Hi everyone,
I want to enable anonymous users to access /_cluster/health. This would allow for automatic health checks without having to distribute a sensitive username/password.
But giving anonymous users the privilege "cluster: monitor" feels like overkill. My questions:
Thanks and greetings,
Malte
Hi Malte,
I will answer inline:
Were do I find the docs on what "cluster: monitor" does entail precisely?
There is no list mapping the privilege name (in this case 'monitor') to actions. Maybe there should be one.
Currently the only docs on the matter of privileges is here.
If you got the code handy you could run: find server x-pack -name '*Action.java' -print0 | xargs -0 grep 'cluster:monitor' in the source root dir. After all, the best documentation is the code. Here's my output:
server/src/main/java/org/elasticsearch/action/admin/cluster/tasks/PendingClusterTasksAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/health/ClusterHealthAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/state/ClusterStateAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/tasks/get/GetTaskAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/tasks/list/ListTasksAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/liveness/TransportLivenessAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/usage/NodesUsageAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/hotthreads/NodesHotThreadsAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/info/NodesInfoAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/stats/NodesStatsAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/stats/ClusterStatsAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/allocation/ClusterAllocationExplainAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/remote/RemoteInfoAction.java
server/src/main/java/org/elasticsearch/action/main/MainAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/action/GetCertificateInfoAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/watcher/transport/actions/get/GetWatchAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/watcher/transport/actions/stats/WatcherStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/action/XPackInfoAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/action/XPackUsageAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetModelSnapshotsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetJobsStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetCategoriesAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetDatafeedsStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetBucketsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetRecordsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetDatafeedsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetOverallBucketsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetInfluencersAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetJobsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetCalendarsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/MlInfoAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/FindFileStructureAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetCalendarEventsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/rollup/action/GetRollupCapsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/rollup/action/GetRollupJobsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ccr/action/CcrStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ccr/action/AutoFollowStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/license/GetLicenseAction.java
A pretty benign privilege if you ask me.
You can create a role with this sole privilege
curl -X POST "localhost:9200/_xpack/security/role/monitor_role" -H 'Content-Type: application/json' -d'
{
"cluster": ["monitor"]
}
'
and assign it to the user or xpack.security.authc.anonymous.roles . If this is the only role the user has then the credentials you distribute are not that sensitive.
Is there a way to define a user/role such that only read access for /_cluster/health is provided?
It is, but we don't document it. The way to do it is to replace monitor with cluster:monitor/health . We don't document it because we wish to have some leeway when mapping actions to privileges. In other words, we wish to be able to change them in a non-backwards compatible way.
Hope this is helpful,
Albert
Hi Albert,
thanks a lot, especially for explaining how I solve similar questions in the future.
Kind regards,
Malte
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.