Disable Access of Kibana Server Status API [api/status]

We have an Elasticsearch setup and noticed that URL/api/status is being accessed publicly without being authenticated, and this is sitting behind the load balancer.

However, URL/api or URL/status throws an unauthorised message as below:


Do we need to have an extra setting to disable public access on /api/status?


Do you mean https://localhost:9200/api/status ?

If so, what response do you get?


Yes, but it's not localhost:9200; rather, it's on production.

https://someProdURL/api/status gives me the complete JSON-formatted server status details in the response, as mentioned here:
Access Kibana | Kibana Guide [8.4] | Elastic

But https://someProdURL/api or https://someProdURL/status returns {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

We tried the settings below in kibana.yml, but still no luck:

server.xsrf.disableProtection: false
status.allowAnonymous: false
opendistro_security.auth.anonymous_auth_enabled: false

My original issue for opendistro:

I have not updated to opensearch yet but I think the solution is to set auth.unauthenticated_routes: [] in opensearch dashboard configuration.

@oscark auth.unauthenticated_routes: []: is this setting to be used in kibana.yml? And does opendistro support it?


Try opensearch_security.auth.unauthenticated_routes: []

@pablo @oscark I tried the above setting… Still able to access the API.


Could you send your config?

This worked for me.
opensearch_security.auth.unauthenticated_routes: []

This option has to go with empty brackets.

So I think that opensearch should be (as Pablo wrote): opensearch_security.auth.unauthenticated_routes: []
And opendistro should use:
opendistro_security.auth.unauthenticated_routes: []

@oscark @pablo

Using opendistro_security.auth.unauthenticated_routes: [] did work for me, but now the Kubernetes Kibana Deployment fails, as the readiness probe in the kibana-deployment.yml file uses /api/status/ to check Kibana pod readiness.

            path: /api/status
            port: http
            scheme: HTTPS
          initialDelaySeconds: 60
          periodSeconds: 30

Here are the Kibana logs:

"method":"get","statusCode":401,"req":{"url":"/api/status","method":"get","headers":{"host":"10.xxx.x.xxx:5601","user-agent":"kube-probe/1.19","accept-encoding":"gzip","connection":"close"},"remoteAddress":"10.xxx.x.xxx","userAgent":"kube-probe/1.19"},"res":{"statusCode":401,"responseTime":10,"contentLength":9},"message":"GET /api/status 401 10ms - 9.0B"}

Is there any reason Opendistro has the api/status endpoint open by default, but not /api or /status? What is the intention behind keeping only api/status open and not the others?

However, I was curious to explore the response that we received from /api/status/: is it OK to expose it to public users?
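An added, offline check for the two concerns raised in this thread (status-page reads served to addresses outside the cluster, and kubelet probes failing with 401 once unauthenticated_routes is emptied), written against the JSON request-log shape quoted above; this is example code, not code from Kibana, OpenSearch Dashboards or any participant. The sample log lines, the 203.0.113.0/24 external addresses and the 10.0.0.0/8 trusted range are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample lines shaped like the Dashboards request log quoted in the thread
# (only the fields read below are kept); 10.0.0.0/8 as the cluster range is an assumption.
SAMPLE_LOG = r'''
{"statusCode":200,"req":{"url":"/api/status","method":"get","headers":{"user-agent":"Mozilla/5.0"},"remoteAddress":"203.0.113.7","userAgent":"Mozilla/5.0"},"res":{"statusCode":200,"contentLength":4231},"message":"GET /api/status 200 12ms - 4.1KB"}
{"statusCode":401,"req":{"url":"/api/status","method":"get","headers":{"user-agent":"kube-probe/1.19"},"remoteAddress":"10.42.0.3","userAgent":"kube-probe/1.19"},"res":{"statusCode":401,"contentLength":9},"message":"GET /api/status 401 10ms - 9.0B"}
{"statusCode":401,"req":{"url":"/api","method":"get","headers":{"user-agent":"curl/7.81.0"},"remoteAddress":"203.0.113.7","userAgent":"curl/7.81.0"},"res":{"statusCode":401,"contentLength":9},"message":"GET /api 401 3ms - 9.0B"}
{"statusCode":200,"req":{"url":"/api/status/","method":"get","headers":{"user-agent":"kube-probe/1.19"},"remoteAddress":"10.42.0.3","userAgent":"kube-probe/1.19"},"res":{"statusCode":200,"contentLength":4231},"message":"GET /api/status/ 200 9ms - 4.1KB"}
not a JSON line: the parser skips it
'''

def parse_log(text):
    """Flatten one-JSON-object-per-line request logs; non-JSON lines are skipped."""
    records = []
    for line in text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        req = entry.get("req", {})
        # Normalise "/api/status/" and "/api/status?x=y" to "/api/status".
        path = req.get("url", "").split("?", 1)[0].rstrip("/") or "/"
        records.append({
            "path": path,
            "status": entry.get("res", {}).get("statusCode", entry.get("statusCode")),
            "remote": req.get("remoteAddress", ""),
            "agent": req.get("userAgent") or req.get("headers", {}).get("user-agent", ""),
        })
    return records

def _trusted(addr, nets):
    try:
        return any(ipaddress.ip_address(addr) in n for n in nets)
    except ValueError:  # unparsable address: treat as untrusted
        return False

def external_status_reads(records, trusted_cidrs):
    """Status-page responses (200) served to addresses outside the trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    return [r for r in records
            if r["path"] == "/api/status" and r["status"] == 200
            and not _trusted(r["remote"], nets)]

def failing_probes(records):
    """Kubelet probes answered with 401: the readiness-probe breakage from the thread."""
    return [r for r in records if r["agent"].startswith("kube-probe/") and r["status"] == 401]
```

Run it over the real request log after changing unauthenticated_routes: an empty result from external_status_reads confirms the status page is no longer served anonymously, and a non-empty failing_probes shows which probes need an authenticated health check.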