I have implemented JWT with a fallback to HTTP and it’s working for both Elasticsearch and Kibana.
I am now looking at how I can lock this down further, but so far I have struggled to get my head around permissions. Is it possible to implement the following:
A user that can only access Elasticsearch and will be denied authentication to Kibana.
You can use the Kibana_read_only role to take away everything but Dashboards, and if they do not have any Dashboards in, they will not be able to see anything - but this is a good feature request. I would also like to see the ability to grant and restrict access to Kibana features by Role (Console Access, Index Management, etc.).
I went ahead and created an issue for this here: https://github.com/opendistro-for-elasticsearch/security/issues/45
Feel free to +1 or further comment on the request.
Thank you for taking the time to look into this, and creating the Issue on git. I have +1’d and added some additional information.
You could use internal users for Elasticsearch access and backend authentication (SAML, LDAP, OpenID) for Kibana. Then set skip_users in backend authentication. Set Kibana to backend authentication (kibana.yml). The user listed in skip_users will fail to authenticate with Kibana but will succeed when directly accessing Elasticsearch with REST.
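As an added illustration of the split described in the reply above (not configuration from the original thread), the fragment below sketches a security plugin config.yml with an internal-user domain for direct Elasticsearch REST access and an OpenID domain that Kibana is pointed at, followed by the matching kibana.yml settings. The account name es_only_user, the IdP URLs and client values are constructed; the placement of skip_users inside the OpenID authc domain is an assumption and should be checked against the security plugin documentation for the installed version before use.

```yaml
# config.yml (security plugin) - added illustration, not from the thread
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      # Domain 1: internal users database. Serves curl/REST clients that
      # send HTTP basic credentials straight to Elasticsearch.
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      # Domain 2: OpenID Connect. This is the only login path Kibana offers,
      # so an account that this domain refuses cannot reach Kibana at all.
      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            # constructed IdP discovery URL
            openid_connect_url: https://idp.example.com/.well-known/openid-configuration
        authentication_backend:
          type: noop
        # Assumed placement of skip_users: accounts listed here are skipped by
        # this domain, so es_only_user (defined in internal_users.yml) can use
        # the REST API via domain 1 but is rejected when coming through Kibana.
        skip_users:
          - es_only_user
---
# kibana.yml - send Kibana users through the OpenID domain only
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://idp.example.com/.well-known/openid-configuration"
opendistro_security.openid.client_id: "kibana"
opendistro_security.openid.client_secret: "<client secret placeholder>"
```

Verify the result from both sides: a basic-auth request as es_only_user against the Elasticsearch REST API should succeed, while the same account should have no way to complete the Kibana login flow.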