We're currently working on upgrading our elasticsearch cluster to kibana4, and something we would like to do is restrict most users from accessing the 'settings' panel. We've attempted to do this through nginx unsuccessfully, as the settings panel is not populated by a second request (so restricting location becomes impossible).
I was able to get this sorted, for anyone who is interested. Since it seems that kibana loads everything at once, including the settings - having authentication for settings at the nginx level doesn't really work.
That said, individual POST requests are sent for settings changes, so you CAN require auth for post requests.
To do so (or, regex to match the path to _update)-
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.