chore: support backup and restore sentinel users for full method (#2444)

wangyelei · apecloud-bot · commit 3367888266a3 · 2026-02-10T08:12:52.000Z
(cherry picked from commit 79c445c)
diff --git a/addons/redis/dataprotection/backup.sh b/addons/redis/dataprotection/backup.sh
@@ -15,6 +15,32 @@ trap handle_exit EXIT
 
 export PATH="$PATH:$DP_DATASAFED_BIN_PATH"
 export DATASAFED_BACKEND_BASE_PATH="$DP_BACKUP_BASE_PATH"
+
+function save_sentinel_acl() {
+  if [ -z "$SENTINEL_POD_FQDN_LIST" ]; then
+     return
+  fi
+  for sentinel_fqdn in $(echo "$SENTINEL_POD_FQDN_LIST" | tr "," "\n"); do
+      echo "INFO: save sentinel ${sentinel_fqdn} ACL file"
+      sentinel_cmd="redis-cli $REDIS_CLI_TLS_CMD -h $sentinel_fqdn -p ${SENTINEL_SERVICE_PORT}"
+      if [ -n "$SENTINEL_PASSWORD" ]; then
+          sentinel_cmd="$sentinel_cmd -a $SENTINEL_PASSWORD"
+      fi
+      acl_list=$($sentinel_cmd ACL LIST)
+      if [ $? -eq 0 ]; then
+          break
+      fi
+  done
+  if [ -z "$acl_list" ]; then
+     return
+  fi
+  echo -n > /tmp/sentinel.acl
+  while IFS= read -r user_rule; do
+      echo "$user_rule" >> /tmp/sentinel.acl
+  done <<< "$acl_list"
+  datasafed push /tmp/sentinel.acl "sentinel.acl"
+}
+
 connect_url="redis-cli $REDIS_CLI_TLS_CMD -h ${DP_DB_HOST} -p ${DP_DB_PORT} -a ${DP_DB_PASSWORD}"
 if [ -z ${DP_DB_PASSWORD} ]; then
   connect_url="redis-cli $REDIS_CLI_TLS_CMD -h ${DP_DB_HOST} -p ${DP_DB_PORT}"
@@ -42,6 +68,7 @@ else
   # NOTE: if files changed during taring, the exit code will be 1 when it ends.
   # and will archive the aof file together.
   tar -cvf - ./ | datasafed push -z zstd-fastest - "${DP_BACKUP_NAME}.tar.zst"
+  save_sentinel_acl
 fi
 echo "INFO: save data file successfully"
 TOTAL_SIZE=$(datasafed stat / | grep TotalSize | awk '{print $2}')
diff --git a/addons/redis/dataprotection/restore-keys.sh b/addons/redis/dataprotection/restore-keys.sh
@@ -1,5 +1,51 @@
 #!/bin/bash
 
+function restore_sentinel_acl() {
+  export PATH="$PATH:$DP_DATASAFED_BIN_PATH"
+  export DATASAFED_BACKEND_BASE_PATH="$DP_BACKUP_BASE_PATH"
+
+  if [ -z "$SENTINEL_POD_FQDN_LIST" ]; then
+     echo "INFO: no sentinel found, skip restore sentinel ACL file"
+     return
+  fi
+
+  sentinel_acl_file="sentinel.acl"
+  if [ "$(datasafed list $sentinel_acl_file)" == "${sentinel_acl_file}" ]; then
+    datasafed pull "${sentinel_acl_file}" /tmp/sentinel.acl
+  fi
+
+  for sentinel_fqdn in $(echo "$SENTINEL_POD_FQDN_LIST" | tr "," "\n"); do
+      echo "INFO: restore sentinel ${sentinel_fqdn} ACL file"
+      sentinel_cmd="redis-cli $REDIS_CLI_TLS_CMD -h $sentinel_fqdn -p ${SENTINEL_SERVICE_PORT}"
+      if [ -n "$SENTINEL_PASSWORD" ]; then
+          sentinel_cmd="$sentinel_cmd -a $SENTINEL_PASSWORD"
+      fi
+      if [ "$($sentinel_cmd ping)" != "PONG" ]; then
+          echo "Waring: failed to connect sentinel ${sentinel_fqdn}, skip"
+          continue
+      fi
+      while IFS= read -r user_rule; do
+          [[ -z "$user_rule" ]] && continue
+
+          if [[ "$user_rule" =~ ^user[[:space:]]+([^[:space:]]+) ]]; then
+              username="${BASH_REMATCH[1]}"
+          else
+            # skip invalid user rule
+            continue
+          fi
+
+          if [[ "$username" == "default" ]]; then
+              continue
+          fi
+          rule_part="${user_rule#user $username }"
+          echo "$username" $rule_part
+          $sentinel_cmd ACL SETUSER "$username" $rule_part >&2
+      done < /tmp/sentinel.acl
+      break
+  done
+}
+# restore sentinel acl
+restore_sentinel_acl
 if [ -z "$DP_RESTORE_KEY_PATTERNS" ]; then
     echo "DP_RESTORE_KEY_PATTERNS is not set. Exiting..."
     exit 0
