Database-level access control

src/cli_commands.c

@@ -3,8 +3,8 @@
 
 /* Definitions to configure commands.c to generate the above structs. */
 #define MAKE_CMD(name, summary, complexity, since, doc_flags, replaced, deprecated, group, group_enum, history, \
-                 num_history, tips, num_tips, function, arity, flags, acl, key_specs, key_specs_num, get_keys,  \
-                 numargs)                                                                                       \
+                 num_history, tips, num_tips, function, arity, flags, acl, get_dbid_args, key_specs,            \
+                 key_specs_num, get_keys, numargs)                                                              \
     name, summary, group, since, numargs
 #define MAKE_ARG(name, type, key_spec_index, token, summary, since, flags, numsubargs, deprecated_since) \
     name, type, token, since, flags, numsubargs

src/commands.c

@@ -2,10 +2,10 @@
 #include "server.h"
 
 #define MAKE_CMD(name, summary, complexity, since, doc_flags, replaced, deprecated, group, group_enum, history, \
-                 num_history, tips, num_tips, function, arity, flags, acl, key_specs, key_specs_num, get_keys,  \
-                 numargs)                                                                                       \
+                 num_history, tips, num_tips, function, arity, flags, acl, get_dbid_args, key_specs,            \
+                 key_specs_num, get_keys, numargs)                                                              \
     name, summary, complexity, since, doc_flags, replaced, deprecated, group_enum, history, num_history, tips,  \
-        num_tips, function, arity, flags, acl, key_specs, key_specs_num, get_keys, numargs
+        num_tips, function, arity, flags, acl, get_dbid_args, key_specs, key_specs_num, get_keys, numargs
 #define MAKE_ARG(name, type, key_spec_index, token, summary, since, flags, numsubargs, deprecated_since) \
     name, type, key_spec_index, token, summary, since, flags, deprecated_since, numsubargs
 #define COMMAND_STRUCT serverCommand

src/commands/README.md

@@ -54,6 +54,7 @@ following keys. To be safe, assume all of them are optional.
   the command. (Don't use it for anything else.)
 * `"command_flags"`: An array of flags represented as strings. Command flags:
   * `"ADMIN"`
+  * `"ALL_DBS"`
   * `"ALLOW_BUSY"`
   * `"ASKING"`
   * `"BLOCKING"`
@@ -93,6 +94,9 @@ following keys. To be safe, assume all of them are optional.
   * `"STREAM"`
   * `"STRING"`
   * `"TRANSACTION"`
+* `"get_dbid_args"`: The name of the C function in Valkey's source code
+  implementing retrieval of database ID arguments from commands that accept
+  database ID as an argument.
 * `"command_tips"`: Optional. A list of one or more of these strings:
   * `"NONDETERMINISTIC_OUTPUT"`
   * `"NONDETERMINISTIC_OUTPUT_ORDER"`

src/commands/acl-getuser.json

@@ -15,6 +15,10 @@
             [
                 "7.0.0",
                 "Added selectors and changed the format of key and channel patterns from a list to their rule representation."
+            ],
+            [
+                "9.1.0",
+                "Added database permission rules."
             ]
         ],
         "command_flags": [
@@ -61,6 +65,10 @@
                             "description": "Root selector's channels.",
                             "type": "string"
                         },
+                        "databases": {
+                            "description": "Root selector's databases.",
+                            "type": "string"
+                        },
                         "selectors": {
                             "type": "array",
                             "items": {
@@ -75,6 +83,9 @@
                                     },
                                     "channels": {
                                         "type": "string"
+                                    },
+                                    "databases": {
+                                        "type": "string"
                                     }
                                 }
                             }

src/commands/acl-setuser.json

@@ -15,6 +15,10 @@
             [
                 "7.0.0",
                 "Added selectors and key based permissions."
+            ],
+            [
+                "9.1.0",
+                "Added database permission rules."
             ]
         ],
         "command_flags": [

src/commands/cluster-cancelslotmigrations.json

@@ -10,7 +10,8 @@
         "command_flags": [
             "NO_ASYNC_LOADING",
             "ADMIN",
-            "STALE"
+            "STALE",
+            "ALL_DBS"
         ],
         "reply_schema": {
             "const": "OK"

src/commands/cluster-migrateslots.json

@@ -10,7 +10,8 @@
         "command_flags": [
             "NO_ASYNC_LOADING",
             "ADMIN",
-            "STALE"
+            "STALE",
+            "ALL_DBS"
         ],
         "arguments": [
             {

