docs: Add explicit notes about authentication

CHANGELOG.md

@@ -1,5 +1,6 @@
 ## main / unreleased
 
+* [CHANGE] docs: Add explicit notes about authentication [#5735](https://github.com/grafana/tempo/pull/5735) (@electron0zero)
 * [ENHANCEMENT] On startup, first record for live store to consume is not older than two complete block timeouts [#5693](https://github.com/grafana/tempo/pull/5693) (@ruslan-mikhailov)
 * [ENHANCEMENT] Add secure connection support to tempo-cli [#5692](https://github.com/grafana/tempo/pull/5692) (@TheoBrigitte)
 * [ENHANCEMENT] Add config to enable instance label for spanmetrics series [#5706](https://github.com/grafana/tempo/pull/5706) (@ie-pham)

docs/sources/tempo/configuration/_index.md

@@ -16,43 +16,44 @@ Instructions for configuring Tempo data sources are available in the [Grafana Cl
 The Tempo configuration options include:
 
 - [Configure Tempo](#configure-tempo)
-  - [Use environment variables in the configuration](#use-environment-variables-in-the-configuration)
-  - [Server](#server)
-  - [Distributor](#distributor)
-    - [Set max attribute size to help control out of memory errors](#set-max-attribute-size-to-help-control-out-of-memory-errors)
-    - [gRPC compression](#grpc-compression)
-  - [Ingester](#ingester)
-    - [Ingester configuration block](#ingester-configuration-block)
-  - [Metrics-generator](#metrics-generator)
-  - [Query-frontend](#query-frontend)
-    - [Limit query size to improve performance and stability](#limit-query-size-to-improve-performance-and-stability)
-      - [Limit the spans per spanset](#limit-the-spans-per-spanset)
-      - [Cap the maximum query length](#cap-the-maximum-query-length)
-  - [Querier](#querier)
-  - [Compactor](#compactor)
-  - [Storage](#storage)
-    - [Local storage recommendations](#local-storage-recommendations)
-    - [Storage block configuration example](#storage-block-configuration-example)
-  - [Memberlist](#memberlist)
-  - [Configuration blocks](#configuration-blocks)
-    - [Block config](#block-config)
-    - [Filter policy config](#filter-policy-config)
-      - [Filter policy](#filter-policy)
-      - [Policy match](#policy-match)
-      - [Examples](#examples)
-    - [KVStore config](#kvstore-config)
-    - [Search config](#search-config)
-    - [WAL config](#wal-config)
-  - [Overrides](#overrides)
-    - [Ingestion limits](#ingestion-limits)
-      - [Standard overrides](#standard-overrides)
-      - [Tenant-specific overrides](#tenant-specific-overrides)
-        - [Runtime overrides](#runtime-overrides)
-        - [User-configurable overrides](#user-configurable-overrides)
-      - [Override strategies](#override-strategies)
-  - [Usage-report](#usage-report)
-    - [Configure usage-reporting](#configure-usage-reporting)
-  - [Cache](#cache)
+    - [Use environment variables in the configuration](#use-environment-variables-in-the-configuration)
+    - [Server](#server)
+    - [Distributor](#distributor)
+        - [Set max attribute size to help control out of memory errors](#set-max-attribute-size-to-help-control-out-of-memory-errors)
+        - [gRPC compression](#grpc-compression)
+    - [Ingester](#ingester)
+        - [Ingester configuration block](#ingester-configuration-block)
+    - [Metrics-generator](#metrics-generator)
+    - [Query-frontend](#query-frontend)
+        - [Limit query size to improve performance and stability](#limit-query-size-to-improve-performance-and-stability)
+            - [Limit the spans per spanset](#limit-the-spans-per-spanset)
+            - [Cap the maximum query length](#cap-the-maximum-query-length)
+    - [Querier](#querier)
+    - [Compactor](#compactor)
+    - [Storage](#storage)
+        - [Local storage recommendations](#local-storage-recommendations)
+        - [Storage block configuration example](#storage-block-configuration-example)
+    - [Memberlist](#memberlist)
+    - [Configuration blocks](#configuration-blocks)
+        - [Block config](#block-config)
+        - [Filter policy config](#filter-policy-config)
+            - [Filter policy](#filter-policy)
+            - [Policy match](#policy-match)
+            - [Examples](#examples)
+        - [KVStore config](#kvstore-config)
+        - [Search config](#search-config)
+        - [WAL config](#wal-config)
+    - [Overrides](#overrides)
+        - [Ingestion limits](#ingestion-limits)
+            - [Standard overrides](#standard-overrides)
+            - [Tenant-specific overrides](#tenant-specific-overrides)
+                - [Runtime overrides](#runtime-overrides)
+                - [User-configurable overrides](#user-configurable-overrides)
+            - [Override strategies](#override-strategies)
+    - [Usage-report](#usage-report)
+        - [Configure usage-reporting](#configure-usage-reporting)
+    - [Cache](#cache)
+    - [Configure authentication](#configure-authentication)
 
 Additionally, you can review [TLS](network/tls/) to configure the cluster components to communicate over TLS, or receive traces over TLS.
 
