To use transport level authentication with Search Guard do:
- Set up a transport client, and configure it to use a client certificate when talking to Elasticsearch
- Configure the Distinguished Name of the certificate as a Search Guard user. This user does not need any login credentials or roles since it is already identified by its certificate
- Send a Basic Authentication header with each request. This header contains the username and password and want to use for this request
- Search Guard will apply all security checks for the provided credentials, as if they would have been provided on the REST level
- This means you can implement access control based on indices and types, and also apply document- and field-level security on the transport level.
See also https://floragunn.com/transport-client-authentication-authorization/