valkey-io · yang-z-o · Jun 10, 2026 · Jun 16, 2026 · Jun 16, 2026 · Jun 16, 2026
diff --git a/src/acl.c b/src/acl.c
diff --git a/src/commands.def b/src/commands.def
@@ -6852,6 +6852,31 @@ struct COMMAND_ARG ACL_CAT_Args[] = {
 {MAKE_ARG("category",ARG_TYPE_STRING,-1,NULL,NULL,NULL,CMD_ARG_OPTIONAL,0,NULL)},
 };
 
+/********** ACL DELROLE ********************/
+
+#ifndef SKIP_CMD_HISTORY_TABLE
+/* ACL DELROLE history */
+#define ACL_DELROLE_History NULL
+#endif
+
+#ifndef SKIP_CMD_TIPS_TABLE
+/* ACL DELROLE tips */
+const char *ACL_DELROLE_Tips[] = {
+"request_policy:all_nodes",
+"response_policy:all_succeeded",
+};
+#endif
+
+#ifndef SKIP_CMD_KEY_SPECS_TABLE
+/* ACL DELROLE key specs */
+#define ACL_DELROLE_Keyspecs NULL
+#endif
+
+/* ACL DELROLE argument table */
+struct COMMAND_ARG ACL_DELROLE_Args[] = {
+{MAKE_ARG("rolename",ARG_TYPE_STRING,-1,NULL,NULL,NULL,CMD_ARG_MULTIPLE,0,NULL)},
+};
+
 /********** ACL DELUSER ********************/
 
 #ifndef SKIP_CMD_HISTORY_TABLE
@@ -6923,6 +6948,28 @@ struct COMMAND_ARG ACL_GENPASS_Args[] = {
 {MAKE_ARG("bits",ARG_TYPE_INTEGER,-1,NULL,NULL,NULL,CMD_ARG_OPTIONAL,0,NULL)},
 };
 
+/********** ACL GETROLE ********************/
+
+#ifndef SKIP_CMD_HISTORY_TABLE
+/* ACL GETROLE history */
+#define ACL_GETROLE_History NULL
+#endif
+
+#ifndef SKIP_CMD_TIPS_TABLE
+/* ACL GETROLE tips */
+#define ACL_GETROLE_Tips NULL
+#endif
+
+#ifndef SKIP_CMD_KEY_SPECS_TABLE
+/* ACL GETROLE key specs */
+#define ACL_GETROLE_Keyspecs NULL
+#endif
+
+/* ACL GETROLE argument table */
+struct COMMAND_ARG ACL_GETROLE_Args[] = {
+{MAKE_ARG("rolename",ARG_TYPE_STRING,-1,NULL,NULL,NULL,CMD_ARG_NONE,0,NULL)},
+};
+
 /********** ACL GETUSER ********************/
 
 #ifndef SKIP_CMD_HISTORY_TABLE
@@ -6931,6 +6978,7 @@ commandHistory ACL_GETUSER_History[] = {
 {"6.2.0","Added Pub/Sub channel patterns."},
 {"7.0.0","Added selectors and changed the format of key and channel patterns from a list to their rule representation."},
 {"9.1.0","Added database permission rules."},
+{"10.0.0","Added roles."},
 };
 #endif
 
@@ -7030,6 +7078,23 @@ struct COMMAND_ARG ACL_LOG_Args[] = {
 {MAKE_ARG("operation",ARG_TYPE_ONEOF,-1,NULL,NULL,NULL,CMD_ARG_OPTIONAL,2,NULL),.subargs=ACL_LOG_operation_Subargs},
 };
 
+/********** ACL ROLES ********************/
+
+#ifndef SKIP_CMD_HISTORY_TABLE
+/* ACL ROLES history */
+#define ACL_ROLES_History NULL
+#endif
+
+#ifndef SKIP_CMD_TIPS_TABLE
+/* ACL ROLES tips */
+#define ACL_ROLES_Tips NULL
+#endif
+
+#ifndef SKIP_CMD_KEY_SPECS_TABLE
+/* ACL ROLES key specs */
+#define ACL_ROLES_Keyspecs NULL
+#endif
+
 /********** ACL SAVE ********************/
 
 #ifndef SKIP_CMD_HISTORY_TABLE
@@ -7050,6 +7115,32 @@ const char *ACL_SAVE_Tips[] = {
 #define ACL_SAVE_Keyspecs NULL
 #endif
 
