I'm testing out the existing JStack code at the moment. It's been an enjoyable process so far.

On Apr 30, 2012 7:30 PM, "javier cerviño" <[email protected]> wrote:
> Hi Adrian,
>
> I've just seen you submitted your Swift-based CORS implementation to
> Gerrit. Would you mind if we do the same for Nova, Keystone and Glance? On
> the other hand, it could be better to wait for its approval because we
> could apply changes proposed by the reviewers to the rest of components.
>
> We've just started to implement Glance API support in jStack, and then I
> will start with Swift. Is anybody out there who wants to join this
> challenge? You're welcome to propose changes, write code, and so on. The
> idea is to develop full OpenStack API in JavaScript, so that community
> could start working with it.
>
> Cheers,
> Javier.
>
> 2012/4/27 javier cerviño <[email protected]>
>
>> Hi!
>>
>> We have just published the code of the portal in Github. You can find it
>> in https://github.com/ging/horizon-js. It will only work with Keystone
>> and Nova if they have CORS implemented.
>>
>> Adrian, we didn't make big changes in your code, only logger classes and
>> a little problem we found with PUT requests in some cases (I have to take a
>> deeper look into this problem, anyway). We've made tests from iPhone,
>> iPad, Safari, Firefox and Chrome and we didn't have any problems. But on
>> the other hand CORS doesn't work in IE9 with PUT and DELETE methods. Next
>> week I will test it with Android and Opera browsers.
>>
>> Sure! It will be very interesting to submit your code to gerrit!!
>>
>> Diego, I will talk with Joaquin to check if we can show you a demo in two
>> weeks!!
>>
>> Cheers,
>> Javier.
>>
>> 2012/4/27 Adrian Smith <[email protected]>
>>
>>> I'd be really interested to hear how you go on with the CORS middleware
>>> Javier.
>>> Did it work as-is or did you have to modify it? Was there much effort
>>> involved in using it with Nova?
>>>
>>> From your experience it sounds like there's decent CORS support in
>>> browsers now so it's probably time to submit this change to gerrit.
>>>
>>> Adrian
>>>
>>>
>>> 2012/4/27 Diego Parrilla Santamaría <[email protected]>
>>>
>>>> Awesome Javier!!!!
>>>>
>>>> Anxiously waiting for a meeting with you guys to see your progress!
>>>>
>>>> Cheers
>>>> Diego
>>>> --
>>>> Diego Parrilla
>>>> CEO
>>>> www.stackops.com | [email protected] | +34 649 94 43 29 | skype:diegoparrilla
>>>>
>>>> On Thu, Apr 26, 2012 at 9:50 AM, javier cerviño <[email protected]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm glad to hear that there's a lot of interest in the implementation
>>>>> of Openstack JavaScript clients. Actually, in my group we're
>>>>> developing a "single page" application developed entirely in
>>>>> JavaScript, that widely supports Nova and Keystone APIs. This work is
>>>>> part of a European Project called FI-Ware (http://www.fi-ware.eu/), in
>>>>> which we are currently using Openstack APIs.
>>>>>
>>>>> We've modified Nova and Keystone installations by adding CORS support.
>>>>> We did it by implementing a kind of filter on their APIs. For doing
>>>>> this we used Adam's implementation
>>>>> (https://github.com/adrian/swift/tree/cors), and we adapted it to Nova
>>>>> and Keystone components. We also developed a JS library
>>>>> (http://ging.github.com/jstack/) that can be used by both web and
>>>>> Node.js applications, for example. This library aims to provide same
>>>>> functionalities as python-novaclient, adding support for Keystone API.
>>>>>
>>>>> And finally we are copying Openstack horizon functionality, using JS
>>>>> library and other frameworks such as jQuery and Backbone.js to
>>>>> implement the web application. This web application is an
>>>>> "early-stage" work, but we will probably publish it by the end of this
>>>>> week. I will let you know the github link.
>>>>>
>>>>> We didn't find many problems with CORS implementation and support in
>>>>> browsers.
>>>>> For the time being, according to our experiments, the only
>>>>> web browser that is not usable at all with this technology is Internet
>>>>> Explorer, but we have tried it in Google Chrome, Safari and Firefox as
>>>>> well and we didn't have any problems.
>>>>>
>>>>> Cheers,
>>>>> Javier Cerviño.
>>>>>
>>>>> On 26 April 2012 06:28, Nick Lothian <[email protected]> wrote:
>>>>> >
>>>>> >
>>>>> > On Thu, Apr 26, 2012 at 5:49 AM, Adam Young <[email protected]> wrote:
>>>>> >>
>>>>> >> Let me try to summarize:
>>>>> >>
>>>>> >> 1. If you are running from a web browser, post requests to hosts or
>>>>> >> ports other than the origin are allowed, but the headers cannot be
>>>>> >> modified. This prevents the addition of the token from Keystone to provide
>>>>> >> single sign on.
>>>>> >>
>>>>> >> 2. There are various browser side technologies (JSONP, CORS) that get
>>>>> >> around this limitation, but they are typically not enabled, and can be
>>>>> >> considered security issues. While implementing these might require support
>>>>> >> from the Openstack server, they are fundamentally browser decisions.
>>>>> >>
>>>>> >
>>>>> > This is inaccurate. JSONP is supported by all browsers since ~Netscape 4.0.
>>>>> >
>>>>> > CORS is supported by all modern browsers: IE > 8, Firefox > 3.5, Chrome > 3,
>>>>> > Safari > 4
>>>>> > (See http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support).
>>>>> > Additionally, CORS support is not a browser decision - the server has to
>>>>> > EXPLICITLY opt-in to support it.
>>>>> >
>>>>> > Obviously CORS support *can* be a security issue - that is why it is
>>>>> > disabled unless the server enables it.
>>>>> >
>>>>> > I do not believe that CORS support adds any additional security issues above
>>>>> > what the OpenStack APIs already face.
>>>>> > Specially, the most common problem
>>>>> > (CSRF) is not an issue here because the APIs are not authorised on a session
>>>>> > basis.
>>>>> >
>>>>> > [snip]
>>>>> >>
>>>>> >>
>>>>> >> I've been working on Single Sign on Issues for another project for the
>>>>> >> past year and a half. Here's a couple things I've learned.
>>>>> >>
>>>>> >>
>>>>> >> Kerberos is designed to solve this problem. It has the benefit of being
>>>>> >> integrated into the browser. Where Kerberos fails is that: typically it
>>>>> >> only allows a single authentication provider (KDC in Kerberos speak) and it
>>>>> >> does not work well with Firewalls.
>>>>> >>
>>>>> >> The only cryptographically secure way to authenticate on the web that can
>>>>> >> get around the firewall issue is Client side X509 certificates. This is the
>>>>> >> foundation for https://blueprints.launchpad.net/keystone/+spec/pki. This
>>>>> >> could, in theory, work in with OAuth, OpenID, or some other distributed
>>>>> >> authorization service, or we could embed the authorization information
>>>>> >> right into the Certificate, which is what I suggest we do.
>>>>> >>
>>>>> >>
>>>>> >
>>>>> > To be clear, identity/authorisation is NOT the problem here. The OpenStack
>>>>> > APIs work well for my use cases, once I work around the cross domain POST
>>>>> > problem.
>>>>> >
>>>>> > However, I've also worked with SSO solutions. The simple truth is that
>>>>> > client side certificates do not play well with the web - browser support
>>>>> > ranges from non-existent (on some mobile platforms -
>>>>> > see http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/) to
>>>>> > abysmal (there is a reason why many websites that use certificates end up
>>>>> > using a Java applet), and their interaction with cross domain Javascript is
>>>>> > unknown.
>>>>> >
>>>>> > Even if certificates did work for identification, CORS would still be needed
>>>>> > - many OpenStack APIs require a POST request which is impossible without
>>>>> > it.
>>>>> >
>>>>> >
>>>>> > Nick
>>>>> >
>>>>> > _______________________________________________
>>>>> > Mailing list: https://launchpad.net/~openstack
>>>>> > Post to : [email protected]
>>>>> > Unsubscribe : https://launchpad.net/~openstack
>>>>> > More help : https://help.launchpad.net/ListHelp
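The server-side opt-in discussed in this thread (a filter in front of the API that answers the browser's preflight for PUT/DELETE and for a custom token header) can be sketched as a WSGI middleware. This is an added example, not part of the original messages and not the Swift, Nova or Keystone code; the class name, the allowed origin and the header list are assumptions.

```python
# Added example: minimal WSGI CORS filter with an explicit origin allow-list.
# Origin, class name and header set are assumptions, not the project's code.
ALLOWED_ORIGINS = {"https://portal.example.org"}      # constructed value
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Content-Type, X-Auth-Token"


class CorsFilter:
    def __init__(self, app, origins=ALLOWED_ORIGINS):
        self.app, self.origins = app, set(origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        # Echo the origin only when allow-listed; never "*" for a token API.
        cors = ([("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]
                if origin in self.origins else [])
        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            # Preflight is answered here; the wrapped API never sees it.
            if cors:
                cors += [("Access-Control-Allow-Methods", ALLOWED_METHODS),
                         ("Access-Control-Allow-Headers", ALLOWED_HEADERS)]
            start_response("200 OK", cors + [("Content-Length", "0")])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors, exc_info)

        return self.app(environ, cors_start_response)


def demo_api(environ, start_response):
    """Stand-in for the wrapped API (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b"{}"]


def call(app, method, origin=None, preflight_for=None):
    """Drive a WSGI app with a constructed request; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/"}
    if origin:
        environ["HTTP_ORIGIN"] = origin
    if preflight_for:
        environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"] = preflight_for
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)

    b"".join(app(environ, start_response))
    return seen["status"], seen["headers"]
```

A preflight from an origin outside the allow-list gets a response with no `Access-Control-*` headers, so the browser refuses to send the actual PUT or DELETE.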

