Thanks!
I just installed the trial ROR License and set up the Kibana YML configurations as suggested. Previously, without the Kibana ROR, I was able to access the NGINX-introduced custom headers correctly in ES:
[2018-05-25T09:20:23,994][INFO ][t.b.r.a.ACL ] ALLOWED by { name: '::NGINX-RESTRICTED-GROUP::', policy: ALLOW} req={ ID:1943907203-488986116#293, TYP:GetRequest, CGR:N/A, USR:ABC123, BRS:false, KDX:null, ACT:indices:data/read/get, OA:127.0.0.1, DA:127.0.0.1, IDX:.kibana, MET:GET, PTH:/.kibana/doc/config%3A6.2.4, CNT:<N/A>, HDR:{Connection=keep-alive, Content-Length=0, Host=localhost:9200, x-access-group=restricted, x-forwarded-user=ABC123}, HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]], [Global Write/Admin Access->[auth_key->false]], [Route53 Access->[x_forwarded_for->false]], [::NGINX-RESTRICTED-GROUP::->[kibana_access->true, headers->true, indices->true, proxy_auth->true, kibana_hide_apps->true]] }
[2018-05-25T09:20:26,132][INFO ][t.b.r.a.ACL ]
However, after setting up ROR and setting up the readonlyrest proxy settings as suggested, I am still getting the Login Page with a FORBIDDEN 403 on Kibana after attempting the SAME NGINX>Kibana Redirect.
It looks like the ES logs are now showing a new error, and it feels like the custom headers injected by NGINX after installing ROR are not being passed:
[2018-05-25T10:36:34,380][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:2038995451-1543779375#12703, TYP:NodesInfoRequest, CGR:N/A, USR:ABC123, BRS:false, KDX:null, ACT:cluster:monitor/nodes/info, OA:127.0.0.1, DA:0.0.0.0, IDX:<N/A>, MET:GET, PTH:/_nodes/_local, CNT:<N/A>, HDR:{Connection=close, content-length=0, Host=localhost:9200, x-forwarded-user=ABC123}, HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::RO::->[auth_key->false]], [::RW::->[auth_key->false]], [Global Write/Admin Access->[auth_key->false]], [Route53 Access->[x_forwarded_for->false]], [::NGINX-RESTRICTED-GROUP::->[kibana_access->true, headers->false, proxy_auth->true]], [::NGINX-READONLY-GROUP::->[headers->false, kibana_access->true, proxy_auth->true]], [::NGINX-READWRITE-GROUP::->[kibana_access->true, headers->false, proxy_auth->true]] }
This is my Kibana YML:
server.host: localhost
elasticsearch.url: http://localhost:9200
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.requestHeadersWhitelist: [ authorization, x-forwarded-user, x-access-group ]
readonlyrest_kbn.proxy_auth_passthrough: true
readonlyrest_kbn.custom_logout_link: "https://localhost:5100/logout"
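
An added example, not part of the original post and not ReadonlyREST code: a small parser for the two ACL log lines quoted above that diffs their `HDR` maps and lists which rules evaluated to false in each `HIS` block. The log strings are abridged copies of the post's lines, and the function names are hypothetical.

```python
import re

# Abridged copies of the two ACL log lines quoted in the post (HIS trimmed to two blocks).
ALLOWED_LINE = (
    "[2018-05-25T09:20:23,994][INFO ][t.b.r.a.ACL ] ALLOWED by { name: "
    "'::NGINX-RESTRICTED-GROUP::', policy: ALLOW} req={ USR:ABC123, MET:GET, "
    "PTH:/.kibana/doc/config%3A6.2.4, HDR:{Connection=keep-alive, Content-Length=0, "
    "Host=localhost:9200, x-access-group=restricted, x-forwarded-user=ABC123}, "
    "HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::NGINX-RESTRICTED-GROUP::->"
    "[kibana_access->true, headers->true, indices->true, proxy_auth->true]] }"
)
FORBIDDEN_LINE = (
    "[2018-05-25T10:36:34,380][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ "
    "USR:ABC123, MET:GET, PTH:/_nodes/_local, HDR:{Connection=close, "
    "content-length=0, Host=localhost:9200, x-forwarded-user=ABC123}, "
    "HIS:[::KIBANA-SRV 1::->[auth_key->false]], [::NGINX-RESTRICTED-GROUP::->"
    "[kibana_access->true, headers->false, proxy_auth->true]] }"
)

VERDICT_RE = re.compile(r"ACL\s*\]\s+(ALLOWED|FORBIDDEN)")
HDR_RE = re.compile(r"HDR:\{(.*?)\}")
BLOCK_RE = re.compile(r"\[([^\[\]]+)->\[([^\[\]]*)\]\]")

def parse_acl_line(line):
    """Return verdict, lower-cased header map and per-block rule results."""
    verdict = VERDICT_RE.search(line).group(1)
    headers = {}
    for pair in HDR_RE.search(line).group(1).split(", "):
        name, _, value = pair.partition("=")
        headers[name.lower()] = value  # header names are case-insensitive
    blocks = {}
    for name, rules in BLOCK_RE.findall(line.split("HIS:", 1)[1]):
        blocks[name] = {r: v == "true" for r, _, v in
                        (item.partition("->") for item in rules.split(", ")) if r}
    return {"verdict": verdict, "headers": headers, "blocks": blocks}

def compare(allowed_line, forbidden_line):
    """Headers present only in the allowed request, and failed rules per block."""
    ok, bad = parse_acl_line(allowed_line), parse_acl_line(forbidden_line)
    missing = sorted(set(ok["headers"]) - set(bad["headers"]))
    failed = {b: [r for r, v in rules.items() if not v]
              for b, rules in bad["blocks"].items()}
    return missing, failed

if __name__ == "__main__":
    missing, failed = compare(ALLOWED_LINE, FORBIDDEN_LINE)
    print("headers missing from the forbidden request:", missing)
    for block, rules in failed.items():
        print(f"{block}: failed {rules}")
```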