[Freeipa-users] Looking for documentation for Python API
Alexander Bokovoy
abokovoy at redhat.com
Fri May 13 09:49:57 UTC 2016
On Thu, 12 May 2016, Jan Cholasta wrote:
>On 11.5.2016 10:52, Martin Kosek wrote:
>>On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>
>>>>So for example for caacl-add:
>>>>api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>description")
>>>>
>>>>you can try commands in "ipa console" it contains initialized API, just
>>>>call api.Command.<your-favorite-command>()
>>>>
>>>>API.txt provides the same information as API browser, but browser looks
>>>>better :)
>>>>
>>>>Feel free to ask anything, if you identified gaps in docs which are hard
>>>>to understand for non-IPA developer feel free report it, or feel free to
>>>>create howTo in freeipa.org page.
>>>
>>>Thanks for the pointers. I'm looking at automating some user and group
>>>additions, group editing, etc. Am I right in assuming that anything that uses
>>>the api.Command.<some_command> will require a kinit <user> before it is run,
>>>even if it is via the Python API? If I want to use a user/pass from the script
>>>itself (and not have a shell script which does kinit, then fires off my Python
>>>script) would I be better off hitting the web API with sessions and JSON-RPC as
>>>detailed here:
>>>
>>>https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>
>>>Put another way, since I want to hit the API from a system that might not have
>>>sssd installed, nor has joined the realm, I assume it would be *impossible* to
>>>use api.Command.<something> as it relies on a Kerberos ticket? To put it yet
>>>another way: is there a way to hand a user/pass to the Python API and
>>>authenticate that way.
>>
>>The API itself can be hit with user/password, as noted in Alexander's blog. If
>>you want to use the actual Python API, Kerberos may be the only way. But I
>>think Jan or Petr may had some other (hacky) way to pass user+password there too.
>
>I don't think we support anything but Kerberos on the client side in
>our Python API. It might be possible to somehow emulate what the web
>UI does, but I haven't personally ever attempted to do that. Petr,
>have you?
It should be relatively easy to update IPA cli code to accept a jar with
a cookie and use that if Kerberos ccache is missing or empty.
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list