Restrict auth domain to certain subnet

Is it possible to restrict an auth domain to a given CIDR?
This could for instance be used to prevent the kibanaserver user from using the REST API from outside the organization.
Or is there another way to achieve this?

Actually, I'm pretty worried about having to enable basic auth: the kibanaserver user can remove all Kibana indices.

I see there are the new blocking configuration options. That could help, if one could block users from certain net_masks or IPs, which it doesn't seem to.

Yes, you can block by netmask: https://docs.search-guard.com/latest/main-concepts#block-user--ip-addressnet-mask. Also, you can use a firewall on the ES servers, for example, iptables if it is Linux.

But you can't block a user from a certain mask only.

The problem with the Kibana user is that it's granted access from everywhere, while it only needs access from the box running Kibana. I don't want to have world-accessible basic auth just because of an Elasticsearch/Kibana limitation.

You can allow the connection only from a secure subnet, for example:

a_secure_subnet:
  type: "net_mask"
  value: ["192.168.1.0/24"]
  verdict: "allow"

But that will be effective for all users, not just the Kibana server user.
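To make the limitation discussed in this thread concrete, here is an added example (not Search Guard's own code, and not part of any post above) that models how a net_mask block rule with an "allow" verdict is evaluated. The rule table mirrors the a_secure_subnet entry shown above; the evaluation semantics (an "allow" net_mask rule restricts access to the listed ranges, a "disallow" rule rejects the listed ranges, and the username is never consulted) are an assumption stated for illustration, extended slightly beyond the thread by also handling a "disallow" verdict.

```python
import ipaddress

# Constructed rule table mirroring the YAML from the thread. The structure
# (type / value / verdict) follows the example above; treat the exact
# evaluation order as an assumption of this illustration.
BLOCKS = {
    "a_secure_subnet": {
        "type": "net_mask",
        "value": ["192.168.1.0/24"],
        "verdict": "allow",
    },
}


def _networks(values):
    """Parse the CIDR strings of one rule into ip_network objects."""
    return [ipaddress.ip_network(v, strict=False) for v in values]


def is_allowed(user, client_ip, blocks=BLOCKS):
    """Return True if client_ip passes the net_mask rules in `blocks`.

    Note that `user` is accepted but never inspected: a net_mask rule is
    keyed on the source address only, which is exactly why the subnet
    restriction applies to every user and not just to kibanaserver.
    """
    addr = ipaddress.ip_address(client_ip)
    allow_nets = []
    for rule in blocks.values():
        if rule["type"] != "net_mask":
            continue  # other rule types (e.g. by name) are out of scope here
        nets = _networks(rule["value"])
        if rule["verdict"] == "allow":
            allow_nets.extend(nets)
        elif rule["verdict"] == "disallow" and any(addr in n for n in nets):
            return False  # explicitly blocked range wins immediately
    # If any allow-list exists, the address must fall inside one of its ranges.
    if allow_nets and not any(addr in n for n in allow_nets):
        return False
    return True


def audit(requests, blocks=BLOCKS):
    """Evaluate a list of (user, ip) pairs; returns [(user, ip, allowed), ...]."""
    return [(u, ip, is_allowed(u, ip, blocks)) for u, ip in requests]


if __name__ == "__main__":
    # Constructed sample requests: the Kibana host inside the subnet, and two
    # different users coming from an address outside it.
    sample = [
        ("kibanaserver", "192.168.1.10"),
        ("kibanaserver", "203.0.113.7"),
        ("some_analyst", "203.0.113.7"),
    ]
    for user, ip, ok in audit(sample):
        print(f"{user:14} {ip:15} {'allowed' if ok else 'blocked'}")
```

Running the script shows the outside address blocked for kibanaserver and for some_analyst alike: the verdict depends only on the source range, so a per-user source restriction for the Kibana server account cannot be expressed this way.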