spring-projects / spring-boot

Spring Boot
https://spring.io/projects/spring-boot
Apache License 2.0

Restrict actuator access based on read/write/delete operations via configuration #39046

Open csterwa opened 9 months ago

csterwa commented 9 months ago

Problem Statement

There are situations where actuators are added to Spring Boot applications to enhance troubleshooting and runtime management. These actuators could have PUT, POST and DELETE endpoints (@WriteOperation) that could be accessed on that application's actuator port. There are concerns about keeping these actuators, or, even worse, accidentally letting them get into production environments with these accessible.

Is it possible for actuators to automatically add a configuration option to enable/disable read or write operations? It would be nice to have this be configurable on:

Current Operations

Currently, there are @ReadOperation and @WriteOperation annotations that map to HTTP verbs. Perhaps having the option of disabling write operations would help with this need.
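For readers arriving at this issue, the following is an added illustration, not code from the issue author or from the Spring Boot project. It shows the three operation kinds on a custom endpoint and the verb each one is mapped to (@ReadOperation to GET, @WriteOperation to POST, @DeleteOperation to DELETE), and then the closest thing available today to the requested switch: a Spring Security filter chain, scoped with EndpointRequest.toAnyEndpoint(), that denies every non-GET actuator request. The endpoint id "featureflags", the role name "ACTUATOR_READ", and the in-memory flag map are assumptions made for the example; the Spring Boot 3 / Spring Security 6 APIs used (EndpointRequest, HttpMethod.matches, RequestMatcher, securityMatcher) are real.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.endpoint.annotation.DeleteOperation;
import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
import org.springframework.boot.actuate.endpoint.annotation.Selector;
import org.springframework.boot.actuate.endpoint.annotation.WriteOperation;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.stereotype.Component;

// Hypothetical custom endpoint (id "featureflags" is an assumption for this example).
// With management.endpoints.web.exposure.include=featureflags it is served under
// /actuator/featureflags. Each operation kind is mapped to exactly one HTTP verb.
@Component
@Endpoint(id = "featureflags")
public class FeatureFlagsEndpoint {

    // Constructed in-memory state so the example runs without a backing store.
    private final Map<String, Boolean> flags = new ConcurrentHashMap<>();

    @ReadOperation                 // GET    /actuator/featureflags
    public Map<String, Boolean> flags() {
        return Map.copyOf(flags);
    }

    @ReadOperation                 // GET    /actuator/featureflags/{name}
    public Boolean flag(@Selector String name) {
        return flags.get(name);
    }

    @WriteOperation                // POST   /actuator/featureflags/{name}   body: {"enabled": true}
    public void setFlag(@Selector String name, boolean enabled) {
        flags.put(name, enabled);
    }

    @DeleteOperation               // DELETE /actuator/featureflags/{name}
    public void clearFlag(@Selector String name) {
        flags.remove(name);
    }
}

// Workaround for the restriction this issue asks for: because every @WriteOperation
// is invoked with POST and every @DeleteOperation with DELETE, refusing all non-GET
// requests on the actuator base path blocks every write and delete operation of
// every exposed endpoint, while leaving read operations reachable.
@Configuration
class ActuatorSecurityConfig {

    // Matches any actuator request whose verb is not GET.
    private static final RequestMatcher MUTATING_ACTUATOR_REQUEST =
            request -> !HttpMethod.GET.matches(request.getMethod());

    @Bean
    SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http.securityMatcher(EndpointRequest.toAnyEndpoint())   // actuator requests only, any port
            .authorizeHttpRequests(auth -> auth
                // health stays anonymous for load balancers and probes
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // deny POST/DELETE (write and delete operations) before any role check
                .requestMatchers(MUTATING_ACTUATOR_REQUEST).denyAll()
                // remaining (read) operations require an operator role (role name assumed)
                .anyRequest().hasRole("ACTUATOR_READ"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

Two caveats worth keeping in mind when relying on this instead of a built-in option. First, it is an HTTP-verb rule, not an operation-level switch: it protects only the web exposure, so endpoints exposed over JMX (management.endpoints.jmx.exposure.include) still have their write and delete operations callable. Second, management.endpoints.web.exposure.include is per endpoint, not per operation, so it cannot keep the read half of an endpoint while dropping its write half; that per-operation granularity is exactly the gap the issue describes.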

wilkinsona commented 8 months ago

I think this is probably a duplicate of https://github.com/spring-projects/spring-boot/pull/29596.

philwebb commented 7 months ago

I think so as well. Marking as a duplicate of #29596

philwebb commented 3 months ago

We're reopening this to consider as part of our 3.4 actuator theme. We want to offer restrictions based on the operations, not necessarily the technologies used to expose them.