Problem Statement

Today, there is an option to put all actuators on a single management port separate from the application's main port. This does help to reduce access to actuators that may need access restrictions, but it doesn't resolve the need to further provide options for situations where some actuators should be available there but others need to be accessible only by particular parties.

There is an example of using management.endpoint.health.probes.add-additional-paths=true for the health actuator to allow health endpoints to be on the main port. This shows the need from users of Spring Boot actuators to allow and restrict access to particular actuators. The problem is that some users that we've talked to need to not have any actuators accessible on the main port of an application.

Proposal Ideas

Add a new restricted management port on which actuators can be exposed, in addition to the management port configuration that exists today. This would need to be configurable in multiple ways:

  • A user could say only use the restricted management port
  • A user could say use the management port but put these specific actuators on another restricted management port
  • Could the restricted management port also have a way to configure a Spring Security context around it?

This is a difficult problem to solve so there may be some need to further explore the details of these proposed options and I'm sure that there are details missing in different scenarios. Hopefully this is sufficient to get the conversation started.

Comment From: philwebb

We discussed this today on our call and unfortunately we cannot see an easy way for the current design to accommodate multiple actuator ports. With our current implementation, we offer a management port by creating a second ApplicationContext and a second WebServerFactory configuration. We can't see a way of offering multiple ports without a fundamental redesign, which would be quite costly and could only happen in a major release.

One option that we have discussed in the past is moving actuators from a pull model to a push model. The idea is that applications send their actuator data to some other host rather than being polled. This might help with security concerns, since they move to a central system rather than needing to be configured per-application.

Could the restricted management port also have a way to configure a Spring Security context around it?

Yes, this is already available. See https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#actuator.endpoints.security
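The two mechanisms the thread relies on, put together as an added example (not code from the issue author or from Spring Boot itself): the separate management port and the health probe additional paths from the problem statement, plus the per-endpoint Spring Security rules from the documentation linked in the reply above. It assumes Spring Boot 3.x with spring-boot-starter-actuator and spring-boot-starter-security on the classpath; the port numbers, the exposed endpoint list and the role name ACTUATOR_ADMIN are illustrative choices, not project defaults.

```java
// Assumed application.properties for this example (illustrative values):
//
//   server.port=8080
//   management.server.port=8081
//   management.endpoints.web.exposure.include=health,info,env,threaddump
//   management.endpoint.health.probes.add-additional-paths=true
//
// With these, every actuator lives on 8081, and only /livez and /readyz
// (the health probe additional paths) are served on the main port 8080.

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.boot.actuate.info.InfoEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

/**
 * Splits the single management port into two trust levels without a second
 * port: health and info stay anonymous (for load balancers and probes), while
 * every other actuator endpoint requires an authenticated ACTUATOR_ADMIN role.
 */
@Configuration(proxyBeanMethods = false)
public class ActuatorSecurityConfiguration {

    @Bean
    @Order(1) // evaluated before the application's own filter chain
    SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        // Scope this chain to actuator endpoints only; EndpointRequest resolves the
        // configured base path and port, so it does not hard-code "/actuator".
        http.securityMatcher(EndpointRequest.toAnyEndpoint());
        http.authorizeHttpRequests(requests -> requests
                // Low-sensitivity endpoints: open to anyone who can reach the management port.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class, InfoEndpoint.class))
                    .permitAll()
                // Everything else exposed on the management port (env, threaddump, ...):
                // restricted to a dedicated operator role. ACTUATOR_ADMIN is an assumed name.
                .anyRequest().hasRole("ACTUATOR_ADMIN"));
        // HTTP Basic is the simplest credential carrier for machine clients; swap in
        // whatever the deployment already uses (mTLS, OAuth2 resource server, ...).
        http.httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The restriction is by endpoint rather than by port, which is the compromise the reply describes: one management port, with Spring Security deciding which party may call which actuator. The health probe paths that `add-additional-paths` puts on the main port are handled by the application's own filter chain, not by this one, so they must be allowed (or denied) there explicitly.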

Comment From: philwebb

I'm going to close this one since unfortunately I can't see a way for us to provide the feature as requested.