Re: [openstack-dev] Supporting Javascript clients calling OpenStack APIs
Diego Parrilla SantamarĂa diego.parrilla.santama...@gmail.com writes: May be it's a bit too late, but in mid 2012 the FIWARE team developed a horizon clone 100% in Javascript. https://github.com/ging/horizon-js Nice! I poked around a little in the repo and found no mention of Swift? [...] Portal has evolved and now it's more like a 'chroot' for safe execution of javascript apps. And we use it for our own OpenStack extensions (accounting, rating, billing, monitoring, advanced network management...). Sounds cool! So maybe if you want to discuss about how to proceed in the future for a 100% javascript user interface, maybe we can talk about it in Paris. I'm unfortunately not coming to Paris, but we can discuss this over email. The ZeroVM mailinglist would be fine if it's too off-topic for this list. In the ZeroVM project, we're mostly (only really) interested in an interface for Swift since we can embed the ZeroVM sandbox in Swift. This gives you a Swift cluster where you can execute map-reduce jobs (from untrusted clients because of the ZeroVM sandbox) directly on the data. We like say that you can send the code to the data instead of doing it the other way around. So that is why I'm focusing on Swift now and will later add support for starting these ZeroVM jobs to the browser. -- Martin Geisler http://google.com/+MartinGeisler pgpTx2xioHhGZ.pgp Description: PGP signature ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Supporting Javascript clients calling OpenStack APIs
Richard Jones r1chardj0...@gmail.com writes: Hi, I'm working on the ZeroVM project at Rackspace and as part of that I'm writing a JavaScript based file manager for Swift which I've called Swift Browser: https://github.com/zerovm/swift-browser When writing this, I of course ran in to exactly the problems you describe below. 2. add CORS support to all the OpenStack APIs though a new WSGI middleware (for example oslo.middleware.cors) and configured into each of the API services individually since they all exist on different origin host:port combinations, or This was the solution I picked first and it was not difficult to get working. I used this middleware: http://blog.yunak.eu/2013/07/24/keystone_cors/ Since I only case about Swift, another solution that I've been using is to use swauth (or really https://github.com/zerovm/liteauth) which lets you authenticate to Swift directly. There are thus only a single origin to consider and the same-origin problems disappear. 3. a new web service that proxies all the APIs and serves the static Javascript (etc) content from the one origin (host). That sounds like another good alternative. I'm not sure familiar with how people normally deploy Swift, but I would imagine that people setup some proxying anyway to rewrite the URLs to a nicer format. I have implemented options 2 and 3 as an exercise to see how horrid each one is. == CORS Middleware == The middleware option results in a reasonably nice bit of middleware. It's short and relatively easy to test. The big problem with it comes in configuring it in all the APIs. The configuration for the middleware takes two forms: 1. hooking oslo.middleware.cors into the WSGI pipeline (there's more than one in each API), If this became a standard part of OpenStack, could one imagine that the default WSGI pipelines would already contain the CORS middleware? 2. adding the CORS configuration itself for the middleware in the API's main configuration file (eg. keystone.conf or nova.conf). So for each service, that's two configuration files *and* the kicker is that the paste configuration file is non-trivially different in almost every case. I'm unsure why it would have to be different for each service? Would the services not be configured mostly the same, as in: [filter:cors] allow_origins = https://static.company.com == New Single-Point API Service == Actually, this is not horrid in any way - unless that publicURL rewriting gives you the heebie-jeebies. It works, and offers us some nice additional features like being able to host the service behind SSL without needing to get a bazillion certificates. And maybe load balancing. And maybe API access filtering. I like this option for the flexibility it gives you. -- Martin Geisler http://google.com/+MartinGeisler pgpbntQlgOsos.pgp Description: PGP signature ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] Supporting Javascript clients calling OpenStack APIs
[This is Horizon-related but affects every service in OpenStack, hence no filter in the subject] I would like for OpenStack to support browser-based Javascript API clients. Currently this is not possible because of cross-origin resource blocking in Javascript clients - that is, given some Javascript hosted on https://horizon.company.com/; you cannot, for example, call from that Javascript code to an API on https://apis.company.com:5000/v2.0/tokens; to authenticate with Keystone. There are three solutions to this problem: 1. the Horizon solution, in which those APIs are proxied by a very thick layer of additional Python API, plus some Python view code with some Javascript on the top only calling the Horizon view code, 2. add CORS support to all the OpenStack APIs though a new WSGI middleware (for example oslo.middleware.cors) and configured into each of the API services individually since they all exist on different origin host:port combinations, or 3. a new web service that proxies all the APIs and serves the static Javascript (etc) content from the one origin (host). APIs are then served from new URL roots /name/ where the name is from the serviceCatalog entry. Static