[Freeipa-users] Looking for documentation for Python API

Fri May 13 12:31:54 UTC 2016

On Fri, 13 May 2016, Petr Vobornik wrote:
>On 05/13/2016 11:49 AM, Alexander Bokovoy wrote:
>> On Thu, 12 May 2016, Jan Cholasta wrote:
>>> On 11.5.2016 10:52, Martin Kosek wrote:
>>>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote:
>>>>> On Friday, May 06, 2016 09:04:59 Martin Basti wrote:
>>>>>> since IPA4.2 web UI contains API browser (IPA Server/API Browser)
>>>>>>
>>>>>> So for example for caacl-add:
>>>>>> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional
>>>>>> description")
>>>>>>
>>>>>> you can try commands in "ipa console" it contains initialized API,
>>>>>> just
>>>>>> call api.Command.<your-favorite-command>()
>>>>>>
>>>>>> API.txt provides the same information as API browser, but browser
>>>>>> looks
>>>>>> better :)
>>>>>>
>>>>>> Feel free to ask anything, if you identified gaps in docs which are
>>>>>> hard
>>>>>> to understand for non-IPA developer feel free report it, or feel
>>>>>> free to
>>>>>> create howTo in freeipa.org page.
>>>>>
>>>>> Thanks for the pointers. I'm looking at automating some user and group
>>>>> additions, group editing, etc.  Am I right in assuming that anything
>>>>> that uses
>>>>> the api.Command.<some_command> will require a kinit <user> before it
>>>>> is run,
>>>>> even if it is via the Python API? If I want to use a user/pass from
>>>>> the script
>>>>> itself (and not have a shell script which does kinit, then fires off
>>>>> my Python
>>>>> script) would I be better off hitting the web API with sessions and
>>>>> JSON-RPC as
>>>>> detailed here:
>>>>>
>>>>> https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>>>
>>>>>
>>>>> Put another way, since I want to hit the API from a system that
>>>>> might not have
>>>>> sssd installed, nor has joined the realm, I assume it would be
>>>>> *impossible* to
>>>>> use api.Command.<something> as it relies on a Kerberos ticket?  To
>>>>> put it yet
>>>>> another way: is there a way to hand a user/pass to the Python API and
>>>>> authenticate that way.
>>>>
>>>> The API itself can be hit with user/password, as noted in Alexander's
>>>> blog. If
>>>> you want to use the actual Python API, Kerberos may be the only way.
>>>> But I
>>>> think Jan or Petr may had some other (hacky) way to pass
>>>> user+password there too.
>>>
>>> I don't think we support anything but Kerberos on the client side in
>>> our Python API. It might be possible to somehow emulate what the web
>>> UI does, but I haven't personally ever attempted to do that. Petr,
>>> have you?
>> It should be relatively easy to update IPA cli code to accept a jar with
>> a cookie and use that if Kerberos ccache is missing or empty.
>>
>
>I implemented it a year ago, but the patch was not merged:
>https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html
I can revive it. I think it brings sufficient value to get merged.
-- 
/ Alexander Bokovoy