
Top DevOps Voice – Jaeger UI and Grafana
Part 1 | Authentication and Authorization
To start, Jaeger UI handles authentication through a reverse proxy that sits in front of the UI service. Grafana uses its built-in authentication providers or integrates external identity providers via OAuth, LDAP, or SAML. Grafana then defines user roles and permissions to control access to dashboards and data sources, while Jaeger UI, which has no built-in authorization, manages permissions at the proxy level or by integrating an external service to handle authorization. Both Jaeger UI and Grafana are then served over HTTPS to encrypt traffic between end users and the services. User access rights are reviewed regularly to ensure that permissions are granted according to the principle of least privilege.
Read and comment my post via LinkedIn community advice
Part 2 | Encryption and TLS
ONE method for TLS and encryption is as follows:
1. Obtain SSL/TLS certificates for the domain from a trusted Certificate Authority (CA).
2. Configure TLS/SSL in both Jaeger UI and Grafana to use those certificates, so that all communication is encrypted.
3a. For Grafana, enable HTTPS by configuring the server section of the Grafana config file with the SSL certificate and private key.
3b. For Jaeger UI, set up a reverse proxy (e.g. Nginx, Apache) for TLS termination.
4. Redirect all HTTP traffic to HTTPS so that users always connect securely.
5. Implement HSTS so that browsers only interact with the sites over HTTPS.
Together, these steps encrypt traffic and safeguard against attacks, including man-in-the-middle attacks. Explore MITRE as well.
Part 3 | Roles and Permissions
The routine is as follows: On Grafana, assign users to the Viewer, Editor, or Admin role, each with a different level of access and permissions. This controls which tasks users can perform, including but not limited to managing dashboards, alerts, and data sources. Users are added and managed through Grafana’s UI or API, where roles and permissions are set up. On Jaeger UI, integrate a reverse proxy that supports authentication (I apply Nginx or Apache) to control access to Jaeger UI. On Jaeger, either manage permissions at the proxy level or integrate an external authorization service. Ultimately, only authorized administrators have access to the observability data, maintaining security and compliance within the relevant operations.
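The proxy and Grafana settings described in Part 2 (TLS termination, HTTP-to-HTTPS redirect, HSTS) and Part 3 (authentication enforced at the proxy in front of Jaeger UI) are easy to half-apply, so the following added example (not code from the original post or from the Jaeger or Grafana projects) shows a weak and a hardened Nginx config and grafana.ini side by side, plus a small linter that reports which requirements a config misses. Hostnames, certificate paths and the htpasswd file are assumptions; the Grafana keys (`protocol`, `cert_file`, `cert_key` under `[server]`) are Grafana's real configuration keys.

```python
import configparser
import re

# Constructed sample: TLS is terminated, but port 80 still serves Jaeger UI
# directly, no HSTS is sent, and nobody is asked to authenticate.
WEAK_NGINX = """
server {
    listen 80;
    server_name jaeger.example.internal;
    location / { proxy_pass http://jaeger-query:16686; }
}
server {
    listen 443 ssl;
    server_name jaeger.example.internal;
    ssl_certificate     /etc/nginx/tls/jaeger.crt;
    ssl_certificate_key /etc/nginx/tls/jaeger.key;
    location / { proxy_pass http://jaeger-query:16686; }
}
"""

# Constructed sample of the hardened form: port 80 only redirects, legacy TLS
# is off, HSTS is sent, and every request (UI and /api/ alike) must pass basic
# auth against an htpasswd file (assumed path) before reaching jaeger-query.
HARDENED_NGINX = """
server {
    listen 80;
    server_name jaeger.example.internal;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name jaeger.example.internal;
    ssl_certificate     /etc/nginx/tls/jaeger.crt;
    ssl_certificate_key /etc/nginx/tls/jaeger.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    auth_basic           "Jaeger UI";
    auth_basic_user_file /etc/nginx/jaeger.htpasswd;
    location / {
        proxy_pass http://jaeger-query:16686;
        proxy_set_header X-Forwarded-Proto https;
    }
}
"""

# Each rule pairs a requirement from Parts 2 and 3 with a regex that must match.
NGINX_RULES = [
    ("port 80 redirects to HTTPS", r"listen\s+80;[^}]*return\s+301\s+https://"),
    ("TLS certificate configured", r"ssl_certificate\s+\S+;"),
    ("TLS private key configured", r"ssl_certificate_key\s+\S+;"),
    ("legacy TLS versions disabled", r"ssl_protocols\s+TLSv1\.2(\s+TLSv1\.3)?;"),
    ("HSTS header sent", r'add_header\s+Strict-Transport-Security\s+"max-age=\d+'),
    ("authentication enforced at the proxy", r"auth_basic_user_file\s+\S+;"),
]


def lint_nginx(config: str) -> list[str]:
    """Return the requirements the Nginx config fails to meet (empty list = pass)."""
    return [name for name, pattern in NGINX_RULES if not re.search(pattern, config)]


# Constructed samples of the [server] section of grafana.ini before and after
# enabling HTTPS (step 3a in Part 2).
WEAK_GRAFANA_INI = """
[server]
protocol = http
http_port = 3000
"""

HARDENED_GRAFANA_INI = """
[server]
protocol = https
http_port = 3000
domain = grafana.example.internal
cert_file = /etc/grafana/tls/grafana.crt
cert_key = /etc/grafana/tls/grafana.key
"""


def lint_grafana(ini_text: str) -> list[str]:
    """Return the HTTPS requirements grafana.ini fails to meet (empty list = pass)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    server = cfg["server"] if cfg.has_section("server") else {}
    problems = []
    if server.get("protocol", "http") != "https":
        problems.append("server.protocol is not https")
    for key in ("cert_file", "cert_key"):
        if not server.get(key):
            problems.append(f"server.{key} is not set")
    return problems


if __name__ == "__main__":
    for label, cfg in (("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX)):
        print(label, "->", lint_nginx(cfg) or "OK")
    for label, ini in (("weak grafana", WEAK_GRAFANA_INI), ("hardened grafana", HARDENED_GRAFANA_INI)):
        print(label, "->", lint_grafana(ini) or "OK")
```

Run it as-is to see the weak configs flagged and the hardened ones pass; pointing `lint_nginx` and `lint_grafana` at the real files from a CI step catches the common regression where someone re-enables plain HTTP on the proxy or drops `auth_basic_user_file` while debugging. Basic auth is the simplest proxy-level control; the same linter idea applies if the proxy delegates to an external identity provider instead.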
Part 4 | Audit Logs and Metrics
On Grafana, enable audit logging to track important changes in the system, including but not limited to logins, additions, deletions, and updates of dashboards or data sources. Jaeger UI has no built-in audit logging, so instead use a reverse proxy that logs all incoming requests. Prometheus collects Jaeger and Grafana metrics by scraping their metrics endpoints. Then use the ELK Stack to aggregate and analyze the logs from the reverse proxy in front of Jaeger UI. Grafana dashboards, backed by Prometheus, visualise security patterns and issues. In essence, audit logs and metrics are for SecOps. I’m DevOps, not DevSecOps in depth, so I remind myself to connect with SecOps, in an agile way, throughout the DevOps lifecycle.
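Because the reverse proxy's access log is the only audit trail Jaeger UI gets, the following added example (not code from the original post) shows the kind of detection you would run over it before or alongside ELK: it parses Nginx combined-format lines, counts 401/403 responses per client address, flags addresses over a threshold, and renders per-status request counts in Prometheus exposition format so a scraper (for example node_exporter's textfile collector) can feed a Grafana panel. The log lines, addresses and user names are constructed samples.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of Nginx "combined" log lines from the proxy in front of
# Jaeger UI: two normal users, one unauthenticated client hammering /api/, and
# one authenticated user denied on a single path.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - alice [12/May/2024:10:01:02 +0000] "GET /search?service=cart HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/May/2024:10:01:09 +0000] "GET /api/traces?service=cart HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2024:10:02:00 +0000] "GET /api/services HTTP/1.1" 401 179 "-" "curl/8.4.0"
203.0.113.7 - - [12/May/2024:10:02:01 +0000] "GET /api/services HTTP/1.1" 401 179 "-" "curl/8.4.0"
203.0.113.7 - - [12/May/2024:10:02:02 +0000] "GET /api/traces HTTP/1.1" 401 179 "-" "curl/8.4.0"
203.0.113.7 - - [12/May/2024:10:02:03 +0000] "GET /api/traces HTTP/1.1" 401 179 "-" "curl/8.4.0"
203.0.113.7 - - [12/May/2024:10:02:04 +0000] "GET /api/traces HTTP/1.1" 401 179 "-" "curl/8.4.0"
10.0.0.9 - bob [12/May/2024:10:03:30 +0000] "GET /api/traces HTTP/1.1" 403 153 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/May/2024:10:03:31 +0000] "GET /search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Nginx combined format: ip ident user [time] "method path proto" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)


@dataclass
class Entry:
    ip: str
    user: str
    method: str
    path: str
    status: int
    agent: str


def parse_access_log(text: str) -> list[Entry]:
    """Parse combined-format lines; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m:
            entries.append(Entry(m["ip"], m["user"], m["method"], m["path"],
                                 int(m["status"]), m["agent"]))
    return entries


def auth_failures_by_ip(entries: list[Entry]) -> Counter:
    """Count 401 (not authenticated) and 403 (denied) responses per client address."""
    return Counter(e.ip for e in entries if e.status in (401, 403))


def suspicious_clients(entries: list[Entry], threshold: int = 3) -> list[str]:
    """Addresses with at least `threshold` auth failures, most frequent first."""
    return [ip for ip, n in auth_failures_by_ip(entries).most_common() if n >= threshold]


def prometheus_textfile(entries: list[Entry]) -> str:
    """Render per-status request counts in Prometheus exposition format."""
    by_status = Counter(e.status for e in entries)
    lines = ["# HELP jaeger_proxy_requests_total Requests seen by the Jaeger UI reverse proxy.",
             "# TYPE jaeger_proxy_requests_total counter"]
    for status in sorted(by_status):
        lines.append(f'jaeger_proxy_requests_total{{status="{status}"}} {by_status[status]}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    print("auth failures by client:", dict(auth_failures_by_ip(entries)))
    print("clients over threshold:", suspicious_clients(entries))
    print(prometheus_textfile(entries))
```

On the sample, the unauthenticated client at 203.0.113.7 is the only one over the threshold; bob's single 403 is the normal case of an authorized user hitting a path his role does not allow and is worth keeping in the audit trail but not alerting on. The same counts, once scraped, are what a Grafana panel would graph to show the "security patterns" mentioned above.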
Part 5 | Data Retention and Deletion
Because Jaeger stores data in a variety of backends (e.g. Elasticsearch, Cassandra, or Kafka), I’d configure data retention policies (DRP) directly in the backends to manage how long trace data is kept. That involves cron jobs that interact with the backend’s API to periodically delete old data according to the retention policy. I recommend mastering cron, as it is a rare skill. For Grafana, and more specifically for Prometheus as a data source, I’d set the retention policy in the data source’s own configuration, i.e. within Prometheus itself. In tandem, for dashboard snapshots and logs, Grafana provides options to delete them or set expiration times, managed through the UI or API. All of the above, on the DataOps side, ensures that only relevant, current data remains accessible.
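The cron job described above, as an added example (not code from the original post or the Jaeger project) for the Elasticsearch backend: Jaeger writes one span and one service index per day named `jaeger-span-YYYY-MM-DD` and `jaeger-service-YYYY-MM-DD`, so the job lists indices, keeps only those matching that pattern with a date older than the retention window, and deletes them through the REST API. The Elasticsearch URL, the default of 7 days and the environment variable names are assumptions; the job runs in dry-run mode unless `--apply` is passed, and it never touches an index whose name it does not recognise.

```python
import json
import os
import re
import sys
import urllib.request
from datetime import date, timedelta

ES_URL = os.environ.get("ES_URL", "http://elasticsearch:9200")  # assumed default
RETENTION_DAYS = int(os.environ.get("RETENTION_DAYS", "7"))     # assumed default
# Jaeger's daily indices: jaeger-span-YYYY-MM-DD and jaeger-service-YYYY-MM-DD.
INDEX_RE = re.compile(r"^(?P<prefix>jaeger-(?:span|service))-(?P<day>\d{4}-\d{2}-\d{2})$")


def expired_indices(names, today, retention_days):
    """Return, sorted, the Jaeger daily indices dated before today - retention_days.

    `today` may be a date or an ISO string. Anything that is not a well-formed
    Jaeger daily index (other applications' indices, a mangled date) is ignored
    rather than deleted, so a typo can never wipe unrelated data.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=retention_days)
    expired = []
    for name in names:
        m = INDEX_RE.match(name)
        if not m:
            continue
        try:
            day = date.fromisoformat(m["day"])
        except ValueError:
            continue  # e.g. jaeger-span-2024-13-40: skip, don't guess
        if day < cutoff:
            expired.append(name)
    return sorted(expired)


def list_indices(es_url):
    """GET /_cat/indices?format=json and return the index names."""
    with urllib.request.urlopen(f"{es_url}/_cat/indices?format=json", timeout=30) as resp:
        return [row["index"] for row in json.load(resp)]


def delete_index(es_url, name, dry_run=True):
    """DELETE /<index>; in dry-run mode only report what would be removed."""
    if dry_run:
        print(f"would delete {name}")
        return
    req = urllib.request.Request(f"{es_url}/{name}", method="DELETE")
    with urllib.request.urlopen(req, timeout=30) as resp:
        print(f"deleted {name}: HTTP {resp.status}")


if __name__ == "__main__":
    dry_run = "--apply" not in sys.argv
    for idx in expired_indices(list_indices(ES_URL), date.today(), RETENTION_DAYS):
        delete_index(ES_URL, idx, dry_run=dry_run)
```

A crontab line such as `0 2 * * * ES_URL=http://elasticsearch:9200 RETENTION_DAYS=7 python3 /opt/jaeger-retention.py --apply` (paths assumed) runs it nightly; run it once without `--apply` first to confirm the list. Deleting whole daily indices is cheap compared with deleting documents by query, which is why the retention boundary is a day rather than an hour. For Prometheus, the equivalent setting is its own `--storage.tsdb.retention.time` flag rather than anything in Grafana.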