Unauthenticated HTTP GET request for load balancing

We have Elasticsearch behind a load balancer that only supports HTTP GET health checks.
Security is enabled

Are there any existing (7.3.0+) API/paths that will respond to an unauthenticated HTTP GET request (while security is enabled)?

Currently we use the anonymous role to grant access to the base path i.e. https://node:port
but some people get nervous when there is talk of anonymous anything, so we were considering removing said anonymous access.

We like our current load balancer, so don't want to switch LBs just for TCP health checks. Adding TCP health checks is an open feature request with the current LB.

If there isn't an existing API/path should there be? That is, should this be a feature request?

Thanks


I don't understand the distinction you're making between "anonymous" and "unauthenticated". The people who get nervous around talk of anonymous access are surely also nervous about unauthenticated access?

Rather than expecting a response to an unauthenticated request, can your current load balancer not make authenticated health check requests? For instance, you may be able to include the username and password in the URL: https://user:password@node:port/, or you may be able to pass the Authorization header directly. The latter is how to do it in HAProxy AIUI.
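As an added illustration of the authenticated-probe approach suggested above (this is example configuration, not from the thread or from the Elastic or HAProxy projects), here is a HAProxy backend that sends an Authorization header on each health check. It assumes HAProxy 2.2 or later (for the `http-check send` directive), Elasticsearch nodes on port 9200 with TLS, and a dedicated user `es-healthcheck` whose only role grants the `monitor` cluster privilege; the node hostnames, CA path and the base64 credential value are placeholders.

```haproxy
# Added example configuration; not part of the original thread.
# Assumes: HAProxy 2.2+, Elasticsearch with TLS on 9200, and a dedicated
# low-privilege user "es-healthcheck" (role with only the "monitor" cluster
# privilege). Hostnames, CA file and the credential value are placeholders.
backend elasticsearch
    mode http
    balance roundrobin

    # Authenticated GET probe: the LB itself presents basic-auth credentials,
    # so no anonymous access has to be granted on the cluster.
    option httpchk
    http-check send meth GET uri /_cluster/health hdr Authorization "Basic <base64 of es-healthcheck:PASSWORD_PLACEHOLDER>"
    # Only a 200 marks the node healthy; anything else takes it out of rotation.
    http-check expect status 200

    # Verify the node certificate against the cluster CA rather than disabling checks.
    server es1 es-node1.example.internal:9200 check ssl verify required ca-file /etc/haproxy/es-ca.pem
    server es2 es-node2.example.internal:9200 check ssl verify required ca-file /etc/haproxy/es-ca.pem
```

The design point is least privilege on both sides: the probe credential can only read cluster state (it cannot search, write or change settings), and the load balancer is the only place the secret lives, so rotating it is a one-line change in this file rather than a change to the anonymous role on every node.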

Thanks for the response.
The load balancer does support headers, but the "proper" way to use that would be with dedicated credentials, which would lead to password management :frowning:

If there was an API specifically for this, it could be very intentional about the methods (only GET) and information exposed. The base path i.e. https://node:port provides a lot of information about the system, while a health check API should only need to provide a status code and an awesome tagline.

Minimum necessary privileges and minimum necessary information helps keep the info security team happy.

Worked with Elastic Support to create an enhancement request.