src/commands/copy.json

@@ -15,6 +15,7 @@
             "SLOW",
             "WRITE"
         ],
+        "get_dbid_args": "copyDbIdArgs",
         "key_specs": [
             {
                 "flags": [

src/commands/flushall.json

@@ -17,7 +17,8 @@
             ]
         ],
         "command_flags": [
-            "WRITE"
+            "WRITE",
+            "ALL_DBS"
         ],
         "acl_categories": [
             "DANGEROUS",

src/commands/move.json

@@ -15,6 +15,7 @@
             "KEYSPACE",
             "WRITE"
         ],
+        "get_dbid_args": "moveDbIdArgs",
         "key_specs": [
             {
                 "flags": [

src/commands/select.json

@@ -15,6 +15,7 @@
             "CONNECTION",
             "FAST"
         ],
+        "get_dbid_args": "selectDbIdArgs",
         "reply_schema": {
             "const": "OK"
         },

src/commands/swapdb.json

@@ -16,6 +16,7 @@
             "KEYSPACE",
             "WRITE"
         ],
+        "get_dbid_args": "swapdbDbIdArgs",
         "arguments": [
             {
                 "name": "index1",

src/db.c

@@ -899,9 +899,14 @@ void selectCommand(client *c) {
 
     if (selectDb(c, id) == C_ERR) {
         addReplyError(c, "DB index is out of range");
-    } else {
-        addReply(c, shared.ok);
+        return;
     }
+
+    if (c->flag.multi) {
+        serverAssert(c->mstate != NULL);
+        c->mstate->transaction_db_id = id;
+    }
+    addReply(c, shared.ok);
 }
 
 void randomkeyCommand(client *c) {
@@ -2954,3 +2959,59 @@ int bitfieldGetKeys(struct serverCommand *cmd, robj **argv, int argc, getKeysRes
     }
     return 1;
 }
+
+int *selectDbIdArgs(robj **argv, int argc, int *count) {
+    if (argc < 2) return NULL;
+
+    long long dbid;
+    if (getLongLongFromObject(argv[1], &dbid) != C_OK) return NULL;
+    if (dbid < 0 || dbid >= server.dbnum) return NULL;
+
+    int *result = zmalloc(sizeof(int));
+    result[0] = (int)dbid;
+    *count = 1;
+    return result;
+}
+
+int *swapdbDbIdArgs(robj **argv, int argc, int *count) {
+    if (argc < 3) return NULL;
+
+    long long db1, db2;
+    if (getLongLongFromObject(argv[1], &db1) != C_OK ||
+        getLongLongFromObject(argv[2], &db2) != C_OK) return NULL;
+    if (db1 < 0 || db1 >= server.dbnum || db2 < 0 || db2 >= server.dbnum) return NULL;
+
+    int *result = zmalloc(2 * sizeof(int));
+    result[0] = (int)db1;
+    result[1] = (int)db2;
+    *count = 2;
+    return result;
+}
+
+int *moveDbIdArgs(robj **argv, int argc, int *count) {
+    if (argc < 3) return NULL;
+
+    long long dbid;
+    if (getLongLongFromObject(argv[2], &dbid) != C_OK) return NULL;
+    if (dbid < 0 || dbid >= server.dbnum) return NULL;
+
+    int *result = zmalloc(sizeof(int));
+    result[0] = (int)dbid;
+    *count = 1;
+    return result;
+}
+
+int *copyDbIdArgs(robj **argv, int argc, int *count) {
+    if (argc < 5) return NULL;
+
+    if (strcasecmp(argv[3]->ptr, "db") != 0) return NULL;
+
+    long long dbid;
+    if (getLongLongFromObject(argv[4], &dbid) != C_OK) return NULL;
+    if (dbid < 0 || dbid >= server.dbnum) return NULL;
+
+    int *result = zmalloc(sizeof(int));
+    result[0] = (int)dbid;
+    *count = 1;
+    return result;
+}

src/intset.c

@@ -335,3 +335,18 @@ int intsetValidateIntegrity(const unsigned char *p, size_t size, int deep) {
 
     return 1;
 }
+
+/* Free an intset */
+void intsetFree(intset *is) {
+    if (is) zfree(is);
+}
+
+/* Deep copy an intset */
+intset *intsetDup(intset *is) {
+    if (!is) return intsetNew();
+
+    size_t size = intsetBlobLen(is);
+    intset *copy = zmalloc(size);
+    memcpy(copy, is, size);
+    return copy;
+}

src/intset.h

@@ -49,5 +49,7 @@ uint8_t intsetGet(intset *is, uint32_t pos, int64_t *value);
 uint32_t intsetLen(const intset *is);
 size_t intsetBlobLen(intset *is);
 int intsetValidateIntegrity(const unsigned char *is, size_t size, int deep);
+void intsetFree(intset *is);
+intset *intsetDup(intset *is);
 
