Restrict actuator access based on read/write/delete operations via configuration #39046
Assignees
Labels
status: noteworthy
A noteworthy issue to call out in the release notes
theme: actuator
Issues related to actuator and the management context
type: enhancement
A general enhancement
Milestone
Comments
spring-projects-issues
added
the
status: waiting-for-triage
philwebb
added
for: team-meeting
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
philwebb
added
status: duplicate
philwebb
changed the title
philwebb
added
theme: actuator
philwebb
added
type: enhancement
|
We're reopening this to consider as part of our 3.4 actuator theme. We want to offer restrictions based on the operations, not necessarily the technologies used to expose them. |
wilkinsona
removed
the
status: pending-design-work
philwebb
added
the
status: noteworthy
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem Statement
There are situations where actuators are added to applications for enhancing troubleshooting and runtime management to Spring Boot applications. These actuators could have PUT, POST and DELETE endpoints (
@WriteOperation) that could be accessed on that application's actuator port. There are concerns about keeping these actuators, or even worse accidentally, getting into production environments with these accessible.Is it possible for actuators to automatically add a configuration option to enable/disable read or write operations? It would be nice to have this be configurable on:
/actuator/loggingCurrent Operations
Currently, there is
@ReadOperationand@WriteOperationannotations that map to HTTP verbs. Perhaps having the option of disabling write operations would help with this need.The text was updated successfully, but these errors were encountered: