[Freeipa-devel] Is there RPC documentation?

Simo Sorce simo at redhat.com
Thu Feb 27 16:35:12 UTC 2014


On Thu, 2014-02-27 at 11:32 -0500, Rob Crittenden wrote:
> Rich Megginson wrote:
> > On 02/27/2014 06:19 AM, Rob Crittenden wrote:
> >> Rich Megginson wrote:
> >>> On 02/26/2014 03:48 PM, Simo Sorce wrote:
> >>>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
> >>>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> >>>>>> Rich Megginson wrote:
> >>>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
> >>>>>>>> Rich Megginson wrote:
> >>>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
> >>>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
> >>>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
> >>>>>>>>>>> designate
> >>>>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON?
> >>>>>>>>>>> REST?) to
> >>>>>>>>>>> communicate with freeipa.  Is there documentation about how to
> >>>>>>>>>>> construct
> >>>>>>>>>>> and send RPC messages?
> >>>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
> >>>>>>>>>> (read: documented), though it's extremely unlikely to change.
> >>>>>>>>>> If you need an example, run any ipa command with -vv, this will
> >>>>>>>>>> print
> >>>>>>>>>> out the request & response.
> >>>>>>>>>> API.txt in the source tree lists all the commands and params.
> >>>>>>>>>> This blog post still applies (but be sure to read the update
> >>>>>>>>>> about
> >>>>>>>>>> --cacert):
> >>>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> >>>>>>>>>>
> >>>>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
> >>>>>>>>> command in python code?
> >>>>>>>> Here is a pretty stripped-down way to add a user. Other commands
> >>>>>>>> are
> >>>>>>>> similar, you just may care more about the output:
> >>>>>>>>
> >>>>>>>> from ipalib import api
> >>>>>>>> from ipalib import errors
> >>>>>>>>
> >>>>>>>> api.bootstrap(context='cli')
> >>>>>>>> api.finalize()
> >>>>>>>> api.Backend.xmlclient.connect()
> >>>>>>>>
> >>>>>>>> try:
> >>>>>>>>      api.Command['user_add'](u'testuser',
> >>>>>>>>                              givenname=u'Test', sn=u'User',
> >>>>>>>>                              loginshell=u'/bin/sh')
> >>>>>>>> except errors.DuplicateEntry:
> >>>>>>>>      print "user already exists"
> >>>>>>>> else:
> >>>>>>>>      print "User added"
> >>>>>>>>
> >>>>>>> How would one do this from outside of ipa?  If ipalib is not
> >>>>>>> available?
> >>>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
> >>>>>> protocol you want to use) and issue one request there. This requires
> >>>>>> Kerberos authentication. The response will include a cookie which you
> >>>>>> should either ignore or store safely (like in the kernel keyring).
> >>>>>> Using the cookie will significantly improve performance.
> >>>>> This is for the ipa dns backend for designate.  I'm assuming I will
> >>>>> either be using a keytab, or perhaps the new proxy?
> >>>>>
> >>>>> At any rate, I have to do everything in python - including the kinit
> >>>>> with the keytab.
> >>>> Look at Rob's daemon, but you should *not* do a kinit, you should just use
> >>>> gssapi (see python-kerberos) and do a gss_init_sec_context there, if
> >>>> the
> >>>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
> >>>> automatically kinit for you under the hood.
> >>>>
> >>>>> I guess I'm really looking for specifics - I've seen
> >>>>> recommendations to
> >>>>> use the python libraries "requests" and "json".  I don't know if
> >>>>> requests supports negotiate/kerberos.  If not, is there a recommended
> >>>>> library to use?  As this particular project will be part of openstack,
> >>>>> perhaps there is a more "openstack"-y library, or even something
> >>>>> built-in to openstack (oslo?).  I think amqp support kerberos, so
> >>>>> perhaps there is some oslo.messaging thing that will do the http +
> >>>>> kerberos stuff.
> >>>> Afaik there is nothing that does kerberos in openstack, you'll have to
> >>>> introduce all that stuff.
> >>>
> >>> Egads - implementing openstack-wide kerberos client libraries in order
> >>> to add an ipa dns backend to designate.
> >>>
> >>> Rob, need any help with your proxy?
> >>
> >> Well, something occurred to me this morning. You need SSL on top of
> >> this too, which means you need the IPA CA. The easiest way to get that
> >> is to enroll the designate server as an IPA client. This pulls in the
> >> freeipa-python package which gives you ipalib, so no reinventing the
> >> wheel required.
> >
> > I'm trying to use python-kerberos to do auth with a keytab
> > (KRB5_KTNAME), without first doing a kinit from the command line. It is
> > not working.
> >
> > Does anyone know how I can do client side kerberos auth with a keytab in
> > python without first doing a kinit?
> 
> gssproxy. You need at least 0.3.1.
> 
> Add something like this to the _top_ of /etc/gssproxy/gssproxy.conf:
> 
> [service/myservice]
>      mechs = krb5
>      cred_store = client_keytab:/etc/my.keytab
>      cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
>      cred_usage = initiate
>      euid = xx (where xx is the uid of your process)
> 
> I found running gssproxy directly in debug mode another window to be a 
> handy debugging tool while I got my head wrapped around things.

Just for keytab initiation, GSS-Proxy should not be needed if you have
reasonably recent krb5-libs (>= 1.11 IIRC), we just use gssapi lib in
gss-proxy too and don't do explicit kinit in gss-proxy either.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
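An added example, not code from this thread, from FreeIPA or from Designate, of the path Rich asked about: talking to /ipa/json from plain Python (no ipalib) with a Negotiate/SPNEGO handshake, credentials coming from a keytab without a separate kinit. It assumes a server name ipa.example.test, the GSS service name HTTP@ipa.example.test, a CA file path placeholder, the request and response envelope shape that `ipa -vv` prints (params = [positional args, options]; error carries name/code/message), the Referer header that the linked blog post shows curl sending, and python-kerberos' authGSSClient* calls for the real GSS step. It relies on the krb5 1.11 client keytab (selected with KRB5_CLIENT_KTNAME) so the library acquires initial credentials itself, which is what Simo's point about recent krb5-libs amounts to. The HTTP transport and the GSS step are injected so the handshake loop and envelope handling can be exercised offline against constructed messages; the https_transport and kerberos_gss_stepper functions are the real-world plugs.

```python
"""Added example (not from the thread, FreeIPA or Designate): FreeIPA JSON-RPC
over HTTPS with Negotiate auth from a keytab, without ipalib or kinit."""
import base64
import json
import ssl
import urllib.error
import urllib.request


class IPAError(Exception):
    """Raised when the JSON-RPC envelope carries an error object."""
    def __init__(self, name, code, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.name, self.code = name, code


def build_request(method, args=(), options=None, req_id=0):
    # FreeIPA's envelope (as printed by `ipa -vv`): params is [args, options]
    return {"method": method, "params": [list(args), dict(options or {})], "id": req_id}


def parse_response(body):
    # Assumed envelope: {"result": ..., "error": null|{name, code, message}, "id": n}
    env = json.loads(body)
    if env.get("error"):
        err = env["error"]
        raise IPAError(err.get("name"), err.get("code"), err.get("message"))
    return env["result"]


def negotiate_header(token):
    # Value for an RFC 4559 'Authorization: Negotiate <base64 token>' header
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def challenge_token(www_authenticate):
    # Token (possibly empty) from 'WWW-Authenticate: Negotiate [<base64>]';
    # None when the server does not offer Negotiate at all
    parts = www_authenticate.split(None, 1) if www_authenticate else []
    if not parts or parts[0].lower() != "negotiate":
        return None
    return base64.b64decode(parts[1]) if len(parts) > 1 else b""


def kerberos_gss_stepper(service):
    """Real GSS step using python-kerberos (assumed installed). With krb5 >= 1.11
    and KRB5_CLIENT_KTNAME pointing at the keytab, initial credentials are
    acquired by the library itself; no kinit in the process."""
    import kerberos  # imported lazily so the offline demo does not need it
    _, ctx = kerberos.authGSSClientInit(service)  # e.g. "HTTP@ipa.example.test"

    def step(challenge):
        # python-kerberos exchanges base64 text, so re-encode around it
        kerberos.authGSSClientStep(ctx, base64.b64encode(challenge).decode("ascii"))
        out = kerberos.authGSSClientResponse(ctx)
        return base64.b64decode(out) if out else b""
    return step


def https_transport(cafile):
    """POST over TLS, verifying the server against the IPA CA in `cafile`
    (placeholder path, e.g. /etc/ipa/ca.crt on an enrolled client)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(url, headers, body):
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.getcode(), dict(resp.headers), resp.read().decode()
        except urllib.error.HTTPError as e:  # 401 challenges arrive here
            return e.code, dict(e.headers), e.read().decode()
    return send


def call_ipa(base_url, method, args, options, transport, gss_step, max_rounds=3):
    """One JSON-RPC call, driving the Negotiate handshake until the server
    answers with something other than 401. transport(url, headers, body) returns
    (status, response_headers, response_body); gss_step(challenge) returns the
    next client token."""
    url = base_url + "/ipa/json"
    body = json.dumps(build_request(method, args, options))
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               # FreeIPA checks Referer on the JSON endpoint (the curl post sets it too)
               "Referer": base_url + "/ipa"}
    token = gss_step(b"")  # initial token; credentials come from the client keytab
    for _ in range(max_rounds):
        headers["Authorization"] = negotiate_header(token)
        status, rhdrs, rbody = transport(url, headers, body)
        if status != 401:
            return parse_response(rbody)
        www = next((v for k, v in rhdrs.items() if k.lower() == "www-authenticate"), "")
        chal = challenge_token(www)
        if chal is None:
            raise PermissionError("server did not offer Negotiate")
        token = gss_step(chal)
    raise PermissionError("Negotiate handshake did not complete")


if __name__ == "__main__":
    # Real use (assumed names): one A record added through the DNS plugin.
    transport = https_transport("/path/to/ipa-ca.crt")  # placeholder
    step = kerberos_gss_stepper("HTTP@ipa.example.test")
    print(call_ipa("https://ipa.example.test", "dnsrecord_add",
                   ["example.test", "www"], {"arecord": "192.0.2.10"}, transport, step))
```

The response cookie Rob mentions (ipa_session) can be added to the transport and sent on later calls to skip the GSS round trip; the loop above simply re-authenticates every call, which is correct but slower.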