 #endif // __INTSET_H

src/module.c

@@ -1261,6 +1261,7 @@ int64_t commandFlagsFromString(char *s) {
         else if (!strcasecmp(t,"no-cluster")) flags |= CMD_MODULE_NO_CLUSTER;
         else if (!strcasecmp(t,"no-mandatory-keys")) flags |= CMD_NO_MANDATORY_KEYS;
         else if (!strcasecmp(t,"allow-busy")) flags |= CMD_ALLOW_BUSY;
+        else if (!strcasecmp(t,"all-dbs")) flags |= CMD_ALL_DBS;
         else break;
         /* clang-format on */
     }
@@ -1352,6 +1353,8 @@ ValkeyModuleCommand *moduleCreateCommandProxy(struct ValkeyModule *module,
  * * **"allow-busy"**: Permit the command while the server is blocked either by
  *                     a script or by a slow module command, see
  *                     VM_Yield.
+ * * **"all-dbs"**:     The command accesses all databases and to execute this
+ *                      command user has to have `alldbs`
  * * **"getchannels-api"**: The command implements the interface to return
  *                          the arguments that are channels.
  *
@@ -3975,9 +3978,12 @@ int VM_PublishMessageShard(ValkeyModuleCtx *ctx, ValkeyModuleString *channel, Va
     return pubsubPublishMessageAndPropagateToCluster(channel, message, 1);
 }
 
-/* Return the currently selected DB. */
+/* Return the currently selected DB.
+ * When inside a MULTI/EXEC transaction, returns transaction_db_id which tracks
+ * the DB selected within the transaction (may differ from client->db->id).
+ * Otherwise, returns the client's actual DB. */
 int VM_GetSelectedDb(ValkeyModuleCtx *ctx) {
-    return ctx->client->db->id;
+    return (ctx->client->flag.multi) ? ctx->client->mstate->transaction_db_id : ctx->client->db->id;
 }
 
 
@@ -6612,7 +6618,8 @@ ValkeyModuleCallReply *VM_Call(ValkeyModuleCtx *ctx, const char *cmdname, const
         int acl_errpos;
         int acl_retval;
 
-        acl_retval = ACLCheckAllUserCommandPerm(user, c->cmd, c->argv, c->argc, &acl_errpos);
+        int dbid = (c->flag.multi) ? c->mstate->transaction_db_id : c->db->id;
+        acl_retval = ACLCheckAllUserCommandPerm(user, c->cmd, c->argv, c->argc, dbid, &acl_errpos);
         if (acl_retval != ACL_OK) {
             int context = scriptIsRunning() ? ACL_LOG_CTX_SCRIPT : ACL_LOG_CTX_MODULE;
             sds object = (acl_retval == ACL_DENIED_CMD) ? sdsdup(c->cmd->fullname) : sdsdup(c->argv[acl_errpos]->ptr);
@@ -10129,6 +10136,14 @@ ValkeyModuleUser *VM_GetModuleUserFromUserName(ValkeyModuleString *name) {
  *
  * * ENOENT: Specified command does not exist.
  * * EACCES: Command cannot be executed, according to ACL rules
+ *
+ * NOTE: Since 9.1, the underlying ACL check will NOT validate the user's access to the database.
+ * For users WITHOUT the `alldbs` flag: VALKEYMODULE_ERR will be returned for any
+ * READ or WRITE command, even if the user has permission to access the current database.
+ *
+ * For comprehensive ACL validation that handles all types of permissions for users, it is
+ * recommended to use VM_ACLCheckPermissions() instead, which accepts a dbid parameter
+ * and properly validates access.
  */
 int VM_ACLCheckCommandPermissions(ValkeyModuleUser *user, ValkeyModuleString **argv, int argc) {
     int keyidxptr;
@@ -10140,7 +10155,7 @@ int VM_ACLCheckCommandPermissions(ValkeyModuleUser *user, ValkeyModuleString **a
         return VALKEYMODULE_ERR;
     }
 
