Hi,

We have tried to enable Basic Authentication for the Pekko Management endpoints following the instructions provided in Enabling Basic Authentication <https://pekko.apache.org/docs/pekko-management/current/pekko-management.html#enabling-basic-authentication>. So far, we have only tested this by sending requests (using curl) towards the /alive, /ready and /bootstrap/seed-nodes endpoints.

For all requests, the basic authenticator (myUserPassAuthenticator) is invoked:

1. When correct user credentials are provided, the expected '200 OK' response is returned.
2. When incorrect credentials are provided, the expected '401 Unauthorized' response is returned.
3. However, if *no credentials* are provided (i.e. no Authorization header in the request), we still receive a '200 OK' response. Debugging the Basic Authenticator function, we can see that the function returns the expected Optional.empty() in this case as well (i.e. the same as in 2 above).

The above indicates to us that the authentication is done first and that the issue is that said management endpoints allow anonymous access. However, we cannot find any documentation on how to disallow anonymous access for the above management endpoints. The only reference we can find is the documentation for authenticateBasicAsync <https://pekko.apache.org/docs/pekko-http/1.1/routing-dsl/directives/security-directives/authenticateBasicAsync.html>. But that does not explain how we (as Pekko users) may protect existing management endpoints created by management extensions (health-check, bootstrap and cluster-management). Any additional advice (Java code example preferred) regarding how to solve this?

If we find a solution to the above, how can we configure the internal HTTP client <https://github.com/apache/pekko-management/blob/main/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/contactpoint/HttpClusterBootstrapRoutes.scala#L81> used in the bootstrap management extension (or any other internal clients used by Pekko, like for Discovery maybe) to use the appropriate credentials?

Finally, we also intend to enable TLS following the instructions provided in Enabling TLS/SSL (HTTPS) for Cluster HTTP Management <https://pekko.apache.org/docs/pekko-management/current/pekko-management.html#enabling-tls-ssl-https-for-cluster-http-management>. The certificate will most likely be issued by an untrusted CA. Hence, in addition to providing the credentials mentioned above, we suspect we will also need to set up a trust store for all internal Pekko clients (bootstrap, etc.). Is this described anywhere, or is it at all possible?

Best regards,
Per-Ivar Bakke
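As an added illustration of the behaviour the post is asking about (example code, not from the Pekko project or the original message): a Pekko HTTP Java DSL route guard that wraps an arbitrary inner route with authenticateBasicAsync, so that a request with no Authorization header is rejected with 401 and never reaches the inner route. It assumes the Pekko HTTP Java DSL classes named in the imports and a constructed single user (ops / p4ssw0rd) used only for illustration; the sample inner routes stand in for the management endpoints.

```java
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;

import org.apache.pekko.http.javadsl.model.StatusCodes;
import org.apache.pekko.http.javadsl.server.AllDirectives;
import org.apache.pekko.http.javadsl.server.Route;
import org.apache.pekko.http.javadsl.server.directives.SecurityDirectives.ProvidedCredentials;

// Added example; not Pekko project code. Constructed sample user for illustration only.
public class GuardedManagementRoutes extends AllDirectives {

  static final String USER = "ops";
  static final String PASSWORD = "p4ssw0rd"; // constructed sample secret

  // Authenticator that handles the two failure modes separately: no Authorization
  // header at all (creds is empty) and a header with wrong credentials. Both return
  // Optional.empty(), and authenticateBasicAsync then rejects the request and answers
  // 401 with a WWW-Authenticate challenge instead of evaluating the inner route.
  static final Function<Optional<ProvidedCredentials>, CompletionStage<Optional<String>>>
      authenticator = creds -> {
        if (!creds.isPresent()) {
          // Anonymous request: must not fall through to the protected route.
          return CompletableFuture.completedFuture(Optional.empty());
        }
        ProvidedCredentials c = creds.get();
        if (USER.equals(c.identifier()) && c.verify(PASSWORD)) {
          return CompletableFuture.completedFuture(Optional.of(c.identifier()));
        }
        return CompletableFuture.completedFuture(Optional.empty());
      };

  // Wraps any existing route so every request must carry valid Basic credentials.
  Route guarded(Route inner) {
    return authenticateBasicAsync("pekko-management", authenticator, user -> inner);
  }

  // Stand-ins for the management endpoints, to show the guard in isolation.
  Route sampleRoutes() {
    return concat(
        path("alive", () -> complete(StatusCodes.OK)),
        path("ready", () -> complete(StatusCodes.OK)));
  }

  Route routes() {
    return guarded(sampleRoutes());
  }
}
```

With this wrapper in front of a route, a curl request without an Authorization header gets 401 rather than 200, which is the check to run against the management port once the extension routes are wired behind the same guard.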
