This page documents the existing security mechanisms in Jaeger, organized by the pairwise connections between Jaeger components. We ask for community help with implementing additional security measures (see issue-1718 ).

SDK to Collector

OpenTelemetry SDKs can be configured to communicate directly with jaeger-collector via gRPC or HTTP, with optional TLS enabled.

• ✅ HTTP - TLS with mTLS (client cert authentication) supported.
• ✅ gRPC - TLS with mTLS (client cert authentication) supported.
  • Covers both span export and sampling configuration querying.

Collector/Ingester/Query-Service to Storage

• ✅ Cassandra - TLS with mTLS (client cert authentication) supported.
• ✅ Elasticsearch - TLS with mTLS (client cert authentication) supported; bearer token propagation.
• ✅ Kafka - TLS with various authentication mechanisms supported (mTLS, Kerberos, plaintext).

Browser to UI

• ❌ HTTP - no TLS; bearer token authentication (pass-through to storage).
  • Blog post: Protecting Jaeger UI with an OAuth sidecar Proxy .
  • Blog post: Secure architecture for Jaeger with Apache httpd reverse proxy on OpenShift .

Consumers to Query Service

• ✅ HTTP - TLS with mTLS (client cert authentication) supported.
• ✅ gRPC - TLS with mTLS (client cert authentication) supported.