I was able to setup my searchguard to auth from HTTP headers, and therefore pass the auth through kibana. It is a quite complex, and frankly I hope there is a cleaner way that I just didn't know how to setup.
For anyone else curious, my current setup required doing the following:
-Users connect to http webserver with nginx ldap authentation.
--If user auths succeed, HTTP headers entered for username and request passed to the actual kibana port on localhost
-Kibana is configured to talk to another local nginx host and not the elasticsearch cluster directly
--Nginx checks for the HTTP auth header, and if missing, inserts one with "kibana" as the user. (the only requests which do not have http auth are ones that kibana it self generates when trying to access it's own settings on startup). These requests are then forwarded to the actual elasticsearch cluster.
-search guard in the elasticsearch is configued with all the following settings for authorization/authentication
searchguard.http.xforwardedfor.header: X-Forward-For
searchguard.http.xforwardedfor.trustedproxies: 127.0.0.1
searchguard.http.xforwardedfor.enforce: false
searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.SettingsBasedAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.proxy.HTTPProxyAuthenticator
searchguard.authentication.authorization.settingsdb.roles.kibana: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.<Insert user name here>: ["admin"]
searchguard.authentication.authorization.settingsdb.roles.<Insert another user here>: ["dev"]
searchguard.authentication.proxy.header: x-authenticated-user
searchguard.authentication.proxy.trusted_ips: 127.0.0.1
I am still hoping there is a better way. Running a second nginx head just to give requests coming from Kibana access to it's own index is quite complex. Still using this I can auth users from LDAP, then group them manually in the configuration file and create ACL's based on these groups and specific indexes. So for example a dev group could have access to the dev index while admin's get all.
I would love to know if there is a better way. I don't know that I can do my groups from LDAP since I am doing HTTP auth for the user authentication. Is that possible?