[Freeipa-devel] Is there RPC documentation?

Simo Sorce simo at redhat.com
Wed Feb 26 22:48:47 UTC 2014


On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> > Rich Megginson wrote:
> >> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
> >>> Rich Megginson wrote:
> >>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
> >>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
> >>>>>> I'm working on adding support for freeipa DNS to openstack designate
> >>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? REST?) to
> >>>>>> communicate with freeipa.  Is there documentation about how to
> >>>>>> construct
> >>>>>> and send RPC messages?
> >>>>>
> >>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
> >>>>> (read: documented), though it's extremely unlikely to change.
> >>>>> If you need an example, run any ipa command with -vv, this will print
> >>>>> out the request & response.
> >>>>> API.txt in the source tree lists all the commands and params.
> >>>>> This blog post still applies (but be sure to read the update about
> >>>>> --cacert):
> >>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ 
> >>>>>
> >>>>
> >>>> Ok.  Next question is - how does one do the equivalent of the curl
> >>>> command in python code?
> >>>
> >>> Here is a pretty stripped-down way to add a user. Other commands are
> >>> similar, you just may care more about the output:
> >>>
> >>> from ipalib import api
> >>> from ipalib import errors
> >>>
> >>> api.bootstrap(context='cli')
> >>> api.finalize()
> >>> api.Backend.xmlclient.connect()
> >>>
> >>> try:
> >>>     api.Command['user_add'](u'testuser',
> >>>                             givenname=u'Test', sn=u'User',
> >>>                             loginshell=u'/bin/sh')
> >>> except errors.DuplicateEntry:
> >>>     print "user already exists"
> >>> else:
> >>>     print "User added"
> >>>
> >>
> >> How would one do this from outside of ipa?  If ipalib is not available?
> >
> > You'd need to go to either /ipa/xml or /ipa/json (depending on what 
> > protocol you want to use) and issue one request there. This requires 
> > Kerberos authentication. The response will include a cookie which you 
> > should either ignore or store safely (like in the kernel keyring). 
> > Using the cookie will significantly improve performance.
> 
> This is for the ipa dns backend for designate.  I'm assuming I will 
> either be using a keytab, or perhaps the new proxy?
> 
> At any rate, I have to do everything in python - including the kinit 
> with the keytab.

Look at Rob's damon but you should *not* do a kinit, you should just use
gssapi (see python-kerberos) and do a gss_init_sec_context there, if the
environment is configured (KRB5_KTNAME set correctly) then gssapi will
automatically kinit for you under the hood.

> I guess I'm really looking for specifics - I've seen recommendations to 
> use the python libraries "requests" and "json".  I don't know if 
> requests supports negotiate/kerberos.  If not, is there a recommended 
> library to use?  As this particular project will be part of openstack, 
> perhaps there is a more "openstack"-y library, or even something 
> built-in to openstack (oslo?).  I think amqp support kerberos, so 
> perhaps there is some oslo.messaging thing that will do the http + 
> kerberos stuff.

AFAIK there is nothing that does kerberos in openstack, you'll have to
introduce all that stuff.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
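
The approach discussed in this thread (one POST to /ipa/json, authenticated through GSSAPI with no kinit, without ipalib), as an added example that is not code from any of the posters or from the FreeIPA project. Assumptions not stated in the thread: the host name, the `Referer` header, the `ipa_session` cookie name, the `result`/`error` reply fields, and the use of python-kerberos's `authGSSClient*` calls with KRB5_KTNAME already set in the environment.

```python
import json
import ssl
import urllib.request
from http.cookies import SimpleCookie

def build_request(host, method, args, options, auth_header):
    """Build the POST for https://<host>/ipa/json; performs no network I/O."""
    body = {"method": method, "params": [list(args), dict(options)], "id": 0}
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Referer": "https://%s/ipa" % host,  # assumption: server checks Referer
        "Authorization": auth_header,
    }
    return urllib.request.Request("https://%s/ipa/json" % host,
                                  data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")

def negotiate_header(host):
    """GSSAPI token for HTTP@<host>, no kinit. Needs python-kerberos and a
    keytab already configured in the environment (KRB5_KTNAME)."""
    import kerberos  # imported lazily so the other helpers work without it
    _, ctx = kerberos.authGSSClientInit("HTTP@" + host)
    kerberos.authGSSClientStep(ctx, "")
    return "Negotiate " + kerberos.authGSSClientResponse(ctx)

def parse_reply(raw_body, set_cookie):
    """Return (result, session_cookie); raise if the server reported an error."""
    reply = json.loads(raw_body)
    if reply.get("error"):
        err = reply["error"]
        raise RuntimeError("%s (%s)" % (err.get("message"), err.get("code")))
    jar = SimpleCookie(set_cookie or "")
    # Assumed cookie name. The value is a credential: never log it.
    session = jar["ipa_session"].value if "ipa_session" in jar else None
    return reply["result"], session

def ipa_call(host, method, args, options, cafile):
    """One authenticated call, verifying the server against the IPA CA file."""
    tls = ssl.create_default_context(cafile=cafile)
    req = build_request(host, method, args, options, negotiate_header(host))
    with urllib.request.urlopen(req, context=tls, timeout=30) as resp:
        return parse_reply(resp.read().decode("utf-8"),
                           resp.headers.get("Set-Cookie"))
```

`ipa_call` returns the session cookie to the caller so it can be dropped or held in protected storage such as the kernel keyring, as recommended in the quoted reply.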



