Hello Larry, Thanks very much for your detail guide.
We already designed a similar deployment, but want give more convenience for user. Now the access path seems: tenant-doamin.com -> apache virtual host -> proxy to tenant-topology's port -> tenant-topology If Knox support some feature like domain mapping, the access path will be: tenant-doamin.com -> tenant-topology Does let knox support domain mapping make sense? On Mon, Sep 4, 2017 at 10:20 AM larry mccay <[email protected]> wrote: > There is no need for a separate reverse proxy in front of Knox - other > than for load balancing if desired. > > Basically, the typical approach for multi-tenant deployments is to: > > 1. dedicate specific topologies to each tenant > 2. have each topology authenticate against a specific LDAP server or some > tenant specific OU within a single LDAP schema > 3. have OS accounts for each user that is unique per tenant > 4. use identity assertion providers to disambiguate the tenant by > appending a tenant id or the like to the user name to match the tenant > specific username in #3 > 5. you could use port mapping to remove the extra path > "gateway/tenant-topology" from the tenant specific URLs > > HTH > > --larry > > On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <[email protected]> wrote: > >> Hello Sandeep, >> >> Thanks for your information. >> >> In our use case, we are designing hadoop security solution for a big >> telecom company, and it have many corporation customers(tenant), so we try >> to supply an unique access domain for every tenant, such as >> cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their's >> customized domain using CNAME. >> >> I have got some information about topology port mapping from 0.13.0, but >> it seems have to deploy a reverse proxy before knox. >> >> In my opinion, many users of knox have the need to support tenant >> deployment. >> >> >> On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <[email protected]> >> wrote: >> >>> Hello Tan, >>> >>> Can you describe your use case in more detail so I could answer it more >>> accurately. About, virtual hosts we do not have a virtual host concept in >>> Knox, although we we have Topology Port mapping >>> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping> >>> feature >>> (0.13.0) which uses virtual hosts under the hood. Let me know if that >>> interests you. >>> >>> Best, >>> Sandeep >>> >>> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <[email protected]> >>> wrote: >>> >>>> I have to deploy many topologies, and don't know how to set access >>>> domain for every topology. >>>> >>>> Or knox doesn't support the feature like virtual host in apache >>>> mod_proxy? >>>> >>>> Thanks. >>>> >>> >>> >
