[Feature]: Authentication support for Jaeger UI #4840
Comments
yurishkuro
added
enhancement
help wanted
|
I marked it as good-first-issue, which is probably overly optimistic given the scope, but I think there are stills steps that could be done by new contributors. |
|
Hello @yurishkuro I would like to work on this issue can you please guide me to solve these issues? |
|
I wrote a plan in the ticket. What specific questions do you have on the first item? |
|
@yurishkuro , do we need to develop a server in Go lang using external libraries for OAuth/LDAP authentication that can be integrated with Jaeger? I am new to open source and eager to begin my journey by working on this issue. Could you please guide me? |
|
No, we do not need any new servers. The goal is to implement an integration of Jaeger query-service with existing auth solutions like OAuth/LDAP. |
|
is this approach is correct @yurishkuro ? : To enable OAuth2 authentication in Jaeger, we must first configure the Jaeger components ( query-service ) to work with an OAuth2 provider. This may necessitate the use of a custom middleware or plugin to manage the OAuth2 authentication flow. Additionally, we should set up an OAuth2 authentication middleware that can validate access tokens from the OAuth provider, leveraging existing OAuth2 libraries in Go. Finally, we can secure the Jaeger endpoints by implementing the OAuth2 middleware within the routing layer, thereby ensuring that only authenticated and authorized users can access the Jaeger UI and its associated API endpoints. |
|
Looks right, except for the last sentence, that's not needed. |
okay I got it ,
as per my choice , I would suggest Google OAuth2 as google provides comprehensive documentation and libraries for various programming languages, including Golang. Integrating Google OAuth2 with Golang-based Jaeger application can be relatively straightforward, especially with the availability of Golang libraries for Google APIs and authentication. |
|
OAuth2 is a standard, it shouldn't matter which provider you use, our code should not change because of that. It's going to be up to the end user to choose whichever provider they use. |
okay okay , thanks |
|
I assume we'd want to use https://github.com/golang/oauth2 |
yeah sure ! |
|
"Hey @yurishkuro, could you please guide me on the user authentication flow? I've written some code link provided , - is this what you want, and I'd like to know how I can integrate it with Jaeger. You mentioned earlier that the authentication server depends on the user's choice. To address this, I've created a YAML configuration file "see" where we can configure our IdentityProvider. Could you please review it? Thank you!" |
|
@siddharthsingh025 figuring out the flow is the meat of this issue. I expect the coding to be relatively straightforward once we define the flow. I don't have an answer - you could look at how other tools with authentication do it, eg grafana, Signoz, elastic observability. |
yeah sure , I got your point . i will figureOut 😃 and let you know |
|
After doing a bit of reading, I think this is unnecessary. Using a well-supported sidecar like keycloak is better than reinventing the wheel. Closing. |
Requirement
As an operator of Jaeger installation
I want to be able to setup a user authentication mechanism
to restrict which users can access tracing data in Jaeger UI.
Problem
Jaeger does not support authentication for UI today
Proposal
We may want to model the approach on how Grafana does it: https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/grafana/.
We do not want to re-implement everything from scratch, there are probably existing libraries that provide auth support for basic methods like name/pwd, LDAP, and OAuth. If such library has sensible dependencies it may be worth incorporating it.
The execution plan would be:
Open questions
No response
The text was updated successfully, but these errors were encountered: