Connected hubs(已连接中心(Connected hubs))¶
The Connected hubs extension in Control Panel enables you to authenticate connections between your Foundry enrollment and Apollo hubs. Once a connection is established, you can add Marketplace stores to a publishing whitelist so that new product releases in those stores are automatically published to the connected Apollo hub.
This enables cross-network shipping of Marketplace products: users can build products on top of their own data, publish to an Apollo hub that they control, and install those products onto other Foundry environments without requiring any Palantir-specific permissions.
Individual Marketplace stores can be connected to multiple Apollo hubs, and each hub can receive products from multiple stores.
Prerequisites¶
To access the Connected hubs extension in Control Panel, you must have the Enrollment administrator role, granted in the Enrollment permissions extension. For more details, see Permissions.
Connect an Apollo hub¶
Before connecting an Apollo hub, ensure the following setup has been completed:
- Network connectivity: The Apollo hub must allow inbound traffic from your Foundry enrollment. To configure this:
a. In your Foundry enrollment's Control Panel, navigate to the Network egress extension and select What IPs do connections from Foundry come from? to copy the CIDRs.
b. In the Apollo hub's Control Panel, navigate to the Network ingress extension and add those CIDRs.
- Third-party application credentials: Create credentials on the Apollo hub that your Foundry enrollment will use to authenticate:
a. In the Apollo hub's Control Panel, navigate to the Third-party applications extension.
b. Create a new application and select Confidential client, then Client credentials grant.
c. Enable the application and turn on Organization level consent.
Once the setup is complete, connect the hub in Control Panel:
- Navigate to Control Panel and select Connected hubs from the side panel under Enrollment settings.
- Select Add.

- Provide the following information:
| Field | Description |
|---|---|
| Apollo hub URL | The URL of the Apollo hub to connect to. |
| Apollo Space ID | The identifier for the Apollo space associated with the hub. This value is case sensitive. |
| Client ID | The client ID generated when creating the third-party application on the Apollo hub. |
| Client secret | The client secret generated when creating the third-party application on the Apollo hub. |
- Select Submit to establish the connection.
Once the connection is saved, the extension displays the connection status, indicating whether the authentication is valid.
Verify a hub connection¶
After connecting an Apollo hub, the Connected hubs extension displays the current status of each connection. Use this to verify that authentication credentials are valid and the hub is reachable.

Publish products to a connected Apollo hub¶
To publish Marketplace products to a connected Apollo hub, ensure the following additional setup has been completed on the Apollo hub:
- Apollo hub permissions: Add the third-party application user to a team (or create a new team) that has the following permissions:
- Artifacts: Creator, Viewer
- Products: Release Creator, Creator, Viewer
Add Marketplace stores to the publishing whitelist¶
After the hub permissions are configured, you can add Marketplace stores to the publishing whitelist for that hub.
- Select the connected hub you want to configure.
- Select Configure, or the cog icon.
- Add the Marketplace store to the whitelist.

