| Redis危险命令禁用keys、flushdb、flushall及解决方案 | 您所在的位置:网站首页 › 查看redis使用的配置文件 › Redis危险命令禁用keys、flushdb、flushall及解决方案 |
|
Redis的危险命令主要有以下几个 keys 查找所有符合给定模式pattern(正则表达式)的 key 。时间复杂度为O(N),N为数据库里面key的数量。速度极快,在一百万的key数据库中查询时间大约是40毫秒。 redis> MSET one 1 two 2 three 3 four 4 OK redis> KEYS *o* 1) "four" 2) "one" 3) "two" redis> KE警告:不建议使用!!! 对 Redis 稍微有点使用经验的人都知道线上是不能执行 keys * 相关命令的,虽然其模糊匹配功能使用非常方便也很强大,在小数据量情况下使用没什么问题,数据量大会导致 Redis 锁住及 CPU 飙升,在生产环境建议禁用或者重命名! 血的教训:某公司工程师在生产环境中直接执行:key * wxdb ... cf8* 命令,导致redis卡死锁住,CPU飙升,导致支付链路卡住,所有请求卡死在数据库中,导致数据库发生雪崩效应,发生了数据库宕机事件。 损失惨重! flushdb删除Redis中当前所在数据库中的所有记录,并且该命令是原子性的,不会终止执行,一旦执行,将不会执行失败。 flushall删除Redis中所有数据库中的所有记录,并且该命令是原子性的,不会终止执行,一旦执行,将不会执行失败。 config客户端可修改 Redis 配置 解决方案-命令禁用 在redis中修改配置文件redis.conf找到 SECURITY 区域,如下图 ################################## SECURITY ################################### # Require clients to issue AUTH before processing any other # commands. This might be useful in environments in which you do not trust # others with access to the host running redis-server. # # This should stay commented out for backward compatibility and because most # people do not need auth (e.g. they run their own servers). # # Warning: since Redis is pretty fast an outside user can try up to # 150k passwords per second against a good box. This means that you should # use a very strong password otherwise it will be very easy to break. # # requirepass foobared # Command renaming. # # It is possible to change the name of dangerous commands in a shared # environment. For instance the CONFIG command may be renamed into something # hard to guess so that it will still be available for internal-use tools # but not available for general clients. # # Example: # # rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52 # # It is also possible to completely kill a command by renaming it into # an empty string: # # rename-command CONFIG "" # # Please note that changing the name of commands that are logged into the # AOF file or transmitted to slaves may cause problems.注意其中的rename-command ,修改即可完成命令禁用 禁用命令 rename-command KEYS "" rename-command FLUSHALL "" rename-command FLUSHDB "" rename-command CONFIG ""重命名命令 rename-command KEYS "XXXXX" rename-command FLUSHALL "XXXXX" rename-command FLUSHDB "XXXXX" rename-command CONFIG "XXXXX"这样可以定义新命令,然后在客户端就不会执行危险命令了 |
| CopyRight 2018-2019 实验室设备网 版权所有 |