Excellent! On Wed, Sep 6, 2017 at 11:04 AM, Benjamin Tan <[email protected]> wrote:
> Thanks, I have filed a JIRA KNOX-1025 > <https://issues.apache.org/jira/browse/KNOX-1025>: Topology Domain > Mapping, and trying to prepare the patch. > > On Wed, Sep 6, 2017 at 12:00 AM larry mccay <[email protected]> wrote: > >> Sure, I can see a feature that maps an incoming request domain to a >> particular topology. >> Feel free to file a JIRA for it and even provide a patch. >> >> Make sure to provide enough details of the usecase in the JIRA. >> >> On Tue, Sep 5, 2017 at 5:37 AM, Benjamin Tan <[email protected]> wrote: >> >>> Hello Larry, >>> >>> Thanks very much for your detail guide. >>> >>> We already designed a similar deployment, but want give more convenience >>> for user. >>> >>> Now the access path seems: >>> tenant-doamin.com -> apache virtual host -> proxy to tenant-topology's >>> port -> tenant-topology >>> >>> If Knox support some feature like domain mapping, the access path will >>> be: >>> tenant-doamin.com -> tenant-topology >>> >>> Does let knox support domain mapping make sense? >>> >>> On Mon, Sep 4, 2017 at 10:20 AM larry mccay <[email protected]> wrote: >>> >>>> There is no need for a separate reverse proxy in front of Knox - other >>>> than for load balancing if desired. >>>> >>>> Basically, the typical approach for multi-tenant deployments is to: >>>> >>>> 1. dedicate specific topologies to each tenant >>>> 2. have each topology authenticate against a specific LDAP server or >>>> some tenant specific OU within a single LDAP schema >>>> 3. have OS accounts for each user that is unique per tenant >>>> 4. use identity assertion providers to disambiguate the tenant by >>>> appending a tenant id or the like to the user name to match the tenant >>>> specific username in #3 >>>> 5. you could use port mapping to remove the extra path >>>> "gateway/tenant-topology" from the tenant specific URLs >>>> >>>> HTH >>>> >>>> --larry >>>> >>>> On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <[email protected]> >>>> wrote: >>>> >>>>> Hello Sandeep, >>>>> >>>>> Thanks for your information. >>>>> >>>>> In our use case, we are designing hadoop security solution for a big >>>>> telecom company, and it have many corporation customers(tenant), so we try >>>>> to supply an unique access domain for every tenant, such as >>>>> cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their's >>>>> customized domain using CNAME. >>>>> >>>>> I have got some information about topology port mapping from 0.13.0, >>>>> but it seems have to deploy a reverse proxy before knox. >>>>> >>>>> In my opinion, many users of knox have the need to support tenant >>>>> deployment. >>>>> >>>>> >>>>> On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <[email protected]> >>>>> wrote: >>>>> >>>>>> Hello Tan, >>>>>> >>>>>> Can you describe your use case in more detail so I could answer it >>>>>> more accurately. About, virtual hosts we do not have a virtual host >>>>>> concept >>>>>> in Knox, although we we have Topology Port mapping >>>>>> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping> >>>>>> feature >>>>>> (0.13.0) which uses virtual hosts under the hood. Let me know if that >>>>>> interests you. >>>>>> >>>>>> Best, >>>>>> Sandeep >>>>>> >>>>>> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <[email protected]> >>>>>> wrote: >>>>>> >>>>>>> I have to deploy many topologies, and don't know how to set access >>>>>>> domain for every topology. >>>>>>> >>>>>>> Or knox doesn't support the feature like virtual host in apache >>>>>>> mod_proxy? >>>>>>> >>>>>>> Thanks. >>>>>>> >>>>>> >>>>>> >>>> >>
