Posted to dev@qpid.apache.org by "Ulf Lilleengen (Jira)" <ji...@apache.org> on 2020/04/01 11:05:00 UTC
[jira] [Comment Edited] (DISPATCH-1585) Allow specifying address/source/target to be used for a multitenant listener
[ https://issues.apache.org/jira/browse/DISPATCH-1585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17072650#comment-17072650 ]
Ulf Lilleengen edited comment on DISPATCH-1585 at 4/1/20, 11:04 AM:
--------------------------------------------------------------------
[~tross]
Let's say you have a service supporting multiple tenants, but a single tenant can have applications running in 2 separate networks (but they belong to the same 'tenant', i.e. they have the same addresses), so the client applications connect to the router via 2 different hosts, let's say internal.example.com and public.example.com. Today, I would need to model it this way (omitting the broker connector and simplifying some details):
{code:java}
[
["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],
["vhost", { "hostname": "internal.example.com", "allowUnknownUser": true, // ... }],
["address", { "waypoint": true, "prefix": "internal.example.com/foo" }],
["autoLink", { "address": "internal.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
["autoLink", { "address": "internal.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],
["vhost", { "hostname": "public.example.com", "allowUnknownUser": true, // ... }],
["address", { "waypoint": true, "prefix": "public.example.com/foo" }],
["autoLink", { "address": "public.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
["autoLink", { "address": "public.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],
]
{code}
So, for every host to expose for this tenant, a lot of configuration is needed. There is only one address in this example, but when you have 10k addresses, it's starting to be a lot of work reconfiguring the router just to expose on a new host.
So, what would be very useful for this case is to have some way to specify a mapping from virtual host to the prefix matched for addresses, i.e.:
{code:java}
[
["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],
// List of hostnames that this vhost should apply to, and a prefix that hostnames should be replaced with when doing routing.
["vhost", { "hostnames": ["internal.example.com", "public.example.com"], "prefix": "tenant1", "allowUnknownUser": true, // ... }],
["address", { "waypoint": true, "prefix": "tenant1/foo" }],
["autoLink", { "address": "tenant1/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
["autoLink", { "address": "tenant1/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],
]
{code}
This means the amount of configuration to change would be a lot less if you have many addresses. There are probably better ways to model this than my example, but hopefully it shows the reason for raising this issue.
was (Author: lulf):
Let's say you have a service supporting multiple tenants, but a single tenant can have applications running in 2 separate networks (but they belong to the same 'tenant', i.e. they have the same addresses), so the client applications connect to the router via 2 different hosts, let's say internal.example.com and public.example.com. Today, I would need to model it this way (omitting the broker connector and unneeded details):
{code:java}
[
["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],
["vhost", { "hostname": "internal.example.com", "allowUnknownUser": true, // ... }],
["address", { "waypoint": true, "prefix": "internal.example.com/foo" }],
["autoLink", { "address": "internal.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
["autoLink", { "address": "internal.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],
["vhost", { "hostname": "public.example.com", "allowUnknownUser": true, // ... }],
["address", { "waypoint": true, "prefix": "public.example.com/foo" }],
["autoLink", { "address": "public.example.com/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
["autoLink", { "address": "public.example.com/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],
]
{code}
So, for every host to expose for this tenant, a lot of configuration is needed. There is only one address in this example, but when you have 10k addresses, it's starting to be a lot of work reconfiguring the router just to expose on a new host.
So, what would be very useful for this case is to have some way to specify a mapping from virtual host to the prefix matched for addresses, i.e.:
{code:java}
[
["listener", { "host": "0.0.0.0", "port": 56721, "authenticatePeer": false, "saslMechanisms": "ANONYMOUS", "multiTenant": true }],
["policy", {"enableVhostPolicy": true, "defaultVhost": "$default" }],
// List of hostnames that this vhost should apply to, and a prefix that hostnames should be replaced with when doing routing.
["vhost", { "hostnames": ["internal.example.com", "public.example.com"], "prefix": "tenant1", "allowUnknownUser": true, // ... }],
["address", { "waypoint": true, "prefix": "tenant1/foo" }],
["autoLink", { "address": "tenant1/foo", "direction": "out", "connection": "broker", "externalAddress": "t1/foo" }],
["autoLink", { "address": "tenant1/foo", "direction": "in", "connection": "broker", "externalAddress": "t1/foo" }],
]
{code}
This means the amount of configuration to change would be a lot less if you have many addresses. There are probably better ways to model this than my example, but hopefully it shows the reason for raising this issue.
> Allow specifying address/source/target to be used for a multitenant listener
> ----------------------------------------------------------------------------
>
> Key: DISPATCH-1585
> URL: https://issues.apache.org/jira/browse/DISPATCH-1585
> Project: Qpid Dispatch
> Issue Type: Wish
> Reporter: Ulf Lilleengen
> Priority: Major
>
> At present, a multitenant router listener will prefix addresses with the hostname in the AMQP Open. However, given a configuration where it is desirable to expose a router address space for multiple DNS names, any address, linkRoute and autoLink configuration will need to be duplicated for each DNS name. This complicates router configuration significantly.
>
> Instead, having a way to specify which prefix to apply for a multitenant listener would allow reusing the same address, autoLink and linkRoute configuration for multiple listeners.
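An added example, not part of the original comment or of Qpid Dispatch: a generator that expands one tenant definition into the per-hostname `vhost`, `address` and `autoLink` entities the comment says are needed today, and rejects a hostname claimed by two tenants so that one DNS name can never resolve to two address spaces. The `TENANTS` layout, its `external` key and the function names are assumptions made for illustration; only the emitted attribute names come from the configuration shown above.

```python
import json

# Constructed tenant definition mirroring the comment's example. The grouping of
# "hostnames" under one "prefix" is the proposal, not an existing router attribute.
TENANTS = [
    {"prefix": "tenant1", "external": "t1",
     "hostnames": ["internal.example.com", "public.example.com"],
     "addresses": ["foo"]},
]

def hostname_owners(tenants):
    """Map each hostname to its tenant prefix; reject a hostname claimed twice."""
    owners = {}
    for tenant in tenants:
        for host in tenant["hostnames"]:
            key = host.lower()  # DNS names compare case-insensitively
            if key in owners:
                raise ValueError(
                    f"{host} is claimed by {owners[key]} and {tenant['prefix']}")
            owners[key] = tenant["prefix"]
    return owners

def expand(tenants, connection="broker"):
    """Emit the per-hostname entities described in the comment's first listing."""
    hostname_owners(tenants)  # fail before emitting an ambiguous configuration
    entities = []
    for tenant in tenants:
        for host in tenant["hostnames"]:
            # vhost attributes elided with "..." in the comment are omitted here
            entities.append(["vhost", {"hostname": host, "allowUnknownUser": True}])
            for addr in tenant["addresses"]:
                local = f"{host}/{addr}"
                entities.append(["address", {"waypoint": True, "prefix": local}])
                for direction in ("out", "in"):
                    entities.append(["autoLink", {
                        "address": local, "direction": direction,
                        "connection": connection,
                        "externalAddress": f"{tenant['external']}/{addr}"}])
    return entities

if __name__ == "__main__":
    print(json.dumps(expand(TENANTS), indent=2))
```

With 2 hostnames and 10k addresses this produces 60,002 entities, which is the duplication the proposed hostname-to-prefix mapping would remove.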