
Commit 2a0eb9e

authored
fix(command): RESET should be only allowed to run with admin role (#3191)
1 parent 210abd6 commit 2a0eb9e


2 files changed

+29
-1
lines changed


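--- a/src/commands/cmd_server.cc
+++ b/src/commands/cmd_server.cc
@@ -1586,7 +1586,7 @@ REDIS_REGISTER_COMMANDS(
 MakeCmdAttr<CommandSlaveOf>("replicaof", 3, "read-only exclusive no-script admin", NO_KEY),
 MakeCmdAttr<CommandStats>("stats", 1, "read-only", NO_KEY),
 MakeCmdAttr<CommandRdb>("rdb", -3, "write exclusive admin", NO_KEY),
-MakeCmdAttr<CommandReset>("reset", 1, "ok-loading bypass-multi no-script", NO_KEY),
+MakeCmdAttr<CommandReset>("reset", 1, "ok-loading bypass-multi no-script admin", NO_KEY),
 MakeCmdAttr<CommandApplyBatch>("applybatch", -2, "write no-multi", NO_KEY),
 MakeCmdAttr<CommandDump>("dump", 2, "read-only", 1, 1, 1),
 MakeCmdAttr<CommandPollUpdates>("pollupdates", -2, "read-only admin", NO_KEY),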
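Review bot: The `reset` entry gains the `admin` flag with no comment recording what RESET does that a namespace-token connection must not be able to trigger, so a later edit to this flag string has nothing to check against. A one-line comment above the entry, for example `// RESET is admin-only, see #3191`, would record the reason. Connections authenticated with a namespace token that previously sent RESET will now get a permission error, which looks like a behaviour change worth a release-note line. The `REDIS_REGISTER_COMMANDS(` list starts and ends outside this hunk, so other entries could not be checked; of the visible ones, `applybatch` is `write no-multi` without `admin`, and whether that is intended cannot be told from here.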

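--- a/tests/gocase/unit/reset/reset_test.go
+++ b/tests/gocase/unit/reset/reset_test.go
@@ -25,6 +25,7 @@ import (
 "testing"
 
 "github.com/apache/kvrocks/tests/gocase/util"
+"github.com/redis/go-redis/v9"
 "github.com/stretchr/testify/require"
 )
 
@@ -65,3 +66,30 @@ func TestReset(t *testing.T) {
 require.Equal(t, rdb.Do(ctx, "subscribe", "chan2").Val(), []interface{}{"subscribe", "chan2", (int64)(1)})
 })
 }
+
+func TestResetAdminOnly(t *testing.T) {
+srv := util.StartServer(t, map[string]string{
+"requirepass": "admin",
+})
+defer srv.Close()
+
+ctx := context.Background()
+
+t.Run("RESET command with namespace token should be forbidden", func(t *testing.T) {
+adminClient := srv.NewClientWithOption(&redis.Options{
+Password: "admin",
+})
+defer func() { require.NoError(t, adminClient.Close()) }()
+
+require.NoError(t, adminClient.Do(ctx, "NAMESPACE", "ADD", "test_ns", "test_token").Err())
+require.NoError(t, adminClient.Do(ctx, "RESET").Err())
+
+tokenClient := srv.NewClientWithOption(&redis.Options{
+Password: "test_token",
+})
+defer func() { require.NoError(t, tokenClient.Close()) }()
+
+r := tokenClient.Do(ctx, "RESET")
+require.ErrorContains(t, r.Err(), "admin permission required to perform the command")
+})
+}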
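Review bot: `TestResetAdminOnly` asserts only the error text of the rejected RESET; it never checks that the token connection is still confined to its namespace afterwards, which is presumably the property the `admin` flag protects. A follow-up assertion after the `require.ErrorContains` line, such as `require.Error(t, tokenClient.Do(ctx, "NAMESPACE", "GET", "*").Err())`, would pin that, assuming the pooled client reuses the same connection. The admin path is likewise checked only for a nil error, so a command issued on `adminClient` after its RESET would show whether that connection's state is what the server intends. Only the `requirepass`-set configuration is exercised here.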
