[ 
https://issues.apache.org/jira/browse/DISPATCH-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072650#comment-17072650
 ] 

Ulf Lilleengen edited comment on DISPATCH-1585 at 4/18/20, 7:03 AM:
--------------------------------------------------------------------

[~tross]

Let's say you have a service supporting multiple tenants, but a single tenant can 
have applications running in 2 separate networks (but they belong to the same 
'tenant', i.e. they have the same addresses), so the client applications 
connect to the router via 2 different hosts, let's say internal.example.com and 
public.example.com. Today, I would need to model it this way (omitting the 
broker connector and simplifying some details):

 
{code:java}
[
    ["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
    ["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],

    ["vhost", { "hostname": "internal.example.com", "allowUnknownUser": true, // ... }],
    ["address", { "waypoint": true, "prefix": "internal.example.com/foo" }],
    ["autoLink", { "address": "internal.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
    ["autoLink", { "address": "internal.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],

    ["vhost", { "hostname": "public.example.com", "allowUnknownUser": true, // ... }],
    ["address", { "waypoint": true, "prefix": "public.example.com/foo" }],
    ["autoLink", { "address": "public.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
    ["autoLink", { "address": "public.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }]
]
{code}
So, for every host to expose for this tenant, a lot of configuration is needed. 
There is only one address in this example, but when you have 10k addresses, it's 
starting to be a lot of work reconfiguring the router just to expose on a new 
host.

So, what would be very useful for this case is to have some way to specify a 
mapping from virtual host to the prefix matched for addresses. I.e.:
{code:java}
[
    ["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
    ["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],

    // List of hostnames that this vhost should apply to, and a prefix that
    // hostnames should be replaced with when doing routing.
    ["vhost", { "hostnames": ["internal.example.com", "public.example.com"], "internalHost": "tenant1", "allowUnknownUser": true, // ... }],

    ["address", { "waypoint": true, "prefix": "tenant1/foo" }],
    ["autoLink", { "address": "tenant1/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
    ["autoLink", { "address": "tenant1/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }]
]
{code}
 

This means the amount of configuration to change would be a lot less if you 
have many addresses. There are probably better ways to model this than my 
example, but hopefully it shows the reason for raising this issue.


was (Author: lulf):
[~tross]

Let's say you have a service supporting multiple tenants, but a single tenant can 
have applications running in 2 separate networks (but they belong to the same 
'tenant', i.e. they have the same addresses), so the client applications 
connect to the router via 2 different hosts, let's say internal.example.com and 
public.example.com. Today, I would need to model it this way (omitting the 
broker connector and simplifying some details):

 
{code:java}
[
    ["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
    ["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],

    ["vhost", { "hostname": "internal.example.com", "allowUnknownUser": true, // ... }],
    ["address", { "waypoint": true, "prefix": "internal.example.com/foo" }],
    ["autoLink", { "address": "internal.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
    ["autoLink", { "address": "internal.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],

    ["vhost", { "hostname": "public.example.com", "allowUnknownUser": true, // ... }],
    ["address", { "waypoint": true, "prefix": "public.example.com/foo" }],
    ["autoLink", { "address": "public.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
    ["autoLink", { "address": "public.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }]
]
{code}
So, for every host to expose for this tenant, a lot of configuration is needed. 
There is only one address in this example, but when you have 10k addresses, it's 
starting to be a lot of work reconfiguring the router just to expose on a new 
host.

So, what would be very useful for this case is to have some way to specify a 
mapping from virtual host to the prefix matched for addresses. I.e.:
{code:java}
[
    ["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
    ["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],

    // List of hostnames that this vhost should apply to, and a prefix that
    // hostnames should be replaced with when doing routing.
    ["vhost", { "hostnames": ["internal.example.com", "public.example.com"], "prefix": "tenant1", "allowUnknownUser": true, // ... }],

    ["address", { "waypoint": true, "prefix": "tenant1/foo" }],
    ["autoLink", { "address": "tenant1/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
    ["autoLink", { "address": "tenant1/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }]
]
{code}
 

This means the amount of configuration to change would be a lot less if you 
have many addresses. There are probably better ways to model this than my 
example, but hopefully it shows the reason for raising this issue.

> Allow specifying address/source/target to be used for a multitenant listener
> ----------------------------------------------------------------------------
>
>                 Key: DISPATCH-1585
>                 URL: https://issues.apache.org/jira/browse/DISPATCH-1585
>             Project: Qpid Dispatch
>          Issue Type: Wish
>            Reporter: Ulf Lilleengen
>            Priority: Major
>
> At present, a multitenant router listener will prefix addresses with the 
> hostname in the AMQP Open. However, given a configuration where it is 
> desirable to expose a router address space for multiple DNS names, any 
> address, linkRoute and autoLink configuration will need to be duplicated for 
> each DNS name. This complicates router configuration significantly.
>  
> Instead, having a way to specify which prefix to apply for a multitenant 
> listener would allow reusing the same address, autoLink and linkRoute 
> configuration for multiple listeners.
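
Added example, not part of the original comment or of Qpid Dispatch: a small Python model of the two layouts above, comparing how many entities each needs and how the proposed hostname-to-prefix mapping would resolve addresses. The "hostnames" and "internalHost" attributes are the comment's proposal, not existing router options, and the collision checks in alias_map and routed_address are assumptions added here to keep tenants' address spaces apart.

```python
HOSTS = ("internal.example.com", "public.example.com")  # constructed, from the comment

def expand(prefix, addresses, broker_prefix="t1"):
    """address + in/out autoLink entities for one routed prefix, as in the comment."""
    out = []
    for a in addresses:
        out.append(["address", {"waypoint": True, "prefix": f"{prefix}/{a}"}])
        for d in ("out", "in"):
            out.append(["autoLink", {"address": f"{prefix}/{a}", "direction": d,
                                     "connection": "broker",
                                     "externalAddress": f"{broker_prefix}/{a}"}])
    return out

def current_model(hostnames, addresses):
    """Today: one vhost and a full copy of the address config per hostname."""
    cfg = []
    for h in hostnames:
        cfg.append(["vhost", {"hostname": h, "allowUnknownUser": True}])
        cfg += expand(h, addresses)
    return cfg

def proposed_model(hostnames, internal_host, addresses):
    """Proposal: one vhost lists every hostname; addresses hang off internalHost."""
    vhost = ["vhost", {"hostnames": list(hostnames), "internalHost": internal_host,
                       "allowUnknownUser": True}]
    return [vhost] + expand(internal_host, addresses)

def alias_map(cfg):
    """hostname -> internalHost, rejecting mappings that would merge two tenants."""
    vhosts = [e[1] for e in cfg if e[0] == "vhost" and "internalHost" in e[1]]
    internal = {v["internalHost"] for v in vhosts}
    aliases = {}
    for v in vhosts:
        for h in v["hostnames"]:
            if h in internal:
                raise ValueError(f"{h} is also used as an internalHost")
            if aliases.get(h, v["internalHost"]) != v["internalHost"]:
                raise ValueError(f"{h} is mapped to two tenants")
            aliases[h] = v["internalHost"]
    return aliases

def routed_address(open_hostname, link_address, aliases):
    """Multitenant prefixing: mapped hostnames share a prefix, others keep their own."""
    if open_hostname in aliases.values():  # assumption: internal names are not valid Open hostnames
        raise PermissionError(f"{open_hostname} is reserved as an internal prefix")
    return f"{aliases.get(open_hostname, open_hostname)}/{link_address}"

if __name__ == "__main__":
    print(len(current_model(HOSTS, ["foo"])), len(proposed_model(HOSTS, "tenant1", ["foo"])))
```

With one address the current layout needs 8 entities against 4 for the proposal, and each extra hostname adds a full copy of the address and autoLink set only in the current layout.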