+/********** ACL SETROLE ********************/
+
+#ifndef SKIP_CMD_HISTORY_TABLE
+/* ACL SETROLE history */
+#define ACL_SETROLE_History NULL
+#endif
+
+#ifndef SKIP_CMD_TIPS_TABLE
+/* ACL SETROLE tips */
+const char *ACL_SETROLE_Tips[] = {
+"request_policy:all_nodes",
+"response_policy:all_succeeded",
+};
+#endif
+
+#ifndef SKIP_CMD_KEY_SPECS_TABLE
+/* ACL SETROLE key specs */
+#define ACL_SETROLE_Keyspecs NULL
+#endif
+
+/* ACL SETROLE argument table */
+struct COMMAND_ARG ACL_SETROLE_Args[] = {
+{MAKE_ARG("rolename",ARG_TYPE_STRING,-1,NULL,NULL,NULL,CMD_ARG_NONE,0,NULL)},
+{MAKE_ARG("rule",ARG_TYPE_STRING,-1,NULL,NULL,NULL,CMD_ARG_OPTIONAL|CMD_ARG_MULTIPLE,0,NULL)},
+};
+
 /********** ACL SETUSER ********************/
 
 #ifndef SKIP_CMD_HISTORY_TABLE
@@ -7058,6 +7149,7 @@ commandHistory ACL_SETUSER_History[] = {
 {"6.2.0","Added Pub/Sub channel patterns."},
 {"7.0.0","Added selectors and key based permissions."},
 {"9.1.0","Added database permission rules."},
+{"10.0.0","Added role assignment and removal."},
 };
 #endif
 
@@ -7117,16 +7209,20 @@ struct COMMAND_ARG ACL_SETUSER_Args[] = {
 /* ACL command table */
 struct COMMAND_STRUCT ACL_Subcommands[] = {
 {MAKE_CMD("cat","Lists the ACL categories, or the commands inside a category.","O(1) since the categories and commands are a fixed set.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_CAT_History,0,ACL_CAT_Tips,0,aclCommand,-2,CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_SLOW,NULL,ACL_CAT_Keyspecs,0,NULL,1),.args=ACL_CAT_Args},
+{MAKE_CMD("delrole","Deletes one or more ACL roles. Fails if any role has members.","O(N). Where N is the number of roles to delete.","10.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_DELROLE_History,0,ACL_DELROLE_Tips,2,aclCommand,-3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_DELROLE_Keyspecs,0,NULL,1),.args=ACL_DELROLE_Args},
 {MAKE_CMD("deluser","Deletes ACL users, and terminates their connections.","O(1) amortized time considering the typical user.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_DELUSER_History,0,ACL_DELUSER_Tips,2,aclCommand,-3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_DELUSER_Keyspecs,0,NULL,1),.args=ACL_DELUSER_Args},
 {MAKE_CMD("dryrun","Simulates the execution of a command by a user, without executing the command.","O(1).","7.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_DRYRUN_History,0,ACL_DRYRUN_Tips,0,aclCommand,-4,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_DRYRUN_Keyspecs,0,NULL,3),.args=ACL_DRYRUN_Args},
 {MAKE_CMD("genpass","Generates a pseudorandom, secure password that can be used to identify ACL users.","O(1)","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_GENPASS_History,0,ACL_GENPASS_Tips,0,aclCommand,-2,CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_SLOW,NULL,ACL_GENPASS_Keyspecs,0,NULL,1),.args=ACL_GENPASS_Args},
-{MAKE_CMD("getuser","Lists the ACL rules of a user.","O(N). Where N is the number of password, command and pattern rules that the user has.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_GETUSER_History,3,ACL_GETUSER_Tips,0,aclCommand,3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_GETUSER_Keyspecs,0,NULL,1),.args=ACL_GETUSER_Args},
+{MAKE_CMD("getrole","Returns the ACL rules of an ACL role.","O(N). Where N is the number of rules defined for the role.","10.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_GETROLE_History,0,ACL_GETROLE_Tips,0,aclCommand,3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_GETROLE_Keyspecs,0,NULL,1),.args=ACL_GETROLE_Args},
+{MAKE_CMD("getuser","Lists the ACL rules of a user.","O(N). Where N is the number of password, command and pattern rules that the user has.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_GETUSER_History,4,ACL_GETUSER_Tips,0,aclCommand,3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_GETUSER_Keyspecs,0,NULL,1),.args=ACL_GETUSER_Args},
 {MAKE_CMD("help","Returns helpful text about the different subcommands.","O(1)","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_HELP_History,0,ACL_HELP_Tips,0,aclCommand,2,CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_SLOW,NULL,ACL_HELP_Keyspecs,0,NULL,0)},
 {MAKE_CMD("list","Dumps the effective rules in ACL file format.","O(N). Where N is the number of configured users.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_LIST_History,0,ACL_LIST_Tips,0,aclCommand,2,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_LIST_Keyspecs,0,NULL,0)},
 {MAKE_CMD("load","Reloads the rules from the configured ACL file.","O(N). Where N is the number of configured users.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_LOAD_History,0,ACL_LOAD_Tips,0,aclCommand,2,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_LOAD_Keyspecs,0,NULL,0)},
 {MAKE_CMD("log","Lists recent security events generated due to ACL rules.","O(N) with N being the number of entries shown.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_LOG_History,1,ACL_LOG_Tips,0,aclCommand,-2,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_LOG_Keyspecs,0,NULL,1),.args=ACL_LOG_Args},
+{MAKE_CMD("roles","Lists all ACL roles.","O(N). Where N is the number of configured roles.","10.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_ROLES_History,0,ACL_ROLES_Tips,0,aclCommand,2,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_ROLES_Keyspecs,0,NULL,0)},
 {MAKE_CMD("save","Saves the effective ACL rules in the configured ACL file.","O(N). Where N is the number of configured users.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_SAVE_History,0,ACL_SAVE_Tips,2,aclCommand,2,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_SAVE_Keyspecs,0,NULL,0)},
-{MAKE_CMD("setuser","Creates and modifies an ACL user and its rules.","O(N). Where N is the number of rules provided.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_SETUSER_History,3,ACL_SETUSER_Tips,2,aclCommand,-3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_SETUSER_Keyspecs,0,NULL,2),.args=ACL_SETUSER_Args},
+{MAKE_CMD("setrole","Creates and modifies an ACL role and its rules.","O(N). Where N is the number of rules provided.","10.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_SETROLE_History,0,ACL_SETROLE_Tips,2,aclCommand,-3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_SETROLE_Keyspecs,0,NULL,2),.args=ACL_SETROLE_Args},
+{MAKE_CMD("setuser","Creates and modifies an ACL user and its rules.","O(N). Where N is the number of rules provided.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_SETUSER_History,4,ACL_SETUSER_Tips,2,aclCommand,-3,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_SETUSER_Keyspecs,0,NULL,2),.args=ACL_SETUSER_Args},
 {MAKE_CMD("users","Lists all ACL users.","O(N). Where N is the number of configured users.","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_USERS_History,0,ACL_USERS_Tips,0,aclCommand,2,CMD_ADMIN|CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_ADMIN|ACL_CATEGORY_DANGEROUS|ACL_CATEGORY_SLOW,NULL,ACL_USERS_Keyspecs,0,NULL,0)},
 {MAKE_CMD("whoami","Returns the authenticated username of the current connection.","O(1)","6.0.0",CMD_DOC_NONE,NULL,NULL,"server",COMMAND_GROUP_SERVER,ACL_WHOAMI_History,0,ACL_WHOAMI_Tips,0,aclCommand,2,CMD_NOSCRIPT|CMD_LOADING|CMD_STALE|CMD_SENTINEL,ACL_CATEGORY_SLOW,NULL,ACL_WHOAMI_Keyspecs,0,NULL,0)},
 {0}

