Is it possible to exclude the health/status page from username/pwd when using buckler or space, as my load balancer doesn’t support credentials?
Like an exclude tag in buckler.yml
Welcome!
Is that related to Elasticsearch?
I use an avi load balancer in front of my els master nodes, the client nodes are integrated on the bitbucket side. I have data nodes behind the master nodes, but not presented on the load balancer. I have a quorum of 3 or 5 masters. I use the load balancer to direct traffic to the least loaded master node on http status 200 and ‘green’, from the _cluster/health (5.x) or /status (6.x,7.x) pages.
But if I enable username/password protection with the buckler plugin or with XPAC security, even the health check page requires a credential to be passed. Avi does not support passing credentials, and the whole idea of securing the site is not to then put the credentials in the load balancer.
The /status page on bitbucket is excluded from access control.
It sounds like you have things the wrong way round. You should avoid sending any client traffic to master-eligible nodes if you can, so they can focus on managing the cluster. Expose your data nodes to the load balancer and not the master-eligible nodes.
Cluster health is a very coarse measure of availability, and requiring green health means that your load balancer will start rejecting requests if you have a single unassigned replica anywhere in the cluster. This sounds unnecessarily harsh and will likely cause you trouble in future.
That is a pretty enormous missing feature IMO. Some suggestions:
This doesn't make sense. The load balancer is a client of the cluster and needs to prove its identity somehow. It shouldn't have more permissions than it needs to do its job.
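The point above about green-only health checks, as an added example that is not part of the original thread or any poster's code: a probe evaluator that reads a `_cluster/health` response, accepts yellow as well as green, and reports an authentication failure separately from a node that is down. The function names, the verdict strings and the sample responses are constructed for illustration; treating yellow as routable is an assumption drawn from the reply's remark about a single unassigned replica.

```python
import json

# Statuses the probe accepts. Assumption for this example: "yellow" (all
# primaries assigned, at least one replica unassigned) still serves requests.
ROUTABLE = frozenset({"green", "yellow"})


def probe_verdict(http_status, body, routable=ROUTABLE):
    """Classify one health-probe result as 'up', 'down' or 'misconfigured'."""
    if http_status in (401, 403):
        # The cluster answered but refused the probe: a credential or role
        # problem with the probe, not evidence that the node is unhealthy.
        return "misconfigured"
    if http_status != 200:
        return "down"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "down"  # a 200 that is not JSON did not come from the health API
    if not isinstance(doc, dict) or doc.get("timed_out"):
        return "down"
    return "up" if doc.get("status") in routable else "down"


# Constructed sample probe results: (HTTP status, response body).
SAMPLES = [
    (200, '{"cluster_name":"sample","status":"green","timed_out":false}'),
    (200, '{"cluster_name":"sample","status":"yellow","timed_out":false,'
          '"unassigned_shards":1}'),
    (200, '{"cluster_name":"sample","status":"red","timed_out":false}'),
    (401, '{"error":"constructed authentication failure","status":401}'),
    (503, ""),
    (200, "<html>constructed proxy error page</html>"),
]


def evaluate(samples, routable=ROUTABLE):
    """Return the verdict for each sample, in order."""
    return [probe_verdict(status, body, routable) for status, body in samples]


if __name__ == "__main__":
    for (status, _), verdict in zip(SAMPLES, evaluate(SAMPLES)):
        print(status, verdict)
```

Passing `routable={"green"}` reproduces the green-only policy from the question, under which the yellow sample is marked down.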
Hi David
Thanks for all the feedback.
I will switch the masters away from the lb.
I guess my question is about enabling the anonymous access on the status page only when using buckler or xpac, but you are right, I have seen nodes drop off when status changes to orange.
I really have only one source of data and one client, that is bitbucket. There are 8 nodes in the cluster, and I need to protect the data from being accessed by anyone other than bitbucket.
So I will change the health check to port 9200 up
Niels