[Freeipa-devel] Is there RPC documentation?

Rob Crittenden rcritten at redhat.com
Thu Feb 27 16:32:34 UTC 2014


Rich Megginson wrote:
> On 02/27/2014 06:19 AM, Rob Crittenden wrote:
>> Rich Megginson wrote:
>>> On 02/26/2014 03:48 PM, Simo Sorce wrote:
>>>> On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
>>>>> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
>>>>>> Rich Megginson wrote:
>>>>>>> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
>>>>>>>> Rich Megginson wrote:
>>>>>>>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
>>>>>>>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
>>>>>>>>>>> I'm working on adding support for freeipa DNS to openstack
>>>>>>>>>>> designate
>>>>>>>>>>> (DNSaaS).  I am assuming I need to use RPC (XML?  JSON?
>>>>>>>>>>> REST?) to
>>>>>>>>>>> communicate with freeipa.  Is there documentation about how to
>>>>>>>>>>> construct
>>>>>>>>>>> and send RPC messages?
>>>>>>>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
>>>>>>>>>> (read: documented), though it's extremely unlikely to change.
>>>>>>>>>> If you need an example, run any ipa command with -vv, this will
>>>>>>>>>> print
>>>>>>>>>> out the request & response.
>>>>>>>>>> API.txt in the source tree lists all the commands and params.
>>>>>>>>>> This blog post still applies (but be sure to read the update
>>>>>>>>>> about
>>>>>>>>>> --cacert):
>>>>>>>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>>>>>>>>>
>>>>>>>>> Ok.  Next question is - how does one do the equivalent of the curl
>>>>>>>>> command in python code?
>>>>>>>> Here is a pretty stripped-down way to add a user. Other commands
>>>>>>>> are
>>>>>>>> similar, you just may care more about the output:
>>>>>>>>
>>>>>>>> from ipalib import api
>>>>>>>> from ipalib import errors
>>>>>>>>
>>>>>>>> api.bootstrap(context='cli')
>>>>>>>> api.finalize()
>>>>>>>> api.Backend.xmlclient.connect()
>>>>>>>>
>>>>>>>> try:
>>>>>>>>      api.Command['user_add'](u'testuser',
>>>>>>>>                              givenname=u'Test', sn=u'User',
>>>>>>>>                              loginshell=u'/bin/sh')
>>>>>>>> except errors.DuplicateEntry:
>>>>>>>>      print "user already exists"
>>>>>>>> else:
>>>>>>>>      print "User added"
>>>>>>>>
>>>>>>> How would one do this from outside of ipa?  If ipalib is not
>>>>>>> available?
>>>>>> You'd need to go to either /ipa/xml or /ipa/json (depending on what
>>>>>> protocol you want to use) and issue one request there. This requires
>>>>>> Kerberos authentication. The response will include a cookie which you
>>>>>> should either ignore or store safely (like in the kernel keyring).
>>>>>> Using the cookie will significantly improve performance.
>>>>> This is for the ipa dns backend for designate.  I'm assuming I will
>>>>> either be using a keytab, or perhaps the new proxy?
>>>>>
>>>>> At any rate, I have to do everything in python - including the kinit
>>>>> with the keytab.
>>>> Look at Rob's daemon, but you should *not* do a kinit, you should just use
>>>> gssapi (see python-kerberos) and do a gss_init_sec_context there, if
>>>> the
>>>> environment is configured (KRB5_KTNAME set correctly) then gssapi will
>>>> automatically kinit for you under the hood.
>>>>
>>>>> I guess I'm really looking for specifics - I've seen
>>>>> recommendations to
>>>>> use the python libraries "requests" and "json".  I don't know if
>>>>> requests supports negotiate/kerberos.  If not, is there a recommended
>>>>> library to use?  As this particular project will be part of openstack,
>>>>> perhaps there is a more "openstack"-y library, or even something
>>>>> built-in to openstack (oslo?).  I think amqp supports kerberos, so
>>>>> perhaps there is some oslo.messaging thing that will do the http +
>>>>> kerberos stuff.
>>>> Afaik there is nothing that does kerberos in openstack, you'll have to
>>>> introduce all that stuff.
>>>
>>> Egads - implementing openstack-wide kerberos client libraries in order
>>> to add an ipa dns backend to designate.
>>>
>>> Rob, need any help with your proxy?
>>
>> Well, something occurred to me this morning. You need SSL on top of
>> this too, which means you need the IPA CA. The easiest way to get that
>> is to enroll the designate server as an IPA client. This pulls in the
>> freeipa-python package which gives you ipalib, so no reinventing the
>> wheel required.
>
> I'm trying to use python-kerberos to do auth with a keytab
> (KRB5_KTNAME), without first doing a kinit from the command line. It is
> not working.
>
> Does anyone know how I can do client side kerberos auth with a keytab in
> python without first doing a kinit?

gssproxy. You need at least 0.3.1.

Add something like this to the _top_ of /etc/gssproxy/gssproxy.conf:

[service/myservice]
     mechs = krb5
     cred_store = client_keytab:/etc/my.keytab
     cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
     cred_usage = initiate
     euid = xx (where xx is the uid of your process)

I found running gssproxy directly in debug mode in another window to be a
handy debugging tool while I got my head wrapped around things.

rob
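As an added illustration (not code from the thread or from FreeIPA itself), the snippet below does the same `user_add` call as the ipalib example above, but over the raw `/ipa/json` endpoint, which is what Rich asked about: it builds the JSON-RPC envelope, sets the headers the IPA server expects, and maps the server's `error` object back to the `DuplicateEntry` name. The Negotiate transport uses the `requests` and `requests_kerberos` libraries, an assumption on my part (the thread names `requests` and python-kerberos but settles on nothing); `ipa.example.test` is a placeholder and `/etc/ipa/ca.crt` is where an enrolled client keeps the IPA CA, which is how Rob suggests getting the certificate.

```python
import json

# Constructed sample values: the server name is a placeholder for an enrolled
# IPA client; /etc/ipa/ca.crt is where ipa-client-install stores the IPA CA.
IPA_SERVER = "ipa.example.test"
IPA_CACERT = "/etc/ipa/ca.crt"

class IPAError(Exception):
    """Server-side error; `name` matches the ipalib exception class name."""
    def __init__(self, name, code, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.name, self.code = name, code

def build_request(method, args=(), options=None, request_id=0):
    """FreeIPA JSON-RPC envelope: params is [positional args, keyword options]."""
    return {"method": method, "params": [list(args), dict(options or {})], "id": request_id}

def ipa_headers(server=IPA_SERVER):
    # The IPA server refuses RPC calls whose Referer does not point at its /ipa URL.
    return {"Content-Type": "application/json", "Accept": "application/json",
            "Referer": "https://%s/ipa" % server}

def parse_response(body):
    """Return the `result` object, or raise IPAError built from the `error` object."""
    resp = json.loads(body)
    if resp.get("error"):
        err = resp["error"]
        raise IPAError(err.get("name"), err.get("code"), err.get("message"))
    return resp["result"]

def add_user(post, uid, givenname, sn, loginshell="/bin/sh", server=IPA_SERVER):
    """Same call as the ipalib snippet in the thread, over /ipa/json.
    `post(url, headers, body) -> response text` is injected so it can be faked."""
    req = build_request("user_add", [uid], {"givenname": givenname, "sn": sn, "loginshell": loginshell})
    try:
        return parse_response(post("https://%s/ipa/json" % server, ipa_headers(server), json.dumps(req)))
    except IPAError as e:
        if e.name == "DuplicateEntry":
            return None  # the thread's "user already exists" branch
        raise

def kerberos_post(cacert=IPA_CACERT):
    """Real transport (assumed libraries; not exercised offline): Negotiate/GSSAPI
    via requests_kerberos. Credentials come from the environment (keytab or
    gssproxy as Rob describes), so no kinit is needed; one Session keeps the
    ipa_session cookie, avoiding a fresh GSSAPI exchange on every call."""
    import requests
    from requests_kerberos import HTTPKerberosAuth, OPTIONAL
    s = requests.Session()
    s.auth, s.verify = HTTPKerberosAuth(mutual_authentication=OPTIONAL), cacert
    return lambda url, headers, body: s.post(url, headers=headers, data=body).text
```

`add_user(kerberos_post(), "testuser", "Test", "User")` is the live call; the response bodies in the test are constructed samples of the server's success and error shapes.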
