docs/content/v2.20/secure/enable-authentication/yedis.md
YEDIS authentication is based on passwords. Each client connecting through the YEDIS API must provide a valid password before it can execute any command successfully.
Note that YEDIS implements a password-only authentication scheme. According to the Redis security docs page ("Authentication feature" section), the open source version of Redis does not try to implement access control; instead, it provides a small layer of authentication that can optionally be enabled in the redis.conf file.
You can enable password-based authentication in the YEDIS API using the CONFIG command.
To do so, connect to the cluster using redis-cli and run the following command:
127.0.0.1:6379> CONFIG SET requirepass "password"
"OK"
Next, exit redis-cli, connect to the cluster again using redis-cli, and run the PING command (or any other command).
127.0.0.1:6379> PING
(error) NOAUTH PING: Authentication required.
You need to authenticate the client (redis-cli in this case) by running the AUTH command:
127.0.0.1:6379> AUTH password
"OK"
Subsequently, running any command would succeed:
127.0.0.1:6379> PING
PONG
YEDIS accepts multiple passwords (up to 2) at the same time. This lets you change the password gracefully, without any application outage. Note that this requires knowing the old password.
Let us assume that the old password is old-password and the new password you intend to change it to is new-password. The preferred sequence is:
1. Add a new password.
127.0.0.1:6379> CONFIG SET requirepass "old-password,new-password"
This enables connecting to the database using both passwords.
2. Change the password used by the application tier.
This involves changing the configuration or pushing an updated binary to the application tier so that it now connects using new-password.
3. Drop the old password.
127.0.0.1:6379> CONFIG SET requirepass "new-password"
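The rotation sequence above, written as an added example (not YugabyteDB's own code) that checks the state after each step before moving on. The `connect` and `switch_app` callables, the `execute(*args)` interface and the in-memory `FakeYedis` stand-in are hypothetical names constructed so the block runs offline, and its "ERR" reply texts are invented.

```python
# Added example: graceful YEDIS password rotation with a check after each step.
# `connect` returns an object with execute(*args) -> reply (hypothetical interface).
class FakeYedis:  # constructed in-memory stand-in for a server
    def __init__(self, *passwords):
        self.passwords = list(passwords)

    def connect(self):
        return FakeConn(self)

class FakeConn:
    def __init__(self, server):
        self.server, self.authed = server, False

    def execute(self, *args):
        cmd = args[0].upper()
        if cmd == "AUTH":
            self.authed = args[1] in self.server.passwords
            return "OK" if self.authed else "ERR bad password"  # constructed text
        if not self.authed:
            return f"NOAUTH {cmd}: Authentication required."
        if cmd == "PING":
            return "PONG"
        if [a.lower() for a in args[:3]] == ["config", "set", "requirepass"]:
            new = args[3].split(",")
            if len(new) > 2:
                return "ERR too many passwords"  # page: up to 2 are accepted
            self.server.passwords = new
            return "OK"
        return "ERR unknown command"

def accepts(connect, password):
    """True if a fresh connection can AUTH with `password` and then PING."""
    conn = connect()
    return conn.execute("AUTH", password) == "OK" and conn.execute("PING") == "PONG"

def rotate(connect, old, new, switch_app):
    # The password list is comma-separated, so a comma inside a password is
    # assumed to be unsafe and is rejected up front.
    if "," in old or "," in new or not new or new == old:
        raise ValueError("passwords must be non-empty, distinct and comma-free")
    admin = connect()
    if admin.execute("AUTH", old) != "OK":
        raise PermissionError("old password rejected; rotation requires it")
    admin.execute("CONFIG", "SET", "requirepass", f"{old},{new}")  # step 1
    if not (accepts(connect, old) and accepts(connect, new)):
        raise RuntimeError("both passwords must work before the app is switched")
    switch_app(new)                                                # step 2
    admin.execute("CONFIG", "SET", "requirepass", new)             # step 3
    return {"old": accepts(connect, old), "new": accepts(connect, new)}
```

A successful rotation returns `{"old": False, "new": True}`; any other result means the old password is still accepted or the new one is not.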