[Feature] Authentication & Authorization limitations block SkyWalking adoption in large-scale banking environment (Tracing via Grafana?) #13653
Replies: 1 comment 6 replies
-
|
I converted this to a discussion. Here are some answers.
We have only TraceQL support for Zipkin/OTEL support, #13563. For native trace, we should be able to, but it will take time.
What kind of auth are you enabled for now? If it is just LDAP + SSO, there are a lot of gateway solutions that can do login auth with LDAP. e.g. goauthentik, keycloak |
Beta Was this translation helpful? Give feedback.
-
|
SkyWalking's data is centralized, and does not have isolation across cluster boundaries. I can't see how you can do that via Grafana, TBH. Even if we have TraceQL support. Still TraceQL, metrics Query, and topology query will clearly break your called tenancy boundaries. |
Beta Was this translation helpful? Give feedback.
-
|
Such as in the skywalking.apache.org#demo we have the Grafana setup, but all data is still there, and visible for all. |
Beta Was this translation helpful? Give feedback.
-
Thanks for the clarification — I fully understand your point about the centralized nature of SkyWalking and the lack of hard tenancy boundaries. From a large-scale enterprise / banking perspective, I just want to emphasize that some level of isolation between teams is a real and unavoidable requirement, even if it initially starts at the UI level. What I had in mind was not hard security isolation, but rather a pragmatic, UI-level restriction to reduce accidental cross-team visibility: Users in Grafana would be read-only Dashboards would be predefined and not editable Queries would be written in a way that only shows data for a specific Kubernetes namespace Explore mode and ad-hoc querying could be disabled I fully agree that this does not provide strong, enforceable multi-tenancy, but in some organizations it can still be a useful intermediate step while a proper solution does not exist. Given that, I’d really appreciate your opinion on two points: From your experience, is there any reasonable way to implement UI-level namespace filtering (even if not security-grade) that you would consider acceptable or at least low-risk? Looking forward, is namespace / tenant awareness something that could realistically be added to SkyWalking in the future (even incrementally), or is it fundamentally out of scope due to architectural reasons? Understanding whether this is: a short-term limitation, or a permanent design decision, would help us a lot in deciding how to proceed at scale. Thanks again for the open and honest discussion — it’s very helpful for us |
Beta Was this translation helpful? Give feedback.
-
|
There are two things.
|
Beta Was this translation helpful? Give feedback.
-
|
In all known commercial solution, they built their UI, rather than buildinh on the upstream UI. We all know the complexity and differences among companies. Only commercial vendors could have a unified and strong control to put strict mode for data isolation. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Search before asking
Description
Hello SkyWalking team 👋,
First of all, thank you for the great work on Apache SkyWalking.
We are currently evaluating SkyWalking as the main APM and observability platform in our organization, but we have encountered a critical blocker related to authentication and authorization.
Background
We are a large-scale banking organization with approximately 2000 servers and strict security and compliance requirements.
Due to the lack of built-in authentication and authorization mechanisms in SkyWalking (especially for UI and query access), our security team does not allow us to expose or adopt SkyWalking directly in our monitoring stack.
As a result, the migration of our enterprise monitoring system to SkyWalking is currently blocked.
Current Idea / Workaround
One workaround we are considering is:
Do NOT expose SkyWalking UI
Use Grafana as the only published UI
Rely on Grafana’s authentication & authorization mechanisms (LDAP / SSO / RBAC)
Connect Grafana to SkyWalking as a data source
This approach is more acceptable to our security team.
Problem with Tracing
While metrics and dashboards can be handled via Grafana, distributed tracing is a major concern:
As far as we know, Grafana does not fully support SkyWalking tracing features
We are especially concerned about TraceQL / trace querying / trace exploration
It is unclear whether:
Grafana currently supports SkyWalking tracing at all
TraceQL (or an equivalent) is supported or planned
There is a recommended way to visualize and query traces from SkyWalking inside Grafana
Questions
Is there an official or recommended way to visualize SkyWalking traces in Grafana?
Does Grafana support TraceQL (or SkyWalking trace query capabilities) today?
If not:
Is this support planned on the SkyWalking side or Grafana side?
Is there any ETA or roadmap?
Are there other recommended solutions or patterns for:
Securing SkyWalking in enterprise / banking environments
Providing authentication & authorization without exposing SkyWalking UI directly
Why this matters
SkyWalking fits our technical needs very well, but security compliance is mandatory in our environment.
Without a clear solution for authentication or a Grafana-based tracing strategy, it is difficult for us to move forward with SkyWalking adoption at enterprise scale.
Any guidance, best practices, or roadmap insights would be greatly appreciated 🙏
Thank you for your time and support.
Use case
No response
Related issues
No response
Are you willing to submit a pull request to implement this on your own?
Code of Conduct
Beta Was this translation helpful? Give feedback.
All reactions