by antirez 2247 days ago
I understand the sentiment, but things are a bit different than they may look. About SSL, there is no way out of this. I was opposed to this feature for a long time, but now, simply because of changes in regulations, policies and so forth, a lot of use cases are migrating to SSL internally even if Redis is not exposed. And frankly it is really a mess to handle SSL proxies now that everybody seems to need encryption. So what I did was the best I could do, when checking for PRs to merge: 1) Opt in, not compiled by default, no SSL libs requirements. 2) Connection abstraction, there is no SSL mentioned inside the code. Everything is in a different file.

About the "Kafka" thing, actually streams were wanted by myself, very strongly, and not suggested by Redis Labs. Let's start thinking of Redis as a data structure server and of streams without the consumer groups part (which is totally optional). It was incredible we had no way to model a "log" in a serious way. No time series easily, using hacks and with huge memory usage because sorted sets are not the solution for this problem. But then why consumer groups? Because for a long time people had this problem of wanting a "persistent Pub/Sub": you can't lose messages just because clients disconnect in most use cases. Btw this Kafka monster is a total of 2775 lines of code, including comments. 1731 lines of code without comments. In other systems this is the prelude in the copyright notice.

But ACLs, in order to manage to survive 10 years without ACLs we had to resort to all kinds of tricks: renaming commands to unguessable strings. Still with the panic of some library calling FLUSHALL by mistake because the developer was testing it on her/his laptop. Really ACLs have nothing to do with enterprise, but some safety is needed. The ACL monster is 1297 lines of code, and is one of the most user friendly security systems you'll find in a database.

Actually all those features have a great impact on the users, huge impact on day to day operations, and are designed in order to be as simple as possible. And Redis Labs actually has only to lose from all this, because those were all potential "premium" features, instead now they are in and every other Redis provider will have them automatically as a standard. So... reality is a bit different, and it's not a conspiracy to gain market share or the like.
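The comment above contrasts fire-and-forget Pub/Sub with a stream read through a consumer group: in the first case a message published while a client is disconnected is simply gone, in the second the entry stays in the log and in the group's pending list until someone acknowledges it. The following in-memory model is an added illustration, not Redis source code: the class and method names (`PubSub`, `ConsumerGroup`, `xadd`, `xreadgroup`, `xack`, `xpending`, `xclaim`) mirror the Redis command names but the semantics are simplified (integer entry ids instead of time-based ids, no min-idle-time on claiming, no persistence).

```python
"""Toy model of Redis Pub/Sub versus Streams + consumer groups.
Added example; not Redis code. Names and semantics are simplified."""
from dataclasses import dataclass, field


class PubSub:
    """Pub/Sub: a message reaches only the subscribers connected right now."""

    def __init__(self):
        self.subscribers = {}  # subscriber name -> list of received messages

    def subscribe(self, name):
        self.subscribers[name] = []

    def unsubscribe(self, name):
        self.subscribers.pop(name, None)

    def publish(self, msg):
        for inbox in self.subscribers.values():
            inbox.append(msg)
        return len(self.subscribers)  # like PUBLISH's reply: receivers count


@dataclass
class ConsumerGroup:
    """Minimal model of XADD / XREADGROUP / XACK / XPENDING / XCLAIM on one stream."""
    log: list = field(default_factory=list)      # the stream: (id, payload) entries
    last_delivered: int = -1                     # group cursor into the log
    pending: dict = field(default_factory=dict)  # entry id -> consumer holding it

    def xadd(self, payload):
        entry_id = len(self.log)
        self.log.append((entry_id, payload))
        return entry_id

    def xreadgroup(self, consumer, count=1):
        """Hand the next undelivered entries to `consumer`; they become pending."""
        start = self.last_delivered + 1
        batch = self.log[start:start + count]
        for entry_id, _ in batch:
            self.pending[entry_id] = consumer
        if batch:
            self.last_delivered = batch[-1][0]
        return batch

    def xack(self, entry_id):
        """Acknowledging removes the entry from the pending list."""
        return self.pending.pop(entry_id, None) is not None

    def xpending(self, consumer):
        """Entries delivered to `consumer` that were never acknowledged."""
        return sorted(i for i, c in self.pending.items() if c == consumer)

    def xclaim(self, new_consumer, entry_ids):
        """A surviving consumer takes over entries a dead consumer never ACKed."""
        claimed = []
        for entry_id in entry_ids:
            if entry_id in self.pending:
                self.pending[entry_id] = new_consumer
                claimed.append(self.log[entry_id])
        return claimed


def pubsub_loses_on_disconnect():
    """Constructed scenario: the subscriber is away when order-2 is published."""
    bus = PubSub()
    bus.subscribe("worker")
    bus.publish("order-1")
    bus.unsubscribe("worker")        # client drops its connection
    bus.publish("order-2")           # nobody is listening: lost for good
    bus.subscribe("worker")          # client reconnects with a fresh inbox
    bus.publish("order-3")
    return bus.subscribers["worker"]  # only order-3 made it


def stream_survives_disconnect():
    """Constructed scenario: worker-a ACKs one entry, then dies holding another."""
    g = ConsumerGroup()
    for payload in ("order-1", "order-2", "order-3"):
        g.xadd(payload)
    first = g.xreadgroup("worker-a", count=2)   # worker-a gets order-1, order-2
    g.xack(first[0][0])                         # ACKs order-1 only, then crashes
    stuck = g.xpending("worker-a")              # order-2 is still pending
    recovered = g.xclaim("worker-b", stuck)     # worker-b takes it over
    rest = g.xreadgroup("worker-b")             # and continues with order-3
    return [payload for _, payload in recovered + rest]  # nothing was lost


if __name__ == "__main__":
    print("pub/sub delivered:", pubsub_loses_on_disconnect())
    print("stream delivered: ", stream_survives_disconnect())
```

The point of the model is the pending list: a delivered-but-unacknowledged entry is attributable to a specific consumer, so a monitoring job can see what a crashed client left behind and another consumer can pick it up, which is exactly the "persistent Pub/Sub" behaviour the comment describes.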


My company has no choice - we have to use SSL internally for regulatory purposes. Right now we're using an stunnel solution for having our clients connect to Redis - I am super excited that I'll be able to remove this workaround in the future!
There is a software named Hitch https://github.com/varnish/hitch that is super useful for enabling SSL to different services, like Redis.
Putting the server behind TLS is a minor part of the process.

If you want any kind of HA, you'll have multiple instances of Redis, with changes replicated from the writable node to the others.

That traffic needs to be encrypted too - and redis (pre 6.0) knows nothing about TLS.

So now you need a tunnel to each other Redis node.

Oh but you also want Sentinel to make sure a failure means a new primary node is elected... and Sentinel doesn't speak TLS either, and they need to both speak to each other, and the Redis nodes... so that's another set of TLS tunnels you need to set up.

I set up Redis on 3 nodes for a customer; if you tried to draw the stunnel setup on paper, it'd look like you're illustrating a plate of spaghetti.

How is stunnel a workaround? Honestly that would seem like an ideal solution to me - "do one thing, do it well". Stunnel can focus on having a rock solid TLS implementation and Redis can focus on being a great DB.

Am I missing something?

Redis streams have been a phenomenal addition to my toolbelt in designing realtime ETL/ELT pipelines. Before I had to make do with a way more complicated Pub/Sub + job q (Tasktiger). That all became redundant thanks to Redis streams.

Thank you!

It would really be awesome if there was a built in way to attach/spill/persist individual streams to external data volumes (older/busy streams could run out of memory) and have it support hot swapping.

> Btw this Kafka monster is a total of 2775 lines of code, including comments. 1731 lines of code without comments. In other systems this is the prelude in the copyright notice.

Hilarious, funny and informative :D Upvoted!

Great to hear you're enjoying streams - you got my upvote :)
Do you mind sharing more how you use Redis streams for ETL pipelines?
Happy to talk shop anytime, feel free to reach out.

In short - I like to have audit-able dataflows in my pipelines. Streams are inherently timestamped and provide a great way to see how data changed over time. For one, if you had a bug or regression in the pipeline, you can precisely track down the impacted time window - no guessing needed.

Just a quick thank you for your work. Redis has always been a fantastically easy-to-approach key storage for me and other people I’ve worked with.
> Really ACLs have nothing to do with enterprise, but some safety is needed.

Huzzah!

Let’s stop calling basic security features “enterprise”.

Locking basic security features behind a paywall is a protection racket, pure and simple.

Small companies, and lone developers, need security, too.

If we are making software for consumers who won’t know any better, why not encourage (and make it trivial) for fledglings to do the right thing from the very beginning?

Why does every single company have to go through the same security mistakes on their way to Series A/B/C? Why can't we learn from our mistakes and make doing the right thing not just accessible, but easily accessible?

Hat tip to antirez, et.al., on this one.

1000%. Basic security (and that includes an evolving basket of features) is not just for "enterprise." Neither from the developer's POV nor a user's. How many database hacks do people have to have reported as front page news about unsecured databases — where users didn't even change default security credentials — before people finally get that any database running anywhere is at risk — even on-prem with only your own people accessing it. Security is not an "advanced" feature. It is a foundational requirement before you even load data into a cluster.
I find it funny that the SSL cert on antirez.com is throwing PR_END_OF_FILE_ERROR
I don't know what your browser is doing, but it is not behaving correctly. Maybe you are connected to a corporate VPN that is doing weird things to TLS?

   bash-3.2$ telnet antirez.com 443
   Trying 109.74.203.151...
   telnet: connect to address 109.74.203.151: Connection refused
   telnet: Unable to connect to remote host