[Feature] Authentication & Authorization limitations block SkyWalking adoption in large-scale banking environment (Tracing via Grafana?)

[aliebrahimy]

Search before asking

• I had searched in the issues and found no similar feature requirement.

Description

Hello SkyWalking team 👋,

First of all, thank you for the great work on Apache SkyWalking.
We are currently evaluating SkyWalking as the main APM and observability platform in our organization, but we have encountered a critical blocker related to authentication and authorization.

Background

We are a large-scale banking organization with approximately 2000 servers and strict security and compliance requirements.
Due to the lack of built-in authentication and authorization mechanisms in SkyWalking (especially for UI and query access), our security team does not allow us to expose or adopt SkyWalking directly in our monitoring stack.

As a result, the migration of our enterprise monitoring system to SkyWalking is currently blocked.

Current Idea / Workaround

One workaround we are considering is:

Do NOT expose SkyWalking UI

Use Grafana as the only published UI

Rely on Grafana’s authentication & authorization mechanisms (LDAP / SSO / RBAC)

Connect Grafana to SkyWalking as a data source

This approach is more acceptable to our security team.

Problem with Tracing

While metrics and dashboards can be handled via Grafana, distributed tracing is a major concern:

As far as we know, Grafana does not fully support SkyWalking tracing features

We are especially concerned about TraceQL / trace querying / trace exploration

It is unclear whether:

Grafana currently supports SkyWalking tracing at all

TraceQL (or an equivalent) is supported or planned

There is a recommended way to visualize and query traces from SkyWalking inside Grafana

Questions

Is there an official or recommended way to visualize SkyWalking traces in Grafana?

Does Grafana support TraceQL (or SkyWalking trace query capabilities) today?

If not:

Is this support planned on the SkyWalking side or Grafana side?

Is there any ETA or roadmap?

Are there other recommended solutions or patterns for:

Securing SkyWalking in enterprise / banking environments

Providing authentication & authorization without exposing SkyWalking UI directly

Why this matters

SkyWalking fits our technical needs very well, but security compliance is mandatory in our environment.
Without a clear solution for authentication or a Grafana-based tracing strategy, it is difficult for us to move forward with SkyWalking adoption at enterprise scale.

Any guidance, best practices, or roadmap insights would be greatly appreciated 🙏

Thank you for your time and support.

Use case

No response

Related issues

No response

Are you willing to submit a pull request to implement this on your own?

• Yes I am willing to submit a pull request on my own!

Code of Conduct

• I agree to follow this project's Code of Conduct

[wu-sheng]

I converted this to a discussion. Here are some answers.

Grafana currently supports SkyWalking tracing at all
TraceQL (or an equivalent) is supported or planned

We have only TraceQL support for Zipkin/OTEL support, #13563. For native trace, we should be able to, but it will take time.

Use Grafana as the only published UI
Rely on Grafana’s authentication & authorization mechanisms (LDAP / SSO / RBAC)

What kind of auth are you enabled for now? If it is just LDAP + SSO, there are a lot of gateway solutions that can do login auth with LDAP. e.g. goauthentik, keycloak

[wu-sheng]

SkyWalking's data is centralized, and does not have isolation across cluster boundaries. I can't see how you can do that via Grafana, TBH. Even if we have TraceQL support. Still TraceQL, metrics Query, and topology query will clearly break your called tenancy boundaries.

[wu-sheng]

Such as in the skywalking.apache.org#demo we have the Grafana setup, but all data is still there, and visible for all.

[aliebrahimy]

SkyWalking's data is centralized, and does not have isolation across cluster boundaries. I can't see how you can do that via Grafana, TBH. Even if we have TraceQL support. Still TraceQL, metrics Query, and topology query will clearly break your called tenancy boundaries.

Thanks for the clarification — I fully understand your point about the centralized nature of SkyWalking and the lack of hard tenancy boundaries.

From a large-scale enterprise / banking perspective, I just want to emphasize that some level of isolation between teams is a real and unavoidable requirement, even if it initially starts at the UI level.

What I had in mind was not hard security isolation, but rather a pragmatic, UI-level restriction to reduce accidental cross-team visibility:

Users in Grafana would be read-only

Dashboards would be predefined and not editable

Queries would be written in a way that only shows data for a specific Kubernetes namespace

Explore mode and ad-hoc querying could be disabled

I fully agree that this does not provide strong, enforceable multi-tenancy, but in some organizations it can still be a useful intermediate step while a proper solution does not exist.

Given that, I’d really appreciate your opinion on two points:

From your experience, is there any reasonable way to implement UI-level namespace filtering (even if not security-grade) that you would consider acceptable or at least low-risk?

Looking forward, is namespace / tenant awareness something that could realistically be added to SkyWalking in the future (even incrementally), or is it fundamentally out of scope due to architectural reasons?

Understanding whether this is:

a short-term limitation,

or a permanent design decision,

would help us a lot in deciding how to proceed at scale.

Thanks again for the open and honest discussion — it’s very helpful for us

[wu-sheng]

There are two things.

1. TraceQL is on our plan. It could be 10.4 or 10.5. We are not sure yet. There is no tech block. Just take time.
2. About tenancy and data isolation, it is not in the skywalking landscape. It is typically provided by skywalking commercial distribution, as they have more time and ppl working on that.

[wu-sheng]

In all known commercial solution, they built their UI, rather than buildinh on the upstream UI. We all know the complexity and differences among companies. Only commercial vendors could have a unified and strong control to put strict mode for data isolation.

[wu-sheng]

We are happy to share, in the latest 10.4.0 release, we have TraceQL support(Tempo in Grafana) to query Zipkin/OTLP and SW native traces.

• https://skywalking.apache.org/docs/main/latest/en/api/traceql-service/#skywalking-native-trace-conversion