Restrict Settings panel to authorized users

Hello!

We're currently working on upgrading our Elasticsearch cluster to Kibana 4, and something we would like to do is restrict most users from accessing the 'settings' panel. We've attempted to do this through nginx unsuccessfully, as the settings panel is not populated by a second request (so restricting location becomes impossible).

Is this possible without the use of Shield?

Thanks!

I was able to get this sorted, for anyone who is interested. Since it seems that Kibana loads everything at once, including the settings, having authentication for settings at the nginx level doesn't really work.

That said, individual POST requests are sent for settings changes, so you CAN require auth for POST requests.

To do so (or, regex to match the path to _update):

    location ~ ^/elasticsearch/\.kibana/config/4\.1\.3/_update$ {
        # Require basic auth for every method except GET (and HEAD)
        limit_except GET {
            auth_basic "Restricted";
            auth_basic_user_file /path/to/passwd/file;
        }
    }

2 Likes
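
The snippet above placed in a complete server block, as an added example that is not part of the original post. The upstream address `127.0.0.1:5601`, the `server_name`, and the version-independent `[^/]+` segment are assumptions; only requests matching this one path are gated.

```nginx
# Added example; upstream address, server_name and passwd path are assumptions.
server {
    listen 80;
    server_name kibana.example.com;          # placeholder host name

    # UI assets and ordinary queries pass through without authentication,
    # as in the post: the settings panel itself cannot be hidden this way.
    location / {
        proxy_pass http://127.0.0.1:5601;
    }

    # Settings writes. [^/]+ matches any config document version, so the
    # rule does not silently stop applying after a Kibana upgrade
    # (the post pins 4.1.3).
    location ~ ^/elasticsearch/\.kibana/config/[^/]+/_update$ {
        # Allowing GET also allows HEAD; every other method needs credentials.
        limit_except GET {
            auth_basic "Restricted";
            auth_basic_user_file /path/to/passwd/file;
        }

        # proxy_pass is not inherited from "location /", so it is repeated.
        # Inside a regex location it must be written without a URI part.
        proxy_pass http://127.0.0.1:5601;
    }
}
```

After reloading nginx, a POST to the `_update` path without credentials should return 401, while loading the Kibana UI should still succeed.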

We're working on releasing this sort of functionality into KB as well, though I don't have a timeframe.