content can be served from /static/. The serviceCatalog from keystone will be rewritten on the fly to point the API publicURLs at the new service. Requests are no longer cross-origin. I have implemented options 2 and 3 as an exercise to see how horrid each one is. == CORS Middleware == For those wanting a bit of background, I have written up a spec for oslo that talks about how this could work: https://review.openstack.org/#/c/119485/ The middleware option results in a reasonably nice bit of middleware. It's short and relatively easy to test. The big problem with it comes in configuring it in all the APIs. The configuration for the middleware takes two forms: 1. hooking oslo.middleware.cors into the WSGI pipeline (there's more than one in each API), 2. adding the CORS configuration itself for the middleware in the API's main configuration file (eg. keystone.conf or nova.conf). So for each service, that's two configuration files *and* the kicker is that the paste configuration file is non-trivially different in almost every case. That's a lot of work, and confusing for deployers. Configuration management tools can ease *some* of this burden (the *.conf files) but those paste files are a bit of a mess :( Once the config change is in place, it works (well, except for an issue I ran into relating to oslo.middleware.sizelimit which I'll go into in another place). The implementation hasn't been pushed up for review as I'm not sure it should be. I can do this if people wish me to. == New Single-Point API Service == Actually, this is not horrid in any way - unless that publicURL rewriting gives you the heebie-jeebies. It works, and offers us some nice additional features like being able to host the service behind SSL without needing to get a bazillion certificates. And maybe load balancing. And maybe API access filtering. I note that https://openrepose.org already exists to be *something* like this, but it's not *precisely* what I'm proposing. Also Java euwww ;) So, I propose that the idea of CORS-in-all-the-things as an idea be put aside as unworkable. I intend to pursue the single-point API service that I have described as a way of moving forward in prototyping a pure-Javascript OpenStack Dashboard. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Supporting Javascript clients calling OpenStack APIs
On 09/11/2014 03:15 AM, Richard Jones wrote: [This is Horizon-related but affects every service in OpenStack, hence no filter in the subject] I would like for OpenStack to support browser-based Javascript API clients. Currently this is not possible because of cross-origin resource blocking in Javascript clients - that is, given some Javascript hosted on https://horizon.company.com/; you cannot, for example, call from that Javascript code to an API on https://apis.company.com:5000/v2.0/tokens; to authenticate with Keystone. There are three solutions to this problem: 1. the Horizon solution, in which those APIs are proxied by a very thick layer of additional Python API, plus some Python view code with some Javascript on the top only calling the Horizon view code, 2. add CORS support to all the OpenStack APIs though a new WSGI middleware (for example oslo.middleware.cors) and configured into each of the API services individually since they all exist on different origin host:port combinations, or 3. a new web service that proxies all the APIs and serves the static Javascript (etc) content from the one origin (host). APIs are then served from new URL roots /name/ where the name is from the serviceCatalog entry. Static content can be served from /static/. The serviceCatalog from keystone will be rewritten on the fly to point the API publicURLs at the new service. Requests are no longer cross-origin. I have implemented options 2 and 3 as an exercise to see how horrid each one is. I don't think these are mutually exclusive. I can see people wanting either in some deployments. == CORS Middleware == For those wanting a bit of background, I have written up a spec for oslo that talks about how this could work: https://review.openstack.org/#/c/119485/ The middleware option results in a reasonably nice bit of middleware. It's short and relatively easy to test. The big problem with it comes in configuring it in all the APIs. The configuration for the middleware takes two forms: 1. hooking oslo.middleware.cors into the WSGI pipeline (there's more than one in each API), 2. adding the CORS configuration itself for the middleware in the API's main configuration file (eg. keystone.conf or nova.conf). So for each service, that's two configuration files *and* the kicker is that the paste configuration file is non-trivially different in almost every case. This is one reason I thought that it should be done by auth_token middleware. The other reason is that I don't think we want to blanket accept CORS from everywhere, but instead we should do so based on the service catalog. This is for the non-trivial deployment case like MOC: http://www.bu.edu/hic/projects/massachusetts-open-cloud/ Where one Horizon instance is going to have to talk to multiple, non-trusted instances for each of the services. CORS should only be acceptable between services in the same service catalog. Yes, I realize this is not security enforcment, it is just one step in the strategy. For a POC deployment, for a small company, all-in-one, what you are doing shouild be fine, but then, if you were running all of your services that way, in one web server, you wouldn't need CORS either. So, lets have these two approaches work in parallel. THe proxy will get things goint while we work out the CORS approach. That's a lot of work, and confusing for