[GH-ISSUE #19401] issue: Redis Sentinel Authentication Bug - Password Not Passed to Sentinel Client #34391

New Issue

Closed

opened 2026-04-25 08:21:14 -05:00 by GiteaMirror · 1 comment

GiteaMirror commented 2026-04-25 08:21:14 -05:00

Owner

Copy Link

Originally created by @andrescabana86 on GitHub (Nov 23, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19401

Check Existing Issues

• I have searched for any existing and/or related issues.
• I have searched for any existing and/or related discussions.
• I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
• I am using the latest version of Open WebUI.

Installation Method

Other

Open WebUI Version

v0.6.36

Ollama Version (if applicable)

No response

Operating System

Kubernetes on Debian 12

Browser (if applicable)

No response

Confirmation

• I have read and followed all instructions in README.md.
• I am using the latest version of both Open WebUI and Ollama.
• I have included the browser console logs.
• I have included the Docker container logs.
• I have provided every relevant configuration, setting, and environment variable used in my setup.
• I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
• I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
• Start with the initial platform/version/OS and dependencies used,
• Specify exact install/launch/configure commands,
• List URLs visited, user input (incl. example values/emails/passwords if needed),
• Describe all options and toggles enabled or changed,
• Include any files or environmental changes,
• Identify the expected and actual result at each stage,
• Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When configuring Open WebUI to connect to Redis via Sentinel with authentication enabled, the application should:

1. Successfully authenticate with the Sentinel instances using the password from REDIS_URL
2. Discover the master Redis node through Sentinel
3. Connect to the master node and operate normally with automatic failover support

Actual Behavior

Open WebUI fails to authenticate with Redis Sentinel, resulting in a crash loop with the following error:

redis.sentinel.MasterNotFoundError: No master found for 'mymaster' : <redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.Connection(db=0,username=None,password=None,socket_timeout=None,encoding=utf-8,encoding_errors=strict,decode_responses=False,retry_on_error=[],retry=<redis.retry.Retry object>,health_check_interval=0,client_name=None,lib_name=redis-py,lib_version=7.0.1,redis_connect_func=None,credential_provider=None,protocol=2,host=redis.default.svc.cluster.local,port=26379,socket_connect_timeout=None,socket_keepalive=None,socket_keepalive_options=None)>)>)> - AuthenticationError('Authentication required.')

Key observation in error: username=None,password=None - the password is NOT being passed to Sentinel.

---

Steps to Reproduce

Environment Setup

1. Deploy Redis in HA mode using Bitnami Helm chart with Sentinel enabled:

architecture: replication
sentinel:
  enabled: true
  masterSet: mymaster
  quorum: 2
  replicas: 3
auth:
  enabled: true
  password: "your_redis_password"

2. Verify Sentinel is working correctly with authentication:

kubectl exec -n default redis-node-0 -c sentinel -- redis-cli -p 26379 -a your_redis_password SENTINEL masters
# Output shows master 'mymaster' correctly

3. Configure Open WebUI with the following environment variables:

REDIS_URL: "redis://:your_redis_password@mymaster:6379/0"
REDIS_SENTINEL_HOSTS: "redis.default.svc.cluster.local"
REDIS_SENTINEL_PORT: "26379"
WEBSOCKET_SENTINEL_HOSTS: "redis.default.svc.cluster.local"

4. Deploy Open WebUI

5. Observe application crash loop with authentication error

---

Logs & Screenshots

Error from container logs:

Traceback (most recent call last):
  File "/app/backend/open_webui/main.py", line 581, in lifespan
    app.state.redis = get_redis_connection(
  File "/app/backend/open_webui/utils/redis.py", line 136, in get_redis_connection
    sentinel = redis.sentinel.Sentinel(
  File "/usr/local/lib/python3.11/site-packages/redis/sentinel.py", line 335, in discover_master
    raise MasterNotFoundError(f"No master found for {service_name!r}{error_info}")
redis.sentinel.MasterNotFoundError: No master found for 'mymaster' : <redis.client.Redis(...username=None,password=None...)> - AuthenticationError('Authentication required.')

Verification that Sentinel works with correct authentication:

$ kubectl exec redis-node-0 -c sentinel -- redis-cli -p 26379 -a your_password SENTINEL master mymaster
name
mymaster
ip
redis-node-0.redis-headless.default.svc.cluster.local
port
6379
flags
master
num-slaves
2
num-other-sentinels
2

---

The error logs show that the connection object has username=None,password=None, confirming that the credentials are being silently ignored by the Sentinel constructor.

