On Wed, 2014-02-26 at 15:28 -0700, Rich Megginson wrote:
> On 02/26/2014 03:22 PM, Rob Crittenden wrote:
> > Rich Megginson wrote:
> >> On 02/26/2014 02:19 PM, Rob Crittenden wrote:
> >>> Rich Megginson wrote:
> >>>> On 02/26/2014 08:53 AM, Petr Viktorin wrote:
> >>>>> On 02/26/2014 04:45 PM, Rich Megginson wrote:
> >>>>>> I'm working on adding support for freeipa DNS to openstack designate
> >>>>>> (DNSaaS). I am assuming I need to use RPC (XML? JSON? REST?) to
> >>>>>> communicate with freeipa. Is there documentation about how to
> >>>>>> construct and send RPC messages?
> >>>>>
> >>>>> The JSON-RPC and XML-RPC API is still not "officially supported"
> >>>>> (read: documented), though it's extremely unlikely to change.
> >>>>> If you need an example, run any ipa command with -vv, this will print
> >>>>> out the request & response.
> >>>>> API.txt in the source tree lists all the commands and params.
> >>>>> This blog post still applies (but be sure to read the update about
> >>>>> --cacert):
> >>>>> http://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
> >>>>
> >>>> Ok. Next question is - how does one do the equivalent of the curl
> >>>> command in python code?
> >>>
> >>> Here is a pretty stripped-down way to add a user. Other commands are
> >>> similar, you just may care more about the output:
> >>>
> >>> from ipalib import api
> >>> from ipalib import errors
> >>>
> >>> # Bootstrap the client-side API, then open the XML-RPC connection
> >>> # (Kerberos credentials are taken from the environment).
> >>> api.bootstrap(context='cli')
> >>> api.finalize()
> >>> api.Backend.xmlclient.connect()
> >>>
> >>> try:
> >>>     api.Command['user_add'](u'testuser',
> >>>                             givenname=u'Test', sn=u'User',
> >>>                             loginshell=u'/bin/sh')
> >>> except errors.DuplicateEntry:
> >>>     print("user already exists")
> >>> else:
> >>>     print("User added")
> >>
> >> How would one do this from outside of ipa? If ipalib is not available?
> >
> > You'd need to go to either /ipa/xml or /ipa/json (depending on what
> > protocol you want to use) and issue one request there. This requires
> > Kerberos authentication. The response will include a cookie which you
> > should either ignore or store safely (like in the kernel keyring).
> > Using the cookie will significantly improve performance.
>
> This is for the ipa dns backend for designate. I'm assuming I will
> either be using a keytab, or perhaps the new proxy?
>
> At any rate, I have to do everything in python - including the kinit
> with the keytab.
Look at Rob's daemon, but you should *not* do a kinit; you should just use
gssapi (see python-kerberos) and do a gss_init_sec_context there. If the
environment is configured (KRB5_KTNAME set correctly) then gssapi will
automatically kinit for you under the hood.

> I guess I'm really looking for specifics - I've seen recommendations to
> use the python libraries "requests" and "json". I don't know if
> requests supports negotiate/kerberos. If not, is there a recommended
> library to use? As this particular project will be part of openstack,
> perhaps there is a more "openstack"-y library, or even something
> built-in to openstack (oslo?). I think amqp supports kerberos, so
> perhaps there is some oslo.messaging thing that will do the http +
> kerberos stuff.

Afaik there is nothing that does kerberos in openstack, you'll have to
introduce all that stuff.

HTH,
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
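Putting Rob's and Simo's answers together (JSON-RPC to /ipa/json, Kerberos via GSSAPI with no explicit kinit, the session cookie reused for later calls, the CA cert from the --cacert note): the following is an added example, not code from this thread, from FreeIPA or from Designate. It assumes things the thread does not state: that the service principal is HTTP/<server>, that the CA certificate is at /etc/ipa/ca.crt, that a JSON-RPC error object carries "name", "code" and "message", and that the session cookie is named ipa_session. SAMPLE_OK and SAMPLE_DUP are constructed replies, shaped like what `ipa user-add -vv` prints, so the request/response handling can be exercised without a server.

```python
"""Talk to FreeIPA's JSON-RPC endpoint without ipalib (added example).

Assumptions not stated in the thread: the HTTP service principal is
HTTP/<server>, the CA certificate lives at /etc/ipa/ca.crt, the reply's
"error" member carries "name", "code" and "message", and the session
cookie is called ipa_session.  SAMPLE_OK / SAMPLE_DUP are constructed.
"""
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar


class IPAError(Exception):
    """Non-null "error" member in a JSON-RPC reply."""

    def __init__(self, name, code, message):
        super().__init__("%s (%s): %s" % (name, code, message))
        self.name, self.code, self.message = name, code, message


def build_request(method, args=(), options=None, req_id=0):
    """JSON-RPC body as `ipa <cmd> -vv` prints it: a list of positional
    args, then a dict of options."""
    return {"method": method,
            "params": [list(args), dict(options or {})],
            "id": req_id}


def parse_response(text):
    """Return the "result" member or raise IPAError from "error"."""
    reply = json.loads(text)
    err = reply.get("error")
    if err:
        raise IPAError(err.get("name", "unknown"), err.get("code"),
                       err.get("message", ""))
    return reply["result"]


def add_user_outcome(text):
    """The two outcomes Rob's ipalib snippet distinguishes."""
    try:
        parse_response(text)
    except IPAError as e:
        if e.name == "DuplicateEntry":
            return "user already exists"
        raise
    return "User added"


def negotiate_header(server):
    """Authorization header from a GSSAPI init_sec_context.  No kinit:
    GSSAPI uses the credential cache or client keytab it is configured
    with (see KRB5_KTNAME / KRB5_CLIENT_KTNAME in the krb5 docs)."""
    import kerberos  # python-kerberos; imported lazily, only for live calls
    _, ctx = kerberos.authGSSClientInit("HTTP@%s" % server)
    kerberos.authGSSClientStep(ctx, "")
    token = kerberos.authGSSClientResponse(ctx)
    kerberos.authGSSClientClean(ctx)
    return "Negotiate %s" % token


class IPAClient:
    """POSTs to https://<server>/ipa/json; the cookie jar keeps ipa_session
    so later calls skip the Kerberos exchange (Rob's performance note)."""

    def __init__(self, server, cacert="/etc/ipa/ca.crt"):
        self.server = server
        self.url = "https://%s/ipa/json" % server
        self.jar = CookieJar()
        tls = ssl.create_default_context(cafile=cacert)  # the --cacert point
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPSHandler(context=tls),
            urllib.request.HTTPCookieProcessor(self.jar))

    def has_session(self):
        return any(c.name == "ipa_session" for c in self.jar)

    def call(self, method, *args, **options):
        body = json.dumps(build_request(method, args, options)).encode()
        headers = {"Content-Type": "application/json",
                   "Accept": "application/json",
                   "Referer": "https://%s/ipa" % self.server}
        if not self.has_session():
            headers["Authorization"] = negotiate_header(self.server)
        req = urllib.request.Request(self.url, data=body, headers=headers)
        with self.opener.open(req) as resp:
            return parse_response(resp.read().decode())


# Constructed replies shaped like what `ipa user-add -vv` shows.
SAMPLE_OK = json.dumps({"result": {"value": "testuser",
                                   "summary": 'Added user "testuser"',
                                   "result": {"uid": ["testuser"]}},
                        "error": None, "id": 0})
SAMPLE_DUP = json.dumps({"result": None, "id": 0,
                         "error": {"code": 4002, "name": "DuplicateEntry",
                                   "message": 'user with name "testuser" already exists'}})

if __name__ == "__main__":
    print(add_user_outcome(SAMPLE_OK))   # User added
    print(add_user_outcome(SAMPLE_DUP))  # user already exists
    # Live use: IPAClient("ipa.example.test").call("user_add", "testuser",
    #                                               givenname="Test", sn="User")
```

Two things to check against your own `ipa -vv` output before relying on this: which endpoint accepts the session cookie (the thread only names /ipa/json), and the exact shape of the error object. The Referer header is set because FreeIPA's RPC server checks it as a CSRF defence; and the cookie jar here lives in process memory, so a long-running daemon such as a Designate backend should store it the way Rob suggests rather than leaving it where any debug dump can read it.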
