[status] Allow unauthenticated users to see status

docs/settings.asciidoc

@@ -408,6 +408,10 @@ you are using a self-signed certificate so the certificate can be verified. Disa
 +
 *alias*: `log_file` deprecated[4.2]
 
+`status.allowAnonymous`:: If authentication is enabled, setting this to `true` allows unauthenticated users to access the Kibana server status API and status page.
++
+*default*: `false`
+
 [[managing-saved-objects]]
 === Managing Saved Searches, Visualizations, and Dashboards 
 

src/server/config/schema.js

@@ -110,6 +110,10 @@ module.exports = () => Joi.object({
       )
       .default(Joi.ref('$dev')),
     profile: Joi.boolean().default(false)
+  }).default(),
+
+  status: Joi.object({
+    allowAnonymous: Joi.boolean().default(false)
   }).default()
 
 }).default();

src/server/status/__tests__/wrap_auth_config.js

@@ -0,0 +1,42 @@
+import expect from 'expect.js';
+import wrapAuthConfig from '../wrap_auth_config';
+
+describe('Status wrapAuthConfig', () => {
+  let options;
+
+  beforeEach(() => {
+    options = {
+      method: 'GET',
+      path: '/status',
+      handler: function (request, reply) {
+        return reply();
+      }
+    };
+  });
+
+  it('should return a function', () => {
+    expect(wrapAuthConfig()).to.be.a('function');
+    expect(wrapAuthConfig(true)).to.be.a('function');
+    expect(wrapAuthConfig(false)).to.be.a('function');
+  });
+
+  it('should not add auth config by default', () => {
+    const wrapAuth = wrapAuthConfig();
+    const wrapped = wrapAuth(options);
+    expect(wrapped).to.not.have.property('config');
+  });
+
+  it('should not add auth config if allowAnonymous is false', () => {
+    const wrapAuth = wrapAuthConfig(false);
+    const wrapped = wrapAuth(options);
+    expect(wrapped).to.not.have.property('config');
+  });
+
+  it('should add auth config if allowAnonymous is true', () => {
+    const wrapAuth = wrapAuthConfig(true);
+    const wrapped = wrapAuth(options);
+    expect(wrapped).to.have.property('config');
+    expect(wrapped.config).to.have.property('auth');
+    expect(wrapped.config.auth).to.be(false);
+  });
+});

src/server/status/index.js

@@ -1,3 +1,5 @@
+import wrapAuthConfig from './wrap_auth_config';
+
 module.exports = function (kbnServer, server, config) {
   let _ = require('lodash');
   let ServerStatus = require('./ServerStatus');
@@ -9,7 +11,9 @@ module.exports = function (kbnServer, server, config) {
     kbnServer.mixin(require('./metrics'));
   }
 
-  server.route({
+  const wrapAuth = wrapAuthConfig(config.get('status.allowAnonymous'));
+
+  server.route(wrapAuth({
     method: 'GET',
     path: '/api/status',
     handler: function (request, reply) {
@@ -18,7 +22,7 @@ module.exports = function (kbnServer, server, config) {
         metrics: kbnServer.metrics
       });
     }
-  });
+  }));
 
   server.decorate('reply', 'renderStatusPage', function () {
     let app = kbnServer.uiExports.getHiddenApp('statusPage');
@@ -27,11 +31,11 @@ module.exports = function (kbnServer, server, config) {
     return resp;
   });
 
-  server.route({
+  server.route(wrapAuth({
     method: 'GET',
     path: '/status',
     handler: function (request, reply) {
       return reply.renderStatusPage();
     }
-  });
+  }));
 };

src/server/status/wrap_auth_config.js

@@ -0,0 +1,6 @@
+import {assign, identity} from 'lodash';
+
+export default (allowAnonymous) => {
+  if (allowAnonymous) return options => assign(options, {config: {auth: false}});
+  return identity;
+};