diff --git a/src/commands/acl-delrole.json b/src/commands/acl-delrole.json
@@ -0,0 +1,38 @@
+{
+    "DELROLE": {
+        "summary": "Deletes one or more ACL roles. Fails if any role has members.",
+        "complexity": "O(N). Where N is the number of roles to delete.",
+        "group": "server",
+        "since": "10.0.0",
+        "arity": -3,
+        "container": "ACL",
+        "function": "aclCommand",
+        "command_flags": [
+            "ADMIN",
+            "NOSCRIPT",
+            "LOADING",
+            "STALE",
+            "SENTINEL"
+        ],
+        "command_tips": [
+            "REQUEST_POLICY:ALL_NODES",
+            "RESPONSE_POLICY:ALL_SUCCEEDED"
+        ],
+        "reply_schema": {
+            "type": "integer",
+            "description": "The number of roles deleted."
+        },
+        "arguments": [
+            {
+                "name": "rolename",
+                "type": "string",
+                "multiple": true
+            }
+        ],
+        "acl_categories": [
+            "ADMIN",
+            "DANGEROUS",
+            "SLOW"
+        ]
+    }
+}
diff --git a/src/commands/acl-getrole.json b/src/commands/acl-getrole.json
@@ -0,0 +1,88 @@
+{
+    "GETROLE": {
+        "summary": "Returns the ACL rules of an ACL role.",
+        "complexity": "O(N). Where N is the number of rules defined for the role.",
+        "group": "server",
+        "since": "10.0.0",
+        "arity": 3,
+        "container": "ACL",
+        "function": "aclCommand",
+        "command_flags": [
+            "ADMIN",
+            "NOSCRIPT",
+            "LOADING",
+            "STALE",
+            "SENTINEL"
+        ],
+        "reply_schema": {
+            "oneOf": [
+                {
+                    "description": "A set of ACL rule definitions for the role.",
+                    "type": "object",
+                    "additionalProperties": false,
+                    "properties": {
+                        "commands": {
+                            "description": "Root selector's commands.",
+                            "type": "string"
+                        },
+                        "keys": {
+                            "description": "Root selector's keys.",
+                            "type": "string"
+                        },
+                        "channels": {
+                            "description": "Root selector's channels.",
+                            "type": "string"
+                        },
+                        "databases": {
+                            "description": "Root selector's databases.",
+                            "type": "string"
+                        },
+                        "selectors": {
+                            "type": "array",
+                            "items": {
+                                "type": "object",
+                                "additionalProperties": false,
+                                "properties": {
+                                    "commands": {
+                                        "type": "string"
+                                    },
+                                    "keys": {
+                                        "type": "string"
+                                    },
+                                    "channels": {
+                                        "type": "string"
+                                    },
+                                    "databases": {
+                                        "type": "string"
+                                    }
+                                }
+                            }
+                        },
+                        "members": {
+                            "description": "List of usernames assigned to this role.",
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
+                        }
+                    }
+                },
+                {
+                    "description": "Role not found.",
+                    "type": "null"
+                }
+            ]
+        },
+        "arguments": [
+            {
+                "name": "rolename",
+                "type": "string"
+            }
+        ],
+        "acl_categories": [
+            "ADMIN",
+            "DANGEROUS",
+            "SLOW"
+        ]
+    }
+}
diff --git a/src/commands/acl-getuser.json b/src/commands/acl-getuser.json
@@ -19,6 +19,10 @@
             [
                 "9.1.0",
                 "Added database permission rules."
+            ],
+            [
+                "10.0.0",
+                "Added roles."
             ]
         ],
         "command_flags": [
@@ -89,6 +93,13 @@
                                     }
                                 }
                             }
+                        },
+                        "roles": {
+                            "description": "List of role names assigned to this user.",
+                            "type": "array",
+                            "items": {
+                                "type": "string"
+                            }
                         }
                     }
                 },