@@ -2259,3 +2260,7 @@ cache:
       redis:
         endpoint: redis-instance
 ```
+
+## Configure authentication
+
+Grafana Tempo does not come with any included authentication layer. You must run an authenticating reverse proxy in front of your services to prevent unauthorized access to Tempo (for example, nginx). [Manage authentication](https://grafana.com/docs/tempo/<TEMPO_VERSION>/operations/authentication/) for more details

docs/sources/tempo/operations/authentication.md

@@ -0,0 +1,26 @@
+---
+title: Manage authentication
+menuTitle: Authentication
+description: Describes how to add authentication to Grafana Tempo.
+weight: 
+---
+
+# Manage authentication
+
+Grafana Tempo does not come with any included authentication layer. You must run an authenticating reverse proxy in front of your services.
+
+We recommend that in all [deployment modes](https://grafana.com/docs/tempo/<TEMPO_VERSION>/setup/deployment/) you add a reverse proxy to be deployed in front of Tempo, to direct client API requests to the various components.
+
+A list of open-source reverse proxies you can use:
+
+- [HAProxy](https://docs.haproxy.org/ )
+- [NGINX](https://docs.nginx.com/nginx/) using their [guide on restricting access with HTTP basic authentication](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/)
+- [OAuth2 proxy](https://oauth2-proxy.github.io/oauth2-proxy/)
+- [Pomerium](https://www.pomerium.com/docs), which has a [guide for securing Grafana](https://www.pomerium.com/docs/guides/grafana)
+
+{{< admonition type="note" >}}
+When using Tempo in multi-tenant mode, Tempo requires the HTTP header
+`X-Scope-OrgID` to be set to a string identifying the tenant.
+It's assumed that clients setting `X-Scope-OrgID` are trusted clients, and the responsibility of populating this value should be handled by the authenticating reverse proxy.
+For more information, read the [multi-tenancy](https://grafana.com/docs/tempo/<TEMPO_VERSION>/operations/manage-advanced-systems/multitenancy/) documentation.
+{{< /admonition >}}

docs/sources/tempo/set-up-for-tracing/setup-tempo/deploy/_index.md

@@ -19,6 +19,10 @@ Tempo can be deployed in a number of ways, depending on your needs and environme
 
 You can also use Docker to deploy Tempo using [the Docker examples](https://github.com/grafana/tempo/tree/main/example/docker-compose).
 
+{{< admonition type="note" >}}
+Grafana Tempo does not come with any included authentication layer. You must run an authenticating reverse proxy in front of your services to prevent unauthorized access to Tempo (for example, nginx). [Manage authentication](https://grafana.com/docs/tempo/<TEMPO_VERSION>/operations/authentication/) for more details
+{{< /admonition >}}
+
 ## Deploy locally
 
 Monolithic mode (single binary) is commonly used for a local installation, testing, or small-scale deployments.

docs/sources/tempo/set-up-for-tracing/setup-tempo/deploy/kubernetes/_index.md

@@ -17,6 +17,10 @@ Kubernetes offers several deployment options for Tempo:
 
 Choose the method that best fits your Kubernetes workflow and operational requirements.
 
+{{< admonition type="note" >}}
+Grafana Tempo does not come with any included authentication layer. You must run an authenticating reverse proxy in front of your services to prevent unauthorized access to Tempo (for example, nginx). [Manage authentication](https://grafana.com/docs/tempo/<TEMPO_VERSION>/operations/authentication/) for more details
+{{< /admonition >}}
+
 ## Helm
 
 Helm charts are available in the `grafana/helm-charts` repository:

docs/sources/tempo/set-up-for-tracing/setup-tempo/deploy/locally/_index.md

@@ -10,3 +10,7 @@ You can deploy Tempo This section provides instructions for deploying Tempo loca
 
 {{< section withDescriptions="true">}}
 
+{{< admonition type="note" >}}
+Grafana Tempo does not come with any included authentication layer. You must run an authenticating reverse proxy in front of your services to prevent unauthorized access to Tempo (for example, nginx). [Manage authentication](https://grafana.com/docs/tempo/<TEMPO_VERSION>/operations/authentication/) for more details
+{{< /admonition >}}
+