I tried a config like this:
```yaml
readonlyrest:
  enable: true
  prompt_for_basic_auth: false
  audit_collector: true

  access_control_rules:

  # MACHINES ##################
  - name: "::Kafka::"
    auth_key: kafka:kafka123

  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    actions: ["indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
    indices: ["logstash-*"]

  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error

  # GROUPS ####################
  - name: "::PERSONAL_GRP::"
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_@{user}"
    proxy_auth:
      proxy_auth_config: "proxy1"
      users: ["*"]
    groups_provider_authorization:
      user_groups_provider: "GroupsService"
      groups: ["Personal"]

  - name: "::Infosec::"
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_infosec"
    proxy_auth:
      proxy_auth_config: "proxy1"
      users: ["*"]
    groups_provider_authorization:
      user_groups_provider: "GroupsService"
      groups: ["Infosec"]

  - name: "::Finance::"
    kibana_access: rw
    kibana_hide_apps: ["readonlyrest_kbn", "timelion"]
    kibana_index: ".kibana_finance"
    proxy_auth:
      proxy_auth_config: "proxy1"
      users: ["*"]
    groups_provider_authorization:
      user_groups_provider: "GroupsService"
      groups: ["Finance"]

  proxy_auth_configs:
  - name: "proxy1"
    user_id_header: "X-Forwarded-User"

  # USERS TO GROUPS ############
  user_groups_providers:
  - name: "GroupsService"
    groups_endpoint: "http://127.0.0.1:3001"
    auth_token_name: "token"
    auth_token_passed_as: QUERY_PARAM # HEADER OR QUERY_PARAM
    response_groups_json_path: "$..groups[?(@.name)].name" # see: https://github.com/json-path/JsonPath
    cache_ttl_in_sec: 60
```
And kibana.yml:
```yaml
elasticsearch.requestHeadersWhitelist: [ authorization, "X-Forwarded-User", "X-Forwarded-For" ]
readonlyrest_kbn.proxy_auth_passthrough: true
```
I set X-Forwarded-User to a user with multiple groups. When the login screen is bypassed, the user doesn’t see the drop down list as expected.