Posted to user@knox.apache.org by Benjamin Tan <ta...@gmail.com> on 2017/09/04 01:34:54 UTC

Re: How to setup vhost/domain for knox topology?

Hello Sandeep,

Thanks for your information.

In our use case, we are designing a Hadoop security solution for a big
telecom company, and it has many corporate customers (tenants), so we try
to supply a unique access domain for every tenant, such as
cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or their
customized domain using CNAME.

I have got some information about topology port mapping from 0.13.0, but it
seems we have to deploy a reverse proxy before Knox.

In my opinion, many users of knox have the need to support tenant
deployment.


On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <mo...@gmail.com> wrote:

> Hello Tan,
>
> Can you describe your use case in more detail so I could answer it more
> accurately? About virtual hosts: we do not have a virtual host concept in
> Knox, although we have the Topology Port mapping
> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping> feature
> (0.13.0) which uses virtual hosts under the hood. Let me know if that
> interests you.
>
> Best,
> Sandeep
>
> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <ta...@gmail.com>
> wrote:
>
>> I have to deploy many topologies, and don't know how to set an access domain
>> for every topology.
>>
>> Or does Knox not support a feature like virtual hosts in Apache mod_proxy?
>>
>> Thanks.
>>
>
>

Re: How to setup vhost/domain for knox topology?

Posted by Benjamin Tan <ta...@gmail.com>.
I have created a patch and uploaded it to the JIRA, but can't change the
assignee to myself; maybe I don't have assignment permission.

P.S. I created the patch using the command below:
git diff master KNOX-1025 > ../knox-1025.patch
And the commits of master and KNOX-1025 are:
* KNOX-1025                               5808d5d KNOX-1025 - Topology Domain Mapping
  master                                        c7cbd46 KNOX-962 - Add signature validation tests for the JWT filters

Best,
Benjamin

On Fri, Sep 8, 2017 at 8:59 PM Sandeep More <mo...@gmail.com> wrote:

> Great, thanks Benjamin, I will review it soon.
> For now we do not do PRs, so can you create a patch and upload it to the
> JIRA KNOX-1025 <https://issues.apache.org/jira/browse/KNOX-1025>? We do
> it so we can track everything in JIRA and it will be easy to backport. Also,
> you can change the assignee field to yourself!
>
> Again, thanks a lot and I will try to review it as soon as I can!
>
> Best,
> Sandeep
>
> On Fri, Sep 8, 2017 at 5:05 AM, Benjamin Tan <ta...@gmail.com> wrote:
>
>> Hello Sandeep & Larry,
>>
>> Would you please review the PR for KNOX-1025?
>> https://github.com/apache/knox/pull/10
>>
>> Thanks!
>>
>> On Thu, Sep 7, 2017 at 12:18 AM larry mccay <lm...@apache.org> wrote:
>>
>>> Excellent!
>>>
>>> On Wed, Sep 6, 2017 at 11:04 AM, Benjamin Tan <ta...@gmail.com>
>>> wrote:
>>>
>>>> Thanks, I have filed a JIRA KNOX-1025
>>>> <https://issues.apache.org/jira/browse/KNOX-1025>: Topology Domain
>>>> Mapping, and am trying to prepare the patch.
>>>>
>>>> On Wed, Sep 6, 2017 at 12:00 AM larry mccay <lm...@apache.org> wrote:
>>>>
>>>>> Sure, I can see a feature that maps an incoming request domain to a
>>>>> particular topology.
>>>>> Feel free to file a JIRA for it and even provide a patch.
>>>>>
>>>>> Make sure to provide enough details of the use case in the JIRA.
>>>>>
>>>>> On Tue, Sep 5, 2017 at 5:37 AM, Benjamin Tan <ta...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello Larry,
>>>>>>
>>>>>> Thanks very much for your detailed guide.
>>>>>>
>>>>>> We already designed a similar deployment, but want to give
>>>>>> more convenience to the user.
>>>>>>
>>>>>> Now the access path seems to be:
>>>>>> tenant-domain.com -> apache virtual host -> proxy to
>>>>>> tenant-topology's port -> tenant-topology
>>>>>>
>>>>>> If Knox supports some feature like domain mapping, the access path
>>>>>> will be:
>>>>>> tenant-domain.com -> tenant-topology
>>>>>>
>>>>>> Does letting Knox support domain mapping make sense?
>>>>>>
>>>>>> On Mon, Sep 4, 2017 at 10:20 AM larry mccay <lm...@apache.org>
>>>>>> wrote:
>>>>>>
>>>>>>> There is no need for a separate reverse proxy in front of Knox -
>>>>>>> other than for load balancing if desired.
>>>>>>>
>>>>>>> Basically, the typical approach for multi-tenant deployments is to:
>>>>>>>
>>>>>>> 1. dedicate specific topologies to each tenant
>>>>>>> 2. have each topology authenticate against a specific LDAP server or
>>>>>>> some tenant specific OU within a single LDAP schema
>>>>>>> 3. have OS accounts for each user that is unique per tenant
>>>>>>> 4. use identity assertion providers to disambiguate the tenant by
>>>>>>> appending a tenant id or the like to the user name to match the tenant
>>>>>>> specific username in #3
>>>>>>> 5. you could use port mapping to remove the extra path
>>>>>>> "gateway/tenant-topology" from the tenant specific URLs
>>>>>>>
>>>>>>> HTH
>>>>>>>
>>>>>>> --larry
>>>>>>>
>>>>>>> On Sun, Sep 3, 2017 at 9:34 PM, Benjamin Tan <ta...@gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hello Sandeep,
>>>>>>>>
>>>>>>>> Thanks for your information.
>>>>>>>>
>>>>>>>> In our use case, we are designing a Hadoop security solution for a
>>>>>>>> big telecom company, and it has many corporate customers (tenants), so we
>>>>>>>> try to supply a unique access domain for every tenant, such as
>>>>>>>> cust1.the-hadoop-domain.com, cust2.the-hadoop-domain.com or
>>>>>>>> their customized domain using CNAME.
>>>>>>>>
>>>>>>>> I have got some information about topology port mapping from
>>>>>>>> 0.13.0, but it seems we have to deploy a reverse proxy before Knox.
>>>>>>>>
>>>>>>>> In my opinion, many users of knox have the need to support tenant
>>>>>>>> deployment.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Sep 1, 2017 at 12:23 AM Sandeep More <mo...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hello Tan,
>>>>>>>>>
>>>>>>>>> Can you describe your use case in more detail so I could answer it
>>>>>>>>> more accurately? About virtual hosts: we do not have a virtual host concept
>>>>>>>>> in Knox, although we have the Topology Port mapping
>>>>>>>>> <http://knox.apache.org/books/knox-0-13-0/user-guide.html#Topology+Port+Mapping> feature
>>>>>>>>> (0.13.0) which uses virtual hosts under the hood. Let me know if that
>>>>>>>>> interests you.
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>> Sandeep
>>>>>>>>>
>>>>>>>>> On Wed, Aug 30, 2017 at 11:48 PM, Benjamin Tan <
>>>>>>>>> tanbamboo@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> I have to deploy many topologies, and don't know how to set
>>>>>>>>>> an access domain for every topology.
>>>>>>>>>>
>>>>>>>>>> Or does Knox not support a feature like virtual hosts in Apache
>>>>>>>>>> mod_proxy?
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>
>>>
>

Re: How to setup vhost/domain for knox topology?

Posted by Sandeep More <mo...@gmail.com>.
Great, thanks Benjamin, I will review it soon.
For now we do not do PRs, so can you create a patch and upload it to the
JIRA KNOX-1025 <https://issues.apache.org/jira/browse/KNOX-1025>? We do it
so we can track everything in JIRA and it will be easy to backport. Also,
you can change the assignee field to yourself!

Again, thanks a lot and I will try to review it as soon as I can!

Best,
Sandeep


Re: How to setup vhost/domain for knox topology?

Posted by Benjamin Tan <ta...@gmail.com>.
Hello Sandeep & Larry,

Would you please review the PR for KNOX-1025?
https://github.com/apache/knox/pull/10

Thanks!


Re: How to setup vhost/domain for knox topology?

Posted by larry mccay <lm...@apache.org>.
Excellent!


Re: How to setup vhost/domain for knox topology?

Posted by Benjamin Tan <ta...@gmail.com>.
Thanks, I have filed a JIRA KNOX-1025
<https://issues.apache.org/jira/browse/KNOX-1025>: Topology Domain Mapping,
and am trying to prepare the patch.


Re: How to setup vhost/domain for knox topology?

Posted by larry mccay <lm...@apache.org>.
Sure, I can see a feature that maps an incoming request domain to a
particular topology.
Feel free to file a JIRA for it and even provide a patch.

Make sure to provide enough details of the use case in the JIRA.


Re: How to setup vhost/domain for knox topology?

Posted by Benjamin Tan <ta...@gmail.com>.
Hello Larry,

Thanks very much for your detailed guide.

We already designed a similar deployment, but want to give more convenience
to the user.

Now the access path seems to be:
tenant-domain.com -> apache virtual host -> proxy to tenant-topology's port
-> tenant-topology

If Knox supports some feature like domain mapping, the access path will be:
tenant-domain.com -> tenant-topology

Does letting Knox support domain mapping make sense?


Re: How to setup vhost/domain for knox topology?

Posted by larry mccay <lm...@apache.org>.
There is no need for a separate reverse proxy in front of Knox - other than
for load balancing if desired.

Basically, the typical approach for multi-tenant deployments is to:

1. dedicate specific topologies to each tenant
2. have each topology authenticate against a specific LDAP server or some
tenant specific OU within a single LDAP schema
3. have OS accounts for each user that is unique per tenant
4. use identity assertion providers to disambiguate the tenant by appending
a tenant id or the like to the user name to match the tenant specific
username in #3
5. you could use port mapping to remove the extra path
"gateway/tenant-topology" from the tenant specific URLs

HTH

--larry

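
The five steps larry lists in the message above, sketched as Knox configuration for a single tenant. This is an added example, not part of the original thread and not the Knox project's own files. The tenant name cust1, the LDAP host and DN layout, port 9443 and the WebHDFS URL are constructed placeholders, and the class names assume the 0.13.0 package naming.

```xml
<!-- ===== conf/topologies/cust1.xml : one topology per tenant (step 1) ===== -->
<!-- Constructed example: cust1, the LDAP host, the DN layout and the
     WebHDFS URL are placeholders, not values from the thread. -->
<topology>
  <gateway>
    <!-- Step 2: this topology binds users only under tenant cust1's OU,
         so credentials from another tenant's OU cannot authenticate here. -->
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param>
        <name>main.ldapRealm</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value>
      </param>
      <param>
        <name>main.ldapContextFactory</name>
        <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory</name>
        <value>$ldapContextFactory</value>
      </param>
      <param>
        <name>main.ldapRealm.userDnTemplate</name>
        <value>uid={0},ou=cust1,ou=tenants,dc=example,dc=com</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.url</name>
        <value>ldaps://ldap.example.com:636</value>
      </param>
      <param>
        <name>main.ldapRealm.contextFactory.authenticationMechanism</name>
        <value>simple</value>
      </param>
      <param>
        <name>urls./**</name>
        <value>authcBasic</value>
      </param>
    </provider>

    <!-- Step 4: the authenticated name "bob" is asserted to the cluster as
         "bob_cust1". Step 3 happens outside Knox: the OS account bob_cust1
         has to exist on the cluster, distinct from any other tenant's "bob". -->
    <provider>
      <role>identity-assertion</role>
      <name>Concat</name>
      <enabled>true</enabled>
      <param>
        <name>concat.suffix</name>
        <value>_cust1</value>
      </param>
    </provider>
  </gateway>

  <service>
    <role>WEBHDFS</role>
    <url>http://namenode.example.com:50070/webhdfs</url>
  </service>
</topology>

<!-- ===== conf/gateway-site.xml fragment : port mapping (step 5) ===== -->
<!-- With mapping enabled, the cust1 topology is also served on port 9443
     without the "gateway/cust1" path prefix. -->
<property>
  <name>gateway.port.mapping.enabled</name>
  <value>true</value>
</property>
<property>
  <name>gateway.port.mapping.cust1</name>
  <value>9443</value>
</property>
```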