diff --git a/src/commands/acl-roles.json b/src/commands/acl-roles.json
@@ -0,0 +1,30 @@
+{
+    "ROLES": {
+        "summary": "Lists all ACL roles.",
+        "complexity": "O(N). Where N is the number of configured roles.",
+        "group": "server",
+        "since": "10.0.0",
+        "arity": 2,
+        "container": "ACL",
+        "function": "aclCommand",
+        "command_flags": [
+            "ADMIN",
+            "NOSCRIPT",
+            "LOADING",
+            "STALE",
+            "SENTINEL"
+        ],
+        "reply_schema": {
+            "type": "array",
+            "description": "List of existing ACL roles.",
+            "items": {
+                "type": "string"
+            }
+        },
+        "acl_categories": [
+            "ADMIN",
+            "DANGEROUS",
+            "SLOW"
+        ]
+    }
+}
diff --git a/src/commands/acl-setrole.json b/src/commands/acl-setrole.json
@@ -0,0 +1,42 @@
+{
+    "SETROLE": {
+        "summary": "Creates and modifies an ACL role and its rules.",
+        "complexity": "O(N). Where N is the number of rules provided.",
+        "group": "server",
+        "since": "10.0.0",
+        "arity": -3,
+        "container": "ACL",
+        "function": "aclCommand",
+        "command_flags": [
+            "ADMIN",
+            "NOSCRIPT",
+            "LOADING",
+            "STALE",
+            "SENTINEL"
+        ],
+        "command_tips": [
+            "REQUEST_POLICY:ALL_NODES",
+            "RESPONSE_POLICY:ALL_SUCCEEDED"
+        ],
+        "reply_schema": {
+            "const": "OK"
+        },
+        "arguments": [
+            {
+                "name": "rolename",
+                "type": "string"
+            },
+            {
+                "name": "rule",
+                "type": "string",
+                "optional": true,
+                "multiple": true
+            }
+        ],
+        "acl_categories": [
+            "ADMIN",
+            "DANGEROUS",
+            "SLOW"
+        ]
+    }
+}
diff --git a/src/commands/acl-setuser.json b/src/commands/acl-setuser.json
@@ -19,6 +19,10 @@
             [
                 "9.1.0",
                 "Added database permission rules."
+            ],
+            [
+                "10.0.0",
+                "Added role assignment and removal."
             ]
         ],
         "command_flags": [