I have implemented JWT with a fallback to HTTP and it’s working for both Elasticsearch and Kibana.
I am now looking at how I can lock this down further, but so far I have struggled to get my head around permissions. Is it possible to implement the following:
A user that can only access Elasticsearch and will be denied authentication to Kibana.
You can use the Kibana_read_only role to take away everything but Dashboards, and if they do not have any Dashboards they will not be able to see anything - but this is a good feature request. I would also like to see the ability to grant and restrict access to Kibana features by Role (Console Access, Index Management, etc.).
You could use internal users for Elasticsearch access and backend authentication (SAML, LDAP, OpenID) for Kibana. Then set skip_users in backend authentication. Set Kibana to backend authentication (kibana.yml). The user listed in skip_users will fail to authenticate with Kibana but will succeed when directly accessing Elasticsearch with REST.
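The split described in the answer above, written out as an added configuration example (it is not from the thread or from the Open Distro project). It assumes the Open Distro security plugin's config.yml schema, where skip_users sits at the auth-domain level next to http_authenticator; the domain names, the user es_only_user, and the OpenID URL and client values are placeholders. The first YAML document is an excerpt of config.yml, the second of kibana.yml.

```yaml
# --- securityconfig/config.yml (excerpt, added example; placeholders throughout) ---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      # Direct REST access to Elasticsearch: HTTP Basic checked against the
      # internal user database. es_only_user lives only here.
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal

      # Backend authentication that Kibana is pointed at (OpenID here; SAML or
      # LDAP domains take the same skip_users list). Users listed in skip_users
      # are never evaluated by this domain, so they cannot complete the Kibana
      # login flow even though they still authenticate against the internal domain.
      openid_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        skip_users:
          - es_only_user                     # placeholder internal-only user
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            # placeholder IdP discovery URL
            openid_connect_url: https://idp.example.internal/.well-known/openid-configuration
        authentication_backend:
          type: noop
---
# --- kibana.yml (excerpt, added example) ---
# Kibana uses the backend (OpenID) flow only; the internal-only user has no
# identity at the IdP and is skipped by the OpenID domain on the cluster side.
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://idp.example.internal/.well-known/openid-configuration"  # placeholder
opendistro_security.openid.client_id: "kibana"            # placeholder
opendistro_security.openid.client_secret: "CHANGE_ME"     # placeholder
```

After applying the change with securityadmin.sh, a quick check is to call the cluster directly with es_only_user over Basic auth (expect 200) and then open Kibana, where only IdP-backed users reach the login screen; es_only_user has no path in. The internal user's index and cluster permissions are still governed by its role mappings, so the skip only affects which authentication domain it can use, not what it may read once authenticated.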