[Freeipa-devel] Is there RPC documentation?

Simo Sorce simo at redhat.com
Thu Feb 27 16:35:59 UTC 2014


On Thu, 2014-02-27 at 08:41 -0700, Rich Megginson wrote:
> On 02/27/2014 06:19 AM, Rob Crittenden wrote:
> > Rich Megginson wrote:
> >> On 02/26/2014 03:48 PM, Simo Sorce wrote:
> >>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
> >>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> >>>>> Rich Megginson wrote:
> >>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
> >>>>>>> Rich Megginson wrote:
> >>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
> >>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
> >>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
> >>>>>>>>>> designate
> >>>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? 
> >>>>>>>>>> REST?) to
> >>>>>>>>>> communicate with freeipa.  Is there documentation about how to
> >>>>>>>>>> construct
> >>>>>>>>>> and send RPC messages?
> >>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
> >>>>>>>>> (read: documented), though it's extremely unlikely to change.
> >>>>>>>>> If you need an example, run any ipa command with -vv, this will
> >>>>>>>>> print
> >>>>>>>>> out the request & response.
> >>>>>>>>> API.txt in the source tree lists all the commands and params.
> >>>>>>>>> This blog post still applies (but be sure to read the update 
> >>>>>>>>> about
> >>>>>>>>> --cacert):
> >>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/ 
> >>>>>>>>>
> >>>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
> >>>>>>>> command in python code?
> >>>>>>> Here is a pretty stripped-down way to add a user. Other commands 
> >>>>>>> are
> >>>>>>> similar, you just may care more about the output:
> >>>>>>>
> >>>>>>> from ipalib import api
> >>>>>>> from ipalib import errors
> >>>>>>>
> >>>>>>> # Load the client config (/etc/ipa/default.conf), then open the
> >>>>>>> # XML-RPC connection; this uses the Kerberos ccache of the caller.
> >>>>>>> api.bootstrap(context='cli')
> >>>>>>> api.finalize()
> >>>>>>> api.Backend.xmlclient.connect()
> >>>>>>>
> >>>>>>> try:
> >>>>>>>      api.Command['user_add'](u'testuser',
> >>>>>>>                              givenname=u'Test', sn=u'User',
> >>>>>>>                              loginshell=u'/bin/sh')
> >>>>>>> except errors.DuplicateEntry:
> >>>>>>>      print("user already exists")
> >>>>>>> else:
> >>>>>>>      print("User added")
> >>>>>>>
> >>>>>> How would one do this from outside of ipa?  If ipalib is not
> >>>>>> available?
> >>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
> >>>>> protocol you want to use) and issue one request there. This requires
> >>>>> Kerberos authentication. The response will include a cookie which you
> >>>>> should either ignore or store safely (like in the kernel keyring).
> >>>>> Using the cookie will significantly improve performance.
> >>>> This is for the ipa dns backend for designate.  I'm assuming I will
> >>>> either be using a keytab, or perhaps the new proxy?
> >>>>
> >>>> At any rate, I have to do everything in python - including the kinit
> >>>> with the keytab.
> >>> Look at Rob's daemon, but you should *not* do a kinit, you should just use
> >>> gssapi (see python-kerberos) and do a gss_init_sec_context there, if 
> >>> the
> >>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
> >>> automatically kinit for you under the hood.
> >>>
> >>>> I guess I'm really looking for specifics - I've seen 
> >>>> recommendations to
> >>>> use the python libraries "requests" and "json".  I don't know if
> >>>> requests supports negotiate/kerberos.  If not, is there a recommended
> >>>> library to use?  As this particular project will be part of openstack,
> >>>> perhaps there is a more "openstack"-y library, or even something
> >>>> built-in to openstack (oslo?).  I think amqp support kerberos, so
> >>>> perhaps there is some oslo.messaging thing that will do the http +
> >>>> kerberos stuff.
> >>> Afaik there is nothing that does kerberos in openstack, you'll have to
> >>> introduce all that stuff.
> >>
> >> Egads - implementing openstack-wide kerberos client libraries in order
> >> to add an ipa dns backend to designate.
> >>
> >> Rob, need any help with your proxy?
> >
> > Well, something occurred to me this morning. You need SSL on top of 
> > this too, which means you need the IPA CA. The easiest way to get that 
> > is to enroll the designate server as an IPA client. This pulls in the 
> > freeipa-python package which gives you ipalib, so no reinventing the 
> > wheel required.
> 
> I'm trying to use python-kerberos to do auth with a keytab 
> (KRB5_KTNAME), without first doing a kinit from the command line. It is 
> not working.
> 
> Does anyone know how I can do client side kerberos auth with a keytab in 
> python without first doing a kinit?

Ping me privately if you can't make it work and we'll try to debug why.

Simo

-- 
Simo Sorce * Red Hat, Inc * New York
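The thread asks how to do the equivalent of the curl call from Python without ipalib: build a FreeIPA JSON-RPC body, authenticate with Negotiate via python-kerberos (no kinit in the code), verify the server with the IPA CA and handle the DuplicateEntry case from Rob's snippet. The module below is an added example written for this page; it is not code from the thread, from FreeIPA or from designate. The request and response shapes follow what `ipa -vv` prints (method, a two-element params list of positional args then options, an id; result/error/id/principal/version in the reply). Two things in it are assumptions rather than facts from the thread: the sample response bodies (including the error code) are constructed, and the server name ipa.example.com, the CA path /etc/ipa/ca.crt and the helper names are placeholders. One caveat for the keytab question at the end of the thread: with MIT krb5 1.11 or later, the variable that makes libkrb5 obtain initial credentials from a keytab without kinit is KRB5_CLIENT_KTNAME; KRB5_KTNAME names the acceptor (server-side) keytab, so setting only KRB5_KTNAME does not give the initiator credentials.

```python
"""Minimal FreeIPA JSON-RPC client pieces without ipalib (added example).

Assumptions, not taken from the thread: server name, CA path and helper
names are placeholders; sample responses below are constructed.
"""
import json
import ssl
import urllib.request


class IPAError(Exception):
    """Raised when the reply carries a non-null "error" member."""

    def __init__(self, name, code, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.name, self.code, self.message = name, code, message


def build_request(method, args=(), options=None, request_id=0):
    """JSON-RPC body as the ipa CLI sends it: params is a two-element list,
    positional arguments first, then a dict of keyword options."""
    return {
        "method": method,
        "params": [list(args), dict(options or {})],
        "id": request_id,
    }


def parse_response(text, expected_id=0):
    """Return the "result" member, or raise IPAError from "error"."""
    body = json.loads(text)
    if body.get("id") != expected_id:
        raise ValueError("response id %r != %r" % (body.get("id"), expected_id))
    err = body.get("error")
    if err is not None:
        raise IPAError(err.get("name", "UnknownError"),
                       err.get("code"), err.get("message", ""))
    return body["result"]


def add_user_outcome(response_text):
    """Rob's try/except DuplicateEntry logic applied to a raw reply body."""
    try:
        parse_response(response_text)
    except IPAError as e:
        if e.name == "DuplicateEntry":
            return "user already exists"
        raise
    return "User added"


def negotiate_header(host):
    """'Authorization: Negotiate <token>' via python-kerberos (GSSAPI
    initiator; credentials come from the ccache or client keytab, never
    from a kinit here).  Imported lazily so the rest works without it."""
    import kerberos  # python-kerberos, as suggested in the thread
    rc, ctx = kerberos.authGSSClientInit("HTTP@" + host)
    if rc != kerberos.AUTH_GSS_COMPLETE:
        raise RuntimeError("authGSSClientInit failed")
    try:
        kerberos.authGSSClientStep(ctx, "")      # first token, no challenge
        return "Negotiate " + kerberos.authGSSClientResponse(ctx)
    finally:
        kerberos.authGSSClientClean(ctx)


def call(server, method, args=(), options=None, ca_bundle="/etc/ipa/ca.crt"):
    """POST one call to https://<server>/ipa/json.  The IPA CA verifies the
    server certificate (Rob's point); the Referer header is mandatory,
    the IPA server refuses requests without one (its CSRF check)."""
    body = json.dumps(build_request(method, args, options)).encode()
    tls = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(
        "https://%s/ipa/json" % server, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json",
                 "Referer": "https://%s/ipa" % server,
                 "Authorization": negotiate_header(server)})
    with urllib.request.urlopen(req, context=tls) as resp:
        return parse_response(resp.read().decode())


# Constructed sample replies (not captured from a real server), shaped
# like the bodies ipa -vv prints.
SAMPLE_OK = json.dumps({
    "result": {"result": {"uid": ["testuser"], "sn": ["User"]},
               "value": "testuser", "summary": 'Added user "testuser"'},
    "error": None, "id": 0, "principal": "admin@EXAMPLE.COM", "version": "3.3.4"})
SAMPLE_DUP = json.dumps({
    "result": None,
    "error": {"code": 4002, "name": "DuplicateEntry",
              "message": 'user with name "testuser" already exists'},
    "id": 0, "principal": "admin@EXAMPLE.COM", "version": "3.3.4"})

if __name__ == "__main__":
    print(json.dumps(build_request("user_add", ["testuser"],
                                   {"givenname": "Test", "sn": "User"})))
    print(add_user_outcome(SAMPLE_OK), "/", add_user_outcome(SAMPLE_DUP))
```

To run against a real server, set KRB5_CLIENT_KTNAME to the service keytab and call `call("ipa.example.com", "user_add", ["testuser"], {"givenname": "Test", "sn": "User"})`; the reply's Set-Cookie (ipa_session) can be stored and sent back on later calls to skip the GSSAPI round trip, as Rob describes.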
