Unauthenticated HTTP GET request for load balancing

We have Elasticsearch behind a load balancer that only supports HTTP GET health checks.
Security is enabled

Are there any existing (7.3.0+) API/paths that will respond to an unauthenticated HTTP GET request (while security is enabled)?

Currently we use the anonymous role to grant access to the base path i.e. https://node:port
but some people get nervous when there is talk of anonymous anything, so we were considering removing said anonymous access.

We like our current load balancer, so don't want to switch LBs just for TCP health checks. Adding TCP health checks is an open feature request with the current LB.

If there isn't an existing API/path should there be? That is, should this be a feature request?


1 Like

I don't understand the distinction you're making between "anonymous" and "unauthenticated". The people who get nervous around talk of anonymous access are surely also nervous about unauthenticated access?

Rather than expecting a response to an unauthenticated request, can your current load balancer not make authenticated health check requests? For instance, you may be able to include the username and password in the URL: https://user:password@node:port/, or you may be able to pass the Authorization header directly. The latter is how to do it in HAProxy AIUI.

Thanks for response.
Load balancer does support headers, but the "proper" way to use that would be with dedicated credentials which would lead to password management :frowning:

If there was an API specifically for this, it could be very intentional about the methods (only GET) and information exposed. The base path i.e. https://node:port provides a lot of information about the system, while a health check API should only need to provide a status code and a awesome tagline.

Minimum necessary privileges and minimum necessary information helps keep the info security team happy.

Worked with Elastic Support to create an enhancement request.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.