[Freeipa-devel] Is there RPC documentation?
Rich Megginson
rmeggins at redhat.com
Wed Feb 26 22:28:58 UTC 2014
On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> Rich Megginson wrote:
>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>> Rich Megginson wrote:
>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>> I'm working on adding support for freeipa DNS to openstack designate
>>>>>> (DNSaaS). I am assuming I need to use RPC (XML? JSON? REST?) to
>>>>>> communicate with freeipa. Is there documentation about how to
>>>>>> construct and send RPC messages?
>>>>>
>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>> (read: documented), though it's extremely unlikely to change.
>>>>> If you need an example, run any ipa command with -vv, this will print
>>>>> out the request & response.
>>>>> API.txt in the source tree lists all the commands and params.
>>>>> This blog post still applies (but be sure to read the update about
>>>>> --cacert):
>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>>>>
>>>>
>>>> Ok. Next question is - how does one do the equivalent of the curl
>>>> command in python code?
>>>
>>> Here is a pretty stripped-down way to add a user. Other commands are
>>> similar, you just may care more about the output:
>>>
>>> from ipalib import api
>>> from ipalib import errors
>>>
>>> # Load the client configuration, then connect to the server
>>> api.bootstrap(context='cli')
>>> api.finalize()
>>> api.Backend.xmlclient.connect()
>>>
>>> try:
>>>     api.Command['user_add'](u'testuser',
>>>                             givenname=u'Test', sn=u'User',
>>>                             loginshell=u'/bin/sh')
>>> except errors.DuplicateEntry:
>>>     print("user already exists")
>>> else:
>>>     print("User added")
>>>
>>
>> How would one do this from outside of ipa? If ipalib is not available?
>
> You'd need to go to either /ipa/xml or /ipa/json (depending on what
> protocol you want to use) and issue one request there. This requires
> Kerberos authentication. The response will include a cookie which you
> should either ignore or store safely (like in the kernel keyring).
> Using the cookie will significantly improve performance.

This is for the ipa dns backend for designate. I'm assuming I will
either be using a keytab, or perhaps the new proxy?

At any rate, I have to do everything in python - including the kinit
with the keytab.

I guess I'm really looking for specifics - I've seen recommendations to
use the python libraries "requests" and "json". I don't know if
requests supports negotiate/kerberos. If not, is there a recommended
library to use? As this particular project will be part of openstack,
perhaps there is a more "openstack"-y library, or even something
built-in to openstack (oslo?). I think amqp supports kerberos, so
perhaps there is some oslo.messaging thing that will do the http +
kerberos stuff.

>
> If you store the cookie then you can make future requests to
> /ipa/session/{xml|json} unless a Kerberos error is raised, in which
> case things start over again.
>
> You'll need to include a Referer header in your request, see the -vv
> output of the ipa command for samples.
>
> rob
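
The request flow described in this thread (Kerberos on /ipa/json, then the stored cookie on /ipa/session/json, with a Referer header on every request), sketched with the Python standard library as an added example that is not part of the original messages or of FreeIPA's code. Assumptions: the cookie is named `ipa_session`, the Referer value is `https://<host>/ipa`, an HTTP 401 is the signal to start over with Kerberos, the host name is a placeholder, and the SPNEGO token comes from a GSSAPI library the caller supplies.

```python
import json
import urllib.request
from http.cookies import SimpleCookie

COOKIE_NAME = "ipa_session"  # assumption: name of the session cookie


def build_request(host, method, args, options, session=None, negotiate_token=None):
    """Build (without sending) a JSON-RPC POST for the endpoints named in the thread."""
    if session:
        path = "/ipa/session/json"   # cookie-authenticated endpoint
        auth = ("Cookie", "%s=%s" % (COOKIE_NAME, session))
    elif negotiate_token:
        path = "/ipa/json"           # Kerberos (SPNEGO) endpoint
        auth = ("Authorization", "Negotiate " + negotiate_token)
    else:
        raise ValueError("need a stored session cookie or a Kerberos token")
    body = {"method": method, "params": [list(args), dict(options)], "id": 0}
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": "https://%s/ipa" % host,  # assumption: value the ipa client sends
        auth[0]: auth[1],
    }
    return urllib.request.Request("https://%s%s" % (host, path),
                                  data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")


def update_session(status, set_cookie, session):
    """Return the session value to keep; None means start over with Kerberos."""
    if status == 401:                # assumption: 401 marks an expired/rejected session
        return None
    if set_cookie:
        jar = SimpleCookie()
        jar.load(set_cookie)
        if COOKIE_NAME in jar:
            return jar[COOKIE_NAME].value
    return session


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    req = build_request("ipa.example.test", "user_add", ["testuser"],
                        {"givenname": "Test", "sn": "User"}, negotiate_token="TOKEN")
    print(req.full_url, dict(req.header_items()))
    sid = update_session(200, "ipa_session=abc123; Path=/ipa; Secure; HttpOnly", None)
    print(build_request("ipa.example.test", "user_find", [], {}, session=sid).full_url)
```

When the request is actually sent, verify the server certificate against the IPA CA, and keep the session value out of logs and world-readable files since it stands in for the Kerberos credential.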