The media download url cannot be configured by tenant
39 views
Skip to first unread message
Ran Zhang
Feb 21, 2024, 7:11:20 PMFeb 21
to Opencast Users
Hello,
Recently, I explored Opencast, a powerful video management tool, which I really like.
In my test deployment, I used a 2-node setup (admin-presentation and worker) and divided Opencast into three tenants: the default mh_default_org, tenant1, and tenant2, configuring different URLs for them.
Now, there's only one unachievable requirement: tenant separation for media download url. The configuration for `org.opencastproject.download.url` is in `custom.properties`, not in `org.opencastproject.organization-<tenant-id>.org`. Thus, the loading of media files in tenant1 and tenant2 still comes from the URL of mh_default_org.
This forces me to do two things to enable video playback:
1. Set CORS for the reverse proxy of mh_default_org's URL;
2. Set `authentication.required = false` in `org.opencastproject.fsresources.StaticResourceServlet.cfg`.
However, this inability to separate media download url by tenant does not meet our needs. Therefore, I tried the following approaches:
1. In `custom.properties`, I set
`org.opencastproject.download.url=${prop.org.opencastproject.engage.ui.url}/static`
However, as I expected, `custom.properties` cannot retrieve the variable `${prop.org.opencastproject.engage.ui.url}` from `org.opencastproject.organization-<tenant-id>.org`, leading to workflow failure when publishing to engage.
2. I also tried adding a definition in `org.opencastproject.organization-<tenant-id>.org`:
`prop.org.opencastproject.download.url=${prop.org.opencastproject.engage.ui.url}/static`
And commenting out the definition of `org.opencastproject.download.url` in `custom.properties`. This caused the workflow to not run at all, staying in pending status. Only when I added `org.opencastproject.download.url` back to `custom.properties` did the workflow run normally.
I wonder if tenant separation for media download url is currently possible? If not, is there any plan to add this feature?
If it's not feasible in the short term, I'll have to deploy two completely independent instances.
Thanks!
Ran
In my test deployment, I used a 2-node setup (admin-presentation and worker) and divided Opencast into three tenants: the default mh_default_org, tenant1, and tenant2, configuring different URLs for them.
Now, there's only one unachievable requirement: tenant separation for media download url. The configuration for `org.opencastproject.download.url` is in `custom.properties`, not in `org.opencastproject.organization-<tenant-id>.org`. Thus, the loading of media files in tenant1 and tenant2 still comes from the URL of mh_default_org.
This forces me to do two things to enable video playback:
1. Set CORS for the reverse proxy of mh_default_org's URL;
2. Set `authentication.required = false` in `org.opencastproject.fsresources.StaticResourceServlet.cfg`.
However, this inability to separate media download url by tenant does not meet our needs. Therefore, I tried the following approaches:
1. In `custom.properties`, I set
`org.opencastproject.download.url=${prop.org.opencastproject.engage.ui.url}/static`
However, as I expected, `custom.properties` cannot retrieve the variable `${prop.org.opencastproject.engage.ui.url}` from `org.opencastproject.organization-<tenant-id>.org`, leading to workflow failure when publishing to engage.
2. I also tried adding a definition in `org.opencastproject.organization-<tenant-id>.org`:
`prop.org.opencastproject.download.url=${prop.org.opencastproject.engage.ui.url}/static`
And commenting out the definition of `org.opencastproject.download.url` in `custom.properties`. This caused the workflow to not run at all, staying in pending status. Only when I added `org.opencastproject.download.url` back to `custom.properties` did the workflow run normally.
I wonder if tenant separation for media download url is currently possible? If not, is there any plan to add this feature?
If it's not feasible in the short term, I'll have to deploy two completely independent instances.
Thanks!
Ran
Katrin Ihler
Feb 22, 2024, 5:27:09 AMFeb 22
to us...@opencast.org
Hi Ran,
most people configure a separate file server for the download URL in a production setup, which then serves from the NFS. But this still means that you have to turn off Static File Protection iirc (although people have been working on that). But you're right that you can't can configure this per tenant currently. (But the requested URL contains the tenant ID in the path, so maybe you can do something with that.) Changing this shouldn't be too hard, but it hadn't been requested so far.
In general, a multitenant setup comes with a few potential complications like this one, so maybe it would be easier for you to setup separate instances for complete separation and manage them with something like Ansible.
Cheers,
Katrin
--
To unsubscribe from this group and stop receiving emails from it, send an email to users+un...@opencast.org.
-- ELAN e.V. Karlstr. 23 D-26123 Oldeburg elan-ev.de
Dietmar Zenker
Feb 22, 2024, 6:04:45 AMFeb 22
to Opencast Users, zhang...@gmail.com
Hi Ran,
we are also using a multi-tenant setting with 10 different tenants, 2 of them are configured with stream-security enabled, thus 'authentication.required' is also set to "false".
Indeed, all static URLs point to the mh_default tenant, but,
as Katrin already described,
the tenant is part of the URL, e.g.
https://mh_default.myopencast.de/static/tenant1/engage-player/ID1/ID2/presentation-24665081-a015-4b9b-a00e-b10b4aeed4bf.mp4
But, a tenant specific URL also works here:
https://tenant1.myopencast.de/static/tenant1/engage-player/ID1/ID2/presentation-24665081-a015-4b9b-a00e-b10b4aeed4bf.mp4
Thus, you could try to define appropriate rewrite rules in the reverse proxy to change all https://mh_default.myopencast.de/static/tenant1... URLs to
https://tenant1.myopencast.de/static/tenant1/....
Greetings,
Dietmar
Ran Zhang
Feb 27, 2024, 2:15:05 PMFeb 27
to Opencast Users, dzenk...@online.de, Ran Zhang
Dear Katrin and Dietmar,
Thank you very much for your reply and suggestions!
URL redirect using reverse proxy is a good idea. However, our needs are based on some special countries and areas where internet is limited. If users can't access https://mh_default.myopencast.de/static/tenant1..., they can't get the redirect result from the reverse proxy web server. I got another idea from this-- setting a filter in the web server of the https://tenant1.myopencast.de/static/tenant1/.....
location = /search/episode.json {
proxy_pass http://127.0.0.1:8080;
sub_filter 'mh_default.myopencast.de' $host;
sub_filter_once off;
sub_filter_types application/json;
}
proxy_pass http://127.0.0.1:8080;
sub_filter 'mh_default.myopencast.de' $host;
sub_filter_once off;
sub_filter_types application/json;
}
This way the client knows how to access the correct URL directly. Since it only filters for the specific episode.json path, performance does not have much impact.
I'm very grateful for the wonderful help I've received in this forum.
Best regards,
Ran
Reply all
Reply to author
Forward
0 new messages