4lw commands are not authenticated, because they don't expose sensitive information. They provide generic information about cluster health, znode count, roles, state, etc. However, only a few of them are enabled in the default configuration to stay on the safe side. You can enable more or disable the feature completely.

4lw commands don't need encryption in general, because no sensitive information is transferred over the wire, but since they're enabled on the standard client port, the same configuration applies.

Andor

On Wed, 2024-11-06 at 17:02 +0530, arjun s v wrote:
> Able to hit 4lw (added to whitelist) without authentication even when auth is enforced. Why is the authentication check not done here?
>
> Do 4lw commands provide only insensitive metrics?
>
> I could not find any document stating 4lw commands do not return sensitive information.
>
> If it does return sensitive information, why not do authentication checks while executing the commands?
>
> We have a setup which already has SASL authentication enforced. Just to run the 'stat' command, should we enable TLS?
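
Added example (not part of the thread and not ZooKeeper project code): a small audit that reads zoo.cfg text and reports which 4lw commands answer without authentication and on which ports, following the reply's point that the client port's configuration applies to them. Assumptions not stated in the thread: the key names 4lw.commands.whitelist, clientPort and secureClientPort, "*" enabling every command, "srvr" always staying enabled, and the command list below, which may be incomplete for your version.

```python
# Added example: which 4lw commands are reachable, and over which ports?
# The config keys and whitelist semantics below are assumptions about
# ZooKeeper's behaviour; verify them against the admin guide for your release.

# Assumed list of four-letter words; adjust to your ZooKeeper version.
KNOWN_4LW = ("conf", "cons", "crst", "dirs", "dump", "envi", "gtmk", "isro",
             "mntr", "ruok", "srst", "srvr", "stat", "stmk", "wchc", "wchp", "wchs")

def parse_cfg(text):
    """Parse key=value lines of a zoo.cfg, ignoring comments and blank lines."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def effective_4lw(cfg):
    """Return the set of 4lw commands the server would answer."""
    enabled = {"srvr"}  # assumption: always enabled, even with no whitelist
    for name in cfg.get("4lw.commands.whitelist", "").split(","):
        name = name.strip()
        if name == "*":
            return enabled | set(KNOWN_4LW)
        if name:
            enabled.add(name)
    return enabled

def audit(text):
    """Summarise unauthenticated 4lw exposure for one server config."""
    cfg = parse_cfg(text)
    return {
        "commands": sorted(effective_4lw(cfg)),
        "plaintext_port": cfg.get("clientPort"),    # 4lw replies unencrypted here
        "tls_port": cfg.get("secureClientPort"),    # TLS settings apply here
    }

# Constructed sample config, not taken from the thread.
SAMPLE = """
# SASL is enforced for client sessions elsewhere in this file
clientPort=2181
secureClientPort=2281
4lw.commands.whitelist=stat, ruok, mntr
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```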