Re: [Freeipa-users] Looking for documentation for Python API
On Fri, 13 May 2016, Petr Vobornik wrote: On 05/13/2016 11:49 AM, Alexander Bokovoy wrote: On Thu, 12 May 2016, Jan Cholasta wrote: On 11.5.2016 10:52, Martin Kosek wrote: On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: On Friday, May 06, 2016 09:04:59 Martin Basti wrote: since IPA4.2 web UI contains API browser (IPA Server/API Browser) So for example for caacl-add: api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description") you can try commands in "ipa console" it contains initialized API, just call api.Command.() API.txt provides the same information as API browser, but browser looks better :) Feel free to ask anything, if you identified gaps in docs which are hard to understand for non-IPA developer feel free report it, or feel free to create howTo in freeipa.org page. Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way. The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may had some other (hacky) way to pass user+password there too. I don't think we support anything but Kerberos on the client side in our Python API. It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you? It should be relatively easy to update IPA cli code to accept a jar with a cookie and use that if Kerberos ccache is missing or empty. I implemented it a year ago, but the patch was not merged: https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html I can revive it. I think it brings sufficient value to get merged. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Looking for documentation for Python API
On 05/13/2016 11:49 AM, Alexander Bokovoy wrote: > On Thu, 12 May 2016, Jan Cholasta wrote: >> On 11.5.2016 10:52, Martin Kosek wrote: >>> On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: On Friday, May 06, 2016 09:04:59 Martin Basti wrote: > since IPA4.2 web UI contains API browser (IPA Server/API Browser) > > So for example for caacl-add: > api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional > description") > > you can try commands in "ipa console" it contains initialized API, > just > call api.Command.() > > API.txt provides the same information as API browser, but browser > looks > better :) > > Feel free to ask anything, if you identified gaps in docs which are > hard > to understand for non-IPA developer feel free report it, or feel > free to > create howTo in freeipa.org page. Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way. >>> >>> The API itself can be hit with user/password, as noted in Alexander's >>> blog. If >>> you want to use the actual Python API, Kerberos may be the only way. >>> But I >>> think Jan or Petr may had some other (hacky) way to pass >>> user+password there too. >> >> I don't think we support anything but Kerberos on the client side in >> our Python API. It might be possible to somehow emulate what the web >> UI does, but I haven't personally ever attempted to do that. Petr, >> have you? > It should be relatively easy to update IPA cli code to accept a jar with > a cookie and use that if Kerberos ccache is missing or empty. > I implemented it a year ago, but the patch was not merged: https://www.redhat.com/archives/freeipa-devel/2015-May/msg00070.html -- Petr Vobornik -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Looking for documentation for Python API
On Thu, 12 May 2016, Jan Cholasta wrote: On 11.5.2016 10:52, Martin Kosek wrote: On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: On Friday, May 06, 2016 09:04:59 Martin Basti wrote: since IPA4.2 web UI contains API browser (IPA Server/API Browser) So for example for caacl-add: api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description") you can try commands in "ipa console" it contains initialized API, just call api.Command.() API.txt provides the same information as API browser, but browser looks better :) Feel free to ask anything, if you identified gaps in docs which are hard to understand for non-IPA developer feel free report it, or feel free to create howTo in freeipa.org page. Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way. The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may had some other (hacky) way to pass user+password there too. I don't think we support anything but Kerberos on the client side in our Python API. It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you? It should be relatively easy to update IPA cli code to accept a jar with a cookie and use that if Kerberos ccache is missing or empty. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Looking for documentation for Python API
On 11.5.2016 10:52, Martin Kosek wrote: On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: On Friday, May 06, 2016 09:04:59 Martin Basti wrote: since IPA4.2 web UI contains API browser (IPA Server/API Browser) So for example for caacl-add: api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description") you can try commands in "ipa console" it contains initialized API, just call api.Command.() API.txt provides the same information as API browser, but browser looks better :) Feel free to ask anything, if you identified gaps in docs which are hard to understand for non-IPA developer feel free report it, or feel free to create howTo in freeipa.org page. Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way. The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may had some other (hacky) way to pass user+password there too. I don't think we support anything but Kerberos on the client side in our Python API. It might be possible to somehow emulate what the web UI does, but I haven't personally ever attempted to do that. Petr, have you? Those are the questions I did not see addressed in the docs that I found. There were lots of examples of invoking commands, but I never saw anything about authenticating to the server before running the commands. Thanks again for the pointers, and if there is documentation I missed, feel free to point me in that direction. -- Jan Cholasta -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Looking for documentation for Python API
On 05/07/2016 09:07 AM, Joshua J. Kugler wrote: > On Friday, May 06, 2016 09:04:59 Martin Basti wrote: >> since IPA4.2 web UI contains API browser (IPA Server/API Browser) >> >> So for example for caacl-add: >> api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional >> description") >> >> you can try commands in "ipa console" it contains initialized API, just >> call api.Command.() >> >> API.txt provides the same information as API browser, but browser looks >> better :) >> >> Feel free to ask anything, if you identified gaps in docs which are hard >> to understand for non-IPA developer feel free report it, or feel free to >> create howTo in freeipa.org page. > > Thanks for the pointers. I'm looking at automating some user and group > additions, group editing, etc. Am I right in assuming that anything that > uses > the api.Command. will require a kinit before it is run, > even if it is via the Python API? If I want to use a user/pass from the > script > itself (and not have a shell script which does kinit, then fires off my > Python > script) would I be better off hitting the web API with sessions and JSON-RPC > as > detailed here: > > https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ > > Put another way, since I want to hit the API from a system that might not > have > sssd installed, nor has joined the realm, I assume it would be *impossible* > to > use api.Command. as it relies on a Kerberos ticket? To put it yet > another way: is there a way to hand a user/pass to the Python API and > authenticate that way. The API itself can be hit with user/password, as noted in Alexander's blog. If you want to use the actual Python API, Kerberos may be the only way. But I think Jan or Petr may had some other (hacky) way to pass user+password there too. > Those are the questions I did not see addressed in the docs that I found. > There were lots of examples of invoking commands, but I never saw anything > about authenticating to the server before running the commands. > > Thanks again for the pointers, and if there is documentation I missed, feel > free to point me in that direction. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Looking for documentation for Python API
