + + GET /v1/cluster/sso/saml/metadata/sp + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/samlmetadata+xml | Accepted media type | + +### Response {#get-metadata-response} + +Returns SAML2 service provider metadata as XML. + +#### Example response body + +```xml + + + ... + +``` + +### Error codes {#get-metadata-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| missing_certificate | Service certificate is missing | +| saml_metadata_generation_error | An error occurred while generating the XML metadata | + +### Status codes {#get-metadata-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | +| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate | +| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Unexpected error when generating metadata | + +## Upload SAML identity provider metadata {#post-cluster-sso-saml-metadata} + + POST /v1/cluster/sso/saml/metadata/idp + +Uploads and validates the SAML2 identity provider metadata XML. + +#### Required permissions + +| Permission name | Roles | +|-----------------|-------| +| [config_sso]({{< relref "/operate/rs/references/rest-api/permissions#config_sso" >}}) | admin
user_manager | + +### Request {#post-metadata-request} + +#### Example HTTP request + + POST /v1/cluster/sso/saml/metadata/idp + +#### Example JSON body + +```json +{ + "idp_metadata": "YWp3cjkwcHR1eWF3MHJ0eTkwYXc0eXQwOW4..." +} +``` + +#### Request headers + +| Key | Value | Description | +|-----|-------|-------------| +| Host | cnm.cluster.fqdn | Domain name | +| Accept | application/json | Accepted media type | + +#### Request body + +| Name | Type/Value | Description | +|------|------------|-------------| +| idp_metadata | string | Base64-encoded SAML2 identity provider metadata XML | + +### Response {#post-metadata-response} + +Returns an [SSO object]({{< relref "/operate/rs/references/rest-api/objects/sso" >}}) with the updated configuration. + +#### Example JSON body + +```json +{ + "control_plane": true, + "protocol": "saml2", + "enforce_control_plane": false, + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo" + }, + "service": { + "saml2": { + "entity_id": "https://cnm.cluster.fqdn/sp", + "acs_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/acs", + "slo_url": "https://cnm.cluster.fqdn/v1/cluster/sso/saml/slo" + } + } +} +``` + +### Error codes {#post-metadata-error-codes} + +Possible `error_code` values: + +| Code | Description | +|------|-------------| +| saml_metadata_validation_error | IdP metadata failed configuration validation checks | +| saml_metadata_parsing_error | IdP metadata is not a valid base64-encoded XML | +| missing_certificate | SSO certificate is not found while SSO is being enabled | + +### Status codes {#post-metadata-status-codes} + +| Code | Description | +|------|-------------| +| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Success | +| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Bad or missing parameters | +| [406 Not 
Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Missing required service certificate | diff --git a/content/operate/rs/references/rest-api/requests/migrations/_index.md b/content/operate/rs/references/rest-api/requests/migrations/_index.md index 4d1b791287..ade34ab4f0 100644 --- a/content/operate/rs/references/rest-api/requests/migrations/_index.md +++ b/content/operate/rs/references/rest-api/requests/migrations/_index.md @@ -58,12 +58,26 @@ Returns a JSON array with all data required by the migration orchestrator. #### Example response body ```json -"migration": { - "status": "foo", - "lag": 123, - "run_id": "5", - "flush_counter": 2, - "source_shards": [{"replication_id": "1", "replication_offset": 2}] +{ + "migration": { + "status": "string", + "lag": 0, + "rdb_size": 0, + "rdb_transferred": 0, + "run_id": "string", + "flush_counter": 0, + "source_shards": [ + { + "replication_id": "string", + "replication_offset": 0 + } + ], + "error": { + "error_code": "string", + "message": "string", + "timestamp": "2019-08-24T14:15:22Z" + } + } } ``` diff --git a/content/operate/rs/release-notes/rs-8-0-releases/_index.md b/content/operate/rs/release-notes/rs-8-0-releases/_index.md index 50e14ac8e2..8c28720824 100644 --- a/content/operate/rs/release-notes/rs-8-0-releases/_index.md +++ b/content/operate/rs/release-notes/rs-8-0-releases/_index.md @@ -193,7 +193,7 @@ The following table provides a snapshot of supported platforms as of this Redis ## Known issues -- RS131972: Creating an ACL that contains a line break in the Cluster Manager UI can cause shard migration to fail due to ACL errors. +- RS131972: Creating an ACL that contains a line break in the Cluster Manager UI can cause shard migration to fail due to ACL errors. This issue was fixed in Redis Enterprise Software version 8.0.6. - RS155734: Endpoint availability metrics do not work as expected due to a calculation error. 
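Review bot: the "Required permissions" tables on this page disagree with the permissions page in the same change: `config_sso` is listed here with roles `admin` and `user_manager`, but the permissions table grants `config_sso` to `admin` only, and `view_sso` is listed here with `admin` and `user_manager` while the permissions table grants it to all six roles (`cluster_member`, `cluster_viewer`, `db_member` and `db_viewer` as well). Pick one source of truth and align both; for `config_sso` the narrower `admin`-only grant is the safer reading, since `PUT /v1/cluster/sso` sets the issuer login and logout URLs and can enforce SSO for every non-admin user. Two smaller points: the `missing_certificate` rows (PUT and both metadata endpoints) do not say which certificate is required or how to install it, so a link to the certificates reference would help; and the SP metadata example response body, as shown here, contains only `...`, so at minimum the root element and its entity ID attribute should appear.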
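Review bot: the sentence above the example still reads "Returns a JSON array with all data required by the migration orchestrator", but the corrected example is a JSON object keyed by `migration`, so update the lead-in to say "JSON object". The body also mixes placeholder type names (`"string"`, `0`) with one literal value (`"timestamp": "2019-08-24T14:15:22Z"`); either use realistic sample values throughout or placeholders throughout, and document the new `error` object's fields (`error_code`, `message`, `timestamp`) in the response description so readers know when it is present.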
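Review bot: the appended sentence "This issue was fixed in Redis Enterprise Software version 8.0.6." keeps a resolved item under "Known issues" for 8.0; either drop the entry (it is already listed under "Resolved issues" in the 8.0.6 notes added in this change) or keep it and link to the 8.0.6 release notes so readers land on the fix.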
diff --git a/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-tba.md b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-tba.md new file mode 100644 index 0000000000..04d8d1319d --- /dev/null +++ b/content/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-tba.md 
@@ -0,0 +1,417 @@ +--- +Title: Redis Enterprise Software release notes 8.0.6-tba (December 2025) +alwaysopen: false +categories: +- docs +- operate +- rs +compatibleOSSVersion: Redis 8.2.1, 8.0.2, 7.4.3, 7.2.7, 6.2.13 +description: Single sign-on for the Cluster Manager UI. Slot migration API. Error reports for Replica Of migration status. +linkTitle: 8.0.6-tba (December 2025) +weight: 88 +--- + +​[​Redis Enterprise Software version 8.0.6](https://redis.io/downloads/#Redis_Software) is now available! This release includes API enhancements that warranted a new minor version instead of a maintenance release for version 8.0.2. However, you can upgrade from 8.0.2 to 8.0.6 without issue. + +## Highlights + +This version offers: + +- Single sign-on for the Cluster Manager UI + +- Slot migration API + +- Error reports for Replica Of migration status + +## New in this release + +### New features + +#### Single sign-on for the Cluster Manager UI {#sso} + +Redis Enterprise Software now supports IdP-initiated and SP-initiated single sign-on (SSO) with SAML (Security Assertion Markup Language) 2.0 for the Cluster Manager UI. + +When SSO is activated: + +- Users can sign in to the Redis Enterprise Software Cluster Manager UI using their identity provider (IdP) instead of usernames and passwords. + +- Optionally, you can enforce SSO for the cluster, which means non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead. + +- With just-in-time (JIT) user provisioning, Redis Enterprise Software automatically creates a user account the first time a new user signs in with SSO. + +For more information and setup instructions, see [SAML single sign-on]({{}}). + +Known limitation: You cannot change the default service provider address using the Cluster Manager UI. You can only change this address using a REST API request. 
+ +#### Slot migration API + +New database actions allow you to migrate and cancel slot migrations between Redis instances (shards) within a database. See the REST API references for [migrate slots]({{}}) and [cancel slot migrations]({{}}) for details. + +### Enhancements + +- Added error report to Replica Of [migration status]({{}}) REST API responses. + +### Redis database versions + +Redis Enterprise Software version 8.0.6 includes five Redis database versions: 8.2.1, 8.0.2, 7.4.3, 7.2.7, and 6.2.13. + +The [default Redis database version]({{}}) is 8.2. + +### Redis feature sets + +Redis Enterprise Software includes multiple feature sets, compatible with different Redis database versions. + +The following table shows which Redis modules are compatible with each Redis database version included in this release. + +| Redis database version | Compatible Redis modules | +|------------------------|--------------------------| +| 8.2 | RediSearch 8.2
RedisJSON 8.2
RedisTimeSeries 8.2
RedisBloom 8.2
See [What's new in Redis 8.2]({{}}) and [Redis Open Source 8.2 release notes]({{}}) | +| 8.0 | RediSearch 8.0
RedisJSON 8.0
RedisTimeSeries 8.0
RedisBloom 8.0
See [What's new in Redis 8.0]({{}}) and [Redis Open Source 8.0 release notes]({{}}) | +| 7.4 | [RediSearch 2.10]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.10-release-notes.md" >}})
[RedisJSON 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.8-release-notes.md" >}})
[RedisTimeSeries 1.12]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.12-release-notes.md" >}})
[RedisBloom 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.8-release-notes.md" >}}) | +| 7.2 | [RediSearch 2.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.8-release-notes.md" >}})
[RedisJSON 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.6-release-notes.md" >}})
[RedisTimeSeries 1.10]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.10-release-notes.md" >}})
[RedisBloom 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.6-release-notes.md" >}}) | +| 6.2 | [RediSearch 2.6]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisearch/redisearch-2.6-release-notes.md" >}})
[RedisJSON 2.4]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisjson/redisjson-2.4-release-notes.md" >}})
[RedisTimeSeries 1.8]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redistimeseries/redistimeseries-1.8-release-notes.md" >}})
[RedisBloom 2.4]({{< relref "/operate/oss_and_stack/stack-with-enterprise/release-notes/redisbloom/redisbloom-2.4-release-notes.md" >}}) | + +### Resolved issues + +- RS131972: Fixed an issue where creating an ACL that contains a line break in the Cluster Manager UI could cause shard migration to fail due to ACL errors. + +- RS140424: Fixed an issue where configuration changes initiated topology updates even if the topology did not change. + +- RS144636: Improved support package generation to collect available database information even when some data collection steps fail. + +- RS162503: Fixed an issue where force-removed Active-Active database instances could not be re-added as participating members without purging. + +- RS155782: Improved logs and added validation to ensure operations are properly queued and prevent stuck state machines. + +- RS167151: Improved reliability of node removal operations by increasing retry attempts for failover and reshard operations. + +- RS167280: Fixed an issue where a subset of shards on a restarted node could fail to start due to temporary connection issues. + +- RS172813: Improved logging for Active-Active database failover scenarios to provide better visibility into data recovery processes. + +- RS173195: Fixed an issue where cluster operations could fail when attempting to communicate with unreachable nodes. + +- RS174154: Fixed an issue where EntraID authentication service was not properly enabled despite being configured and running. + +- RS174819: Fixed an issue where duplicate syncers could spawn on the same node. + +- RS176400: Fixed an issue where Google Cloud Storage backup locations could be set to the incorrect type when configured in the Cluster Manager UI. + +- RS165983: Fixed an issue where an incorrect value was printed for `region_name` in the event log. + +## Version changes + +### Supported platforms + +The following table provides a snapshot of supported platforms as of this Redis Enterprise Software release. 
See the [supported platforms reference]({{< relref "/operate/rs/references/supported-platforms" >}}) for more details about operating system compatibility. + + Supported – The platform is supported for this version of Redis Enterprise Software and Redis Stack modules. + +:warning: Deprecation warning – The platform is still supported for this version of Redis Enterprise Software, but support will be removed in a future release. + +| Redis Software
major versions | 8.0 | 7.22 | 7.8 | 7.4 | 7.2 | 6.4 | 6.2 | +|---------------------------------|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:|:-----:| +| **Release date** | Oct 2025 | May 2025 | Nov 2024 | Feb 2024 | Aug 2023 | Feb 2023 | Aug 2021 | +| [**End-of-life date**]({{< relref "/operate/rs/installing-upgrading/product-lifecycle#endoflife-schedule" >}}) | Determined after
next major release | Oct 2027 | May 2027 | Nov 2026 | Feb 2026 | Aug 2025 | Feb 2025 | +| **Platforms** | | | | | | | | +| RHEL 9 &
compatible distros[1](#table-note-1) | | | | | – | – | – | +| RHEL 9
FIPS mode[5](#table-note-5) | | | | – | – | – | – | +| RHEL 8 &
compatible distros[1](#table-note-1) | | | | | | | | +| RHEL 7 &
compatible distros[1](#table-note-1) | – | – | – | – | :warning: | | | +| Ubuntu 22.04[2](#table-note-2) | | | | – | – | – | – | +| Ubuntu 20.04[2](#table-note-2) | | | | | | | – | +| Ubuntu 18.04[2](#table-note-2) | – | – | – | :warning: | :warning: | | | +| Ubuntu 16.04[2](#table-note-2) | – | – | – | – | :warning: | | | +| Amazon Linux 2 | | | | | | | – | +| Amazon Linux 1 | – | – | – | – | | | | +| Kubernetes[3](#table-note-3) | | | | | | | | +| Docker[4](#table-note-4) | | | | | | | | + +1. The RHEL-compatible distributions CentOS, CentOS Stream, Alma, and Rocky are supported if they have full RHEL compatibility. Oracle Linux running the Red Hat Compatible Kernel (RHCK) is supported, but the Unbreakable Enterprise Kernel (UEK) is not supported. + +2. The server version of Ubuntu is recommended for production installations. The desktop version is only recommended for development deployments. + +3. See the [Redis Enterprise for Kubernetes documentation]({{< relref "/operate/kubernetes/reference/supported_k8s_distributions" >}}) for details about support per version and Kubernetes distribution. + +4. [Docker images]({{< relref "/operate/rs/installing-upgrading/quickstarts/docker-quickstart" >}}) of Redis Enterprise Software are certified for development and testing only. + +5. Supported only if [FIPS was enabled during RHEL installation](https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/switching-rhel-to-fips-mode_security-hardening#proc_installing-the-system-with-fips-mode-enabled_switching-rhel-to-fips-mode) to ensure FIPS compliance. 
+ +## Downloads + +The following table shows the SHA256 checksums for the available packages: + +| Package | SHA256 checksum (8.0.6-tba December release) | +|---------|---------------------------------------| +| Ubuntu 20 | | +| Ubuntu 22 (amd64) | | +| Ubuntu 22 (arm64) | | +| Red Hat Enterprise Linux (RHEL) 8 | | +| Red Hat Enterprise Linux (RHEL) 9 | | +| Amazon Linux 2 | | + +## Known issues + +- RS155734: Endpoint availability metrics do not work as expected due to a calculation error. + +## Known limitations + +#### Cannot change SP address for SSO in the Cluster Manager UI + +You cannot change the default service provider address using the Cluster Manager UI. You can only change this address using a REST API request. + +#### Rolling upgrade limitation for clusters with custom or deprecated modules + +Due to module handling changes introduced in Redis Enterprise Software version 8.0, upgrading a cluster that contains custom or deprecated modules, such as RedisGraph and RedisGears v2, can become stuck when adding a new node to the cluster during a rolling upgrade. + +#### Module commands limitation during Active-Active database upgrades to Redis 8.0 + +When upgrading an Active-Active database to Redis version 8.0, you cannot use module commands until all Active-Active database instances have been upgraded. Currently, these commands are not blocked automatically. + +#### Redis 8.0 database cannot be created with flash + +You cannot create a Redis 8.0 database with flash storage enabled. Create a Redis 8.0 database with RAM-only storage instead, or use Redis 8.2 for flash-enabled (Redis Flex) databases. + +#### Cluster Manager UI limitations + +The following legacy UI features are not yet available in the new Cluster Manager UI: + +- Purge an Active-Active instance. + + Use [`crdb-cli crdb purge-instance`]({{< relref "/operate/rs/references/cli-utilities/crdb-cli/crdb/purge-instance" >}}) instead. + +- Search and export the log. 
+ +## Security + +#### Redis Open Source security fixes compatibility + +As part of Redis's commitment to security, Redis Enterprise Software implements the latest [security fixes](https://github.com/redis/redis/releases) available with [Redis Open Source](https://github.com/redis/redis). Redis Enterprise Software has already included the fixes for the relevant CVEs. + +Some CVEs announced for Redis Open Source do not affect Redis Enterprise Software due to different or additional functionality available in Redis Enterprise Software that is not available in Redis Open Source. + +Redis Enterprise Software 8.0.6-tba supports Redis Open Source 8.2, 8.0, 7.4, 7.2, and 6.2. Below is the list of Redis Open Source CVEs and other security vulnerabilities fixed by version. + +Redis 8.2.x: + +- RedisBloom: Restore invalid filter. + +- (CVE-2025-62507) A user can run the `XACKDEL` command with multiple IDs and trigger a stack buffer overflow, which can potentially lead to remote code execution. + +- The `HGETEX` command can lead to a buffer overflow. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. 
+ +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +Redis 8.0.x: + +- RedisBloom: Restore invalid filter. + +- The `HGETEX` command can lead to a buffer overflow. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +Redis 7.4.x: + +- RedisBloom: Restore invalid filter. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. 
+ +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution. + +- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service. + +Redis 7.2.x: + +- RedisBloom: Restore invalid filter. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. + +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. 
+ +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution. + +- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service. + +- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. + +- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. + +- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution. + +- (CVE-2023-41053) Redis does not correctly identify keys accessed by `SORT_RO` and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.2.1) + +Redis 7.0.x: + +- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. 
+ +- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. + +- (CVE-2023-41056) In some cases, Redis may incorrectly handle resizing of memory buffers, which can result in incorrect accounting of buffer sizes and lead to heap overflow and potential remote code execution. + +- (CVE-2023-41053) Redis does not correctly identify keys accessed by `SORT_RO` and, as a result, may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. (Redis 7.0.13) + +- (CVE-2023-36824) Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. Specifically: using `COMMAND GETKEYS*` and validation of key names in ACL rules. (Redis 7.0.12) + +- (CVE-2023-28856) Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access. (Redis 7.0.11) + +- (CVE-2023-28425) Specially crafted `MSETNX` commands can lead to assertion and denial-of-service. (Redis 7.0.10) + +- (CVE-2023-25155) Specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 7.0.9) + +- (CVE-2023-22458) Integer overflow in the Redis `HRANDFIELD` and `ZRANDMEMBER` commands can lead to denial-of-service. (Redis 7.0.8) + +- (CVE-2022-36021) String matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis can cause it to hang and consume 100% CPU time. 
(Redis 7.0.9) + +- (CVE-2022-35977) Integer overflow in the Redis `SETRANGE` and `SORT`/`SORT_RO` commands can drive Redis to OOM panic. (Redis 7.0.8) + +- (CVE-2022-35951) Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument, may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.5) + +- (CVE-2022-31144) A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in heap overflow and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer. (Redis 7.0.4) + +- (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 7.0.12) + +- (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the `redis-server` process. This issue affects all versions of Redis. (Redis 7.0.0) + +- (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 7.0.0) + +Redis 6.2.x: + +- RedisBloom: Restore invalid filter. + +- Integer overflow in `hllPatLen`. + +- RedisBloom: Cuckoo filter counter overflow. + +- RedisBloom: Invalid Bloom filters can cause arbitrary memory reads and writes. + +- RedisBloom: Reachable assert in `TopK_Create` + +- RedisBloom: Out-of-bounds access with empty Bloom chains. + +- RedisBloom: Division by zero in Cuckoo filter insertion. 
+ +- (CVE-2025-46818) An authenticated user may use a specially crafted Lua script to manipulate different LUA objects and potentially run their own code in the context of another user. + +- (CVE-2025-46819) An authenticated user may use a specially crafted LUA script to read out-of-bound data or crash the server and lead to subsequent denial of service. + +- (CVE-2025-46817) An authenticated user may use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution. + +- (CVE-2025-49844) An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution. + +- (CVE-2025-32023) An authenticated user can use a specially crafted string to trigger a stack/heap out-of-bounds write on HyperLogLog operations, which can lead to remote code execution. + +- (CVE-2025-21605) An unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is terminated, which can lead to denial-of-service. + +- (CVE-2024-31449) An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. + +- (CVE-2024-31228) An authenticated user can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`, and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crashes. + +- (CVE-2023-28856) Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access. 
(Redis 6.2.12) + +- (CVE-2023-25155) Specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. (Redis 6.2.11) + +- (CVE-2023-22458) Integer overflow in the Redis `HRANDFIELD` and `ZRANDMEMBER` commands can lead to denial-of-service. (Redis 6.2.9) + +- (CVE-2022-36021) String matching commands (like `SCAN` or `KEYS`) with a specially crafted pattern to trigger a denial-of-service attack on Redis can cause it to hang and consume 100% CPU time. (Redis 6.2.11) + +- (CVE-2022-35977) Integer overflow in the Redis `SETRANGE` and `SORT`/`SORT_RO` commands can drive Redis to OOM panic. (Redis 6.2.9) + +- (CVE-2022-24834) A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. (Redis 6.2.13) + +- (CVE-2022-24736) An attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result in a crash of the `redis-server` process. This issue affects all versions of Redis. (Redis 6.2.7) + +- (CVE-2022-24735) By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. (Redis 6.2.7) + +- (CVE-2021-41099) Integer to heap buffer overflow handling certain string commands and network payloads, when `proto-max-bulk-len` is manually configured to a non-default, very large value. (Redis 6.2.6) + +- (CVE-2021-32762) Integer to heap buffer overflow issue in `redis-cli` and `redis-sentinel` parsing large multi-bulk replies on some older and less common platforms. 
(Redis 6.2.6) + +- (CVE-2021-32761) An integer overflow bug in Redis version 2.2 or newer can be exploited using the `BITFIELD` command to corrupt the heap and potentially result with remote code execution. (Redis 6.2.5) + +- (CVE-2021-32687) Integer to heap buffer overflow with intsets, when `set-max-intset-entries` is manually configured to a non-default, very large value. (Redis 6.2.6) + +- (CVE-2021-32675) Denial Of Service when processing RESP request payloads with a large number of elements on many connections. (Redis 6.2.6) + +- (CVE-2021-32672) Random heap reading issue with Lua Debugger. (Redis 6.2.6) + +- (CVE-2021-32628) Integer to heap buffer overflow handling ziplist-encoded data types, when configuring a large, non-default value for `hash-max-ziplist-entries`, `hash-max-ziplist-value`, `zset-max-ziplist-entries` or `zset-max-ziplist-value`. (Redis 6.2.6) + +- (CVE-2021-32627) Integer to heap buffer overflow issue with streams, when configuring a non-default, large value for `proto-max-bulk-len` and `client-query-buffer-limit`. (Redis 6.2.6) + +- (CVE-2021-32626) Specially crafted Lua scripts may result with Heap buffer overflow. (Redis 6.2.6) + +- (CVE-2021-32625) An integer overflow bug in Redis version 6.0 or newer can be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. (Redis 6.2.4) + +- (CVE-2021-29478) An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration value, creating a large set key that consists of integer values and using the COPY command to duplicate it. The integer overflow bug exists in all versions of Redis starting with 2.6, where it could result with a corrupted RDB or DUMP payload, but not exploited through COPY (which did not exist before 6.2). 
(Redis 6.2.3) + +- (CVE-2021-29477) An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. (Redis 6.2.3) diff --git a/content/operate/rs/security/_index.md b/content/operate/rs/security/_index.md index 9e128f82be..c4ce2bc129 100644 --- a/content/operate/rs/security/_index.md +++ b/content/operate/rs/security/_index.md @@ -19,6 +19,7 @@ Redis Enterprise Software provides various features to secure your Redis Enterpr | [Password expiration]({{}}) | [Create roles]({{}}) | [Configure cipher suites]({{}}) | [Update certificates]({{}}) | | [Default database access]({{}}) | [Redis ACLs]({{}}) | [Encrypt private keys on disk]({{}}) | [Enable OCSP stapling]({{}}) | | [Rotate user passwords]({{}}) | [Integrate with LDAP]({{}}) | [Internode encryption]({{}}) | [Audit database connections]({{}}) | +| [Single sign-on (SSO)]({{}}) | | | | ## Recommended security practices diff --git a/content/operate/rs/security/access-control/create-users.md b/content/operate/rs/security/access-control/create-users.md index 2c1b87f603..24a8e88e60 100644 --- a/content/operate/rs/security/access-control/create-users.md +++ b/content/operate/rs/security/access-control/create-users.md @@ -30,6 +30,10 @@ To add a user to the cluster: {{Create user panel with fields for username, email, password, and alerts.}} + {{< note >}} +To use [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}), users must have email addresses. + {{< /note >}} + 1. Select the **Alerts** the user should receive by email: - **Receive alerts for databases** - The alerts that are enabled for the selected databases will be sent to the user. Choose **All databases** or **Customize** to select the individual databases to send alerts for. 
diff --git a/content/operate/rs/security/access-control/saml-sso.md b/content/operate/rs/security/access-control/saml-sso.md new file mode 100644 index 0000000000..48363490bb --- /dev/null +++ b/content/operate/rs/security/access-control/saml-sso.md 
@@ -0,0 +1,443 @@ +--- +Title: SAML single sign-on +alwaysopen: false +categories: +- docs +- operate +- rs +description: Set up single sign-on with SAML for the Redis Enterprise Software Cluster Manager UI. +hideListLinks: true +linkTitle: SAML SSO +weight: 60 +--- + + +Redis Enterprise Software supports both [IdP-initiated](#idp-initiated-sso) and [SP-initiated](#sp-initiated-sso) [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) with [SAML (Security Assertion Markup Language)](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) for the Cluster Manager UI. Redis Enterprise Software uses SAML 2.0, which is the latest SAML version and an industry standard. + +You cannot use [SCIM (System for Cross-domain Identity Management)](https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management) to provision Redis Enterprise Software users. However, Redis Enterprise Software supports just-in-time (JIT) user provisioning, which means Redis Enterprise Software automatically creates a user account the first time a new user signs in with SSO. + +## SSO overview + +When single sign-on is activated, users can sign in to the Redis Enterprise Software Cluster Manager UI using their [identity provider (IdP)](https://en.wikipedia.org/wiki/Identity_provider) instead of usernames and passwords. If [SSO is enforced](#enforce-sso), non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead. + +Before users can sign in to the Cluster Manager UI with SSO, the identity provider admin needs to set up these users on the IdP side with matching email addresses. + +With just-in-time (JIT) user provisioning, Redis Enterprise Software automatically creates user accounts for new users assigned to the SAML application in your identity provider when they sign in to the Cluster Manager UI for the first time. 
For these users, you must configure the `redisRoleMapping` attribute in your identity provider to assign appropriate roles for [role-based access control]({{}}) during account creation. + +### IdP-initiated SSO + +With IdP-initiated single sign-on, you can select the Redis Enterprise Software application after you sign in to your [identity provider (IdP)](https://en.wikipedia.org/wiki/Identity_provider). This redirects you to the Redis Enterprise Software Cluster Manager UI and signs you in. + +### SP-initiated SSO + +You can also initiate single sign-on from the Redis Enterprise Software Cluster Manager UI. This process is known as [service provider (SP)](https://en.wikipedia.org/wiki/Service_provider)-initiated single sign-on. + +On the Redis Enterprise Software Cluster Manager UI's sign-in screen, click **Sign in with SSO**. + +- If you already have an active SSO session with your identity provider, this signs you in. + +- Otherwise, the SSO flow redirects you to your identity provider's sign in screen. Enter your IdP user credentials to sign in. This redirects you back to the Redis Enterprise Software Cluster Manager UI and automatically signs you in. + +Authentication requests expire after 3 minutes. + +## IdP requirements + +You can use any identity provider to integrate with Redis Enterprise Software as long as it supports the following: + +- [SAML](https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language) 2.0 protocol. + +- Signed SAML responses since Redis Enterprise Software will not accept any unsigned SAML responses. + +- HTTP-Redirect binding for SP-initiated SSO. + +- HTTP-POST binding for SAML assertions. + +## Set up SAML SSO + +To set up SAML single sign-on for a Redis Enterprise Software cluster: + +1. [Upload the service provider certificate and private key](#upload-sp-certificate). + +1. [Download the service provider metadata](#download-sp-metadata). + +1. 
[Set up a SAML app](#set-up-app) to integrate Redis Enterprise Software with your identity provider. + +1. [Download identity provider metadata](#download-idp-metadata). + +1. [Configure SAML identity provider in Redis Enterprise Software](#configure-idp-metadata). + +1. [Assign the SAML app to existing users](#assign-saml-app-to-existing-users). + +1. [Activate SSO](#activate-sso). + +### Upload SP certificate + +1. Create a service provider certificate for Redis Enterprise Software. See [Create certificates ]({{}}) for instructions. + +1. Upload the service provider certificate and key to the Redis Enterprise Software cluster: + + {{< multitabs id="upload-sp-cert" + tab1="Cluster Manager UI" + tab2="REST API" >}} + +1. Sign in to the Redis Enterprise Software Cluster Manager UI using admin credentials. + +1. Go to **Access Control > Single Sign-On**. + + The single sign-on configuration screen. + +1. In the **Service Provider (Redis) metadata** section, find **Service-provider's public certificate + private key** and click **Upload**. + +1. Enter or upload the private key and certificate for your service provider. + +1. Click **Upload** to save. + +-tab-sep- + +To upload a certificate using the REST API, use an [update cluster certificates]({{}}) request. + +```sh +PUT https://:/v1/cluster/certificates +{ + "certificates": [ + { + "name": "", + "certificate": "sso_service", + "key": "" + } + ] +} +``` + + {{< /multitabs >}} + +### Download SP metadata + +You need to download the service provider metadata for Redis Enterprise Software and use it to configure the SAML integration app for your identity provider. + +{{< multitabs id="download-sp-metadata" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To download the service provider's metadata using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. 
In the **Service Provider (Redis) metadata** section, click the following buttons to download the service provider files needed to set up a SAML app: + + 1. **Public certificate** + + 1. **Metadata file** + + The service provider Redis metadata section. + +1. Optionally copy the following values for future SAML app setup in the identity provider. You can also find these values in the service provider's metadata file. + + 1. **SP entity ID**: `https:///sp` + + 1. **Assertion Consumer Service (ACS)**: `https://:8443/cluster/sso/saml/acs` + + 1. **Single Logout Service**: `https://:8443/cluster/sso/saml/slo` + +-tab-sep- + +To download the service provider's metadata using the REST API, use a [get SAML service provider metadata]({{}}) request. + +```sh +GET https://:/v1/cluster/sso/saml/metadata/sp +``` + +{{< /multitabs >}} + +Here's an abridged example of the service provider metadata XML: + +```xml + + ... + + ... + + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + Redis Cluster Enterprise - + Redis Cluster Enterprise SSO + + + + + + + +``` + +See [Metadata for the OASIS Security +Assertion Markup Language (SAML) +V2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf) for more information about the metadata fields. + +{{< note >}} +Redis Enterprise Software metadata expiration time is equivalent to the SSO service certificate's expiration time. The service provider metadata will only change if the service address used for the Assertion Consumer Service (ACS) and the single logout (SLO) URL is modified. +{{< /note >}} + +### Set up SAML app {#set-up-app} + +Set up a SAML app to integrate Redis Enterprise Software with your identity provider: + +1. Sign in to your identity provider's admin console. + +1. Create or add a SAML integration app for the service provider Redis Enterprise Software. For detailed setup instructions, see your identity provider's documentation. + +1. Configure the SAML app with the service provider metadata. 
+ + - Some identity providers let you upload the XML file directly. + + - Others require you to manually configure the service provider app with specific metadata fields, such as: + + | Setting | Value | Description | + |---------|-------|-------------| + | Audience URI (SP Entity ID) | `https://:8443/sp` | Unique URL that identifies the Redis Enterprise Software service provider.

Copy the **SP entity ID** from the **Access Control > Single Sign-On** page in the Cluster Manager UI or `EntityDescriptor`'s `entityID` in the metadata XML. | + | Single sign-on URL | `https://:8443/cluster/sso/saml/acs` | The service provider endpoint where the identity provider sends a SAML assertion that authenticates a user.

Copy the **Assertion Consumer Service (ACS)** from the **Access Control > Single Sign-On** page in the Cluster Manager UI or `AssertionConsumerService`'s `Location` in the metadata XML. | + | Name ID format | EmailAddress | | + | Application username | Email | | + +1. For the signature certificate, upload the Service Provider (Redis) public certificate. + +1. Enable signed requests. + +1. Optionally, you can enable single log-out (SLO) to allow users to automatically sign out of the the identity provider when they sign out of the Redis Enterprise Software Cluster Manager UI. Copy the **Single Logout Service** from the **Access Control > Single Sign-On** page in the Cluster Manager UI (`https://:8443/cluster/sso/saml/slo`) and configure it in the SAML app. + + {{< note >}} +Redis Enterprise Software only supports SP-initiated logout, where the user logs out from the Redis Enterprise Software Cluster Manager UI. IdP-initiated logout requests are not supported. + {{< /note >}} + +1. Set up your SAML service provider app so the SAML assertion contains the following attributes: + + | Attribute name (case-sensitive) | Description | + |-------------------------------------------|-------------| + | firstName | User's first name | + | lastName | User's last name | + | email | User's email address (used as the username in the Redis Enterprise Software Cluster Manager UI) | + | redisRoleMapping | String array that includes the role UID for role-based access control in Redis Enterprise Software. Only used for just-in-time (JIT) user provisioning. If a user already exists in Redis Enterprise Software, this attribute is ignored and their existing roles are preserved. | + + {{}} +To confirm the identity provider's SAML assertions contain the required attributes, you can use a SAML-tracer web developer tool to inspect them. + {{}} + +1. 
Set up any additional configuration required by your identity provider to ensure you can configure the `redisRoleMapping` attribute for SAML users. + + If your identity provider lets you configure custom attributes with workflows or group rules, you can set up automation to configure the `redisRoleMapping` field automatically instead of manually. + +### Download IdP metadata + +After you create the SAML app in your identity provider, retrieve the following information: + +| Setting | Description | +|---------|-------------| +| Issuer (IdP entity ID) | The unique entity ID for the identity provider | +| IdP server URL | The identity provider's HTTPS URL for SAML SSO | +| Single logout URL | The URL used to sign out of the identity provider and connected apps (optional) | +| Assertion signing certificate | Public SHA-256 certificate used to validate SAML assertions from the identity provider | + +You will use this certificate and metadata to configure the identity provider metadata in Redis Enterprise Software. To find these metadata values, see your identity provider's documentation. + +### Configure IdP metadata in Redis Enterprise Software {#configure-idp-metadata} + +After you set up the SAML integration app, you need to configure the identity provider metadata in your Redis Enterprise Software cluster. + +{{< multitabs id="configure-idp-metadata" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +1. Sign in to the Redis Enterprise Software Cluster Manager UI using admin credentials. + +1. Go to **Access Control > Single Sign-On**. + +1. In the **Identity Provider metadata** section, click **Edit**. + +1. Enter the **Identity Provider metadata** settings. + + The identity provider metadata dialog. + +1. Click **Save**. + +-tab-sep- + +1. Upload your SAML app's assertion signing certificate using an [update cluster certificates]({{}}) REST API request. 
+ + ```sh + PUT https://:/v1/cluster/certificates + { + "certificates": [ + { + "name": "", + "certificate": "sso_issuer", + "key": "" + } + ] + } + ``` + +1. Configure the identity provider metadata using an [update SSO configuration]({{}}) REST API request. + + ```sh + PUT https://:/v1/cluster/sso + { + "protocol": "saml2", + "issuer": { + "id": "urn:sso:example:idp", + "login_url": "https://idp.example.com/sso/saml", + "logout_url": "https://idp.example.com/sso/slo" + } + } + ``` + +{{< /multitabs >}} + +### Assign SAML app to existing users + +In the identity provider's admin console: + +1. Create user profiles in the identity provider for existing Redis Enterprise Software users. Make sure each user's email address matches in the identity provider and Redis Enterprise Software. + + {{}} +You do not need to configure the `redisRoleMapping` attribute for existing Redis Enterprise Software users. Their current roles will be preserved, and the `redisRoleMapping` attribute is ignored if provided. + {{}} + +2. Assign the new SAML integration app to each user. + +See your identity provider's documentation for detailed instructions. + +### Activate SSO {#activate-sso} + +After you finish the required SAML SSO configuration between your identity provider and Redis Enterprise Software cluster, you can activate SSO. + +{{< multitabs id="activate-sso" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To activate single sign-on using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. Click **Activate SSO**. + +-tab-sep- + +To activate single sign-on using the REST API, use an [update SSO configuration]({{}}) request. + +```sh +PUT https://:/v1/cluster/sso +{ + "control_plane": true +} +``` + +{{< /multitabs >}} + +## Add new users with JIT provisioning + +After single sign-on is activated for Redis Enterprise Software, you can create new Redis Enterprise Software users on the identity provider side using just-in-time (JIT) provisioning. + +1. 
In the identity provider's admin console, create a new user profile with a valid email address. See your identity provider's documentation for detailed instructions. + +1. Configure the `redisRoleMapping` and assign a Redis Enterprise Software role UID to the user. + + {{}} +To see a list of available role UIDs in your cluster, use a REST API request to [get all roles]({{}}): + +```sh +GET https://:/v1/roles +``` + {{}} + +1. Assign the new SAML integration app to the user. + +1. Redis Enterprise Software will create a new user with the mapped role the first time the new user signs in to the Cluster Manager UI using SSO. + + +## Enforce SSO + +If SSO is enforced for the cluster, non-admin users can no longer sign in with their previous usernames and passwords and must use SSO instead. + +{{< multitabs id="enforce-sso" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To enforce single sign-on using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. Find **Fallback behavior** and click **Edit**. + +1. Select **Enforce SSO-only login**. + + Enforce SSO-only login is selected. + +1. Click **Save**. + +-tab-sep- + +To enforce single sign-on using the REST API, use an [update SSO configuration]({{}}) request. + +```sh +PUT https://:/v1/cluster/sso +{ + "enforce_control_plane": true +} +``` + +{{< /multitabs >}} + +## Update configuration {#update-config} + +If you change certain metadata or configuration settings after you set up SSO, such as the assertion signing certificate, remember to do the following: + +1. [Update the SAML SSO configuration](#configure-idp-metadata) with the new values. + +1. [Download the updated service provider metadata](#download-sp) and use it to update the Redis Enterprise Software service provider app. + +### Change SP address + +If your deployment's default service provider address is not accessible to external identity providers, you can change it to an external hostname. 
+ +{{}} +If you change the service address, the existing SSO integration will break because the metadata file, SP login and logout URLs, and entity ID will change to match the new address. You must update the service provider configuration on the identity provider's side after this change. +{{}} + +To change the service provider address, use an [update SSO configuration]({{}}) REST API request: + +```sh +PUT https://:/v1/cluster/sso +{ + "service": { + "address": "https://" + } +} +``` + +## Deactivate SSO + +{{< multitabs id="deactivate-sso" +tab1="Cluster Manager UI" +tab2="REST API" >}} + +To deactivate single sign-on using the Cluster Manager UI: + +1. Go to **Access Control > Single Sign-On**. + +1. Click **Deactivate SSO**. + +1. Click **Confirm**. + +-tab-sep- + +To deactivate single sign-on using the REST API, use an [update SSO configuration]({{}}) request. + +```sh +PUT https://:/v1/cluster/sso +{ + "control_plane": false +} +``` + +{{< /multitabs >}} diff --git a/content/operate/rs/security/certificates/_index.md b/content/operate/rs/security/certificates/_index.md index 7bb5c12c06..e7f700453d 100644 --- a/content/operate/rs/security/certificates/_index.md +++ b/content/operate/rs/security/certificates/_index.md 
@@ -29,9 +29,11 @@ Here's the list of supported certificates that create secure, encrypted connecti | `metrics_exporter` | | Sends Redis Enterprise metrics to external [monitoring tools]({{< relref "/operate/rs/monitoring/" >}}) over a secure connection. | | `mtls_trusted_ca` | :x: | Required to enable certificate-based authentication for secure, passwordless access to the REST API. | | `proxy` | | Creates secure, encrypted connections between clients and databases. | +| `sso_issuer` | :x: | Identity provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). | +| `sso_service` | :x: | Service provider certificate for [single sign-on (SSO)]({{< relref "/operate/rs/security/access-control/saml-sso" >}}). | | `syncer` | | For [Active-Active]({{< relref "/operate/rs/databases/active-active/" >}}) or [Replica Of]({{< relref "/operate/rs/databases/import-export/replica-of/" >}}) databases, encrypts data during the synchronization of participating clusters. | -Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own `ldap_client` certificate to enable [LDAP authentication]({{}}) or an `mtls_trusted_ca` certificate to enable certificate-based authentication. +Certificates that are not autogenerated are optional unless you want to use certain features. For example, you must provide your own `ldap_client` certificate to enable [LDAP authentication]({{}}), an `mtls_trusted_ca` certificate to enable certificate-based authentication, or `sso_issuer` and `sso_service` certificates for [single sign-on (SSO)]({{}}). ## Accept self-signed certificates to access the Cluster Manager UI 
diff --git a/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png b/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png new file mode 100644 index 0000000000..a19c5055f1 Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/edit-idp-metadata.png differ diff --git a/static/images/rs/screenshots/access-control/sso/enforce-sso.png b/static/images/rs/screenshots/access-control/sso/enforce-sso.png new file mode 100644 index 0000000000..086971027f Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/enforce-sso.png differ diff --git a/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png b/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png new file mode 100644 index 0000000000..3cb0adee82 Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/sp-metadata-after-cert-upload.png differ diff --git a/static/images/rs/screenshots/access-control/sso/sso-before-config.png b/static/images/rs/screenshots/access-control/sso/sso-before-config.png new file mode 100644 index 0000000000..d4267bffe8 Binary files /dev/null and b/static/images/rs/screenshots/access-control/sso/sso-before-config.png differ
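Review bot: In the saml-sso.md hunk, the "update cluster certificates" REST API example in the "Configure IdP metadata" tab has the `name` and `certificate` values swapped. Per the certificates object (the first hunk of this patch), `name` is the certificate type and `certificate` is the PEM body, so the request should read `"name": "sso_issuer"` and `"certificate": "<PEM certificate>"`; as written, a reader who copies it submits a certificate with an empty name whose body is the literal string `sso_issuer`, which the API will most likely reject and which in any case cannot validate assertions. The same example also carries a `key` field, but this is the identity provider's public assertion signing certificate and the cluster operator never holds its private key; either drop `key` from this example or state explicitly that it is omitted for `sso_issuer`.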
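Review bot: In the "Add new users with JIT provisioning" hunk, the procedure does not say what happens when `redisRoleMapping` is absent from the assertion or names a role UID that does not exist in the cluster (is the first sign-in rejected, or does the user get some default role?). That failure case is the one an operator needs, because for JIT-provisioned users the IdP attribute, not the cluster, decides which role the account is created with, so anyone who can edit user attributes in the identity provider picks the cluster role for new users. Suggest one sentence covering the missing or invalid mapping case, and a cross-reference back to the earlier note that existing users keep their cluster-side roles and the attribute is ignored for them.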
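Review bot: In the "Enforce SSO" hunk, the opening sentence ("non-admin users can no longer sign in with their previous usernames and passwords") should spell out the availability consequence: once `enforce_control_plane` is `true`, non-admin users are locked out of the control plane whenever the identity provider is unreachable, and only admin users retain local password login as the fallback. Suggest stating this here and recommending that at least one admin account with a known local password exists before enforcing, so the "Fallback behavior" setting can be reverted if the IdP integration breaks (for example after the SP address change described later in the same file).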
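Review bot: In the "Update configuration" hunk, step 2 ("Download the updated service provider metadata and use it to update the ... service provider app") does not follow from the example given in the lead sentence: changing the identity provider's assertion signing certificate only requires uploading a new `sso_issuer` certificate and updating the IdP metadata (step 1), whereas the service provider metadata changes when the SP certificate or service address changes, as the "Change SP address" note below it already says. Suggest splitting the list by which side changed (IdP-side values need step 1 only; SP-side values need step 2 and a re-import on the identity provider). Related, the certificates/_index.md hunk now lists both `sso_issuer` and `sso_service` as user-provided for SSO, so the sentence there would benefit from a link to the step where the `sso_service` certificate is uploaded, which is not visible in the procedure portion of this patch.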