I just configured security to interact with my AD.
I discovered that any user (someone not in role_mapping.yml) can login to kibana.
Of course, he won't be able to to anything in it, but he can still reach the interface.
It's a current limitation of Kibana and the Security plugin. A user without the kibana_user role (the default, so that's the case you're seeing) will still be able to log in, but they won't be able to interact with anything. Every page will show a permissions error message, but nothing stops them from logging in.
There's some discussion happening right now to figure out how to stop the user from being able to log in in the first place, but it's a known limitation right now.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.