To be able to use the cmk plugin mk_redis with redis ACL users and permissions, the plugin should send also username and password authentication to redis.
I patched the existing mk_redis agent plugin on a cmk 2.2.0p35 to get this working. Maybe this could be added into the cmk release.
$ diff mk_redis mk_redis.orig
45d44
< USER="REDIS_USER_$INSTANCE"
60,64c59
< if [[ "${!USER}" ]] && [[ "${!USER}" != "None" ]]; then
< REDIS_CLI_COMMAND="REDISCLI_AUTH='${!PASSWORD}' redis-cli --user ${!USER}"
< else
< REDIS_CLI_COMMAND="REDISCLI_AUTH='${!PASSWORD}' redis-cli"
< fi
---
> REDIS_CLI_COMMAND="REDISCLI_AUTH='${!PASSWORD}' redis-cli"
To create a redis monitoring user use the redis-cli:
acl setuser monitoring on >SecretPassWord ~ +info
the mk_redis plugin is only using the info redis command. So we restrict the user only to this cmd and do not allow any redis key access.
In /etc/check_mk/mk_redis.cfg add:
REDIS_HOST_myinstance="127.0.0.1"
REDIS_PORT_myinstance="4711"
REDIS_USER_myinstance='monitoring'
REDIS_PASSWORD_myinstance='SecretPassWord'
br