I am still searching for a way, that my application with a build-in browser can access kibana without visible authentification (eg no login mask) as read only access and write access is granted only to specific users.
While the url authentification does not work, I had another idea. It is not ideal, but should do the trick:
2 Kibana instances, one with disabled write plugins (Dev Tools, Management…) and a normal one.
Search Guard allows everything from localhost, no authentification needed. Otherwise, If the request comes from another machine (eg someone contacting ES directly), authentification is needed.
I know, that it is not perfect and not even very safe, but at least the normal user cant do stuff within our application.
Is this possible? I cant really find anything about the part, where everything is allowed for localhost and the http_authentification is only used to external requests.