There is no need for a separate reverse proxy in front of Knox - other than for load balancing if desired.
Basically, the typical approach for multi-tenant deployments is to: 1. dedicate specific topologies to each tenant 2. have each topology authenticate against a specific LDAP server or some tenant specific OU within a single LDAP schema 3. have OS accounts for each user that is unique per tenant 4. use identity assertion providers to disambiguate the tenant by appending a tenant id or the like to the user name to match the tenant specific username in #3 5. you could use port mapping to remove the extra path "gateway/tenant-topology" from the tenant specific URLs HTH --larry On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <[email protected]> wrote: > Hello Sandeep, > > Thanks for your information. > > In our use case, we are designing hadoop security solution for a big > telecom company, and it have many corporation customers(tenant), so we try > to supply an unique access domain for every tenant, such as > cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their's > customized domain using CNAME. > > I have got some information about topology port mapping from 0.13.0, but > it seems have to deploy a reverse proxy before knox. > > In my opinion, many users of knox have the need to support tenant > deployment. > > > On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <[email protected]> > wrote: > >> Hello Tan, >> >> Can you describe your use case in more detail so I could answer it more >> accurately. About, virtual hosts we do not have a virtual host concept in >> Knox, although we we have Topology Port mapping >> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping> >> feature >> (0.13.0) which uses virtual hosts under the hood. Let me know if that >> interests you. >> >> Best, >> Sandeep >> >> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <[email protected]> >> wrote: >> >>> I have to deploy many topologies, and don't know how to set access >>> domain for every topology. >>> >>> Or knox doesn't support the feature like virtual host in apache >>> mod_proxy? >>> >>> Thanks. >>> >> >>
