Thanks, I have filed a JIRA, KNOX-1025 <https://issues.apache.org/jira/browse/KNOX-1025>: Topology Domain Mapping, and am trying to prepare the patch.

On Wed, Sep 6, 2017 at 12:00 AM larry mccay <[email protected]> wrote:

> Sure, I can see a feature that maps an incoming request domain to a
> particular topology.
> Feel free to file a JIRA for it and even provide a patch.
>
> Make sure to provide enough details of the use case in the JIRA.
>
> On Tue, Sep 5, 2017 at 5:37 AM, Benjamin Tan <[email protected]> wrote:
>
>> Hello Larry,
>>
>> Thanks very much for your detailed guide.
>>
>> We already designed a similar deployment, but want to give more
>> convenience to users.
>>
>> Now the access path seems to be:
>> tenant-doamin.com -> apache virtual host -> proxy to tenant-topology's port -> tenant-topology
>>
>> If Knox supports some feature like domain mapping, the access path will be:
>> tenant-doamin.com -> tenant-topology
>>
>> Does letting Knox support domain mapping make sense?
>>
>> On Mon, Sep 4, 2017 at 10:20 AM larry mccay <[email protected]> wrote:
>>
>>> There is no need for a separate reverse proxy in front of Knox - other
>>> than for load balancing if desired.
>>>
>>> Basically, the typical approach for multi-tenant deployments is to:
>>>
>>> 1. dedicate specific topologies to each tenant
>>> 2. have each topology authenticate against a specific LDAP server or
>>>    some tenant specific OU within a single LDAP schema
>>> 3. have OS accounts for each user that are unique per tenant
>>> 4. use identity assertion providers to disambiguate the tenant by
>>>    appending a tenant id or the like to the user name to match the
>>>    tenant specific username in #3
>>> 5. you could use port mapping to remove the extra path
>>>    "gateway/tenant-topology" from the tenant specific URLs
>>>
>>> HTH
>>>
>>> --larry
>>>
>>> On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <[email protected]> wrote:
>>>
>>>> Hello Sandeep,
>>>>
>>>> Thanks for your information.
>>>>
>>>> In our use case, we are designing a Hadoop security solution for a big
>>>> telecom company, and it has many corporate customers (tenants), so we
>>>> try to supply a unique access domain for every tenant, such as
>>>> cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their
>>>> customized domain using CNAME.
>>>>
>>>> I have got some information about topology port mapping from 0.13.0,
>>>> but it seems we have to deploy a reverse proxy before Knox.
>>>>
>>>> In my opinion, many users of Knox have the need to support tenant
>>>> deployment.
>>>>
>>>> On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <[email protected]> wrote:
>>>>
>>>>> Hello Tan,
>>>>>
>>>>> Can you describe your use case in more detail so I could answer it
>>>>> more accurately? About virtual hosts, we do not have a virtual host
>>>>> concept in Knox, although we have the Topology Port mapping
>>>>> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping>
>>>>> feature (0.13.0), which uses virtual hosts under the hood. Let me
>>>>> know if that interests you.
>>>>>
>>>>> Best,
>>>>> Sandeep
>>>>>
>>>>> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <[email protected]> wrote:
>>>>>
>>>>>> I have to deploy many topologies, and don't know how to set an
>>>>>> access domain for every topology.
>>>>>>
>>>>>> Or does Knox not support a feature like virtual host in Apache
>>>>>> mod_proxy?
>>>>>>
>>>>>> Thanks.
