This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components. We ask for community help with implementing additional security measures (see issue-1718 ).

SDK to Agent

Deployments that involve jaeger-agent are meant for trusted environments where the agent is run as a sidecar within the container’s network namespace, or as a host agent. Therefore, there is currently no support for traffic encryption between clients and agents.

• ❌ Sending trace data over UDP - no TLS/authentication.
• ❌ Retrieving sampling configuration via HTTP - no TLS/authentication.

SDK to Collector

OpenTelemetry SDKs can be configured to communicate directly with jaeger-collector via gRPC or HTTP, with optional TLS enabled.

• ✅ HTTP - TLS with mTLS (client cert authentication) supported.
• ✅ gRPC - TLS with mTLS (client cert authentication) supported.
  • Covers both span export and sampling configuration querying.

Agent to Collector

• ✅ gRPC - TLS with client cert authentication supported.

Collector/Ingester/Query-Service to Storage

• ✅ Cassandra - TLS with mTLS (client cert authentication) supported.
• ✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
• ✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).

Browser to UI

• ❌ HTTP - no TLS; bearer token authentication (pass-through to storage).
  • Blog post: Protecting Jaeger UI with an OAuth sidecar Proxy .
  • Blog post: Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift .

Consumers to Query Service

• ✅ HTTP - TLS with mTLS (client cert authentication) supported.
• ✅ gRPC - TLS with mTLS (client cert authentication) supported.