Problem
Valkey 9.1 introduced database-level ACL permissions, allowing a user's access to be scoped to specific logical database indices. The full set of directives is:
- `db=<id>[,<id>...]` — restrict the user to the listed database IDs
- `alldbs` — allow the user to access all databases (default for new users)
- `resetdbs` — clear all allowed databases and the `alldbs` flag; the user cannot access any database until `db=` or `alldbs` is re-added

The current `UserAclSpec` in `valkeyacls_types.go` has no `Databases` field. Users who need `db=` scoping today must use the `permissions` (raw ACL) escape hatch, which gives up the structured API and validation.
Proposed fix
Add a DatabasesAclSpec struct and a Databases field to UserAclSpec, following the same pattern as KeysAclSpec and ChannelsAclSpec:
```go
type DatabasesAclSpec struct {
	// Specific database IDs the user is allowed to access.
	// Maps to Valkey: db=0,1,2
	// +optional
	IDs []int `json:"ids,omitempty"`
	// Allow the user to access all databases. Default for new users.
	// Maps to Valkey: alldbs
	// +kubebuilder:default=false
	AllDbs bool `json:"allDbs,omitempty"`
	// Clear allowed databases and the alldbs flag.
	// Maps to Valkey: resetdbs
	// +kubebuilder:default=false
	ResetDbs bool `json:"resetDbs,omitempty"`
}
```
`buildUserAcl` in `internal/controller/users.go` must be updated to emit the `db=` clause (or `alldbs`/`resetdbs`) when `Databases` is set.
Version requirement
db= ACL directives require Valkey 9.1+. The operator should guard this at reconcile time (ideally via a shared version-gating framework once that exists). If the detected version is < 9.1 and a user spec includes Databases, the operator should surface a condition warning rather than silently ignoring the field.
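To make the rendering and gating concrete, here is an added example (not the operator's own code) of how the `Databases` clause could be built: a `Directives` method that renders the three directives in the order Valkey applies them (`resetdbs` first, so an earlier grant is cleared before the new one), a `Validate` step that rejects `ids` combined with `allDbs` and rejects an empty spec so `databases: {}` cannot silently emit nothing, and a version gate that returns an error instead of dropping the field on < 9.1. The `DatabasesAclSpec` here mirrors the proposed struct without its kubebuilder tags; `ValkeyVersion`, `BuildDatabasesClause` and the decision to allow `resetDbs` alongside `ids`/`allDbs` are assumptions for illustration, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// DatabasesAclSpec mirrors the struct proposed in this issue (tags omitted).
type DatabasesAclSpec struct {
	IDs      []int
	AllDbs   bool
	ResetDbs bool
}

// ValkeyVersion is a minimal major.minor pair (assumed here; the operator's
// own version detection would populate it from the server).
type ValkeyVersion struct{ Major, Minor int }

// AtLeast reports whether v >= major.minor.
func (v ValkeyVersion) AtLeast(major, minor int) bool {
	return v.Major > major || (v.Major == major && v.Minor >= minor)
}

// ErrDatabasesUnsupported is what a reconciler would turn into a condition.
var ErrDatabasesUnsupported = errors.New("db= ACL directives require Valkey 9.1+")

// Validate enforces the mutual-exclusion rules: IDs cannot be combined with
// AllDbs, IDs must be non-negative, and an empty spec is rejected. ResetDbs
// is allowed with either (reset first, then grant) because that is valid
// Valkey ACL syntax; this is an assumed policy choice for the example.
func (s DatabasesAclSpec) Validate() error {
	if len(s.IDs) > 0 && s.AllDbs {
		return errors.New("databases.ids and databases.allDbs are mutually exclusive")
	}
	if len(s.IDs) == 0 && !s.AllDbs && !s.ResetDbs {
		return errors.New("databases must set ids, allDbs or resetDbs")
	}
	for _, id := range s.IDs {
		if id < 0 {
			return fmt.Errorf("database id %d must be >= 0", id)
		}
	}
	return nil
}

// Directives renders the ACL SETUSER tokens: resetdbs, then alldbs or db=...
// IDs are de-duplicated and sorted so the reconciled ACL string is stable.
func (s DatabasesAclSpec) Directives() ([]string, error) {
	if err := s.Validate(); err != nil {
		return nil, err
	}
	var out []string
	if s.ResetDbs {
		out = append(out, "resetdbs")
	}
	if s.AllDbs {
		out = append(out, "alldbs")
	}
	if len(s.IDs) > 0 {
		seen := make(map[int]struct{}, len(s.IDs))
		ids := make([]int, 0, len(s.IDs))
		for _, id := range s.IDs {
			if _, dup := seen[id]; !dup {
				seen[id] = struct{}{}
				ids = append(ids, id)
			}
		}
		sort.Ints(ids)
		parts := make([]string, len(ids))
		for i, id := range ids {
			parts[i] = strconv.Itoa(id)
		}
		out = append(out, "db="+strings.Join(parts, ","))
	}
	return out, nil
}

// BuildDatabasesClause is the version-gated entry point a reconciler would
// call from buildUserAcl: nil spec emits nothing, an old server is an error
// (to be surfaced as a condition) rather than a silently dropped field.
func BuildDatabasesClause(spec *DatabasesAclSpec, v ValkeyVersion) (string, error) {
	if spec == nil {
		return "", nil
	}
	if !v.AtLeast(9, 1) {
		return "", ErrDatabasesUnsupported
	}
	d, err := spec.Directives()
	if err != nil {
		return "", err
	}
	return strings.Join(d, " "), nil
}

func main() {
	spec := DatabasesAclSpec{IDs: []int{2, 0, 2}}
	clause, err := BuildDatabasesClause(&spec, ValkeyVersion{Major: 9, Minor: 1})
	fmt.Println(clause, err) // db=0,2 <nil>
	_, err = BuildDatabasesClause(&spec, ValkeyVersion{Major: 8, Minor: 1})
	fmt.Println(err) // db= ACL directives require Valkey 9.1+
}
```

Returning `ErrDatabasesUnsupported` as a sentinel lets the reconciler use `errors.Is` to map it to a status condition, while keeping the ACL rendering itself pure and unit-testable without a cluster.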
Acceptance criteria
- `DatabasesAclSpec` added to `valkeyacls_types.go`; `Databases` field added to `UserAclSpec`
- `buildUserAcl` emits `db=<id>[,<id>...]` / `alldbs` / `resetdbs` correctly
- Validation: `IDs` and `AllDbs`/`ResetDbs` are mutually exclusive where appropriate
- A condition warning is surfaced when `Databases` is set on a cluster running < 9.1
- Tests cover `buildUserAcl` with all three directives
- End-to-end check: a user with `db=0`; verify `ACL LIST` on the pod reflects the restriction
References
- Valkey 9.1 ACL docs (database permissions)
- Existing pattern:
  - `KeysAclSpec`, `ChannelsAclSpec` in `valkeyacls_types.go`
  - `buildUserAcl` in `internal/controller/users.go`