[Freeipa-devel] Is there RPC documentation?

Rich Megginson rmeggins at redhat.com
Wed Feb 26 22:28:58 UTC 2014


On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> Rich Megginson wrote:
>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>> Rich Megginson wrote:
>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>> I'm working on adding support for freeipa DNS to openstack designate
>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? REST?) to
>>>>>> communicate with freeipa.  Is there documentation about how to
>>>>>> construct and send RPC messages?
>>>>>
>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>> (read: documented), though it's extremely unlikely to change.
>>>>> If you need an example, run any ipa command with -vv, this will print
>>>>> out the request & response.
>>>>> API.txt in the source tree lists all the commands and params.
>>>>> This blog post still applies (but be sure to read the update about
>>>>> --cacert):
>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ 
>>>>>
>>>>
>>>> Ok.  Next question is - how does one do the equivalent of the curl
>>>> command in python code?
>>>
>>> Here is a pretty stripped-down way to add a user. Other commands are
>>> similar, you just may care more about the output:
>>>
>>> from ipalib import api
>>> from ipalib import errors
>>>
>>> api.bootstrap(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>>
>>> try:
>>>     api.Command['user_add'](u'testuser',
>>>                             givenname=u'Test', sn=u'User',
>>>                             loginshell=u'/bin/sh')
>>> except errors.DuplicateEntry:
>>>     print("user already exists")
>>> else:
>>>     print("User added")
>>>
>>
>> How would one do this from outside of ipa?  If ipalib is not available?
>
> You'd need to go to either /ipa/xml or /ipa/json (depending on what 
> protocol you want to use) and issue one request there. This requires 
> Kerberos authentication. The response will include a cookie which you 
> should either ignore or store safely (like in the kernel keyring). 
> Using the cookie will significantly improve performance.

This is for the ipa dns backend for designate.  I'm assuming I will 
either be using a keytab, or perhaps the new proxy?

At any rate, I have to do everything in python - including the kinit 
with the keytab.

I guess I'm really looking for specifics - I've seen recommendations to 
use the python libraries "requests" and "json".  I don't know if 
requests supports negotiate/kerberos.  If not, is there a recommended 
library to use?  As this particular project will be part of openstack, 
perhaps there is a more "openstack"-y library, or even something 
built-in to openstack (oslo?).  I think amqp supports kerberos, so 
perhaps there is some oslo.messaging thing that will do the http + 
kerberos stuff.

>
> If you store the cookie then you can make future requests to 
> /ipa/session/{xml|json} unless a Kerberos error is raised, in which 
> case things start over again.
>
> You'll need to include a Referer header in your request, see the -vv 
> output of the ipa command for samples.
>
> rob
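
Added example, not part of the original thread and not FreeIPA code: a sketch of the flow described above, where the first request goes to /ipa/json with Kerberos and later ones reuse the cookie at /ipa/session/json, starting over when the session is refused. The class name, the injected `send` transport, the HTTP 401 signal for a refused session, the JSON envelope shape and the constructed fake server are assumptions.

```python
import json

class IpaJsonClient:  # hypothetical name, not an ipalib class
    def __init__(self, host, send):
        self.base = "https://%s/ipa" % host
        # send(url, headers, body, negotiate) -> (status, headers, text). A real
        # transport does HTTP Negotiate when negotiate=True and checks the IPA CA.
        self.send = send
        self.cookie = None  # session secret: keep out of logs and world-readable files

    def _post(self, path, body, negotiate):
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json",
                   "Referer": self.base}  # required, per the thread
        if self.cookie and not negotiate:
            headers["Cookie"] = self.cookie
        return self.send(self.base + path, headers, body, negotiate)

    def call(self, method, *args, **options):
        # Assumed envelope: positional args list plus options dict.
        body = json.dumps({"method": method, "params": [list(args), options], "id": 0})
        if self.cookie:
            status, _, text = self._post("/session/json", body, negotiate=False)
            if status == 200:
                return json.loads(text)
            if status != 401:  # assumption: a refused session shows up as HTTP 401
                raise RuntimeError("IPA session request failed with HTTP %d" % status)
            self.cookie = None  # stale cookie: start over with Kerberos
        status, hdrs, text = self._post("/json", body, negotiate=True)
        if status != 200:
            raise RuntimeError("IPA request failed with HTTP %d" % status)
        if hdrs.get("Set-Cookie"):
            self.cookie = hdrs["Set-Cookie"].split(";", 1)[0]  # keep name=value only
        return json.loads(text)

def make_fake_server(valid_cookie="ipa_session=CONSTRUCTED"):
    """Constructed stand-in for the server so the flow runs offline."""
    log = []
    def send(url, headers, body, negotiate):
        log.append((url.split("/ipa/", 1)[1], negotiate, "Cookie" in headers))
        if "Referer" not in headers:
            return 400, {}, ""
        if url.endswith("/session/json") and headers.get("Cookie") != valid_cookie:
            return 401, {}, ""
        reply = {"result": {"called": json.loads(body)["method"]}, "error": None, "id": 0}
        return 200, {"Set-Cookie": valid_cookie + "; Secure; HttpOnly"}, json.dumps(reply)
    return send, log
```

The Kerberos path never sends the old cookie, so a stale session value is dropped rather than replayed alongside fresh credentials.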



