Secure Kibana with Nginx and ldap authentication


#1

I have a 5 node elasticsearch cluster (2.3.1-1) with Kibana app (4.5.0-1), and marvel and Sense plugins installed running on OEL 7. I have used iptables and nginx to secure elasticsearch and the Kibana UI utilizing LDAP credentials. Both Developers & QA connect to https://es1-test.example.com and are authenticated using LDAP. I need to be able to allow our developers to access any elasticsearch endpoint over port 8080 but restrict our QA folks to just the search endpoint over 8443. I have this working using a client such as curl but cannot figure out how to get it working successfully using Sense in Kibana over port 443. A user restricted to the search endpoint can do anything in Sense once authenticated to Kibana if they just change the port to 9200. I am not sure how to restrict access to this port in Sense/Kibana since it seems like Kibana needs to be able to communicate with ES over port 9200. I think I am doubly confused since Kibana acts like a proxy to ES.


(Tim Sullivan) #2

Kibana is, as you say, a proxy to ES. You didn't say whether you have Shield installed but if you do, the privileges of the authenticated Shield user are taken to authenticate queries made to Elasticsearch.

> how to get it working successfully using sense in Kibana over port 443. A user restricted to the search endpoint can do anything in Sense once authenticated to Kibana if they just change the port to 9200

One thing that might help to know is that in Kibana 5.0, where Sense is renamed to Console, there isn't a way to change the address of the Elasticsearch node. It will just use the address and port given in kibana.yml as the only Elasticsearch connection it can know about.

