No restriction of access for everything except Kibana users


since I have a lot of services and different things writing documents to Elasticsearch I cannot give any kind of access restriction directly to Elasticsearch. Elasticsearch is not accessible to third party people.
Any kind of modification of authentication directly on Elasticsearch could break our application. All services and applications should still be able to connect to Elasticsearch as they did before.

The only interface between customers and Elasticsearch is Kibana. That is why I only want to give different restrictions to users that are accessing Elasticsearch through Kibana. Users of Kibana then would have to authenticate against Elasticsearch. Using version 5.6.7 with Own Home and reverse proxy right now.
Is this possible? How would you do that?

Thank you

Sorry, but how is ReadonlyREST involved in this?

I want to install ReadonlyREST on my Elasticsearch instance to control who can access which index through Kibana. Elasticsearch is not exposed to public and therefore does not really need to be secured and I need to leave the connection/authentication of those services to Elasticsearch untouched.

I guess you could add a dedicated local ES node (with no master eligibility, and no data) in the same server where Kibana is. Install ROR for ES only there, and point Kibana to it. So the rest of the cluster will not be aware of any restriction.

Yes that is probably what I am going to do. Then logstashing all needed indices to the new elasticsearch instance. Thank you