
Spring Boot Actuator endpoint configuration doesn't seem to be working as expected

I have a very simple Spring Boot application. It is just a Zuul reverse proxy. There is no security or anything other than basic settings to discover our services via Eureka and path mapping on a per-service basis. I'm trying to prevent our actuator endpoints from being publicly exposed but still want the health check endpoint to be used for our ELB, but do not want it to report on the health of all the services it is aware of (I want it to be sensitive). While trying to figure out what properties I need to set to get the expected behavior, I am experiencing very unexpected behavior.

For example, when I set the property endpoints.sensitive=true, this DOES NOT change the default value of the health check endpoint to be sensitive. This seems to go against what the documentation says.

http://docs.spring.io/spring-boot/docs/1.4.2.RELEASE/reference/htmlsingle/#production-ready-customizing-endpoints

Likewise, you can also choose to globally set the “sensitive” flag of all endpoints. By default, the sensitive flag depends on the type of endpoint (see the table above). For example, to mark all endpoints as sensitive except info:

endpoints.sensitive=true

endpoints.info.sensitive=false

In fact, when running in debug, I never see org.springframework.boot.actuate.endpoint.EndpointProperties#isSensitive get called.

To get the health endpoint to be sensitive, I need to explicitly set the property endpoints.health.sensitive=true. Oddly, when this setting is provided, org.springframework.boot.actuate.endpoint.EndpointProperties#isSensitive now gets called.

So this is great, my health check endpoint is now just reporting UP or DOWN and nothing else. But now I want the health check endpoint to be the ONLY endpoint enabled. So I set endpoints.enabled=false and endpoints.health.enabled=true, which should disable all the endpoints except health. However, this does not seem to be the case. In my instance, I am able to hit /routes, /resume, /pause, /hystrix.stream, and others. I was only able to determine this when I disabled all endpoints with endpoints.enabled=false and then enabled the actuator endpoint with endpoints.actuator.enabled=true, and that allowed me to hit the actuator endpoint, which then reported that these endpoints were enabled.

{
  "links": [
    {
      "rel": "self",
      "href": "http://localhost:9200/actuator"
    },
    {
      "rel": "resume",
      "href": "http://localhost:9200/resume"
    },
    {
      "rel": "pause",
      "href": "http://localhost:9200/pause"
    },
    {
      "rel": "hystrix.stream",
      "href": "http://localhost:9200/hystrix.stream"
    },
    {
      "rel": "env",
      "href": "http://localhost:9200/env"
    },
    {
      "rel": "routes",
      "href": "http://localhost:9200/routes"
    },
    {
      "rel": "health",
      "href": "http://localhost:9200/health"
    },
    {
      "rel": "refresh",
      "href": "http://localhost:9200/refresh"
    },
    {
      "rel": "restart",
      "href": "http://localhost:9200/restart"
    }
  ]
}

I would have expected to ONLY see the two endpoints I explicitly enabled.

{
  "links": [
    {
      "rel": "self",
      "href": "http://localhost:9200/actuator"
    },
    {
      "rel": "health",
      "href": "http://localhost:9200/health"
    }
  ]
}

Disabling each endpoint individually does not seem to remove them from the actuator endpoint, but now when I attempt to access them, I get a "This endpoint is disabled" message, which is an improvement. However, I don't seem to be able to disable the `routes` or `hystrix.stream` endpoints, as there seems to be no configuration that exposes this ability.

All this said, I am wondering if this is the expected behavior or is this a bug?

loesak asked Nov 08 '22 06:11


1 Answer

I ran into the same problem as you described here. Please check your Spring Boot version first! There was a bug where the global 'endpoints.sensitive' setting did NOT take effect in some specific Spring Boot versions. (Not sure about the exact version number. It seems to be a refactoring regression in Spring Boot.)

Here are some references.

  • Allow global sensitive override #4419
  • Spring Boot Actuator: setting all endpoints as sensitive makes all accessible #4368

After I updated my Spring Boot to version 1.3.0 RELEASE, the setting 'endpoints.sensitive = true' works correctly for me. Hope it will also work for you. Good luck, man.

Benjamin answered Nov 15 '22 06:11
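
An added example, not part of the question or answer above: a small Python check that parses the `/actuator` link listing quoted in the question and reports every endpoint outside an allow-list of `self` and `health`. The function names, the allow-list constant and the embedded sample (rebuilt from the question's JSON) are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: the only endpoints that should be listed, per the question.
ALLOWED_RELS = {"self", "health"}

# Constructed sample: the /actuator response quoted in the question.
_RELS = ["self", "resume", "pause", "hystrix.stream", "env",
         "routes", "health", "refresh", "restart"]
SAMPLE_LISTING = json.dumps({"links": [
    {"rel": rel,
     "href": "http://localhost:9200/" + ("actuator" if rel == "self" else rel)}
    for rel in _RELS
]})


def parse_links(listing_json):
    """Return {rel: path} from an actuator 'links' discovery document."""
    doc = json.loads(listing_json)
    links = {}
    for entry in doc.get("links", []):
        rel, href = entry.get("rel"), entry.get("href")
        if not rel or not href:
            continue  # skip malformed entries instead of failing the audit
        links[rel] = urlsplit(href).path
    return links


def audit(listing_json, allowed=ALLOWED_RELS):
    """Compare listed endpoints against the allow-list."""
    links = parse_links(listing_json)
    unexpected = sorted(rel for rel in links if rel not in allowed)
    missing = sorted(rel for rel in allowed if rel not in links)
    return {"unexpected": [(rel, links[rel]) for rel in unexpected],
            "missing": missing}


if __name__ == "__main__":
    report = audit(SAMPLE_LISTING)
    for rel, path in report["unexpected"]:
        print("unexpected endpoint listed: %s (%s)" % (rel, path))
    for rel in report["missing"]:
        print("expected endpoint not listed: %s" % rel)
    # Non-zero exit lets a deployment pipeline fail on an over-exposed proxy.
    raise SystemExit(1 if report["unexpected"] else 0)
```

As the question notes, an endpoint can stay in this listing while answering "This endpoint is disabled", so each flagged path still needs to be requested to confirm whether it actually responds.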