[ROR 1.18.9 Enterprise] [ES 7.2.0] Enable _cluster/health without authentication

Hello,

I tried to look on documentation for an option where I can expose _cluster/health without authentication but unfortunately I found something only on kibana with whitelistPath which is not really helpfull for me. ( I don’t know why but for me documentation is not easy to understand )

What I want:
curl -X GET https://elasticsearch_endpoint/_cluster/health?format=json ( for this specific endpoint ror should not ask for authentication )

By default the result of request will be :

    {
  "cluster_name": "Monitoring Cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 3,
  "number_of_data_nodes": 3,
  "active_primary_shards": 9,
  "active_shards": 18,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}

Also I don’t want the whole response from the api ( I want only “cluster_name” and “status” keys)

Yes I can process that json but there will be some cases where other guys may do same request and I don’t want to expose them all informations … only cluster_name and status.

Many thanks in advane

Hi @cristianr, thanks for reaching out, I think this might be a pretty common use case indeed (i.e. for load balancers health checks on Elasticsearch nodes).

Two examples of how you can “whitelist” this type of requests in your ACL:

readonlyrest:
   access_control_rules:

    - name: "health checks - no authentication needed (first method)"
      uri_re:  "^/_cluster/health?.*"
      type: "allow" # <-- this is implicit, can omit

    - name: "health checks - no authentication needed (second method)"
      actions: ["cluster:monitor/health"]
      type: "allow" # <-- this is implicit, can omit
   
    ..... other ACL blocks...

Notice how the is implicit.

Hello,

Thank you for response. It seems easy but still it won’t solve my entire problem.
1st question -> is ok you just responded
2nd question -> How I can expose only specific fields / json keys to response … ( as you know in response for that endpoint there will be many json keys but I want only 2 keys and also I don’t want to process the response from some custom scripts )
I was thinking something like allowed_fields: [“cluster_name”, “cluster_status”]

Many thanks again

We do have a fields rule, but it applies only to Get/MultiGet/Search/MultiSearch APIs. So unfortunately, what you ask is not possible at the moment with ReadonlyREST. However, it sounds like a cool feature. Will put it in Jira.

That would be a really nice feature. I believe that there is no chance for you to think more about that task and tell us that it may be available in 2 months or something like that.

Many thanks

I think it’s reasonable to have in 2 month :slight_smile:

Within the ROR plugin, we could think about implementing our own cluster health endpoint that accept a list of which parameters to return as a “fields” query parameter.

i.e.

GET https://ESHOST:9200/_readonlyrest/_cluster/health?fields=cluster_name,status
{
“cluster_name”: “elasticsearch”,
“status”: “yellow”
}

So that you can lock it down using something like:

uri_re: “^/_readonlyrest/_cluster/health?fields=cluster_name,status$”

Actually for now, if you are worried people call GET /_cluster/health?level=indices and see a list of indices, why don’t you lock the level to cluster?

uri_re:  "^/_cluster/health?format=json&level=cluster$"

So they only will see a few cluster stats, no indices. Or were you concerned with them seeing active shards info?

Or were you concerned with them seeing active shards info?
Exactly. I want to expose public only those 2 fields nothing more. For more details authentication will be needed

Hmm it seems that I cannot add fields query parameters because it is not supported ?
https://www.elastic.co/guide/en/elasticsearch/reference/current/cluster-health.html
I don’t see any fields parameter

No no, sorry I explained myself very badly. That “fields” query parameter introduction was my feature design proposal. I was running through you so that we reach consensus on the feature to be implemented.

Ohh now I get it :))
Yes something like that would be really nice to have also to include specific action like show cluster by hide indices. And is pretty easy to understand for guys who are not experts in es or ror … which is kinda great.