Redis 哨兵搭建+ACL权限控制

📅 2026/7/11 16:54:55
Redis 哨兵搭建+ACL权限控制
edis常见有主从备份、Cluster、哨兵这三种集群部署模式。其中主从备份是后两者的实现基础。主从备份即从节点备份主节点的数据不能自动故障切换需要人为介入处理。Cluster是多个节点同时作为主节点每个主节点只保有部分分片数据每个主节点都有至少一个从节点来备份数据当任一主节点发生故障时对应的从节点会自动顶替故障主节点成为新的主节点。能完成自动故障切换不需人为介入。哨兵顾名思义是类似古代城墙上放哨的士兵一旦发现有节点故障则哨兵会主动切换从节点为主节点。这个机制中只有一个主节点有至少一个从节点至少一个哨兵节点。一般推荐的方案是一主二从三哨兵。这次记录的就是一主二从三哨兵的部署模式。ACL权限控制ACLAccess Control List访问控制列表Redis没启用ACL时所有客户端连接的都是默认用户default大家的权限都是一致的。ACL是用来限制用户权限的方案它可以分配账号、密码、权限实现严格控制每个用户的权限。该机制始于Redis 6.0版本可以理解为Redis服务端在启动时加载了一个记录acl文件其中密码是经过sha256加密的。部署规划IP 端口 用途 部署目录192.168.56.145 6379 Redis主节点 /opt/redis192.168.56.146 6379 Redis从节点 /opt/redis192.168.56.147 6379 Redis从节点 /opt/redis192.168.56.145 26379 Redis哨兵节点 /opt/redis-sentinel192.168.56.146 26379 Redis哨兵节点 /opt/redis-sentinel192.168.56.147 26379 Redis哨兵节点 /opt/redis-sentinel以最少3台服务器方式部署一主二从三哨兵Redis部署模式默认3台主机操作系统完全相同只需在主节点编译1次Redis复制出1个哨兵修改后同步到其他2个节点上需提前确保三台服务器间的6379/26379端口可以互访编译Redis#安装gcc c/c编译器yum -y install gcc gcc-c#创建安装目录mkdir -p /opt/redis#解压redis源码并编译redistar xf redis-8.6.3.tar.gzcd redis-8.6.3make PREFIX/opt/redis install MALLOCjemalloc#复制出哨兵节点目录cp -r /opt/redis /opt/redis-sentinel#删除哨兵节点目录中redis的配置rm -rf /opt/redis-sentinel/redis.conf配置Redis主节点/opt/redis/redis.confbind 0.0.0.0protected-mode noport 6379tcp-backlog 511timeout 300tcp-keepalive 300daemonize yessupervised nopidfile /var/run/redis.pidloglevel noticedatabases 16always-show-logo yessave 900 1save 300 10save 60 10000stop-writes-on-bgsave-error yesrdbcompression yesrdbchecksum yesdbfilename dump.rdbdir ./replica-serve-stale-data yesreplica-read-only yesrepl-diskless-sync norepl-diskless-sync-delay 5repl-disable-tcp-nodelay noreplica-priority 100maxmemory-policy allkeys-lrulazyfree-lazy-eviction yeslazyfree-lazy-expire yeslazyfree-lazy-server-del yesreplica-lazy-flush yesappendonly noappendfilename “appendonly.aof”appendfsync everysecno-appendfsync-on-rewrite noauto-aof-rewrite-percentage 100auto-aof-rewrite-min-size 64mbaof-load-truncated yesaof-use-rdb-preamble yeslua-time-limit 5000slowlog-log-slower-than 1000slowlog-max-len 1000latency-monitor-threshold 0notify-keyspace-events “”hash-max-ziplist-entries 512hash-max-ziplist-value 64list-max-ziplist-size -2list-compress-depth 0set-max-intset-entries 512zset-max-ziplist-entries 128zset-max-ziplist-value 64hll-sparse-max-bytes 3000stream-node-max-bytes 4096stream-node-max-entries 100activerehashing yesclient-output-buffer-limit normal 0 0 0client-output-buffer-limit replica 256mb 64mb 60client-output-buffer-limit pubsub 32mb 8mb 60hz 10dynamic-hz yesaof-rewrite-incremental-fsync yesrdb-save-incremental-fsync yeslogfile ./redis.log#主要是下边这三行masterauth replicapasswordmasteruser replica-useraclfile ./users.aclaclfile 配置指定acl文件路径。