You've built a shared observability platform. Multiple teams, one Grafana, one set of datasources. Now someone asks: "Can team A see team B's production logs?" And you realize you don't have a good answer.
Native multi-tenancy in the Prometheus/Loki/Tempo ecosystem relies on tenant IDs, a single header that grants all-or-nothing access to an entire tenant's data. But real organizations don't work that way. You need developers to see their namespace but not production secrets. You need the platform team to see everything. You need external contractors limited to a single service. Tenant IDs can't express these boundaries.
The alternatives? Run separate datasource instances per team (operational nightmare). Build custom authorization middleware for each query language (maintenance burden). Or trust everyone to add the right label filters manually (security theater).
This is why we built Janus, an open-source (AGPLv3) proxy that sits between Grafana and your datasources. It extracts identity from OAuth2 tokens, resolves policies, and automatically injects label filters into PromQL, LogQL, and TraceQL queries. Users query naturally - Janus enforces boundaries transparently.
We'll walk through the architecture, show deployment patterns for multi-tenant Kubernetes environments, and discuss the challenges of parsing and rewriting three distinct query languages. You'll leave with practical strategies for securing shared observability infrastructure, without sacrificing usability.