Ability to specify health endpoint not-sensitive w/o disabling security

[dwelch2344]

Currently, the only way to get the health endpoint to show the details of a downed service is to set endpoints.health.sensitive=false and management.security.enabled=false

The latter seems overly restrictive to me. We'd still like to keep the majority of our endpoints (env, trace, etc) secured, but it'd be nice to have health give more details.

Maybe having a third state like sensitive, insensitive, and detailed (for lack of a better word) where the health beans could determine how much detail to provide based on setting?

Open to any suggestions, just know I've run up to this many times and others have shared my thoughts. Also, happy to contribute to whatever is determined to be the best course :)

[snicoll]

This table in the documentation summarizes the current situation. Given that sensitive is not going to change from a boolean to some Enum what would you suggest @dwelch2344 ?

I am asking because while I agree it would be nice to have, I fail to see how we could implement that consistently without more headache...

[dsyer]

Seems like we ran out of time to get any change into 1.4. There's always a workaround if you want to set up your own security for /health. E.g. a quick and dirty way to do it is to just add /health to the security.ignored.

[dwelch2344]

@snicoll Perhaps an additional option? Even just exposing the name of the health checks that failed would be enough. Basically a way to say "DB is down, but Rabbit + Redis are still looking good." without having to worry about authentication.

What if endpoints.health.publish-downed or something and another attribute on the response of downed: [ 'rabbit', 'db'] or something of the like? Could default to false but still be available to those of us who are less concerned about exposing those details publicly.

@dsyer I tried that quick and dirty a while back and ran into issues, as some of the common checks throw NPEs w/o a user in the context (forget which – need to log an issue for that independently either way now that I think about it)

[snicoll]

I don't think we should be that fine-grained as it'll add more confusion for something that is already hard to grasp for beginners. What we need is essentially an additional flag that states "just show everything". I would very much prefer that sensitive becomes an enum but that's not going to happen in 1.4

[dwelch2344]

Fair enough. I agree that's the best solution. We can definitely wait on this for now.

I'm happy to contribute a PR to this, if you all want to weigh in on how this should go about. Would the enum route apply only to health?

[snicoll]

I don't know at this point. How about giving that a try and report here? Thanks!