[ISSUE] Unable to access monitoring in Kibana after setting up basic authentication

EDIT:

ReadonlyREST plugins for Kibana (Enterprise and PRO) are finally able to compensate for the Kibana bug, and X-Pack Monitoring works normally out of the box. No need for hacks!


:warning:WARNING
THE SOLUTION BELOW IS A HACK AND MAY MESS UP YOUR ACL, PLEASE MIND THE ORDER OF THE ACL BLOCKS AND THINK ABOUT ALL THE RAMIFICATIONS


Finally I had a breakthrough, but via a workaround rule.

Based on the Kibana error log, I checked their clusters.js code. This is internally calling verify_monitoring_auth.js to get the authorization info. The way they have coded it, either there is xpack security or nothing. Because of this, when we disable xpack security, they assume that there is no security. I am not sure how it works on other tabs in Kibana. But at least that is what I saw in the verify_monitoring_auth.js file.

When such a request hits ROR from the monitoring page with no basic auth info, ROR will definitely reject that request. So as a workaround, I put in an IP-based rule and have given readonly access to the different indexes used in monitoring. I might have to further refine this rule to restrict it to the bare minimum requirement for monitoring. But this is what I have as of now, and it seems to be working fine.

Here the IP belongs to the machine running Kibana.

```yml
- name: "::Monitoring::"
  type: allow
  actions: ["cluster:monitor/*","indices:admin/types/exists","indices:data/read/*"]
  indices: [".kibana*", ".kibana-devnull", "readonlyrest-*", ".monitoring*"]
  hosts: ["123.123.123.123"]
  verbosity: error
```

I got this idea based on a similar suggestion that was given in the thread below.

Thanks!

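To see what the IP-based block above actually grants and why its position in the ACL matters, here is an added example (not from the original post and not ReadonlyREST's own code) that models first-match block evaluation. Assumptions: `hosts` is compared as an exact IP, patterns are treated as simple globs, and the second block with its `admin:placeholder` credential is constructed for contrast.

```python
from fnmatch import fnmatchcase

# First block is the one from the post; the second is a constructed
# authenticated block (placeholder credential) added for contrast.
ACL = [
    {"name": "::Monitoring::", "type": "allow",
     "actions": ["cluster:monitor/*", "indices:admin/types/exists",
                 "indices:data/read/*"],
     "indices": [".kibana*", ".kibana-devnull", "readonlyrest-*",
                 ".monitoring*"],
     "hosts": ["123.123.123.123"]},
    {"name": "constructed: admin", "type": "allow",
     "auth_key": "admin:placeholder"},
]

def _any(patterns, value):
    """True if value matches at least one glob pattern."""
    return any(fnmatchcase(value, p) for p in patterns)

def block_matches(block, req):
    """Simplified model: every rule present in a block must match (AND)."""
    if "hosts" in block and req["src_ip"] not in block["hosts"]:
        return False
    if "actions" in block and not _any(block["actions"], req["action"]):
        return False
    if "indices" in block and not _any(block["indices"], req["index"]):
        return False
    if "auth_key" in block and req.get("basic_auth") != block["auth_key"]:
        return False
    return True

def evaluate(acl, req):
    """Blocks are tried top to bottom; the first full match decides."""
    for block in acl:
        if block_matches(block, req):
            return block.get("type", "allow"), block["name"]
    return "forbid", None  # no block matched: request is rejected

if __name__ == "__main__":
    # Constructed request: no credentials, but sent from the Kibana host.
    req = {"src_ip": "123.123.123.123", "action": "indices:data/read/search",
           "index": "readonlyrest-audit-2018.01.01"}
    print(evaluate(ACL, req))
```

Because the block carries no authentication rule, any request arriving from the Kibana machine's IP gets read access to the listed index patterns, including `readonlyrest-*`, regardless of who is logged in to Kibana.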