[Freeipa-devel] Is there RPC documentation?

Rob Crittenden rcritten at redhat.com
Thu Feb 27 13:19:24 UTC 2014


Rich Megginson wrote:
> On 02/26/2014 03:48 PM, Simo Sorce wrote:
>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
>>>> Rich Megginson wrote:
>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>>>>> Rich Megginson wrote:
>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
>>>>>>>>> designate
>>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? REST?) to
>>>>>>>>> communicate with freeipa.  Is there documentation about how to
>>>>>>>>> construct
>>>>>>>>> and send RPC messages?
>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>>>>> (read: documented), though it's extremely unlikely to change.
>>>>>>>> If you need an example, run any ipa command with -vv, this will
>>>>>>>> print
>>>>>>>> out the request & response.
>>>>>>>> API.txt in the source tree lists all the commands and params.
>>>>>>>> This blog post still applies (but be sure to read the update about
>>>>>>>> --cacert):
>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
>>>>>>> command in python code?
>>>>>> Here is a pretty stripped-down way to add a user. Other commands are
>>>>>> similar, you just may care more about the output:
>>>>>>
>>>>>> from ipalib import api
>>>>>> from ipalib import errors
>>>>>>
>>>>>> api.bootstrap(context='cli')
>>>>>> api.finalize()
>>>>>> api.Backend.xmlclient.connect()
>>>>>>
>>>>>> try:
>>>>>>      api.Command['user_add'](u'testuser',
>>>>>>                              givenname=u'Test', sn=u'User',
>>>>>>                              loginshell=u'/bin/sh')
>>>>>> except errors.DuplicateEntry:
>>>>>>      print "user already exists"
>>>>>> else:
>>>>>>      print "User added"
>>>>>>
>>>>> How would one do this from outside of ipa?  If ipalib is not
>>>>> available?
>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
>>>> protocol you want to use) and issue one request there. This requires
>>>> Kerberos authentication. The response will include a cookie which you
>>>> should either ignore or store safely (like in the kernel keyring).
>>>> Using the cookie will significantly improve performance.
>>> This is for the ipa dns backend for designate.  I'm assuming I will
>>> either be using a keytab, or perhaps the new proxy?
>>>
>>> At any rate, I have to do everything in python - including the kinit
>>> with the keytab.
>> Look at Rob's daemon but you should *not* do a kinit, you should just use
>> gssapi (see python-kerberos) and do a gss_init_sec_context there, if the
>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
>> automatically kinit for you under the hood.
>>
>>> I guess I'm really looking for specifics - I've seen recommendations to
>>> use the python libraries "requests" and "json".  I don't know if
>>> requests supports negotiate/kerberos.  If not, is there a recommended
>>> library to use?  As this particular project will be part of openstack,
>>> perhaps there is a more "openstack"-y library, or even something
>>> built-in to openstack (oslo?).  I think amqp supports kerberos, so
>>> perhaps there is some oslo.messaging thing that will do the http +
>>> kerberos stuff.
>> Afaik there is nothing that does kerberos in openstack, you'll have to
>> introduce all that stuff.
>
> Egads - implementing openstack-wide kerberos client libraries in order
> to add an ipa dns backend to designate.
>
> Rob, need any help with your proxy?

Well, something occurred to me this morning. You need SSL on top of this 
too, which means you need the IPA CA. The easiest way to get that is to 
enroll the designate server as an IPA client. This pulls in the 
freeipa-python package which gives you ipalib, so no reinventing the 
wheel required.

rob
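To show what the raw /ipa/json exchange Rob describes looks like from Python when ipalib is not available, here is an added example (not code from the thread or from FreeIPA): it builds the same user_add call as Rob's snippet in IPA's JSON-RPC shape, sends the headers the endpoint expects, and turns the reply into the same added/already-exists outcome. The server URL and the sample replies are constructed; the Kerberos Negotiate step itself is left to a GSSAPI-capable HTTP client, as Simo suggests.

```python
import json

# Constructed for this example: the IPA server the designate backend would call.
IPA_BASE = "https://ipa.example.test/ipa"
JSON_ENDPOINT = IPA_BASE + "/json"


def build_request(method, args=(), options=None, req_id=0):
    """Build an IPA JSON-RPC call. IPA's convention (visible in `ipa -vv`
    output) is params = [positional args, {named options}]."""
    return {"method": method,
            "params": [list(args), dict(options or {})],
            "id": req_id}


def request_headers():
    """Headers the /ipa/json endpoint expects. The Referer must point at the
    /ipa base URL or the server refuses the call; the HTTP client adds the
    `Authorization: Negotiate ...` header from GSSAPI on top of these."""
    return {"Content-Type": "application/json",
            "Accept": "application/json",
            "Referer": IPA_BASE}


def add_user_request(uid, givenname, sn, loginshell="/bin/sh"):
    """The same call Rob's ipalib snippet makes, as a JSON-RPC body."""
    return build_request("user_add", [uid], {"givenname": givenname,
                                             "sn": sn,
                                             "loginshell": loginshell})


class IPAError(Exception):
    """Server-side error carried in the reply's "error" object."""
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


def parse_response(body):
    """Return the reply's result, or raise IPAError with the server's code
    and message so callers can branch on it (e.g. a duplicate entry)."""
    reply = json.loads(body)
    if reply.get("error"):
        raise IPAError(reply["error"]["code"], reply["error"]["message"])
    return reply["result"]


def add_user_outcome(body):
    """Mirror the try/except in Rob's snippet for a user_add reply."""
    try:
        parse_response(body)
    except IPAError as e:
        return "user already exists" if "already exists" in str(e) else "error %d" % e.code
    return "User added"


# Constructed sample replies in the shape the server returns (not captured output).
SAMPLE_OK = json.dumps({"result": {"value": "testuser", "summary": 'Added user "testuser"'},
                        "error": None, "id": 0})
SAMPLE_DUP = json.dumps({"result": None, "id": 0,
                         "error": {"code": 4002, "message": 'user with name "testuser" already exists'}})
```

Store the session cookie the reply sets, as Rob notes, and send it on later calls so the server does not have to redo the Kerberos handshake each time.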