Hello Sandeep & Larry,

Would you please review the PR for KNOX-1025?
https://github.com/apache/knox/pull/10

Thanks!

On Thu, Sep 7, 2017 at 12:18 AM larry mccay <[email protected]> wrote:

> Excellent!
>
> On Wed, Sep 6, 2017 at 11:04 AM, Benjamin Tan <[email protected]> wrote:
>
>> Thanks, I have filed a JIRA KNOX-1025
>> <https://issues.apache.org/jira/browse/KNOX-1025>: Topology Domain
>> Mapping, and am trying to prepare the patch.
>>
>> On Wed, Sep 6, 2017 at 12:00 AM larry mccay <[email protected]> wrote:
>>
>>> Sure, I can see a feature that maps an incoming request domain to a
>>> particular topology.
>>> Feel free to file a JIRA for it and even provide a patch.
>>>
>>> Make sure to provide enough details of the use case in the JIRA.
>>>
>>> On Tue, Sep 5, 2017 at 5:37 AM, Benjamin Tan <[email protected]>
>>> wrote:
>>>
>>>> Hello Larry,
>>>>
>>>> Thanks very much for your detailed guide.
>>>>
>>>> We already designed a similar deployment, but want to give
>>>> more convenience to users.
>>>>
>>>> Now the access path seems to be:
>>>> tenant-domain.com -> apache virtual host -> proxy to tenant-topology's
>>>> port -> tenant-topology
>>>>
>>>> If Knox supports some feature like domain mapping, the access path will
>>>> be:
>>>> tenant-domain.com -> tenant-topology
>>>>
>>>> Does letting Knox support domain mapping make sense?
>>>>
>>>> On Mon, Sep 4, 2017 at 10:20 AM larry mccay <[email protected]> wrote:
>>>>
>>>>> There is no need for a separate reverse proxy in front of Knox - other
>>>>> than for load balancing if desired.
>>>>>
>>>>> Basically, the typical approach for multi-tenant deployments is to:
>>>>>
>>>>> 1. dedicate specific topologies to each tenant
>>>>> 2. have each topology authenticate against a specific LDAP server or
>>>>> some tenant specific OU within a single LDAP schema
>>>>> 3. have OS accounts for each user that is unique per tenant
>>>>> 4. use identity assertion providers to disambiguate the tenant by
>>>>> appending a tenant id or the like to the user name to match the tenant
>>>>> specific username in #3
>>>>> 5. you could use port mapping to remove the extra path
>>>>> "gateway/tenant-topology" from the tenant specific URLs
>>>>>
>>>>> HTH
>>>>>
>>>>> --larry
>>>>>
>>>>> On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hello Sandeep,
>>>>>>
>>>>>> Thanks for your information.
>>>>>>
>>>>>> In our use case, we are designing a Hadoop security solution for a big
>>>>>> telecom company, and it has many corporation customers (tenants), so we
>>>>>> try to supply a unique access domain for every tenant, such as
>>>>>> cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their
>>>>>> customized domain using CNAME.
>>>>>>
>>>>>> I have got some information about topology port mapping from 0.13.0,
>>>>>> but it seems we have to deploy a reverse proxy before Knox.
>>>>>>
>>>>>> In my opinion, many users of Knox have the need to support tenant
>>>>>> deployment.
>>>>>>
>>>>>> On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Tan,
>>>>>>>
>>>>>>> Can you describe your use case in more detail so I could answer it
>>>>>>> more accurately? About virtual hosts, we do not have a virtual host
>>>>>>> concept in Knox, although we have the Topology Port mapping
>>>>>>> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping>
>>>>>>> feature (0.13.0) which uses virtual hosts under the hood. Let me know
>>>>>>> if that interests you.
>>>>>>>
>>>>>>> Best,
>>>>>>> Sandeep
>>>>>>>
>>>>>>> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <[email protected]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> I have to deploy many topologies, and don't know how to set the access
>>>>>>>> domain for every topology.
>>>>>>>>
>>>>>>>> Or doesn't Knox support a feature like virtual host in apache
>>>>>>>> mod_proxy?
>>>>>>>>
>>>>>>>> Thanks.
