[Freeipa-devel] Is there RPC documentation?

Dmitri Pal dpal at redhat.com
Wed Feb 26 22:58:29 UTC 2014


On 02/26/2014 05:48 PM, Simo Sorce wrote:
> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
>>> Rich Megginson wrote:
>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>>>> Rich Megginson wrote:
>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>>>> I'm working on adding support for freeipa DNS to openstack designate
>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON? REST?) to
>>>>>>>> communicate with freeipa.  Is there documentation about how to
>>>>>>>> construct
>>>>>>>> and send RPC messages?
>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>>>> (read: documented), though it's extremely unlikely to change.
>>>>>>> If you need an example, run any ipa command with -vv, this will print
>>>>>>> out the request&  response.
>>>>>>> API.txt in the source tree lists all the commands and params.
>>>>>>> This blog post still applies (but be sure to read the update about
>>>>>>> --cacert):
>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>>>>>>
>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
>>>>>> command in python code?
>>>>> Here is a pretty stripped-down way to add a user. Other commands are
>>>>> similar, you just may care more about the output:
>>>>>
>>>>> from ipalib import api
>>>>> from ipalib import errors
>>>>>
>>>>> api.bootstrap(context='cli')
>>>>> api.finalize()
>>>>> api.Backend.xmlclient.connect()
>>>>>
>>>>> try:
>>>>>      api.Command['user_add'](u'testuser',
>>>>>                              givenname=u'Test', sn=u'User',
>>>>>                              loginshell=u'/bin/sh')
>>>>> except errors.DuplicateEntry:
>>>>>      print "user already exists"
>>>>> else:
>>>>>      print "User added"
>>>>>
>>>> How would one do this from outside of ipa?  If ipalib is not available?
>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
>>> protocol you want to use) and issue one request there. This requires
>>> Kerberos authentication. The response will include a cookie which you
>>> should either ignore or store safely (like in the kernel keyring).
>>> Using the cookie will significantly improve performance.
>> This is for the ipa dns backend for designate.  I'm assuming I will
>> either be using a keytab, or perhaps the new proxy?
>>
>> At any rate, I have to do everything in python - including the kinit
>> with the keytab.
> Look at Rob's daemon but you should *not* do a kinit, you should just use
> gssapi (see python-kerberos) and do a gss_init_sec_context there, if the
> environment is configured (KRB5_KTNAME set correctly) then gssapi will
> automatically kinit for you under the hood.

Yes look at Rob's smart proxy and use a similar approach.

>
>> I guess I'm really looking for specifics - I've seen recommendations to
>> use the python libraries "requests" and "json".  I don't know if
>> requests supports negotiate/kerberos.  If not, is there a recommended
>> library to use?  As this particular project will be part of openstack,
>> perhaps there is a more "openstack"-y library, or even something
>> built-in to openstack (oslo?).  I think amqp support kerberos, so
>> perhaps there is some oslo.messaging thing that will do the http +
>> kerberos stuff.
> Afaik there is nothing that does kerberos in openstack, you'll have to
> introduce all that stuff.
>
> HTH,
> Simo.
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
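For the ipalib-free route Rob and Simo describe (post a JSON-RPC call to /ipa/json, authenticate with GSSAPI/SPNEGO rather than a kinit, keep the session cookie the server returns), here is an added example that is not code from the thread, from FreeIPA or from designate. It assumes the request and response layout that `ipa -vv` prints (method, a two-element `params` list, `id`, and a `result`/`error` pair in the reply, with error names matching ipalib's `errors` classes), the `ipa_session` cookie name, the `Referer` check the linked curl recipe works around, and that `requests` and `requests-gssapi` are installed for the transport; the sample bodies in the comments and tests are constructed.

```python
# Added example (not from the thread, FreeIPA or designate): a minimal
# JSON-RPC client for /ipa/json that needs no ipalib.  Credentials come
# from the GSSAPI library (keytab via the environment, as Simo describes),
# so the code never shells out to kinit.
import json


class IPAError(Exception):
    """Error object carried in a JSON-RPC reply, e.g. name="DuplicateEntry"."""

    def __init__(self, name, code, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.name = name
        self.code = code


def build_request(method, args=(), options=None, request_id=0):
    """FreeIPA expects params as [positional_args, keyword_options] (assumed layout)."""
    return {
        "method": method,
        "params": [list(args), dict(options or {})],
        "id": request_id,
    }


def parse_response(body, expected_id=0):
    """Return the 'result' member, or raise IPAError when 'error' is set.

    A reply whose id does not match the request is refused, so a stale or
    replayed answer cannot be mistaken for the answer to this call.
    """
    reply = json.loads(body) if isinstance(body, (str, bytes)) else body
    if reply.get("id") != expected_id:
        raise ValueError("response id %r does not match request id %r"
                         % (reply.get("id"), expected_id))
    error = reply.get("error")
    if error:
        raise IPAError(error.get("name", "unknown"), error.get("code"),
                       error.get("message", ""))
    return reply["result"]


def session_cookie(set_cookie_header):
    """Extract the ipa_session value from a Set-Cookie header (cookie name assumed)."""
    for part in set_cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "ipa_session":
            return value
    return None


def call(server, method, args=(), options=None, cacert=None, cookie=None):
    """Send one call over HTTPS with SPNEGO auth; returns (result, session cookie).

    requests and requests-gssapi are assumed to be installed; verify the
    server with the IPA CA certificate (the --cacert point from the blog post).
    """
    import requests
    from requests_gssapi import HTTPSPNEGOAuth, OPTIONAL

    url = "https://%s/ipa/json" % server
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        # the server rejects JSON-RPC calls whose Referer is not under /ipa
        "Referer": "https://%s/ipa" % server,
    }
    cookies = {"ipa_session": cookie} if cookie else None
    resp = requests.post(url,
                         data=json.dumps(build_request(method, args, options)),
                         headers=headers, cookies=cookies,
                         auth=HTTPSPNEGOAuth(mutual_authentication=OPTIONAL),
                         verify=cacert or True)
    resp.raise_for_status()
    new_cookie = session_cookie(resp.headers.get("Set-Cookie", "")) or cookie
    return parse_response(resp.text), new_cookie


if __name__ == "__main__":
    # Equivalent of Rob's ipalib snippet; "ipa.example.test" is a placeholder.
    try:
        result, cookie = call("ipa.example.test", "user_add", ["testuser"],
                              {"givenname": "Test", "sn": "User",
                               "loginshell": "/bin/sh"},
                              cacert="/etc/ipa/ca.crt")
    except IPAError as e:
        if e.name == "DuplicateEntry":
            print("user already exists")
        else:
            raise
    else:
        print("User added")
```

The returned cookie is what Rob suggests storing somewhere safe and reusing: pass it back as `cookie=` on later calls so the server can skip the Negotiate round trip. The GSSAPI credential itself is never touched by this code; it is found by the Kerberos library from the environment of the process, which is the whole reason to prefer this over a scripted kinit.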

