Yeah, Rick - we have always advocated using some sort of loadbalancer in front of some number of Knox instances. I think we document one way to use Apache as a loadbalancer across a cluster of Knox instances; others have used Nginx as well.
I think this is more REST friendly than forcing some specific leader determining protocol on the clients. You certainly could also use DNS based loadbalancing and there are a number of services available for that these days too.

On Wed, Jun 14, 2017 at 3:44 PM, Rick Kellogg <[email protected]> wrote:

> Larry,
>
> You are absolutely correct. We should not be able to see the protected
> Zookeeper instance in the first place.
>
> What I am trying to solve is the problem of which Knox Gateway instance is
> available to our external client app. We hope to have several for load
> balancing and high availability purposes. Another hardware option is the
> use of an F5 with DNS load balancing against Knox.
>
> Thanks for bringing this up.
> Rick
>
> -----Original Message-----
> From: larry mccay [mailto:[email protected]]
> Sent: Wednesday, June 14, 2017 3:18 PM
> To: [email protected]
> Subject: Re: Knox Gateway Registration within Zookeeper
>
> Hi Rick -
>
> It's an interesting thought.
> My follow up question would be...
>
> How often does the REST client that is having access to services gated by
> Knox have line of sight of ZK?
> My personal expectation is that most clients of Knox do not and ZK should
> actually be hidden from them.
>
> ZK is rather cumbersome to secure and there are lots of sensitive network
> topology and state information in there.
>
> While I do dream of the day that Knox will be able to discover all the
> URLs of the services in a topology from the ZK based register, I don't
> think that I can see the value in having Knox be discoverable through it.
>
> Can you more fully articulate the use case?
>
> thanks!
>
> --larry
>
> On Wed, Jun 14, 2017 at 3:11 PM, Rick Kellogg <[email protected]>
> wrote:
>
> > Greetings,
> >
> > What are your thoughts about optional registering of live Knox Gateway
> > instances in Zookeeper? Then as a client, I could query Zookeeper to
> > find a valid host.
> >
> > No idea of complexity involved but it seems to be a good idea to me.
> >
> > Thoughts?
> >
> > Rick