---

The redis.sentinel.Sentinel() constructor does NOT accept password as a direct parameter. According to the redis-py documentation, authentication credentials must be passed via the sentinel_kwargs parameter:

sentinel = redis.sentinel.Sentinel(
    sentinels,
    sentinel_kwargs={'password': 'your_password'}  # ← Correct way
)

Additional Information

Until this is fixed, the only workaround is to connect directly to the master Redis node instead of using Sentinel:

REDIS_URL: "redis://:your_password@redis-node-0.redis-headless.default.svc.cluster.local:6379/0"
# Do NOT set REDIS_SENTINEL_HOSTS or REDIS_SENTINEL_PORT

Proposed Fix

Update /backend/open_webui/utils/redis.py to pass authentication credentials correctly:

Async Mode (Lines 136-145):

sentinel_auth = {}
if redis_config["password"]:
    sentinel_auth["password"] = redis_config["password"]
if redis_config["username"]:
    sentinel_auth["username"] = redis_config["username"]

sentinel = redis.sentinel.Sentinel(
    redis_sentinels,
    sentinel_kwargs=sentinel_auth,
    decode_responses=decode_responses,
)
connection = SentinelRedisProxy(
    sentinel,
    redis_config["service"],
    async_mode=async_mode,
    db=redis_config["db"],
)

Related Issues/PRs

• PR #11148 - Initial Sentinel support implementation
• PR #12366 - WebSocket Sentinel support
• Discussion #17007 - OpenTelemetry warnings with Sentinel (resolved)

Originally created by @andrescabana86 on GitHub (Nov 23, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/19401 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Other ### Open WebUI Version v0.6.36 ### Ollama Version (if applicable) No response ### Operating System Kubernetes on Debian 12 ### Browser (if applicable) No response ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When configuring Open WebUI to connect to Redis via Sentinel with authentication enabled, the application should: 1. Successfully authenticate with the Sentinel instances using the password from `REDIS_URL` 2. Discover the master Redis node through Sentinel 3. Connect to the master node and operate normally with automatic failover support ### Actual Behavior Open WebUI fails to authenticate with Redis Sentinel, resulting in a crash loop with the following error: ``` redis.sentinel.MasterNotFoundError: No master found for 'mymaster' : <redis.client.Redis(<redis.connection.ConnectionPool(<redis.connection.Connection(db=0,username=None,password=None,socket_timeout=None,encoding=utf-8,encoding_errors=strict,decode_responses=False,retry_on_error=[],retry=<redis.retry.Retry object>,health_check_interval=0,client_name=None,lib_name=redis-py,lib_version=7.0.1,redis_connect_func=None,credential_provider=None,protocol=2,host=redis.default.svc.cluster.local,port=26379,socket_connect_timeout=None,socket_keepalive=None,socket_keepalive_options=None)>)>)> - AuthenticationError('Authentication required.') ``` **Key observation in error**: `username=None,password=None` - **the password is NOT being passed to Sentinel**. --- ### Steps to Reproduce ### Environment Setup 1. Deploy Redis in HA mode using Bitnami Helm chart with Sentinel enabled: ```yaml architecture: replication sentinel: enabled: true masterSet: mymaster quorum: 2 replicas: 3 auth: enabled: true password: "your_redis_password" ``` 2. Verify Sentinel is working correctly with authentication: ```bash kubectl exec -n default redis-node-0 -c sentinel -- redis-cli -p 26379 -a your_redis_password SENTINEL masters # Output shows master 'mymaster' correctly ``` 3. Configure Open WebUI with the following environment variables: ```yaml REDIS_URL: "redis://:your_redis_password@mymaster:6379/0" REDIS_SENTINEL_HOSTS: "redis.default.svc.cluster.local" REDIS_SENTINEL_PORT: "26379" WEBSOCKET_SENTINEL_HOSTS: "redis.default.svc.cluster.local" ``` 4. Deploy Open WebUI 5. Observe application crash loop with authentication error --- ### Logs & Screenshots ### Error from container logs: ``` Traceback (most recent call last): File "/app/backend/open_webui/main.py", line 581, in lifespan app.state.redis = get_redis_connection( File "/app/backend/open_webui/utils/redis.py", line 136, in get_redis_connection sentinel = redis.sentinel.Sentinel( File "/usr/local/lib/python3.11/site-packages/redis/sentinel.py", line 335, in discover_master raise MasterNotFoundError(f"No master found for {service_name!r}{error_info}") redis.sentinel.MasterNotFoundError: No master found for 'mymaster' : <redis.client.Redis(...username=None,password=None...)> - AuthenticationError('Authentication required.') ``` ### Verification that Sentinel works with correct authentication: ```bash $ kubectl exec redis-node-0 -c sentinel -- redis-cli -p 26379 -a your_password SENTINEL master mymaster name mymaster ip redis-node-0.redis-headless.default.svc.cluster.local port 6379 flags master num-slaves 2 num-other-sentinels 2 ``` --- The error logs show that the connection object has `username=None,password=None`, confirming that the credentials are being silently ignored by the Sentinel constructor. --- The `redis.sentinel.Sentinel()` constructor does **NOT accept `password` as a direct parameter**. According to the [redis-py documentation](https://redis-py.readthedocs.io/en/stable/connections.html#redis.sentinel.Sentinel), authentication credentials must be passed via the `sentinel_kwargs` parameter: ```python sentinel = redis.sentinel.Sentinel( sentinels, sentinel_kwargs={'password': 'your_password'} # ← Correct way ) ``` ### Additional Information Until this is fixed, the only workaround is to connect directly to the master Redis node instead of using Sentinel: ```yaml REDIS_URL: "redis://:your_password@redis-node-0.redis-headless.default.svc.cluster.local:6379/0" # Do NOT set REDIS_SENTINEL_HOSTS or REDIS_SENTINEL_PORT ``` ## Proposed Fix Update `/backend/open_webui/utils/redis.py` to pass authentication credentials correctly: ### Async Mode (Lines 136-145): ```python sentinel_auth = {} if redis_config["password"]: sentinel_auth["password"] = redis_config["password"] if redis_config["username"]: sentinel_auth["username"] = redis_config["username"] sentinel = redis.sentinel.Sentinel( redis_sentinels, sentinel_kwargs=sentinel_auth, decode_responses=decode_responses, ) connection = SentinelRedisProxy( sentinel, redis_config["service"], async_mode=async_mode, db=redis_config["db"], ) ``` ### Related Issues/PRs - PR #11148 - Initial Sentinel support implementation - PR #12366 - WebSocket Sentinel support - Discussion #17007 - OpenTelemetry warnings with Sentinel (resolved)