deployers. Configuration management tools can ease *some* of this burden (the *.conf files) but those paste files are a bit of a mess :( Once the config change is in place, it works (well, except for an issue I ran into relating to oslo.middleware.sizelimit which I'll go into in another place). The implementation hasn't been pushed up for review as I'm not sure it should be. I can do this if people wish me to. == New Single-Point API Service == Actually, this is not horrid in any way - unless that publicURL rewriting gives you the heebie-jeebies. It works, and offers us some nice additional features like being able to host the service behind SSL without needing to get a bazillion certificates. And maybe load balancing. And maybe API access filtering. I note that https://openrepose.org already exists to be *something* like this, but it's not *precisely* what I'm proposing. Also Java euwww ;) So, I propose that the idea of CORS-in-all-the-things as an idea be put aside as unworkable. I intend to pursue the single-point API service that I have described as a way of moving forward in prototyping a pure-Javascript OpenStack Dashboard. ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Supporting Javascript clients calling OpenStack APIs
On 12 September 2014 07:50, Adam Young ayo...@redhat.com wrote: On 09/11/2014 03:15 AM, Richard Jones wrote: [This is Horizon-related but affects every service in OpenStack, hence no filter in the subject] I would like for OpenStack to support browser-based Javascript API clients. Currently this is not possible because of cross-origin resource blocking in Javascript clients - that is, given some Javascript hosted on https://horizon.company.com/; you cannot, for example, call from that Javascript code to an API on https://apis.company.com:5000/v2.0/tokens; to authenticate with Keystone. There are three solutions to this problem: 1. the Horizon solution, in which those APIs are proxied by a very thick layer of additional Python API, plus some Python view code with some Javascript on the top only calling the Horizon view code, 2. add CORS support to all the OpenStack APIs though a new WSGI middleware (for example oslo.middleware.cors) and configured into each of the API services individually since they all exist on different origin host:port combinations, or 3. a new web service that proxies all the APIs and serves the static Javascript (etc) content from the one origin (host). APIs are then served from new URL roots /name/ where the name is from the serviceCatalog entry. Static content can be served from /static/. The serviceCatalog from keystone will be rewritten on the fly to point the API publicURLs at the new service. Requests are no longer cross-origin. I have implemented options 2 and 3 as an exercise to see how horrid each one is. I don't think these are mutually exclusive. I can see people wanting either in some deployments. I think I agree :) == CORS Middleware == For those wanting a bit of background, I have written up a spec for oslo that talks about how this could work: https://review.openstack.org/#/c/119485/ The middleware option results in a reasonably nice bit of middleware. It's short and relatively easy to test. The big problem with it comes in configuring it in all the APIs. The configuration for the middleware takes two forms: 1. hooking oslo.middleware.cors into the WSGI pipeline (there's more than one in each API), 2. adding the CORS configuration itself for the middleware in the API's main configuration file (eg. keystone.conf or nova.conf). So for each service, that's two configuration files *and* the kicker is that the paste configuration file is non-trivially different in almost every case. This is one reason I thought that it should be done by auth_token middleware. The other reason is that I don't think we want to blanket accept CORS from everywhere, but instead we should do so based on the service catalog. It's very important to understand that CORS is entirely advisory. Nothing is required to pay any attention to it. Modern browsers do, of course, but in the absence of a browser initiating a CORS conversation (by sending an Origin header) the CORS middleware should do nothing whatsoever. A GET request will still return the body of data requested - it's just that the browser will see the CORS header and block an application from seeing that data. Security through access controls, XSS protections, etc. must be handled by other mechanisms. For a POC deployment, for a small company, all-in-one, what you are doing shouild be fine, but then, if you were running all of your services that way, in one web server, you wouldn't need CORS either. This isn't possible in the current OpenStack model - all the APIs run on different ports, which count as different origins for cross-origin resource issues (origin is defined as {protocol, host, port}). So, lets have these two approaches work in parallel. THe proxy will get things goint while we work out the CORS approach. I will look at submitting my middleware for inclusion anyway then. Richard ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] Supporting Javascript clients calling OpenStack APIs
On 12 September 2014 09:24, Richard Jones r1chardj0...@gmail.com wrote: On 12 September 2014 07:50, Adam Young ayo...@redhat.com wrote: So, lets have these two approaches work in parallel. THe proxy will get things goint while we work out the CORS approach. I will look at submitting my middleware for inclusion anyway then. Submitted to oslo.middleware https://review.openstack.org/#/c/120964/ Richard ___ OpenStack-dev mailing list OpenStack-dev@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev