The media download url cannot be configured by tenant

Skip to first unread message

Ran Zhang

Feb 21, 2024, 7:11:20 PMFeb 21
to Opencast Users

Recently, I explored Opencast, a powerful video management tool, which I really like.

In my test deployment, I used a 2-node setup (admin-presentation and worker) and divided Opencast into three tenants: the default mh_default_org, tenant1, and tenant2, configuring different URLs for them.

Now, there's only one unachievable requirement: tenant separation for media download url. The configuration for `` is in ``, not in `org.opencastproject.organization-<tenant-id>.org`. Thus, the loading of media files in tenant1 and tenant2 still comes from the URL of mh_default_org.

This forces me to do two things to enable video playback:
1. Set CORS for the reverse proxy of mh_default_org's URL;
2. Set `authentication.required = false` in `org.opencastproject.fsresources.StaticResourceServlet.cfg`.

However, this inability to separate media download url by tenant does not meet our needs. Therefore, I tried the following approaches:

1. In ``, I set


   However, as I expected, `` cannot retrieve the variable `${}` from `org.opencastproject.organization-<tenant-id>.org`, leading to workflow failure when publishing to engage.

2. I also tried adding a definition in `org.opencastproject.organization-<tenant-id>.org`:

 And commenting out the definition of `` in ``. This caused the workflow to not run at all, staying in pending status. Only when I added `` back to `` did the workflow run normally.

I wonder if tenant separation for media download url is currently possible? If not, is there any plan to add this feature?

If it's not feasible in the short term, I'll have to deploy two completely independent instances.



Katrin Ihler

Feb 22, 2024, 5:27:09 AMFeb 22

Hi Ran,

most people configure a separate file server for the download URL in a production setup, which then serves from the NFS. But this still means that you have to turn off Static File Protection iirc (although people have been working on that). But you're right that you can't can configure this per tenant currently. (But the requested URL contains the tenant ID in the path, so maybe you can do something with that.) Changing this shouldn't be too hard, but it hadn't been requested so far.

In general, a multitenant setup comes with a few potential complications like this one, so maybe it would be easier for you to setup separate instances for complete separation and manage them with something like Ansible.



To unsubscribe from this group and stop receiving emails from it, send an email to
Karlstr. 23
D-26123 Oldeburg

Dietmar Zenker

Feb 22, 2024, 6:04:45 AMFeb 22
to Opencast Users,
Hi Ran,

we are also using a multi-tenant setting with 10 different tenants, 2 of them are configured with stream-security enabled, thus 'authentication.required' is also set to "false".

Indeed, all static URLs point to the mh_default tenant, but, as Katrin already described, the tenant is part of the URL, e.g.
But, a tenant specific URL also works here:

Thus, you could try to define appropriate rewrite rules in the reverse proxy to change all URLs to


Ran Zhang

Feb 27, 2024, 2:15:05 PMFeb 27
to Opencast Users,, Ran Zhang
Dear Katrin and Dietmar,

Thank you very much for your reply and suggestions!

URL redirect using reverse proxy is a good idea. However, our needs are based on some special countries and areas where internet is limited. If users can't access, they can't get the redirect result from the reverse proxy web server. I got another idea from this-- setting a filter in the web server of the

location / {
location = /search/episode.json {
        sub_filter '' $host;
        sub_filter_once off;
        sub_filter_types application/json;

This way the client knows how to access the correct URL directly. Since it only filters for the specific episode.json path, performance does not have much impact.

I'm very grateful for the wonderful help I've received in this forum.

Best regards,

Reply all
Reply to author
0 new messages