Great, thanks Benjamin, I will review it soon. For now we do not do PRs, so can you create a patch and upload it to the JIRA KNOX-1025 <https://issues.apache.org/jira/browse/KNOX-1025>, we do it so we can track everything in JIRA and it will be easy to backport, also you can change the assignee filed to yourself !
Again, thanks a lot and I will try to review it as soon as I can ! Best, Sandeep On Fri, Sep 8, 2017 at 5:05 AM, Benjamin Tan <[email protected]> wrote: > Hello Sandeep & Larry, > > Would you please review the PR for KNOX-1025? > https://github.com/apache/knox/pull/10 > > Thanks! > > On Thu, Sep 7, 2017 at 12:18 AM larry mccay <[email protected]> wrote: > >> Excellent! >> >> On Wed, Sep 6, 2017 at 11:04 AM, Benjamin Tan <[email protected]> >> wrote: >> >>> Thanks, I have filed a JIRA KNOX-1025 >>> <https://issues.apache.org/jira/browse/KNOX-1025>: Topology Domain >>> Mapping, and trying to prepare the patch. >>> >>> On Wed, Sep 6, 2017 at 12:00 AM larry mccay <[email protected]> wrote: >>> >>>> Sure, I can see a feature that maps an incoming request domain to a >>>> particular topology. >>>> Feel free to file a JIRA for it and even provide a patch. >>>> >>>> Make sure to provide enough details of the usecase in the JIRA. >>>> >>>> On Tue, Sep 5, 2017 at 5:37 AM, Benjamin Tan <[email protected]> >>>> wrote: >>>> >>>>> Hello Larry, >>>>> >>>>> Thanks very much for your detail guide. >>>>> >>>>> We already designed a similar deployment, but want give >>>>> more convenience for user. >>>>> >>>>> Now the access path seems: >>>>> tenant-doamin.com -> apache virtual host -> proxy to >>>>> tenant-topology's port -> tenant-topology >>>>> >>>>> If Knox support some feature like domain mapping, the access path will >>>>> be: >>>>> tenant-doamin.com -> tenant-topology >>>>> >>>>> Does let knox support domain mapping make sense? >>>>> >>>>> On Mon, Sep 4, 2017 at 10:20 AM larry mccay <[email protected]> wrote: >>>>> >>>>>> There is no need for a separate reverse proxy in front of Knox - >>>>>> other than for load balancing if desired. >>>>>> >>>>>> Basically, the typical approach for multi-tenant deployments is to: >>>>>> >>>>>> 1. dedicate specific topologies to each tenant >>>>>> 2. have each topology authenticate against a specific LDAP server or >>>>>> some tenant specific OU within a single LDAP schema >>>>>> 3. have OS accounts for each user that is unique per tenant >>>>>> 4. use identity assertion providers to disambiguate the tenant by >>>>>> appending a tenant id or the like to the user name to match the tenant >>>>>> specific username in #3 >>>>>> 5. you could use port mapping to remove the extra path >>>>>> "gateway/tenant-topology" from the tenant specific URLs >>>>>> >>>>>> HTH >>>>>> >>>>>> --larry >>>>>> >>>>>> On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> Hello Sandeep, >>>>>>> >>>>>>> Thanks for your information. >>>>>>> >>>>>>> In our use case, we are designing hadoop security solution for a big >>>>>>> telecom company, and it have many corporation customers(tenant), so we >>>>>>> try >>>>>>> to supply an unique access domain for every tenant, such as >>>>>>> cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their's >>>>>>> customized domain using CNAME. >>>>>>> >>>>>>> I have got some information about topology port mapping from 0.13.0, >>>>>>> but it seems have to deploy a reverse proxy before knox. >>>>>>> >>>>>>> In my opinion, many users of knox have the need to support tenant >>>>>>> deployment. >>>>>>> >>>>>>> >>>>>>> On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <[email protected]> >>>>>>> wrote: >>>>>>> >>>>>>>> Hello Tan, >>>>>>>> >>>>>>>> Can you describe your use case in more detail so I could answer it >>>>>>>> more accurately. About, virtual hosts we do not have a virtual host >>>>>>>> concept >>>>>>>> in Knox, although we we have Topology Port mapping >>>>>>>> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping> >>>>>>>> feature >>>>>>>> (0.13.0) which uses virtual hosts under the hood. Let me know if that >>>>>>>> interests you. >>>>>>>> >>>>>>>> Best, >>>>>>>> Sandeep >>>>>>>> >>>>>>>> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <[email protected] >>>>>>>> > wrote: >>>>>>>> >>>>>>>>> I have to deploy many topologies, and don't know how to set access >>>>>>>>> domain for every topology. >>>>>>>>> >>>>>>>>> Or knox doesn't support the feature like virtual host in apache >>>>>>>>> mod_proxy? >>>>>>>>> >>>>>>>>> Thanks. >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>> >>>> >>
