openstack team mailing list archive
Message #10428
Re: Using Nova APIs from Javascript: possible?
Sorry, meant to say "server-less client applications". The OP is trying to create a client-side JS application that communicates directly with an OS endpoint (specifically trystack). I believe his problem is the same-origin policy, not authentication.
On Apr 23, 2012, at 12:33 PM, Adam Young wrote:
> On 04/23/2012 01:13 PM, Tres Henry wrote:
>> Adam, in what way should the OS API support server-less clients? AFAIK the options are CORS or JSONP, no?
>
> I am not quite sure what you mean by serverless clients, but I think the answer to this is getting a real Single Sign On solution, which is based on:
>
> 1. Kerberos,
> 2. X509
>
> Kerberos is likely a non-starter for Web applications due to some current issues with handling multiple TGTs and also crossing firewalls (Kerberos tickets must get served out on port 88 without jumping through considerable hoops.)
>
> I've written up about X509 support here:
> http://wiki.openstack.org/PKI
>
> I think that X509 Client Authentication is the right long-term approach for what we are doing. Specifically, short term X509 certificates replacing the Keystone tokens as the mechanism for SSO.
>
>
>>
>> On Apr 23, 2012, at 5:50 AM, Adam Young wrote:
>>
>>> I see this as a feature, not a drawback. The inability to access portions of the HTTP protocol is there to defend against attacks such as cross site request forgeries. If we suppress that mechanism, we open up a lot of security holes.
>>>
>>>
>>> On 04/23/2012 06:09 AM, Adrian Smith wrote:
>>>> The authentication request returns X-Storage-Url and X-Auth-Token
>>>> headers. For the JS client to see them they need to be referenced in
>>>> Access-Control-Expose-Headers. As of the last time checked, both these
>>>> headers were being stripped from the response before being presented
>>>> to JS.
>>>>
>>>> Adrian
>>>>
>>>>
>>>> On 23 April 2012 10:35, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
>>>>> Hi Adrian,
>>>>>
>>>>> Good to know this is a known issue.
>>>>>
>>>>> Why does the client need to see custom headers from the server anyway?
>>>>> I know the client needs to pass the authorisation header to the server, but
>>>>> I haven't seen any of the APIs yet that return custom headers. (It's likely
>>>>> I'm missing them though)
>>>>>
>>>>> Nick
>>>>>
>>>>> On Apr 23, 2012 5:40 PM, "Adrian Smith" <adrian@xxxxxxxx> wrote:
>>>>>> Hi Nick,
>>>>>>
>>>>>> I did some work with CORS a few months back [1].
>>>>>>
>>>>>> At the time I couldn't get any browser to work properly with CORS so I
>>>>>> just parked the code. The problem was lack of support for the
>>>>>> Access-Control-Expose-Headers header.
>>>>>>
>>>>>> According to the Chrome bug report [2] this issue may well be fixed
>>>>>> now so I need to retest.
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>> [1] http://www.mail-archive.com/openstack@xxxxxxxxxxxxxxxxxxx/msg07219.html
>>>>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
>>>>>>
>>>>>>
>>>>>> On 23 April 2012 06:19, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've been playing with the Nova APIs from Javascript, and I've run into a
>>>>>>> problem.
>>>>>>>
>>>>>>> The very first thing one needs to do to use the APIs is to get a token.
>>>>>>>
>>>>>>> That requires a POST to the API endpoint. Using curl & trystack that looks
>>>>>>> like this:
>>>>>>>
>>>>>>> $ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
>>>>>>>     -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' \
>>>>>>>     -H 'Content-type: application/json'
>>>>>>>
>>>>>>>
>>>>>>> The Javascript equivalent (using JQuery) is:
>>>>>>>
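>>>>>>> $.ajax({
>>>>>>>     url: "https://nova-api.trystack.org:5443/v2.0/tokens",
>>>>>>>     type: 'POST',
>>>>>>>     headers: {"Content-Type": "application/json"},
>>>>>>>     // Serialize the body: a plain object would be sent form-encoded, not as JSON
>>>>>>>     data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>",
>>>>>>>         "password":"<password>"}}}),
>>>>>>>     // Only called if the browser lets the script read the response
>>>>>>>     success: function(data) { alert(data); }
>>>>>>> });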
>>>>>>>
>>>>>>> That fails because the call is cross-domain, and Nova doesn't support CORS
>>>>>>> (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). <script> based
>>>>>>> cross-domain requests only support GET requests, so that doesn't work
>>>>>>> either.
>>>>>>>
>>>>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but I'm
>>>>>>> really hoping someone can point out something obvious I'm missing here.
>>>>>>>
>>>>>>> Regards
>>>>>>> Nick Lothian
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Mailing list: https://launchpad.net/~openstack
>>>>>>> Post to : openstack@xxxxxxxxxxxxxxxxxxx
>>>>>>> Unsubscribe : https://launchpad.net/~openstack
>>>>>>> More help : https://help.launchpad.net/ListHelp
>
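The CORS behaviour discussed in this thread, as an added example that is not part of any poster's message or of OpenStack's code: a server-side decision function that answers the preflight triggered by a JSON POST and lists `X-Auth-Token` and `X-Storage-Url` in `Access-Control-Expose-Headers`, plus a small model of which response headers a cross-origin script can read. The origin `https://dashboard.example.org`, the policy object and the function names are assumptions; the exact-match origin allowlist is one way to address the request-forgery concern raised above.

```javascript
// Added example. POLICY values are constructed for illustration (hypothetical deployment).
const POLICY = {
  allowedOrigins: new Set(["https://dashboard.example.org"]), // hypothetical client origin
  allowedMethods: ["GET", "POST"],
  allowedRequestHeaders: ["content-type", "x-auth-token"],
  exposedResponseHeaders: ["X-Auth-Token", "X-Storage-Url"],
};

// Response headers a cross-origin script may always read (CORS-safelisted names).
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);

// Server side: CORS headers to add to the response, or null to add none
// (the browser then refuses to hand the response to the script).
function corsHeaders(req, policy = POLICY) {
  const origin = req.headers["origin"];
  // Exact match only: no wildcard and no reflecting of arbitrary origins.
  if (!origin || !policy.allowedOrigins.has(origin)) return null;
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantedMethod) {
    // Preflight: browsers send it before a POST with Content-Type: application/json.
    const wantedHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!policy.allowedMethods.includes(wantedMethod)) return null;
    if (!wantedHeaders.every((h) => policy.allowedRequestHeaders.includes(h))) return null;
    out["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.allowedRequestHeaders.join(", ");
  } else {
    // Actual request: name the custom headers the script is allowed to read.
    out["Access-Control-Expose-Headers"] = policy.exposedResponseHeaders.join(", ");
  }
  return out;
}

// Browser side (model): names of the response headers a cross-origin script can see.
function visibleToScript(responseHeaders) {
  const exposed = new Set((responseHeaders["Access-Control-Expose-Headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean));
  return Object.keys(responseHeaders).filter((name) => {
    const n = name.toLowerCase();
    return SAFELISTED.has(n) || exposed.has(n);
  });
}
```

Without the expose header, `visibleToScript` returns only `Content-Type` for a token response, which matches the stripped-header symptom described in the thread.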