I am looking for a way to use token-based authentication for Kibana to give end users the ability to use Kibana in an embedded iframe. Here is the flow that has worked for me:
1- use a system-level user with sufficient privileges to create a role for an end user with sufficient document-level access
2- use a system-level user with sufficient privileges to create a corresponding user in Elasticsearch and assign it to the role created in the previous step
3- use the credentials of the user created in step 2 to create an access_token and a refresh_token
4- use the access_token to log in to Kibana
5- use the refresh_token to refresh the access_token whenever it is expired.
My issue is that to manage step 3, I need to maintain user credentials in the corresponding service. I was wondering if there is a way I can create the access_token and refresh_token without knowing the credentials for that user, just by using a super_user's credentials instead. I am open to any other suggestions if there is a better way of handling this problem.
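Steps 3 and 5 of the flow above, as an added example that is not part of the original post: a small session object that obtains a token pair from the Elasticsearch token API (`POST /_security/oauth2/token`) with the password grant and renews it with the refresh grant shortly before expiry. The `post(path, body)` transport, the class name and the 30-second `skew` are assumptions made for illustration.

```python
import time

TOKEN_PATH = "/_security/oauth2/token"  # Elasticsearch get-token API


class KibanaTokenSession:
    """Holds one end user's token pair and renews it (steps 3 and 5).

    `post(path, body) -> dict` is a hypothetical transport supplied by the
    caller (a thin wrapper over an HTTPS client); it must raise on any
    non-2xx response.
    """

    def __init__(self, post, username, password, clock=time.monotonic, skew=30):
        self._post, self._clock, self._skew = post, clock, skew
        self._username, self._password = username, password
        self._access = self._refresh = None
        self._expires_at = 0.0

    def _store(self, resp):
        # The token response carries access_token, refresh_token and expires_in.
        self._access = resp["access_token"]
        self._refresh = resp.get("refresh_token")
        self._expires_at = self._clock() + resp["expires_in"]

    def _password_grant(self):
        # Step 3: this is the call that needs the end user's own password.
        self._store(self._post(TOKEN_PATH, {
            "grant_type": "password",
            "username": self._username,
            "password": self._password,
        }))

    def access_token(self):
        """Return an access token valid for at least `skew` more seconds."""
        if self._access and self._clock() < self._expires_at - self._skew:
            return self._access
        if self._refresh:
            try:
                # Step 5: a refresh token is single-use; store the new pair.
                self._store(self._post(TOKEN_PATH, {
                    "grant_type": "refresh_token",
                    "refresh_token": self._refresh,
                }))
                return self._access
            except Exception:
                self._refresh = None  # rejected (expired or reused): start over
        self._password_grant()
        return self._access
```

The fallback to the password grant is the only reason the service keeps the user's password after the first call; if a rejected refresh is treated as end of session instead, the password can be discarded once the first token pair has been issued.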