[Freeipa-devel] Is there RPC documentation?

Rich Megginson rmeggins at redhat.com
Thu Feb 27 15:41:55 UTC 2014


On 02/27/2014 06:19 AM, Rob Crittenden wrote:
> Rich Megginson wrote:
>> On 02/26/2014 03:48 PM, Simo Sorce wrote:
>>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
>>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
>>>>> Rich Megginson wrote:
>>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>>>>>> Rich Megginson wrote:
>>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
>>>>>>>>>> designate
>>>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? 
>>>>>>>>>> REST?) to
>>>>>>>>>> communicate with freeipa.  Is there documentation about how to
>>>>>>>>>> construct
>>>>>>>>>> and send RPC messages?
>>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>>>>>> (read: documented), though it's extremely unlikely to change.
>>>>>>>>> If you need an example, run any ipa command with -vv, this will
>>>>>>>>> print
>>>>>>>>> out the request & response.
>>>>>>>>> API.txt in the source tree lists all the commands and params.
>>>>>>>>> This blog post still applies (but be sure to read the update 
>>>>>>>>> about
>>>>>>>>> --cacert):
>>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ 
>>>>>>>>>
>>>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
>>>>>>>> command in python code?
>>>>>>> Here is a pretty stripped-down way to add a user. Other commands 
>>>>>>> are
>>>>>>> similar, you just may care more about the output:
>>>>>>>
>>>>>>> from ipalib import api
>>>>>>> from ipalib import errors
>>>>>>>
>>>>>>> api.bootstrap(context='cli')
>>>>>>> api.finalize()
>>>>>>> api.Backend.xmlclient.connect()
>>>>>>>
>>>>>>> try:
>>>>>>>      api.Command['user_add'](u'testuser',
>>>>>>>                              givenname=u'Test', sn=u'User',
>>>>>>>                              loginshell=u'/bin/sh')
>>>>>>> except errors.DuplicateEntry:
>>>>>>>      print("user already exists")
>>>>>>> else:
>>>>>>>      print("User added")
>>>>>>>
>>>>>> How would one do this from outside of ipa?  If ipalib is not
>>>>>> available?
>>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
>>>>> protocol you want to use) and issue one request there. This requires
>>>>> Kerberos authentication. The response will include a cookie which you
>>>>> should either ignore or store safely (like in the kernel keyring).
>>>>> Using the cookie will significantly improve performance.
>>>> This is for the ipa dns backend for designate.  I'm assuming I will
>>>> either be using a keytab, or perhaps the new proxy?
>>>>
>>>> At any rate, I have to do everything in python - including the kinit
>>>> with the keytab.
>>> Look at Rob's daemon, but you should *not* do a kinit, you should just use
>>> gssapi (see python-kerberos) and do a gss_init_sec_context there, if 
>>> the
>>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
>>> automatically kinit for you under the hood.
>>>
>>>> I guess I'm really looking for specifics - I've seen 
>>>> recommendations to
>>>> use the python libraries "requests" and "json".  I don't know if
>>>> requests supports negotiate/kerberos.  If not, is there a recommended
>>>> library to use?  As this particular project will be part of openstack,
>>>> perhaps there is a more "openstack"-y library, or even something
>>>> built-in to openstack (oslo?).  I think amqp support kerberos, so
>>>> perhaps there is some oslo.messaging thing that will do the http +
>>>> kerberos stuff.
>>> Afaik there is nothing that does kerberos in openstack, you'll have to
>>> introduce all that stuff.
>>
>> Egads - implementing openstack-wide kerberos client libraries in order
>> to add an ipa dns backend to designate.
>>
>> Rob, need any help with your proxy?
>
> Well, something occurred to me this morning. You need SSL on top of 
> this too, which means you need the IPA CA. The easiest way to get that 
> is to enroll the designate server as an IPA client. This pulls in the 
> freeipa-python package which gives you ipalib, so no reinventing the 
> wheel required.

I'm trying to use python-kerberos to do auth with a keytab 
(KRB5_KTNAME), without first doing a kinit from the command line. It is 
not working.

Does anyone know how I can do client side kerberos auth with a keytab in 
python without first doing a kinit?

>
> rob
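The pieces the thread names (the JSON-RPC body that `ipa -vv` prints, GSSAPI via python-kerberos with a keytab instead of kinit, TLS against the IPA CA, and the session cookie the reply sets) put together in one Python 3 client. This is an added example, not code from the thread or from the FreeIPA project. Assumptions: the service principal is HTTP/<server> in the IPA realm; MIT krb5 1.11 or later reads the client keytab from KRB5_CLIENT_KTNAME (the thread mentions KRB5_KTNAME, which is the acceptor-side variable) and acquires initiator credentials during gss_init_sec_context; the CA file is the one an enrolled client has at /etc/ipa/ca.crt; the IPA server rejects JSON-RPC requests that lack a Referer header. The host, keytab path, DNS zone and address in the usage block are made up.

```python
"""Minimal FreeIPA JSON-RPC client that authenticates from a keytab via GSSAPI.

Added example (not FreeIPA project code). The JSON helpers need only the
standard library; negotiate_token() additionally needs python-kerberos.
"""
import json
import os
import ssl
import urllib.request
from http.cookiejar import CookieJar


def build_request(method, args=(), options=None, api_version=None, req_id=0):
    """Build the FreeIPA JSON-RPC body.

    params is a two-element list: positional arguments, then keyword options.
    This is exactly the shape `ipa -vv` prints for every command.
    """
    opts = dict(options or {})
    if api_version is not None:
        opts["version"] = api_version  # optional; omit to accept the server default
    return {"method": method, "params": [list(args), opts], "id": req_id}


def parse_response(body_text):
    """Return the 'result' member of a reply, raising if the server set 'error'."""
    reply = json.loads(body_text)
    err = reply.get("error")
    if err:
        raise RuntimeError("IPA error %s: %s" % (err.get("code"), err.get("message")))
    return reply["result"]


def negotiate_token(server, keytab):
    """Produce a SPNEGO token for HTTP@server straight from a keytab (no kinit).

    Assumption: MIT krb5 >= 1.11 honours KRB5_CLIENT_KTNAME and acquires the
    initiator credential itself when python-kerberos calls gss_init_sec_context.
    """
    os.environ["KRB5_CLIENT_KTNAME"] = keytab
    import kerberos  # python-kerberos; imported here so the JSON helpers run without it
    rc, ctx = kerberos.authGSSClientInit("HTTP@" + server)
    if rc != kerberos.AUTH_GSS_COMPLETE:
        raise RuntimeError("authGSSClientInit failed")
    kerberos.authGSSClientStep(ctx, "")          # first leg: empty server challenge
    token = kerberos.authGSSClientResponse(ctx)  # base64 token for the Authorization header
    kerberos.authGSSClientClean(ctx)
    return token


def ipa_call(server, method, args=(), options=None, keytab="", cacert="/etc/ipa/ca.crt"):
    """POST one command to https://<server>/ipa/json, verifying TLS against the IPA CA."""
    token = negotiate_token(server, keytab)
    tls = ssl.create_default_context(cafile=cacert)
    jar = CookieJar()  # the reply sets a session cookie; reuse this opener to reuse it
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=tls),
        urllib.request.HTTPCookieProcessor(jar))
    body = json.dumps(build_request(method, args, options)).encode("utf-8")
    req = urllib.request.Request(
        "https://%s/ipa/json" % server, data=body, method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Referer": "https://%s/ipa" % server,  # assumption: IPA rejects requests without it
            "Authorization": "Negotiate " + token,
        })
    with opener.open(req) as resp:
        return parse_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed values: host, zone, address and keytab path are placeholders.
    print(ipa_call("ipa.example.com", "dnsrecord_add",
                   ["example.com.", "host"], {"arecord": "192.0.2.10"},
                   keytab="/etc/designate/designate.keytab"))
```

The server-side error codes come back in the `error` member rather than as HTTP status codes, so parse_response raises on that member; a DuplicateEntry from the server is surfaced the same way the ipalib version in Rob's snippet catches `errors.DuplicateEntry`.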