masteruser 指定连接主节点时的用户replica-user是我后续打算创建的从节点备份用户可以先配出来masterauth 是连接主节点时用的密码这里暂用简单的从节点备份用户密码临时启动主节点配置ACL用户#生成default用户hash密码防止用户通过redis-cli查到命令历史echo -n “default密码” |sha256sum#启动主节点cd /opt/redis./bin/redis-server ./redis.conf#连接主节点执行ACL指令配置用户./bin/redis-cliACL SETUSER default on #admin密码hash sanitize-payload ~* * allACL SETUSER app-user on appuserpassword ~* * keyspace read write wait ping info eval keys pubsubACL SETUSER sentinel-user on sentinelpassword ~* * allchannels multi slaveof ping exec subscribe config|rewrite role publish info client|setname client|kill script|killACL setuser replica-user on replicapassword ~* * psync replconf pingACL SAVEquit以上命令为default用户设置了更复杂的密码创建了客户端用户app-user、哨兵用户sentinel-user、备份用户replica-user同时配置了这些用户的权限这里的备份用户和哨兵用户权限参考官方文档app-user用户权限仅供参考。注意ACL设置密码时#开头配置预哈希密码开头配置明文密码最终到acl中都是哈希密文。关闭redis主节点删去相关日志此时users.acl文件已经生成了acl文件只需存在主从节点即可。ps -ef|grep rediskill -9rm -f redis.log配置哨兵节点在145节点上配置第一个哨兵节点cd /opt/redis-sentinelvim sentinel.confcat sentinel.conf#参考以下配置修改哨兵配置port 26379protected-mode nodaemonize yespidfile /var/run/redis-sentinel.pidlogfile ./sentinel.logdir /tmpsentinel monitor mymaster 192.168.56.145 6379 2sentinel auth-user mymaster sentinel-usersentinel auth-pass mymaster sentinelpasswordsentinel down-after-milliseconds mymaster 30000acllog-max-len 128sentinel parallel-syncs mymaster 1sentinel failover-timeout mymaster 180000sentinel deny-scripts-reconfig yesSENTINEL resolve-hostnames noSENTINEL announce-hostnames no复制哨兵节点在145节点复制/opt/redis-sentinel到146、147节点scp -r /opt/redis-sentinel root192.168.56.146:/opt/redis-sentinelscp -r /opt/redis-sentinel root192.168.56.147:/opt/redis-sentinel复制创建从节点在145节点复制/opt/redis到146节点scp -r /opt/redis root192.168.56.146:/opt/redisscp -r /opt/redis root192.168.56.147:/opt/redis登录146、147节点修改/opt/redis/redis.confvim /opt/redis/redis.conf#追加一行同步配置指向主节点replicaof 192.168.56.145 6379登录147节点修改/opt/redis/redis.confvim /opt/redis/redis.conf#追加一行同步配置指向主节点replicaof 192.168.56.145 6379启动主从节点依次登录145、146、147节点执行启动redis命令cd /opt/redis./bin/redis-server ./redis.conf启动哨兵节点依次登录145、146、147节点执行启动哨兵命令cd /opt/redis-sentinel./bin/redis-sentinel ./sentinel.conf查看集群状态145主节点上查看主从信息cd /opt/redis./bin/redis-cli -p 6379AUTH default 密码info replication#输出示例的前5行检查connected_slaves为2state状态均为online即可Replicationrole:masterconnected_slaves:2slave0:ip192.168.56.146,port6379,stateonline,offset44565,lag0,io-thread0slave1:ip192.168.56.147,port6379,stateonline,offset44422,lag1,io-thread0quit任一哨兵节点上查看哨兵信息cd /opt/redis-sentinel./bin/redis-cli -p 26379info sentinel#输出示例检查master0的status为ok能看出adress为主节点地址slave为2sentinels为3即正常Sentinelsentinel_masters:1sentinel_tilt:0sentinel_tilt_since_seconds:-1sentinel_total_tilt:0sentinel_running_scripts:0sentinel_scripts_queue_length:0sentinel_simulate_failure_flags:0master0:namemymaster,statusok,address192.168.56.145:6379,slaves2,sentinels3quit官方文档中哨兵可以直接查看集群中的从节点和哨兵节点的状态这是在redis-cli鉴权后的命令SENTINEL replicas mymasterSENTINEL sentinels mymaster