Currently, when security is turned on for the webui, eg. with --webserver_require_ldap or --webserver_require_spnego, authentication is applied to all webui endpoints.
However, there are some endpoints that expose low-sensitivity info, eg. /healthz, and which are scraped by other systems that it may be difficult to get credentials to in order to be able to authenticate, eg. a Kubernetes health check or prometheus monitoring. It would be useful to provide a way to allow unauthenticated access to those endpoints.
One option would be to run another instance of the webserver on another port. This instance could be unsecured and only expose a few low-sensitivity endpoints. This would allow for a configuration where Impala is run in a private network and the main webserver port could be exposed externally, eg. through an nginx gateway, while keeping the port for the second webserver only available to internal systems.