Provide a way to filter or redact health information programatically

[jsight]

Description

We make health endpoints available without authentication, but we'd like to redact the details of the results depending upon the currently authenticated user.

We can do this programmatically by overriding SecureSmallRyeHealthReporter, but we need to override quite a few methods to do this.

Perhaps there could be a way to register a filter component instead?

Implementation ideas

No response

[quarkus-bot]

/cc @jmartisk (health), @xstefank (health)

[xstefank]

Hi @jsight. I'm sorry but I don't understand what you're asking. Filter only some health checks to be displayed programmatically?

[jsight]

Currently, the health checks return a result like this:

{
  "status": "UP",
  "checks": [
      {
          "name": "mycheckwithsensitiveinformation",
          "status": "UP",
          "data": {
              "connection.host": "super.secret.internal.hostname",
              "ownsLock": true,
              "hasAccessToCriticalThings": true
          }
      }
  ]
}

This is great for authenticated clients, as they might want information that is non-public.

In some cases, we'd like to share the results of this with parties that need to know up vs down, but not necessarily every detail. The differentiator should be authorization. We do this now by overriding smallrye to return this:

{
    "status": "UP",
    "checks": [
    ],
    "redacted": true
}

Currently, we do this by overriding SmallRyeHealthReporter and then overriding reportHealth. From in there, we can check the role and redact whatever we want. :) Unfortunately, this method is no longer possible with Quarkus 3.8 as the request context has been closed when that method is called. Now we are having to work around it by overriding every get* method, which is clumsy.

Ideally there would be a straightforward way to modify the reported results before the response has been committed.

Does that help?