[ROR 1.18.9 Enterprise] [ES 7.2.0] Enable _cluster/health without authentication

cristianr · June 2, 2020, 9:49am

Hello,

I tried to look on documentation for an option where I can expose _cluster/health without authentication but unfortunately I found something only on kibana with whitelistPath which is not really helpfull for me. ( I don’t know why but for me documentation is not easy to understand )

What I want:
curl -X GET https://elasticsearch_endpoint/_cluster/health?format=json ( for this specific endpoint ror should not ask for authentication )

By default the result of request will be :

    {
  "cluster_name": "Monitoring Cluster",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 3,
  "number_of_data_nodes": 3,
  "active_primary_shards": 9,
  "active_shards": 18,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100
}

Also I don’t want the whole response from the api ( I want only “cluster_name” and “status” keys)

Yes I can process that json but there will be some cases where other guys may do same request and I don’t want to expose them all informations … only cluster_name and status.

Many thanks in advane

sscarduzio · June 2, 2020, 12:41pm

Hi @cristianr, thanks for reaching out, I think this might be a pretty common use case indeed (i.e. for load balancers health checks on Elasticsearch nodes).

Two examples of how you can “whitelist” this type of requests in your ACL:

readonlyrest:
   access_control_rules:

    - name: "health checks - no authentication needed (first method)"
      uri_re:  "^/_cluster/health?.*"
      type: "allow" # <-- this is implicit, can omit

    - name: "health checks - no authentication needed (second method)"
      actions: ["cluster:monitor/health"]
      type: "allow" # <-- this is implicit, can omit
   
    ..... other ACL blocks...

Notice how the is implicit.

cristianr · June 2, 2020, 12:56pm

Hello,

Thank you for response. It seems easy but still it won’t solve my entire problem.
1st question -> is ok you just responded
2nd question -> How I can expose only specific fields / json keys to response … ( as you know in response for that endpoint there will be many json keys but I want only 2 keys and also I don’t want to process the response from some custom scripts )
I was thinking something like allowed_fields: [“cluster_name”, “cluster_status”]

Many thanks again

sscarduzio · June 2, 2020, 1:10pm

We do have a fields rule, but it applies only to Get/MultiGet/Search/MultiSearch APIs. So unfortunately, what you ask is not possible at the moment with ReadonlyREST. However, it sounds like a cool feature. Will put it in Jira.

cristianr · June 2, 2020, 3:36pm

That would be a really nice feature. I believe that there is no chance for you to think more about that task and tell us that it may be available in 2 months or something like that.

Many thanks

sscarduzio · June 2, 2020, 6:48pm

I think it’s reasonable to have in 2 month

Within the ROR plugin, we could think about implementing our own cluster health endpoint that accept a list of which parameters to return as a “fields” query parameter.

i.e.

GET https://ESHOST:9200/_readonlyrest/_cluster/health?fields=cluster_name,status
{
“cluster_name”: “elasticsearch”,
“status”: “yellow”
}

So that you can lock it down using something like:

uri_re: “^/_readonlyrest/_cluster/health?fields=cluster_name,status$”

sscarduzio · June 2, 2020, 6:56pm

Actually for now, if you are worried people call GET /_cluster/health?level=indices and see a list of indices, why don’t you lock the level to cluster?

uri_re:  "^/_cluster/health?format=json&level=cluster$"

So they only will see a few cluster stats, no indices. Or were you concerned with them seeing active shards info?

cristianr · June 3, 2020, 8:44am

Or were you concerned with them seeing active shards info?
Exactly. I want to expose public only those 2 fields nothing more. For more details authentication will be needed

cristianr · June 3, 2020, 9:34am

Hmm it seems that I cannot add fields query parameters because it is not supported ?

I don’t see any fields parameter

sscarduzio · June 3, 2020, 10:10am

No no, sorry I explained myself very badly. That “fields” query parameter introduction was my feature design proposal. I was running through you so that we reach consensus on the feature to be implemented.

cristianr · June 3, 2020, 10:28am

Ohh now I get it :))
Yes something like that would be really nice to have also to include specific action like show cluster by hide indices. And is pretty easy to understand for guys who are not experts in es or ror … which is kinda great.

coutoPL · December 8, 2020, 7:18pm

Hi @cristianr

We’ve just implemented a new feature, which will help you to solve the issue mentioned in this post.

please take a look: readonlyrest-docs/elasticsearch.md at develop · beshu-tech/readonlyrest-docs · GitHub

Example usage:

github.com

sscarduzio/elasticsearch-readonlyrest-plugin/blob/2963c22b59ac1e899ebb5a2d9c5e91a7736a4ad1/integration-tests/src/test/resources/response_field_rules/readonlyrest.yml#L15


      
            keystore_pass: "readonlyrest"
            key_pass: "readonlyrest"
          
          
access_control_rules:
          
          
  - name: "CONTAINER ADMIN"
              verbosity: error
              type: allow
              auth_key: admin:container
          
          
  - name: "Filter cluster health response"
              auth_key: dev1:test
              uri_re: "^/_cluster/health"
              response_fields: ["cluster_*", "status"]
          
          
  - name: "Filter cat health response"
              auth_key: dev1:test
              uri_re: "^/_cat.*$"
              response_fields: ["~cluster"]
          
          
  - name: "Filter search response"

If you want to test it before release of ROR 1.26.0, I can send you a pre-build. Just let me know what ES version you use at the moment