When a Marketplace store is on the publishing whitelist, cutting a new release of a product in that store will automatically publish it to all Apollo hubs that the store is configured for. Only products that use strict folder tracking and have a Maven coordinate configured will be successfully published; products that do not meet these requirements will not block other products from publishing.
Publishing workflow¶
Once a store is on the whitelist and properly configured:
- In DevOps, create a release for a product in the whitelisted store.
- The product is automatically published to all connected Apollo hubs that the store is whitelisted for.
Install products from a connected Apollo hub¶
To install Foundry Products from Apollo, first make sure you have a valid connection to the corresponding hub and attach the environment ID of the Apollo environment to install from. Then, contact Palantir Support to enable third-party Foundry Product installations from connected hubs.
Once the setup is complete, installing Foundry Products onto the attached Apollo environment will result in those products being imported to remote stores visible to your enrollment. More granular permissions can be set on the remote Marketplace stores page.
中文翻译¶
已连接中心(Connected hubs)¶
控制面板(Control Panel)中的已连接中心(Connected hubs)扩展程序支持你对Foundry部署实例(Foundry enrollment)与Apollo中心(Apollo hub)之间的连接进行身份验证。连接建立后,你可以将市场(Marketplace)商店添加到发布白名单中,这样这些商店内的新产品发布就会自动同步到已连接的Apollo中心。
这一功能支持市场产品的跨网络交付:用户可以基于自有数据构建产品,发布到自己管控的Apollo中心,无需任何Palantir专属权限即可将这些产品安装到其他Foundry环境中。
单个市场商店可以连接到多个Apollo中心,每个中心也可以接收来自多个商店的产品。
前提条件¶
要访问控制面板中的已连接中心扩展程序,你必须拥有实例管理员(Enrollment administrator)角色,该角色需在实例权限(Enrollment permissions)扩展程序中授予。更多详情请参考权限说明。
连接Apollo中心¶
在连接Apollo中心之前,请确保已完成以下准备工作: 1. 网络连通性:Apollo中心必须允许来自你的Foundry部署实例的入站流量。按以下步骤配置: a. 在你的Foundry部署实例的控制面板中,进入网络出站规则扩展程序,选择What IPs do connections from Foundry come from?复制对应的CIDR地址段。 b. 在Apollo中心的控制面板中,进入网络入站规则扩展程序,添加上述CIDR地址段。 2. 第三方应用凭证:在Apollo中心创建供你的Foundry部署实例进行身份验证使用的凭证: a. 在Apollo中心的控制面板中,进入第三方应用扩展程序。 b. 创建新应用,选择机密客户端(Confidential client),再选择客户端凭证授权(Client credentials grant)。 c. 启用该应用,并开启组织层级同意(Organization level consent)。
准备工作完成后,在控制面板中按以下步骤连接中心: 1. 进入控制面板,在侧边栏的实例设置(Enrollment settings)分类下选择已连接中心。 2. 选择添加(Add)。

- 提供以下信息:
| Field | Description |
|---|---|
| Apollo hub URL | 待连接的Apollo中心的URL |
| Apollo Space ID | 与该中心关联的Apollo空间(Apollo Space)的标识符,该值区分大小写 |
| Client ID | 在Apollo中心创建第三方应用时生成的客户端ID(Client ID) |
| Client secret | 在Apollo中心创建第三方应用时生成的客户端密钥(Client secret) |
- 选择提交(Submit)以建立连接。
连接保存后,扩展程序会显示连接状态,标识身份验证是否有效。
验证中心连接¶
完成Apollo中心连接后,已连接中心扩展程序会显示每个连接的当前状态。你可以通过该状态验证身份凭证是否有效、中心是否可访问。

发布产品到已连接的Apollo中心¶
要将市场产品发布到已连接的Apollo中心,请确保已在Apollo中心完成以下额外配置: 1. Apollo中心权限:将第三方应用用户添加到具备以下权限的团队中(也可新建团队): * 制品(Artifacts):创建者(Creator)、查看者(Viewer) * 产品(Products):版本创建者(Release Creator)、创建者、查看者
将市场商店添加到发布白名单¶
中心权限配置完成后,你可以将市场商店添加到该中心的发布白名单中。 1. 选择你要配置的已连接中心。 2. 选择配置(Configure),或齿轮图标。 3. 将市场商店添加到白名单。

当某家市场商店被加入发布白名单后,在该商店中为产品创建新版本时,会自动将版本发布到该商店配置对应的所有Apollo中心。只有使用严格文件夹跟踪(strict folder tracking)且配置了Maven坐标(Maven coordinate)的产品才会发布成功;不符合这些要求的产品不会阻塞其他产品的发布。
发布工作流¶
当商店被加入白名单并完成正确配置后: 1. 在DevOps中,为白名单内商店的某款产品创建一个版本。 2. 该产品会自动发布到所有该商店被加入白名单的已连接Apollo中心。
从已连接的Apollo中心安装产品¶
要从Apollo安装Foundry产品,首先请确保你与对应中心的连接有效,并且绑定了要从中安装产品的Apollo环境(Apollo environment)的环境ID。之后联系Palantir支持团队,启用从已连接中心安装第三方Foundry产品的功能。
配置完成后,将Foundry产品安装到绑定的Apollo环境中,这些产品就会被导入到你的部署实例可见的远程商店中。你可以在远程市场商店页面设置更细粒度的权限。