[Freeipa-devel] Is there RPC documentation?

Rob Crittenden rcritten at redhat.com
Wed Feb 26 23:18:56 UTC 2014


Dmitri Pal wrote:
> On 02/26/2014 05:48 PM, Simo Sorce wrote:
>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
>>>> Rich Megginson wrote:
>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>>>>> Rich Megginson wrote:
>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
>>>>>>>>> designate
>>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? REST?) to
>>>>>>>>> communicate with freeipa.  Is there documentation about how to
>>>>>>>>> construct
>>>>>>>>> and send RPC messages?
>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>>>>> (read: documented), though it's extremely unlikely to change.
>>>>>>>> If you need an example, run any ipa command with -vv, this will
>>>>>>>> print
>>>>>>>> out the request & response.
>>>>>>>> API.txt in the source tree lists all the commands and params.
>>>>>>>> This blog post still applies (but be sure to read the update about
>>>>>>>> --cacert):
>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>>>>>>>
>>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
>>>>>>> command in python code?
>>>>>> Here is a pretty stripped-down way to add a user. Other commands are
>>>>>> similar, you just may care more about the output:
>>>>>>
>>>>>> # Bootstrap ipalib as the CLI does and connect to the server; this
>>>>>> # uses the Kerberos credentials already in the credential cache.
>>>>>> from ipalib import api
>>>>>> from ipalib import errors
>>>>>>
>>>>>> api.bootstrap(context='cli')
>>>>>> api.finalize()
>>>>>> api.Backend.xmlclient.connect()
>>>>>>
>>>>>> # Commands are looked up by name; positional args first, options as keywords.
>>>>>> try:
>>>>>>     api.Command['user_add'](u'testuser',
>>>>>>                             givenname=u'Test', sn=u'User',
>>>>>>                             loginshell=u'/bin/sh')
>>>>>> except errors.DuplicateEntry:
>>>>>>     print("user already exists")
>>>>>> else:
>>>>>>     print("User added")
>>>>>>
>>>>> How would one do this from outside of ipa?  If ipalib is not
>>>>> available?
>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
>>>> protocol you want to use) and issue one request there. This requires
>>>> Kerberos authentication. The response will include a cookie which you
>>>> should either ignore or store safely (like in the kernel keyring).
>>>> Using the cookie will significantly improve performance.
>>> This is for the ipa dns backend for designate.  I'm assuming I will
>>> either be using a keytab, or perhaps the new proxy?
>>>
>>> At any rate, I have to do everything in python - including the kinit
>>> with the keytab.
>> Look at Rob's daemon but you should *not* do a kinit, you should just use
>> gssapi (see python-kerberos) and do a gss_init_sec_context there, if the
>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
>> automatically kinit for you under the hood.
>
> Yes look at Rob's smart proxy and use a similar approach.

This is a little different since the smart proxy is directly using ipalib.

You'll need to use python-kerberos to do the GSSAPI work. Basically you 
need to get a service ticket for the remote server using your TGT and 
pass that in the HTTP Authorization header.

There was a patch floating around for python-requests to do Kerberos but 
I'm not sure if it has been accepted upstream or, if it has, whether it is 
generally available. That patch may have been converted into a separate 
project, I found a repo at 
https://github.com/requests/requests-kerberos. At a glance it looks like 
this module does all the work for you.

To see how we do it, look in ipalib/rpc.py in the KerbTransport class, 
specifically in get_host_info(). That shows the calls IPA makes to get 
the information needed for the header, but this is for httplib.

rob
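The route Rob sketches above, put together as an added Python 3 example. This is not FreeIPA code or code from anyone in the thread. It builds the JSON-RPC body and headers for /ipa/json, gets the initial SPNEGO token from python-kerberos (imported lazily, so everything but the network step runs offline), passes it in the Authorization header, stores the session cookie from the reply, and maps a DuplicateEntry error back to the same decision the ipalib snippet makes. Assumptions: the host name ipa.example.test is hypothetical, the reply shapes below are constructed to match what `ipa -vv` prints (including the `name` field of the error object), and the error code 4002 is the value ipalib assigns to DuplicateEntry.

```python
"""Talk to FreeIPA's JSON-RPC endpoint without ipalib (added example, not
FreeIPA code). Assumes ipa.example.test (hypothetical), reply shapes as
printed by `ipa -vv`, and python-kerberos for the SPNEGO token."""
import http.client
import json
import ssl

# Name of IPA's session cookie, as used by the IPA client in ipalib/rpc.py.
SESSION_COOKIE = "ipa_session"


class IPAError(Exception):
    """A JSON-RPC 'error' object returned by the server."""

    def __init__(self, code, name, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.code, self.name, self.message = code, name, message


def build_rpc_request(method, args=(), rpc_id=0, **options):
    """IPA's JSON-RPC body: params is [positional-args list, options dict]."""
    return {"method": method, "params": [list(args), dict(options)], "id": rpc_id}


def build_headers(server, token_b64=None, session_cookie=None):
    """Headers IPA needs: JSON content type, a Referer of https://<server>/ipa
    (the server rejects requests without one), and either the base64 SPNEGO
    token ('Authorization: Negotiate ...') or the session cookie from an
    earlier reply, which skips a fresh GSSAPI exchange on every call."""
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Referer": "https://%s/ipa" % server}
    if session_cookie is not None:
        headers["Cookie"] = "%s=%s" % (SESSION_COOKIE, session_cookie)
    elif token_b64 is not None:
        headers["Authorization"] = "Negotiate %s" % token_b64
    else:
        raise ValueError("need a SPNEGO token or a session cookie")
    return headers


def negotiate_token(server):
    """Initial SPNEGO token for HTTP@server via python-kerberos, i.e. a
    gss_init_sec_context; no kinit, GSSAPI picks up the ccache or keytab."""
    import kerberos  # python-kerberos; only needed when a KDC is reachable
    _, ctx = kerberos.authGSSClientInit("HTTP@%s" % server)
    kerberos.authGSSClientStep(ctx, "")
    return kerberos.authGSSClientResponse(ctx)


def session_cookie_from(set_cookie_header):
    """Pull the ipa_session value out of a Set-Cookie header (None if absent)."""
    for part in (set_cookie_header or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == SESSION_COOKIE and value:
            return value
    return None


def parse_response(body_text):
    """Return the reply's 'result', or raise IPAError from its 'error' object."""
    reply = json.loads(body_text)
    err = reply.get("error")
    if err:
        raise IPAError(err.get("code"), err.get("name"), err.get("message"))
    return reply["result"]


def user_add_outcome(body_text):
    """Same branch the ipalib snippet takes with 'except errors.DuplicateEntry'."""
    try:
        parse_response(body_text)
    except IPAError as exc:
        if exc.name == "DuplicateEntry":
            return "user already exists"
        raise
    return "User added"


def post_rpc(server, body, headers, cafile, path="/ipa/json"):
    """One TLS POST; verify the server against the IPA CA (cafile) instead of
    disabling verification. Returns (status, Set-Cookie header, body text)."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(server, context=ctx)
    conn.request("POST", path, body=json.dumps(body), headers=headers)
    resp = conn.getresponse()
    text, set_cookie = resp.read().decode("utf-8"), resp.getheader("Set-Cookie")
    conn.close()
    return resp.status, set_cookie, text


def add_user(server, cafile, uid, **options):
    """Authenticate once with GSSAPI, add the user, return (outcome, cookie)."""
    headers = build_headers(server, token_b64=negotiate_token(server))
    status, set_cookie, text = post_rpc(
        server, build_rpc_request("user_add", [uid], **options), headers, cafile)
    if status == 401:
        raise RuntimeError("Negotiate rejected for HTTP/%s; check credentials" % server)
    return user_add_outcome(text), session_cookie_from(set_cookie)


# Constructed sample replies shaped like `ipa -vv` output; not captured from a server.
SAMPLE_OK_REPLY = json.dumps({
    "error": None, "id": 0, "principal": "admin@EXAMPLE.TEST",
    "result": {"result": {"uid": ["testuser"], "givenname": ["Test"], "sn": ["User"]},
               "summary": 'Added user "testuser"', "value": "testuser"}})
SAMPLE_DUPLICATE_REPLY = json.dumps({
    "error": {"code": 4002, "name": "DuplicateEntry",
              "message": 'user with name "testuser" already exists'},
    "id": 0, "principal": "admin@EXAMPLE.TEST", "result": None})
```

Against a real server you would call `add_user("ipa.example.test", "/etc/ipa/ca.crt", "testuser", givenname="Test", sn="User", loginshell="/bin/sh")` with KRB5_KTNAME (or a ccache) set; the returned cookie then goes into `build_headers(..., session_cookie=...)` for later calls. The IPA client itself switches to the /ipa/session/json path once it holds a cookie, so match that if the server refuses the cookie on /ipa/json. The cafile is the CA the update to the curl blog post is about: pin the IPA CA rather than turn verification off.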
