SQLConsole for Redis

Last Updated: Jul 07, 2020

Data Management Service (DMS) provides the SQLConsole for you to manage relational databases and NoSQL databases. To control SQL execution for these two types of databases, you need to set different types of security rules that include different items. This topic describes security rules for controlling SQL execution in Redis databases.

Checkpoints

  • Permission Execution Statement Criteria: Under this checkpoint, you can specify whether to check specific users’ permissions when they submit commands.

    For example, this checkpoint checks whether a user has corresponding key permissions.

  • Statement Criteria: Keys: Under this checkpoint, you can set constraints on key-related commands.

  • Statement Criteria: String: Under this checkpoint, you can set constraints on string-related commands.

  • Statement Criteria: List: Under this checkpoint, you can set constraints on list-related commands.

  • Statement Criteria: SET: Under this checkpoint, you can set constraints on set-related commands.

  • Statement Criteria: SortedSet: Under this checkpoint, you can set constraints on sorted set-related commands.

  • Statement Criteria: Hash: Under this checkpoint, you can set constraints on hash-related commands.

  • Statement Criteria: Other: Under this checkpoint, you can set constraints on commands of other types.

You can use the default rules provided by DMS, or set custom rules as required. For more information, see Procedure of creating a security rule.

How checkpoints work

Commands that can be run in DMS

The following table lists the commands that can be identified through syntax parsing in DMS.

Category / Subcategory and enumerated value
Key-related commands
Read commands:
  • EXISTS
  • TTL
  • PTTL
  • RANDOMKEY
  • TYPE
  • SCAN
  • OBJECT
Write commands:
  • DEL
  • DUMP
  • EXPIRE
  • EXPIREAT
  • MOVE
  • PERSIST
  • PEXPIRE
  • PEXPIREAT
  • RENAME
  • RENAMENX
  • RESTORE
  • SORT
  • TOUCH
  • UNLINK
  • WAIT
  • MIGRATE
String-related commands
Read commands:
  • GET
  • GETRANGE
  • BITCOUNT
  • GETBIT
  • MGET
  • STRLEN
  • BITPOS
Write commands:
  • APPEND
  • BITFIELD
  • BITOP
  • DECR
  • DECRBY
  • GETSET
  • INCR
  • INCRBY
  • INCRBYFLOAT
  • MSET
  • MSETNX
  • PSETEX
  • SET
  • SETNX
List-related commands
Read commands:
  • LINDEX
  • LLEN
  • LRANGE
Write commands:
  • BLPOP
  • BRPOP
  • BRPOPLPUSH
  • LINSERT
  • LPOP
  • LPUSH
  • LPUSHX
  • LREM
  • LSET
  • LTRIM
  • RPOP
  • RPOPLPUSH
  • RPUSH
  • RPUSHX
Set-related commands
Read commands:
  • SCARD
  • SISMEMBER
  • SRANDMEMBER
  • SSCAN
Write commands:
  • SADD
  • SMOVE
  • SPOP
  • SREM
Sorted set-related commands
Read commands:
  • ZCARD
  • ZCOUNT
  • ZLEXCOUNT
  • ZRANGE
  • ZRANGEBYLEX
  • ZRANGEBYSCORE
  • ZRANK
  • ZREVRANGE
  • ZREVRANGEBYLEX
  • ZREVRANGEBYSCORE
  • ZREVRANK
  • ZSCAN
  • ZSCORE
Write commands:
  • ZADD
  • ZINCRBY
  • ZINTERSTORE
  • ZPOPMAX
  • ZPOPMIN
  • ZREM
  • ZUNIONSTORE
  • BZPOPMIN
  • BZPOPMAX
Hash-related commands
Read commands:
  • HEXISTS
  • HGET
  • HLEN
  • HMGET
  • HSCAN
  • HSTRLEN
Write commands:
  • HDEL
  • HINCRBY
  • HINCRBYFLOAT
  • HMSET
  • HSET
  • HSETNX
Other commands N/A

Factors and actions

  • Factor: A factor is a system built-in variable that is used to obtain the context to be validated by security rules, such as the subcategories of commands and the number of rows in which data is affected. A factor name starts with @fac., followed by the display name of the factor type. Each module of the Security Rules page offers different factors for different checkpoints. The following table describes the supported factors in the SQLConsole module.

    Factor Description
    @fac.cmd_type The subcategory of the command. For more information about valid values, see Commands that can be run in DMS.
    @fac.env_type The type of the environment. The value is the display name of the environment type, such as DEV and PRODUCT. For more information, see Change the environment type of an instance.
    @fac.is_read A boolean value that indicates whether the current command is a read command. Valid values:
    • true
    • false
    @fac.is_write A boolean value that indicates whether the current command is a write command. Valid values:
    • true
    • false
    @fac.current_sql The current command.
    @fac.user_is_admin A boolean value that indicates whether the current user is a DMS administrator. Valid values:
    • true
    • false
    @fac.user_is_dba A boolean value that indicates whether the current user is a database administrator (DBA). Valid values:
    • true
    • false
    @fac.user_is_inst_dba A boolean value that indicates whether the current user is the DBA of the current instance. Valid values:
    • true
    • false
  • Action: An action is the operation that the system performs after the conditions specified in the if statement are met. For example, the system can perform the relevant action to forbid the submission of a ticket, select an approval process, approve a ticket, or reject a ticket. Actions show the purpose of setting security rules. An action name starts with @act., appended with the display name of the action type. Each module of the Security Rules page offers different actions for different checkpoints. The following table describes the supported actions in the SQLConsole module.

    Action Description
    @act.reject_execute Rejects the request to run the current command.
    @act.allow_execute Allows the current command to be run.
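
A local model of how the factors and actions above combine, as an added example in Python that is not DMS code and does not use the DMS rule DSL. The command sets are a subset of the table on this page; the rule list, first-match ordering, default rejection, and treating @fac.cmd_type as the command name are assumptions.

```python
# Added illustration: a local model of the factors above, not DMS code.
# Command sets are an abbreviated subset of the table on this page.
READ = {
    "key": {"EXISTS", "TTL", "PTTL", "TYPE", "SCAN"},
    "string": {"GET", "MGET", "STRLEN", "GETRANGE"},
    "hash": {"HGET", "HMGET", "HLEN", "HEXISTS"},
}
WRITE = {
    "key": {"DEL", "EXPIRE", "RENAME", "PERSIST"},
    "string": {"SET", "MSET", "APPEND", "INCR"},
    "hash": {"HSET", "HDEL", "HSETNX"},
}


def factors(command, env_type, user_is_dba=False):
    """Derive @fac.*-style values for one submitted command line."""
    parts = command.split()
    cmd = parts[0].upper() if parts else ""
    is_read = any(cmd in names for names in READ.values())
    is_write = any(cmd in names for names in WRITE.values())
    # Commands the parser does not recognise fall into the "other" category.
    category = next((cat for table in (READ, WRITE)
                     for cat, names in table.items() if cmd in names), "other")
    return {"cmd_type": cmd, "category": category, "env_type": env_type,
            "is_read": is_read, "is_write": is_write,
            "user_is_dba": user_is_dba, "current_sql": command}


# Hypothetical rule set: (condition on factors, action). First match wins;
# that ordering and the final default are assumptions of this sketch.
RULES = [
    (lambda f: f["is_read"], "@act.allow_execute"),
    (lambda f: f["is_write"] and f["env_type"] == "DEV", "@act.allow_execute"),
    (lambda f: f["is_write"] and f["user_is_dba"], "@act.allow_execute"),
]


def evaluate(command, env_type, user_is_dba=False):
    """Return the action name chosen for a command in a given environment."""
    f = factors(command, env_type, user_is_dba)
    for condition, action in RULES:
        if condition(f):
            return action
    # Unrecognised commands and unmatched writes are rejected by default.
    return "@act.reject_execute"
```

A command outside the recognised lists is neither a read nor a write in this model, so it is rejected even for a DBA unless a rule for the "other" category explicitly allows it.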

Templates of security rules

DMS provides you with various system built-in templates of security rules. You can directly use the templates or modify the templates based on your business requirements. The following table describes the supported rule templates in the SQLConsole module.

Checkpoint Feature of template
Permission Execution Statement Criteria
Specifies that DMS must validate common users’ permissions when they submit commands.
Specifies that all users can run SQL statements without their permissions being validated.
Statement Criteria: Keys
Specifies that the listed key-related read commands can be run in an offline environment.
Specifies that the listed key-related read commands can be run in an online environment.
Specifies that the listed key-related write commands can be run in an online environment.
Statement Criteria: String
Specifies that the listed string-related read commands can be run in an offline environment.
Specifies that the listed string-related read commands can be run in an online environment.
Specifies that the listed string-related write commands can be run in an online environment.
Statement Criteria: List
Specifies that the listed list-related read commands can be run in an offline environment.
Specifies that the listed list-related read commands can be run in an online environment.
Specifies that the listed list-related write commands can be run in an online environment.
Statement Criteria: SET
Specifies that the listed set-related read commands can be run in an offline environment.
Specifies that the listed set-related read commands can be run in an online environment.
Specifies that the listed set-related write commands can be run in an online environment.
Statement Criteria: SortedSet
Specifies that the listed sorted set-related read commands can be run in an offline environment.
Specifies that the listed sorted set-related read commands can be run in an online environment.
Specifies that the listed sorted set-related write commands can be run in an online environment.
Statement Criteria: Hash
Specifies that the listed hash-related read commands can be run in an offline environment.
Specifies that the listed hash-related read commands can be run in an online environment.
Specifies that the listed hash-related write commands can be run in an online environment.
Statement Criteria: Other
Specifies that the listed read commands of other types can be run in an offline environment.
Specifies that the listed write commands of other types can be run in an offline environment.
Specifies that the listed read commands of other types can be run in an online environment.
Specifies that the listed write commands of other types can be run in an online environment.

Procedure of creating a security rule

  1. Log on to the DMS console.

  2. In the top navigation bar, choose System Management > Security > Security Rules.

  3. On the Security Rules page that appears, find the target rule set and click Edit in the Actions column.

  4. On the Details page that appears, click the SQLConsole tab.

  5. On the SQLConsole tab, click Create Rule next to Actions.

  6. In the Create Rule - SQLConsole dialog box that appears, set the parameters as required. The following table describes the parameters.

    Parameter Description
    Checkpoints (Required) The checkpoint under which you want to create the security rule. For more information about checkpoints, see Checkpoints.
    Template Database (Optional) The template based on which you want to create the security rule. DMS provides you with various system built-in templates of security rules. After you select a checkpoint from the Checkpoints drop-down list, you can click Load from Template Database to select a template. For more information about the available templates, see Templates of security rules.
    Rule Name (Required) The name of the security rule. If you load a security rule from a template, the rule name is automatically filled in.
    Rule DSL (Required) The domain-specific language (DSL) statement used to set the security rule. For more information, see DSL syntax for security rules. If you load a security rule from a template, the statement is automatically filled in.
  7. Click Submit.

  8. Find the created security rule and click Enable in the Actions column. By default, the created security rule is in the Disabled state.

  9. In the message that appears, click OK.