Authentication flow
To identify a user who wants to access the cluster, the security plugin needs the user’s credentials.
These credentials differ depending on how you’ve configured the plugin. For example, if you use basic authentication, the credentials are a user name and password. If you use a JSON web token, the credentials are stored within the token itself. If you use TLS certificates, the credentials are the distinguished name (DN) of the certificate.
After a backend verifies the user’s credentials, the plugin collects any backend roles. These roles can be arbitrary strings in the internal user database, but in most cases, these backend roles come from LDAP/Active Directory.
The user can now perform actions as defined by the mapped security roles. For example, a user might map to the kibana_user role and thus have permissions to access OpenSearch Dashboards.
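The flow above expressed in the plugin's configuration files, as an added example rather than configuration from the original page: basic authentication verified against the internal user database, backend roles collected from LDAP, and one backend role mapped to kibana_user. The domain names, host, DNs, bind password placeholder and LDAP group name are constructed placeholders.

```yaml
# File: config.yml (authentication and backend-role lookup)
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      basic_internal_auth_domain:        # domain name is arbitrary
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic                    # credentials are a user name and password
          challenge: true
        authentication_backend:
          type: internal                 # backend that verifies the credentials
    authz:
      roles_from_ldap:                   # domain name is arbitrary
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap                     # backend roles come from LDAP/Active Directory
          config:
            enable_ssl: true             # keep the directory lookup on TLS
            verify_hostnames: true
            hosts:
              - ldap.example.com:636     # placeholder host
            bind_dn: "cn=svc-opensearch,ou=services,dc=example,dc=com"  # placeholder
            password: "<bind-password>"  # placeholder, supply your own
            userbase: "ou=people,dc=example,dc=com"
            usersearch: "(uid={0})"
            rolebase: "ou=groups,dc=example,dc=com"
            rolesearch: "(member={0})"
            rolename: cn                 # attribute used as the backend role string
---
# File: roles_mapping.yml (backend role -> security role)
_meta:
  type: "rolesmapping"
  config_version: 2
kibana_user:
  backend_roles:
    - "dashboards-users"                 # constructed LDAP group name
```

The two YAML documents are separate files in the security configuration directory; they are shown in one block only to keep the flow in order.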