On Friday, May 06, 2016 09:04:59 Martin Basti wrote: > since IPA4.2 web UI contains API browser (IPA Server/API Browser) > > So for example for caacl-add: > api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional > description") > > you can try commands in "ipa console" it contains initialized API, just > call api.Command.() > > API.txt provides the same information as API browser, but browser looks > better :) > > Feel free to ask anything, if you identified gaps in docs which are hard > to understand for non-IPA developer feel free report it, or feel free to > create howTo in freeipa.org page. Thanks for the pointers. I'm looking at automating some user and group additions, group editing, etc. Am I right in assuming that anything that uses the api.Command. will require a kinit before it is run, even if it is via the Python API? If I want to use a user/pass from the script itself (and not have a shell script which does kinit, then fires off my Python script) would I be better off hitting the web API with sessions and JSON-RPC as detailed here: https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ Put another way, since I want to hit the API from a system that might not have sssd installed, nor has joined the realm, I assume it would be *impossible* to use api.Command. as it relies on a Kerberos ticket? To put it yet another way: is there a way to hand a user/pass to the Python API and authenticate that way. Those are the questions I did not see addressed in the docs that I found. There were lots of examples of invoking commands, but I never saw anything about authenticating to the server before running the commands. Thanks again for the pointers, and if there is documentation I missed, feel free to point me in that direction. j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design jos...@azariah.com - Jabber: pedah...@gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Looking for documentation for Python API
I've been googling and looking through the documentation, but I have yet to find official docs for the Python API for FreeIPA. The first result for 'python' when doing a search on www.freeipa.org is http://www.freeipa.org/page/Python_Coding_Style On that page, there is a link to "freeIPA Python API documentation" which goes to https://www.freeipa.org/page/Documentation#Developer_Documentation That page, however, doesn't have one mention of Python, and only one mention of "API" and that is "How to migrate your code to the new LDAP API" which doesn't seem to be related. I did manage to find https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple (very convoluted) examples, but seems far from complete. There is a freeipa-python RPM, but *WHERE* is the documentation for the Python API. Or should I just shell-out to the 'ipa' command from all my python scripts? :) I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so I'm sure I could work up something with python and requests, but I'd prefer to use the official API if I could. :) Any assistance would be great! j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design jos...@azariah.com - Jabber: pedah...@gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Looking for documentation for Python API
On 05.05.2016 23:41, Joshua J. Kugler wrote: [This didn't show up in the archives or list after 12 house, so resending. Sorry if it's a dupe.] I've been googling and looking through the documentation, but I have yet to find official docs for the Python API for FreeIPA. The first result for 'python' when doing a search on www.freeipa.org is http://www.freeipa.org/page/Python_Coding_Style On that page, there is a link to "freeIPA Python API documentation" which goes to https://www.freeipa.org/page/Documentation#Developer_Documentation That page, however, doesn't have one mention of Python, and only one mention of "API" and that is "How to migrate your code to the new LDAP API" which doesn't seem to be related. I did manage to find https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple (very convoluted) examples, but seems far from complete. There is a freeipa-python RPM, but *WHERE* is the documentation for the Python API. Or should I just shell-out to the 'ipa' command from all my python scripts? :) I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so I'm sure I could work up something with python and requests, but I'd prefer to use the official API if I could. :) Any assistance would be great! j Hello, since IPA4.2 web UI contains API browser (IPA Server/API Browser) So for example for caacl-add: api.Command.caacl_add(u'argument-ca-acl-name', description=u"optional description") you can try commands in "ipa console" it contains initialized API, just call api.Command.() API.txt provides the same information as API browser, but browser looks better :) Feel free to ask anything, if you identified gaps in docs which are hard to understand for non-IPA developer feel free report it, or feel free to create howTo in freeipa.org page. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Looking for documentation for Python API
[This didn't show up in the archives or list after 12 house, so resending. Sorry if it's a dupe.] I've been googling and looking through the documentation, but I have yet to find official docs for the Python API for FreeIPA. The first result for 'python' when doing a search on www.freeipa.org is http://www.freeipa.org/page/Python_Coding_Style On that page, there is a link to "freeIPA Python API documentation" which goes to https://www.freeipa.org/page/Documentation#Developer_Documentation That page, however, doesn't have one mention of Python, and only one mention of "API" and that is "How to migrate your code to the new LDAP API" which doesn't seem to be related. I did manage to find https://github.com/encukou/freeipa/tree/master/doc/examples which has a couple (very convoluted) examples, but seems far from complete. There is a freeipa-python RPM, but *WHERE* is the documentation for the Python API. Or should I just shell-out to the 'ipa' command from all my python scripts? :) I found https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/ and https://git.fedorahosted.org/cgit/freeipa.git/tree/API.txt so I'm sure I could work up something with python and requests, but I'd prefer to use the official API if I could. :) Any assistance would be great! j -- Joshua J. Kugler - Fairbanks, Alaska Azariah Enterprises - Programming and Website Design jos...@azariah.com - Jabber: pedah...@gmail.com PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project