Redis 8 introduces a major update to Access Control Lists (ACLs) by integrating module commands—Search (FT.*), JSON, TimeSeries, and probabilistic data structures (Bloom, Cuckoo, Top-K, CMS, T-Digest) into Redis’ standard ACL categories.
These commands now fall under the familiar groupings such as @read, @write, @fast, @slow, @admin, and @dangerous and each module also has its own new category: @search, @json, @timeseries, @bloom, @cuckoo, @topk, @cms, and @tdigest, for finer-grained control.
The change unifies access control across Redis Cloud, Redis Software, and Redis Open Source, simplifying role management but also altering how existing ACLs behave. Depending on current definitions, some users may gain or lose access to specific commands after upgrading to Redis 8.
This guide explains what changed, who is impacted, how to audit and migrate ACLs safely, and how to validate permissions in both Redis Cloud and Redis Software through the following sections: Breaking Change Summary, Who’s Impacted, Quick Reference, Safe Migration Steps, Post-Upgrade ACL Patterns, Product-Specific Guidance, and Troubleshooting.
Quick Reference: Check and Validate ACLs in Redis 8
Task |
Command |
Works In |
|---|---|---|
List all ACL categories |
|
All Redis 8 products |
Test whether a user can run a command |
|
All Redis 8 products |
Export ACLs before upgrade |
|
Redis Software |
Reload ACLs cluster-wide |
|
Redis Software |
Review roles visually |
Redis Cloud Console → Access Control → Roles |
Redis Cloud |
Verify JSON write access |
|
All Redis 8 products |
Prerequisites
Redis 8.0 or later (Cloud, Software, or Open Source)
Admin or Security role with ACL management permissions
Familiarity with:
ACL CAT,ACL LIST,ACL DRYRUN,ACL LOAD
Breaking Change Summary
Scope |
Description |
Impact |
|---|---|---|
Expanded standard categories |
|
|
New module-specific categories |
|
Enables precise control ( |
|
Continues to include all commands |
No change required |
Legacy rule shift |
|
Roles may be more permissive or restrictive |
Who’s Impacted
Any environment using custom ACLs or roles
Databases leveraging Search, JSON, TimeSeries, or probabilistic data types
Deployments defining broad categories (
+@read,+@write,+@all) without explicit module controls
Before upgrading to Redis 8, review and adjust ACLs to prevent unexpected access changes.
Safe Migration Steps
-
Inventory existing ACLs
Run
ACL LISTto export users and rules.Focus on entries containing
@read,@write, or module commands (FT.*, JSON.*, TS.*, etc.).
-
Confirm new categories in Redis 8
ACL CATYou should see module categories such as
@searchand@json. -
Dry-run permission tests
ACL DRYRUN <user> <command> [args…]Use this to preview grants and denies safely.
-
Choose your strategy
Accept expanded coverage: Keep ACLs simpler but broader.
Replicate pre-8 intent: Add targeted denies (e.g.,
-@json,-@search).
Validate before production rollout
Test service accounts and automation users in staging.
Optional Tools for Validating ACL Rules
If you prefer a visual way to construct or validate ACL rules across Redis 7.x and 8.x, you can also use the Redis ACL Builder. This tool provides interactive feedback when combining categories such as @read, @write, @json, and @search
Note: ACL DRYRUN remains the authoritative method for validating permissions in Redis Cloud and Redis Software
Post-Upgrade ACL Patterns
Use Case |
Recommended ACL Rule |
|---|---|
Read-only Search analyst |
|
JSON writer limited to app data |
|
Preserve pre-8 behavior (no JSON writes) |
|
Validate permission outcome |
|
Product-Specific Guidance
Redis Cloud
Redis Cloud 8.0 applies ACL category expansion automatically to all databases.
Before or after upgrading:
-
Export current roles
Console: Access Control → Roles → Export
REST API: GET
/v1/roles
-
Validate permissions
ACL CAT ACL DRYRUN <user> FT.SEARCH index "*"` -
Adjust roles
-
Expand capabilities as needed:
+@read +@search— adds Search read/write beyond standard @read.+@write +@json— adds JSON read/write beyond standard @write.If you rely on default Redis 8 behavior,
@readand@writealready include these module commands, so the explicit module category is optional.
Restore older limits:
+@read +@write -@search -@json
-
Reapply after upgrade
Re-assign or re-sync roles via the Console or API.
Redis Software
Redis Software 8.0 extends the same ACL expansion to both cluster- and database-level users.
Upgrade Workflow:
-
Backup ACLs
rladmin export acl -
Review categories
ACL CAT -
Dry-run validation
ACL DRYRUN <user> JSON.SET key {} -
Adjust and reload
Modify ACLs as needed (
+@write -@json,+@read +@search)-
Propagate changes:
ACL LOAD
Troubleshooting
Symptom |
Likely Cause |
Resolution |
|---|---|---|
Users can now run FT.SEARCH unexpectedly |
|
Add |
JSON writes blocked unexpectedly |
|
Add |
Role behavior differs across nodes |
ACLs not synchronized cluster-wide |
Run |
App logs “permission denied” for module commands |
Post-upgrade coverage mismatch |
Use |
References
Version Scope
Applies to: Redis 8.0 and later (Open Source, Cloud, Enterprise)
Prior behavior: Redis ≤ 7.4 kept module commands outside standard categories
Action required: Review and test ACLs post-upgrade to confirm expected access
0 comments
Please sign in to leave a comment.