Add AUTH (username) and SSL/TLS support for Redis Integration

[ishleenk17]

Add support for AUTH so that if firewalling or any other system implemented to protect Redis from external attackers fail, an external client will still not be able to access the Redis instance without knowledge of the authentication password.

The AUTH command authenticates the current connection in two cases:

• If the Redis server is password protected via the requirepass option.
• A Redis 6.0 instance, or greater, is using the Redis ACL system.

Redis versions prior of Redis 6 were only able to understand password:

AUTH <password>

With Redis ACL in Redis 6+, AUTH also takes username as an argument but it is optional to honour the backward compatibility.

AUTH <username> <password>

To accept username, we have to make changes to beats as well so that redis client used there considers username as well for AUTH. It already does consider password.

SSL/TLS is supported by Redis starting with version 6 as an optional feature that needs to be enabled at compile time. To support connecting to Redis servers that are running in TLS mode and fetching the metrics, we need to add SSL/TLS support to metricbeat. Read more: https://redis.io/docs/management/security/encryption/

[lalit-satapathy]

@shmsr, Are the changes still TBD in the integration? I see beats changes done here - elastic/beats#35240. Can we keep the issue open?

[shmsr]

@lalit-satapathy Yes. I also noticed that the changes were not done on the integrations side. So I put this in the backlog a couple of weeks back but forgot to reopen the issue. I'll do this; thanks!

[otteryoudoing]

Hello team, do you have any estimates on when our customers may see this available in the wild? Presently I am working with a customer who is interested in this functionality

When you find a moment please let me know your thoughts @shmsr @lalit-satapathy

[ishleenk17]

@shmsr : any timelines for this addition to the Redis Integration ?

[lalit-satapathy]

Assigned @harnish-elastic for the integration changes as the beats side changes are already done.

[harnish-elastic]

@shmsr, In redis integration, there are 5 data_streams currently present. Out of them 3 data_stream stands for metrics which has support for username, password and SSL currently in metricbeat. So I am planning to raise PR for those 3 data_streams (key, keyspace, and info) Now from the 2 logs data_stream, there is 1 log data_stream named slowlog that has currently support of password only. Please refer this. Can we also provide support of username and SSL for slowlog fileset? Please let me know if there are any reason for not providing support for it?

[harnish-elastic]

PR: #9777

[shmsr]

@shmsr, In redis integration, there are 5 data_streams currently present. Out of them 3 data_stream stands for metrics which has support for username, password and SSL currently in metricbeat. So I am planning to raise PR for those 3 data_streams (key, keyspace, and info) Now from the 2 logs data_stream, there is 1 log data_stream named slowlog that has currently support of password only. Please refer this. Can we also provide support of username and SSL for slowlog fileset? Please let me know if there are any reason for not providing support for it?

@harnish-elastic Ideally, support should have been available. I didn't intentionally leave it, but it was a result of me not knowing enough like how integrations and beats connect and every detail of it. This was probably the first PR I worked on after joining Elastic. I only knew that changes were required for metricbeat, but I didn't have much experience back then to know that I also had to make changes in filebeat.

[ishleenk17]

@shmsr, In redis integration, there are 5 data_streams currently present. Out of them 3 data_stream stands for metrics which has support for username, password and SSL currently in metricbeat. So I am planning to raise PR for those 3 data_streams (key, keyspace, and info) Now from the 2 logs data_stream, there is 1 log data_stream named slowlog that has currently support of password only. Please refer this. Can we also provide support of username and SSL for slowlog fileset? Please let me know if there are any reason for not providing support for it?

@harnish-elastic Ideally, support should have been available. I didn't intentionally leave it, but it was a result of me not knowing enough like how integrations and beats connect and every detail of it. This was probably the first PR I worked on after joining Elastic. I only knew that changes were required for metricbeat, but I didn't have much experience back then to know that I also had to make changes in filebeat.

@harnish-elastic : Let's use this ticket to add support for the 3 metric datastream.

Raise another beats issue for adding support for SSL in beats filesets. And another corresponding Integrations issue for it.
Since, this beats change will be available as part of next release , we will be able to push the log datastream Integrations change post that.

[harnish-elastic]

Future enhancements:

• Beats: filebeat/input/redis: Add AUTH (username) and SSL/TLS support beats#39412
• Integration: [O11y][Redis] Add AUTH (username) and SSL/TLS support #9787

[harnish-elastic]

Closing as completed #9777