Is it possible to exclude the health/status page from username/pwd when using buckler or xpac as my load balancer doesn’t support credentials

Is it possible to exclude the health/status page from username/pwd when using buckler or xpac as my load balancer doesn’t support credentials

Like an exclude tag in buckler.yml

Welcome!

Is that related to Elasticsearch?

I use an Avi load balancer in front of my ES master nodes; the client nodes are integrated on the Bitbucket side. I have data nodes behind the master nodes, but not presented on the load balancer. I have a quorum of 3 or 5 masters. I use the load balancer to direct traffic to the least loaded master node on HTTP status 200 and ‘green’ from the _cluster/health (5.x) or /status (6.x, 7.x) pages.

But if I enable username/password protection with the buckler plugin or with XPAC security, even the health check page requires a credential to be passed. Avi does not support passing credentials, and the whole idea of securing the site is not to then put the credentials in the load balancer.

The /status page on Bitbucket is excluded from access control.

It sounds like you have things the wrong way round. You should avoid sending any client traffic to master-eligible nodes if you can, so they can focus on managing the cluster. Expose your data nodes to the load balancer and not the master-eligible nodes.

Cluster health is a very coarse measure of availability, and requiring green health means that your load balancer will start rejecting requests if you have a single unassigned replica anywhere in the cluster. This sounds unnecessarily harsh and will likely cause you trouble in future.

That is a pretty enormous missing feature IMO. Some suggestions:

  • use a load balancer that supports this feature. There are lots out there.
  • use a different authentication mechanism (e.g. client certificates)
  • use a different health check (e.g. just check the port is open, don't request anything)
  • enable anonymous access to the routes you want

This doesn't make sense. The load balancer is a client of the cluster and needs to prove its identity somehow. It shouldn't have more permissions than it needs to do its job.
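One way to carry out the last suggestion in the list above (anonymous access for the health route only, granted through a role that holds nothing beyond what the probe needs) on an X-Pack-secured 6.x/7.x cluster. This is an added example, not configuration from the thread or from Elastic; the role name health_check and the anonymous user name lb_health_probe are assumptions, and both fragments are constructed.

```yaml
# --- elasticsearch.yml (constructed example; assumes X-Pack security on 6.x/7.x) ---
xpack.security.enabled: true
# Requests that arrive with no credentials are mapped to this user and role
# instead of being rejected outright. Both names are assumptions.
xpack.security.authc.anonymous.username: lb_health_probe
xpack.security.authc.anonymous.roles: health_check
# Answer 401 (not 403) when the anonymous role lacks a privilege, so a real
# client that forgot its credentials is challenged rather than silently denied.
xpack.security.authc.anonymous.authz_exception: false

# --- roles.yml (file-based role definition; constructed example) ---
health_check:
  cluster:
    - monitor        # read-only cluster privilege; this is what GET _cluster/health requires
  # Deliberately no "indices" section: the anonymous probe can read or write no index data.
```

With this in place an unauthenticated `GET /_cluster/health` succeeds and every other request still needs credentials. Two caveats a defender should weigh: `monitor` is the smallest built-in cluster privilege that serves `_cluster/health`, but it also allows other read-only cluster and node information endpoints, so the anonymous role exposes more than the health JSON to anyone who can reach port 9200 unauthenticated, and network reachability of that port should be limited to the load balancer; and, as noted in the reply above, the load balancer no longer proves its identity at all, so this trades authentication for reachability control rather than removing the need for it.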

Hi David

Thanks for all the feedback.

I will switch the masters away from the lb.

I guess my question is about enabling anonymous access on the status page only when using buckler or xpac, but you are right, I have seen nodes drop off when the status changes to orange.

I really have only one source of data and one client, that is Bitbucket. There are 8 nodes in the cluster, and I need to protect the data from being accessed by anyone other than Bitbucket.

So I will change the health check to ‘port 9200 up’.

Niels

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.