
openstack team mailing list archive

Re: Using Nova APIs from Javascript: possible?

 

On 04/23/2012 01:13 PM, Tres Henry wrote:
Adam, in what way should the OS API support server-less clients? AFAIK the options are CORS or JSONP, no?

I am not quite sure what you mean by serverless clients, but I think the answer to this is getting a real Single Sign On solution, which is based on:

1. Kerberos,
2. X509

Kerberos is likely a non-starter for Web applications due to some current issues with handling multiple TGTs and also crossing firewalls (Kerberos tickets must get served out on port 88 without jumping through considerable hoops.)

I've written up about X509 support here:
http://wiki.openstack.org/PKI

I think that X509 Client Authentication is the right long-term approach for what we are doing. Specifically, short term X509 certificates replacing the Keystone tokens as the mechanism for SSO.



On Apr 23, 2012, at 5:50 AM, Adam Young wrote:

I see this as a feature, not a drawback. The inability to access portions of the HTTP protocol is there to defend against attacks such as cross site request forgeries. If we suppress that mechanism, we open up a lot of security holes.


On 04/23/2012 06:09 AM, Adrian Smith wrote:
The authentication request returns X-Storage-Url and X-Auth-Token
headers. For the JS client to see them they need to be referenced in
Access-Control-Expose-Headers. As of the last time checked, both these
headers were being stripped from the response before being presented
to JS.

Adrian


On 23 April 2012 10:35, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
Hi Adrian,

Good to know this is a known issue.

Why does the client need to see custom headers from the server anyway?
I know the client needs to pass the authorisation header to the server, but
I haven't seen any of the APIs yet that return custom headers. (It's likely
I'm missing them though)

Nick

On Apr 23, 2012 5:40 PM, "Adrian Smith" <adrian@xxxxxxxx> wrote:
Hi Nick,

I did some work with CORS a few months back [1].

At the time I couldn't get any browser to work properly with CORS so I
just parked the code. The problem was lack of support for the
Access-Control-Expose-Headers header.

According to the Chrome bug report [2] this issue may well be fixed
now so I need to retest.

Adrian

[1]
http://www.mail-archive.com/openstack@xxxxxxxxxxxxxxxxxxx/msg07219.html
[2] http://code.google.com/p/chromium/issues/detail?id=87338


On 23 April 2012 06:19, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
Hi,

I've been playing with the Nova APIs from Javascript, and I've run into a
problem.

The very first thing one needs to do to use the APIs is to get a token.

That requires a POST to the API endpoint. Using curl & trystack that looks
like this:

$ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
    -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' \
    -H 'Content-type: application/json'


The Javascript equivalent (using JQuery) is:

     $.ajax({
         url: "https://nova-api.trystack.org:5443/v2.0/tokens",
         type: 'POST',
         headers: {"Content-Type": "application/json"},
         // Serialize the body to JSON so it matches what curl -d sends
         data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>", "password":"<password>"}}}),
         success: function(data) { alert(data); }
     });

That fails because the call is cross-domain, and Nova doesn't support CORS
(http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). <script> based
cross-domain requests only support GET requests, so that doesn't work
either.

I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but I'm
really hoping someone can point out something obvious I'm missing here.

Regards
   Nick Lothian

_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to     : openstack@xxxxxxxxxxxxxxxxxxx
Unsubscribe : https://launchpad.net/~openstack
More help   : https://help.launchpad.net/ListHelp
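
The CORS response headers discussed in this thread (a preflight answer for the JSON POST, and Access-Control-Expose-Headers for X-Auth-Token and X-Storage-Url), as an added example that is not part of the original messages and not Nova or Swift code. The origin value and the names corsDecision and ALLOWED_ORIGINS are assumptions made for illustration.

```javascript
// Added example: the CORS decision as a pure function, so it runs offline.
// corsDecision and ALLOWED_ORIGINS are hypothetical names, not OpenStack code.
const ALLOWED_ORIGINS = new Set(["https://dashboard.example.org"]); // constructed value
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_REQUEST_HEADERS = ["content-type", "x-auth-token"];
const EXPOSED_HEADERS = ["X-Auth-Token", "X-Storage-Url"]; // headers named in the thread

// Returns { cors, status, headers }. status === null means "no short-circuit:
// pass the request on to the real handler and merge these headers into its reply".
function corsDecision(method, reqHeaders) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;

  const origin = h["origin"];
  // No Origin, or an origin outside the allow-list: add no CORS headers, so the
  // browser keeps the response away from the calling script. An arbitrary Origin
  // is never reflected back.
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return { cors: false, status: null, headers: {} };
  }
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  // A POST with Content-Type: application/json is not a "simple" request, so the
  // browser first sends OPTIONS with Access-Control-Request-Method.
  const wantMethod = h["access-control-request-method"];
  if (method === "OPTIONS" && wantMethod !== undefined) {
    const wantHeaders = (h["access-control-request-headers"] || "")
      .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
    const ok = ALLOWED_METHODS.includes(wantMethod) &&
      wantHeaders.every((name) => ALLOWED_REQUEST_HEADERS.includes(name));
    if (!ok) return { cors: false, status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
    return { cors: true, status: 204, headers };
  }

  // Actual request: without Access-Control-Expose-Headers the script cannot read
  // X-Auth-Token or X-Storage-Url from the response. Access-Control-Allow-Credentials
  // is deliberately absent: the token travels in a header, not in a cookie.
  headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  return { cors: true, status: null, headers };
}
```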



