Anonymous user to access /_cluster/health?


#1

Hi everyone,

I want to enable anonymous users to access /_cluster/health. This would allow for automatic health checks without having to distribute a sensitive username/password.

But giving anonymous users the privilege "cluster: monitor" feels like overkill. My questions:

  1. Where do I find the docs on what "cluster: monitor" does entail precisely?
  2. Is there a way to define a user/role such that only read access for /_cluster/health is provided?

Thanks and greetings,
Malte


(Albert Zaharovits) #2

Hi Malte,

I will answer inline:

Where do I find the docs on what "cluster: monitor" does entail precisely?

There is no list mapping the privilege name (in this case 'monitor') to actions. Maybe there should be one.
Currently the only docs on the matter of privileges is here.

If you got the code handy you could run: find server x-pack -name '*Action.java' -print0 | xargs -0 grep -l 'cluster:monitor' in the source root dir. After all, the best documentation is the code. Here's my output:

server/src/main/java/org/elasticsearch/action/admin/cluster/tasks/PendingClusterTasksAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/health/ClusterHealthAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/state/ClusterStateAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/tasks/get/GetTaskAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/tasks/list/ListTasksAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/liveness/TransportLivenessAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/usage/NodesUsageAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/hotthreads/NodesHotThreadsAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/info/NodesInfoAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/node/stats/NodesStatsAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/stats/ClusterStatsAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/allocation/ClusterAllocationExplainAction.java
server/src/main/java/org/elasticsearch/action/admin/cluster/remote/RemoteInfoAction.java
server/src/main/java/org/elasticsearch/action/main/MainAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ssl/action/GetCertificateInfoAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/watcher/transport/actions/get/GetWatchAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/watcher/transport/actions/stats/WatcherStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/action/XPackInfoAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/action/XPackUsageAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetModelSnapshotsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetJobsStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetCategoriesAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetDatafeedsStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetBucketsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetRecordsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetDatafeedsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetOverallBucketsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetInfluencersAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetJobsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetCalendarsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/MlInfoAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/FindFileStructureAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ml/action/GetCalendarEventsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/rollup/action/GetRollupCapsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/rollup/action/GetRollupJobsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ccr/action/CcrStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/ccr/action/AutoFollowStatsAction.java
x-pack/plugin/core/src/main/java/org/elasticsearch/license/GetLicenseAction.java

A pretty benign privilege if you ask me.
You can create a role with this sole privilege

curl -X POST "localhost:9200/_xpack/security/role/monitor_role" -H 'Content-Type: application/json' -d'
{
  "cluster": ["monitor"]
}
'

and assign it to the user or xpack.security.authc.anonymous.roles. If this is the only role the user has then the credentials you distribute are not that sensitive.

Is there a way to define a user/role such that only read access for /_cluster/health is provided?

It is, but we don't document it. The way to do it is to replace monitor with cluster:monitor/health. We don't document it because we wish to have some leeway when mapping actions to privileges. In other words, we wish to be able to change them in a non-backwards compatible way.

Hope this is helpful,
Albert
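An added example (not code from the thread or from Elasticsearch) that makes the difference between the two role definitions above concrete: a simplified model of how a named cluster privilege expands to action-name patterns, evaluated against a small set of action names, plus a parser that turns a /_cluster/health response into the exit code a health-check probe would use. Only cluster:monitor/health is taken from the thread; the other action names are known Elasticsearch action names used as a representative sample, and the privilege-to-pattern table is an assumption that stands in for Elasticsearch's internal (and changeable) mapping.

```python
"""
Added example: compare the broad "monitor" cluster privilege with the narrow
"cluster:monitor/health" action as a role grant, and interpret the
/_cluster/health response for an unauthenticated (anonymous) health probe.
"""
import fnmatch
import json

# Action names. "cluster:monitor/health" is from the thread; the others are
# known Elasticsearch action names, included here as a representative sample.
SAMPLE_ACTIONS = [
    "cluster:monitor/health",
    "cluster:monitor/state",
    "cluster:monitor/nodes/stats",
    "cluster:admin/settings/update",
]

# Assumed, simplified privilege -> action-pattern table. The real mapping lives
# in the Elasticsearch source and is not a documented contract, which is why
# the thread recommends grepping the code rather than relying on a list.
PRIVILEGE_PATTERNS = {
    "monitor": ["cluster:monitor/*"],
    "all": ["cluster:*"],
}


def expand_privilege(privilege):
    """Return the action patterns a cluster privilege grants.

    A raw action name (it contains ':') is used verbatim, which is what the
    thread describes for cluster:monitor/health; a named privilege is looked
    up in the table (KeyError for an unknown name, mirroring a rejected role).
    """
    if ":" in privilege:
        return [privilege]
    return PRIVILEGE_PATTERNS[privilege]


def allowed_actions(role, actions=SAMPLE_ACTIONS):
    """List which of `actions` a role definition permits."""
    patterns = [p for priv in role["cluster"] for p in expand_privilege(priv)]
    return [a for a in actions if any(fnmatch.fnmatchcase(a, p) for p in patterns)]


def build_role(*cluster_privileges):
    """Role document in the shape the curl command in the thread sends."""
    return {"cluster": list(cluster_privileges)}


def role_request_body(role):
    return json.dumps(role, indent=2)


def health_exit_code(body):
    """Map a /_cluster/health JSON body to a probe exit code.

    green -> 0, yellow -> 1, red or unknown -> 2; a timed-out request is
    treated as failure even if a status colour is present.
    """
    doc = json.loads(body)
    if doc.get("timed_out"):
        return 2
    return {"green": 0, "yellow": 1, "red": 2}.get(doc.get("status"), 2)


def probe(url="http://localhost:9200/_cluster/health", timeout=5):
    """Unauthenticated GET, as the anonymous-role setup in the thread permits."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return health_exit_code(resp.read().decode())


if __name__ == "__main__":
    broad = build_role("monitor")
    narrow = build_role("cluster:monitor/health")
    print("monitor grants:", allowed_actions(broad))
    print("cluster:monitor/health grants:", allowed_actions(narrow))
    print(role_request_body(narrow))
    # Constructed sample response, not captured from a real cluster.
    sample = '{"cluster_name": "demo", "status": "yellow", "timed_out": false}'
    print("probe exit code:", health_exit_code(sample))
```

Running it shows that the "monitor" role reaches every cluster:monitor/* action in the sample while the role built from the raw action name reaches only the health endpoint; the trade-off Albert describes is that the raw name is not covered by the documented privilege contract, so a future release may rename it and silently break the probe, which is worth an alert on a non-200 response rather than a retry.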


#3

Hi Albert,

thanks a lot, especially for explaining how I solve similar questions in the future.

Kind regards,
Malte


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.