sg_kibana_user role doesn't let users use Kibana

search-guard-6-6.8.4-25.5.zip
search-guard-kibana-plugin-6.8.4-18.5.zip

Install Demo per https://docs.search-guard.com/6.x-25/demo-installer

Define user alice in sg_internal_users.yml

alice:
  readonly: true
  hash: $2y$12$xGK4NJredact
  roles:
    - sg_kibana_user

sg_kibana_user role is as provided by demo installer:

sg_kibana_user:
  readonly: true
  cluster:
    - INDICES_MONITOR
    - CLUSTER_COMPOSITE_OPS
  indices:
    '?kibana':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana-6':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?kibana_*':
      '*':
        - MANAGE
        - INDEX
        - READ
        - DELETE
    '?tasks':
      '*':
        - INDICES_ALL
    '?management-beats':
      '*':
        - INDICES_ALL
    '*':
      '*':
        - indices:data/read/field_caps*
        - indices:data/read/xpack/rollup*
        - indices:admin/mappings/get*
        - indices:admin/get

Log in to Kibana as alice and all that is displayed is this:

{"message":"no permissions for [indices:data/read/search] and User [name=alice, roles=[sg_kibana_user], requestedTenant=null]: [security_exception] no permissions for [indices:data/read/search] and User [name=alice, roles=[sg_kibana_user], requestedTenant=null]","statusCode":403,"error":"Forbidden"}

In /var/log/elasticsearch/searchguard_demo.log there is:

[2019-11-07T17:33:55,502][INFO ][c.f.s.p.PrivilegesEvaluator] [P053Uyn] No index-level perm match for User [name=alice, roles=[sg_kibana_user], requestedTenant=null] Resolved [aliases=[.kibana], indices=[], allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], remoteIndices=[]] [Action [indices:data/read/search]] [RolesChecked [sg_own_index]]
[2019-11-07T17:33:55,502][INFO ][c.f.s.p.PrivilegesEvaluator] [P053Uyn] No permissions for [indices:data/read/search]

If I give alice the admin role then Kibana works fine. I’ve tried explicitly adding indices:data/read/search to the sg_kibana_user role but it doesn’t help. (Nor would I expect it to given what READ expands to.)

Please refer to https://docs.search-guard.com/latest/first-steps-mapping-users-roles#roles-mapping-concept and try

alice:
  readonly: true
  hash: $2y$12$xGK4NJredact
  roles:
    - kibanauser
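
The roles-mapping step the answer refers to, as an added example (not part of the original thread and not Search Guard's own code): it parses the PrivilegesEvaluator line quoted in the question and resolves alice's backend roles through a mapping table. The ROLES_MAPPING entries are an assumption modeled on the demo installer's sg_roles_mapping.yml, and the matching is simplified to exact names plus the '*' user wildcard.

```python
import re

# Constructed sample: the PrivilegesEvaluator line quoted in the question.
LOG_LINE = (
    "[2019-11-07T17:33:55,502][INFO ][c.f.s.p.PrivilegesEvaluator] [P053Uyn] "
    "No index-level perm match for User [name=alice, roles=[sg_kibana_user], "
    "requestedTenant=null] Resolved [aliases=[.kibana], indices=[], "
    "allIndices=[.kibana_1], types=[*], originalRequested=[.kibana], "
    "remoteIndices=[]] [Action [indices:data/read/search]] "
    "[RolesChecked [sg_own_index]]"
)

# Assumption: mapping entries modeled on the demo sg_roles_mapping.yml.
ROLES_MAPPING = {
    "sg_kibana_user": {"backendroles": ["kibanauser"]},
    "sg_own_index": {"users": ["*"]},
}

PATTERN = re.compile(
    r"User \[name=(?P<user>[^,]+), roles=\[(?P<backend>[^\]]*)\].*?"
    r"\[Action \[(?P<action>[^\]]+)\]\] \[RolesChecked \[(?P<checked>[^\]]*)\]\]"
)

def _items(text):
    return [item.strip() for item in text.split(",") if item.strip()]

def parse_denial(line):
    """Extract user, backend roles, denied action and the roles actually checked."""
    m = PATTERN.search(line)
    if m is None:
        raise ValueError("not a PrivilegesEvaluator denial line")
    return {"user": m["user"], "backend_roles": _items(m["backend"]),
            "action": m["action"], "roles_checked": _items(m["checked"])}

def map_roles(user, backend_roles, mapping):
    """Resolve Search Guard roles from a user name and backend roles (exact match)."""
    resolved = []
    for sg_role, rule in mapping.items():
        users = rule.get("users", [])
        by_user = "*" in users or user in users
        by_backend = set(rule.get("backendroles", [])) & set(backend_roles)
        if by_user or by_backend:
            resolved.append(sg_role)
    return sorted(resolved)

def diagnose(line, mapping):
    """Report which backend roles in the log line map to no Search Guard role."""
    d = parse_denial(line)
    known = {b for rule in mapping.values() for b in rule.get("backendroles", [])}
    d["expected_sg_roles"] = map_roles(d["user"], d["backend_roles"], mapping)
    d["unmapped_backend_roles"] = [b for b in d["backend_roles"] if b not in known]
    return d
```

With the assumed mapping, the backend role sg_kibana_user resolves to nothing, so only sg_own_index is checked, which matches the RolesChecked field in the log; the backend role kibanauser resolves to the Search Guard role sg_kibana_user.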