Client-Cert-Login from Kibana to ES hides Kibana-User


I tried to set up client certificate authentication between Kibana and Elasticsearch (RPM-based installation):

elasticsearch.ssl.verificationMode: full
elasticsearch.ssl.certificateAuthorities: /etc/kibana/root-ca.pem
elasticsearch.ssl.certificate: /etc/kibana/kibanaserver.crt
elasticsearch.ssl.key: /etc/kibana/kibanaserver.key
#elasticsearch.username: kibanaserver
#elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]

The certificate is signed by the root CA and accepted by Elasticsearch, so the connection is functional.

But when I log in to Kibana using my LDAP user/password, my user is hidden by the kibanaserver user. Kibana shows “kibanaserver” as the user, and if I e.g. try a simple search via the console I get an error:

"no permissions for [indices:data/read/search] and User [name=kibanaserver, backend_roles=, requestedTenant=user]

So effectively the end user is hidden from Elasticsearch and therefore all user-specific permissions are not effective.

If I comment out the elasticsearch.ssl.certificate and key and comment in the user/password everything works as expected.

But for security reasons we do not want to have technical users with passwords.

In config.yml the following providers are activated:

  • basic_internal_auth_domain
  • clientcert_auth_domain
  • ldap

I suspect that the reason is that because of the client cert the basic auth user entry is completely ignored.

Am I missing something or is this a bug?

Regards Michael