Ι will try to explain what happened here for the benefit of anyone having the same issue:
To trigger this, one needs to either
- Run with X-Pack installed in Elasticsearch but not in Kibana
- Run with X-Pack installed in both but security explicitly disabled in Kibana
In this case, while trying to access Kibana the browser will prompt the user to provide a Basic Authentication username/password that is stored in the browser's cache. This will be sent in all subsequent requests to Kibana as an
When the user later enables security in Kibana X-Pack, they will get prompted for authentication via a form, but when submitting the form, the
Authorization header will be also sent, Kibana will read this and log them in with the credentials used in the original Basic Authentication event and not the ones entered in the login form.
Clearing the cookies doesn't help as the Authorization header value is stored in the Browser's cache that is cleared on restart.