GiteaMirror added the bug label 2026-04-25 08:21:15 -05:00

GiteaMirror closed this issue 2026-04-25 08:21:18 -05:00

GiteaMirror commented 2026-04-25 08:21:19 -05:00

Author

Owner

Copy Link

@tjbck commented on GitHub (Nov 25, 2025):

Open to reviewing PRs!

<!-- gh-comment-id:3573982894 --> @tjbck commented on GitHub (Nov 25, 2025): Open to reviewing PRs!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dev

v0.9.2

v0.9.1

v0.9.0

v0.8.12

v0.8.11

v0.8.10

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.43

v0.6.42

v0.6.41

v0.6.40

v0.6.39

v0.6.38

v0.6.37

v0.6.36

v0.6.35

v0.6.34

v0.6.33

v0.6.32

v0.6.31

v0.6.30

v0.6.29

v0.6.28

v0.6.27

v0.6.26

v0.6.25

v0.6.24

v0.6.23

v0.6.22

v0.6.21

v0.6.20

v0.6.19

v0.6.18

v0.6.17

v0.6.16

v0.6.15

v0.6.14

v0.6.13

v0.6.12

v0.6.11

v0.6.10

v0.6.9

v0.6.8

v0.6.7

v0.6.6

v0.6.5

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.20

v0.5.19

v0.5.18

v0.5.17

v0.5.16

v0.5.15

v0.5.14

v0.5.13

v0.5.12

v0.5.11

v0.5.10

v0.5.9

v0.5.8

v0.5.7

v0.5.6

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.8

v0.4.7

v0.4.6

v0.4.5

v0.4.4

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.35

v0.3.34

v0.3.33

v0.3.32

v0.3.31

v0.3.30

v0.3.29

v0.3.28

v0.3.27

v0.3.26

v0.3.25

v0.3.24

v0.3.23

v0.3.22

v0.3.21

v0.3.20

v0.3.19

v0.3.18

v0.3.17

v0.3.16

v0.3.15

v0.3.14

v0.3.13

v0.3.12

v0.3.11

v0.3.10

v0.3.9

v0.3.8

v0.3.7

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.5

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.125

v0.1.124

v0.1.123

v0.1.122

v0.1.121

v0.1.120

v0.1.119

v0.1.118

v0.1.117

v0.1.116

v0.1.115

v0.1.114

v0.1.113

v0.1.112

v0.1.111

v0.1.110

v0.1.109

v0.1.108

v0.1.107

v0.1.106

v0.1.105

v0.1.104

v0.1.103

v0.1.102

Labels

Clear labels

bug

confirmed

confirmed issue

core

documentation

enhancement

good first issue

help wanted

non-core

pull-request

Mirrored from GitHub Pull Request

python

question

testing wanted

No Label bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/open-webui#34391