-    if (ACLCheckAllUserCommandPerm(user->user, cmd, argv, argc, &keyidxptr) != ACL_OK) {
+    if (ACLCheckAllUserCommandPerm(user->user, cmd, argv, argc, -1, &keyidxptr) != ACL_OK) {
         errno = EACCES;
         return VALKEYMODULE_ERR;
     }
@@ -10211,6 +10226,61 @@ int VM_ACLCheckChannelPermissions(ValkeyModuleUser *user, ValkeyModuleString *ch
     return VALKEYMODULE_OK;
 }
 
+/* Check if the command with its arguments can be executed by the user, according to the
+ * ACLs associated with it. This function performs a comprehensive ACL check including:
+ * - Command permissions
+ * - Key permissions
+ * - Channel permissions
+ * - Database permissions
+ *
+ * On success VALKEYMODULE_OK is returned, otherwise VALKEYMODULE_ERR is returned and
+ * errno is set to one of the following values:
+ * * EINVAL: Invalid arguments (e.g., negative dbid or dbid >= server.dbnum, command does not exist)
+ * * EACCES: Permission denied (for any ACL violation)
+ *
+ * The optional denial_reason parameter can be used to get more specific information about
+ * why the permission was denied. If provided (not NULL), it will be set to one of:
+ * * VALKEYMODULE_ACL_LOG_CMD: User does not have permission to execute the command
+ * * VALKEYMODULE_ACL_LOG_KEY: User does not have permission to access a key
+ * * VALKEYMODULE_ACL_LOG_CHANNEL: User does not have permission to access a channel
+ * * VALKEYMODULE_ACL_LOG_DB: User does not have permission to access the database
+ */
+int VM_ACLCheckPermissions(ValkeyModuleUser *user,
+                           ValkeyModuleString **argv,
+                           int argc,
+                           int dbid,
+                           ValkeyModuleACLLogEntryReason *denial_reason) {
+    int keyidxptr;
+    struct serverCommand *cmd;
+
+    if (dbid < 0 || dbid >= server.dbnum) {
+        errno = EINVAL;
+        return VALKEYMODULE_ERR;
+    }
+
+    if ((cmd = lookupCommand(argv, argc)) == NULL) {
+        errno = EINVAL;
+        return VALKEYMODULE_ERR;
+    }
+
+    int acl_retval = ACLCheckAllUserCommandPerm(user->user, cmd, argv, argc, dbid, &keyidxptr);
+    if (acl_retval != ACL_OK) {
+        errno = EACCES;
+        if (denial_reason) {
+            switch (acl_retval) {
+            case ACL_DENIED_CMD: *denial_reason = VALKEYMODULE_ACL_LOG_CMD; break;
+            case ACL_DENIED_KEY: *denial_reason = VALKEYMODULE_ACL_LOG_KEY; break;
+            case ACL_DENIED_CHANNEL: *denial_reason = VALKEYMODULE_ACL_LOG_CHANNEL; break;
+            case ACL_DENIED_DB: *denial_reason = VALKEYMODULE_ACL_LOG_DB; break;
+            default: *denial_reason = VALKEYMODULE_ACL_LOG_CMD; break;
+            }
+        }
+        return VALKEYMODULE_ERR;
+    }
+
+    return VALKEYMODULE_OK;
+}
+
 /* Helper function to map a ValkeyModuleACLLogEntryReason to ACL Log entry reason. */
 int moduleGetACLLogEntryReason(ValkeyModuleACLLogEntryReason reason) {
     int acl_reason = 0;
@@ -10219,6 +10289,7 @@ int moduleGetACLLogEntryReason(ValkeyModuleACLLogEntryReason reason) {
     case VALKEYMODULE_ACL_LOG_KEY: acl_reason = ACL_DENIED_KEY; break;
     case VALKEYMODULE_ACL_LOG_CHANNEL: acl_reason = ACL_DENIED_CHANNEL; break;
     case VALKEYMODULE_ACL_LOG_CMD: acl_reason = ACL_DENIED_CMD; break;
+    case VALKEYMODULE_ACL_LOG_DB: acl_reason = ACL_DENIED_DB; break;
     default: break;
     }
     return acl_reason;
@@ -14620,6 +14691,7 @@ void moduleRegisterCoreAPI(void) {
     REGISTER_API(ACLCheckCommandPermissions);
     REGISTER_API(ACLCheckKeyPermissions);
     REGISTER_API(ACLCheckChannelPermissions);
+    REGISTER_API(ACLCheckPermissions);
     REGISTER_API(ACLAddLogEntry);
     REGISTER_API(ACLAddLogEntryByUserName);
     REGISTER_API(FreeModuleUser);