I want to enable anonymous users to access /_cluster/health. This would allow for automatic health checks without having to distribute a sensitive username/password.
But giving anonymous users the privilege "cluster: monitor" feels like overkill. My questions:
Where do I find the docs on what "cluster: monitor" does entail precisely?
Is there a way to define a user/role such that only read access for /_cluster/health is provided?
Where do I find the docs on what "cluster: monitor" does entail precisely?
There is no list mapping the privilege name (in this case 'monitor') to actions. Maybe there should be one.
Currently the only docs on the matter of privileges are here.
If you got the code handy you could run: find server x-pack -name '*Action.java' -print0 | xargs -0 grep 'cluster:monitor' in the source root dir. After all, the best documentation is the code. Here's my output:
and assign it to the user or xpack.security.authc.anonymous.roles. If this is the only role the user has then the credentials you distribute are not that sensitive.
Is there a way to define a user/role such that only read access for /_cluster/health is provided?
It is, but we don't document it. The way to do it is to replace monitor with cluster:monitor/health. We don't document it because we wish to have some leeway when mapping actions to privileges. In other words, we wish to be able to change them in a non-backwards compatible way.
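The configuration the reply describes, written out as an added example that is not part of the original thread or of Elastic's documentation. The role name `health_check_only` and the username `anonymous_health` are assumptions chosen for illustration.

```yaml
# roles.yml (file-based role definition; the role name is an assumption)
#
# Broad variant the question wanted to avoid: the named privilege "monitor"
# matches the whole cluster:monitor/* action namespace, not only health.
#
# health_check_only:
#   cluster:
#     - monitor
#
# Narrow variant from the reply: grant the single action name instead.
# The reply notes this action-to-privilege mapping is undocumented and may
# change in a non-backwards compatible way, so re-check it after upgrades.
health_check_only:
  cluster:
    - 'cluster:monitor/health'
---
# elasticsearch.yml (anonymous access mapped to the narrow role only)
xpack.security.authc.anonymous:
  username: anonymous_health     # assumed name, shown in audit logs
  roles: health_check_only       # the only role anonymous requests receive
  authz_exception: true          # unauthorized anonymous requests get 403
```

To confirm the scope after applying it, an unauthenticated GET on /_cluster/health should succeed, while another monitoring endpoint such as /_nodes/stats should be refused with HTTP 403.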