
openstack team mailing list archive

Re: Using Nova APIs from Javascript: possible?

 

Hi!

We have just published the code of the portal in Github. You can find it in
https://github.com/ging/horizon-js. It will only work with Keystone and
Nova if they have CORS implemented.

Adrian, we didn't make big changes in your code, only logger classes and a
little problem we found with PUT requests in some cases (I have to take a
deeper look into this problem, anyway). We've made tests from iPhone,
iPad, Safari, Firefox and Chrome and we didn't have any problems. But on
the other hand CORS doesn't work in IE9 with PUT and DELETE methods. Next
week I will test it with Android and Opera browsers.

Sure! It will be very interesting to submit your code to gerrit!!

Diego, I will talk with Joaquin to check if we can show you a demo in two
weeks!!

Cheers,
Javier.

2012/4/27 Adrian Smith <adrian_f_smith@xxxxxxxx>

> I'd be really interested to hear how you go on with the CORS middleware Javier.
> Did it work as-is or did you have to modify it? Was there much effort
> involved in using it with Nova?
>
> From your experience it sounds like there's decent CORS support in
> browsers now so it's probably time to submit this change to gerrit.
>
> Adrian
>
>
> 2012/4/27 Diego Parrilla Santamaría <diego.parrilla.santamaria@xxxxxxxxx>
>
>> Awesome Javier!!!!
>>
>> Anxiously waiting for a meeting with you guys to see your progress!
>>
>> Cheers
>> Diego
>> --
>> Diego Parrilla
>> CEO, www.stackops.com <http://www.stackops.com/>
>> diego.parrilla@xxxxxxxxxxxx | +34 649 94 43 29 | skype:diegoparrilla
>>
>>
>>
>>
>> On Thu, Apr 26, 2012 at 9:50 AM, javier cerviño <jcervino@xxxxxxxxxx> wrote:
>>
>>> Hi all,
>>>
>>> I'm glad to hear that there's a lot of interest in the implementation
>>> of Openstack JavaScript clients. Actually, in my group we're
>>> developing a "single page" application written entirely in
>>> JavaScript, that widely supports the Nova and Keystone APIs.  This work is
>>> part of a European Project called FI-Ware (http://www.fi-ware.eu/), in
>>> which we are currently using Openstack APIs.
>>>
>>> We've modified Nova and Keystone installations by adding CORS support.
>>> We did it by implementing a kind of filter on their APIs. For doing
>>> this we used Adam's implementation
>>> (https://github.com/adrian/swift/tree/cors), and we adapted it to the Nova
>>> and Keystone components. We also developed a JS library
>>> (http://ging.github.com/jstack/) that can be used by both web and
>>> Node.js applications, for example. This library aims to provide the same
>>> functionality as python-novaclient, adding support for the Keystone API.
>>>
>>> And finally we are copying Openstack horizon functionality, using the JS
>>> library and other frameworks such as jQuery and Backbone.js to
>>> implement the web application. This web application is an
>>> "early-stage" work, but we will probably publish it by the end of this
>>> week. I will let you know the github link.
>>>
>>> We didn't find many problems with CORS implementation and support in
>>> browsers. For the time being, according to our experiments, the only
>>> web browser that is not usable at all with this technology is Internet
>>> Explorer, but we have tried it in Google Chrome, Safari and Firefox as
>>> well and we didn't have any problems.
>>>
>>> Cheers,
>>> Javier Cerviño.
>>>
>>> On 26 April 2012 06:28, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
>>> >
>>> >
>>> > On Thu, Apr 26, 2012 at 5:49 AM, Adam Young <ayoung@xxxxxxxxxx> wrote:
>>> >>
>>> >> Let me try to summarize:
>>> >>
>>> >> 1.  If you are running from a web browser, post requests to hosts or
>>> >> ports other than the origin are allowed, but the headers cannot be
>>> >> modified.  This prevents the addition of the token from Keystone to
>>> >> provide single sign on.
>>> >>
>>> >> 2.  There are various browser side technologies (JSONP, CORS) that get
>>> >> around this limitation, but they are typically not enabled, and can
>>> >> be considered security issues.  While implementing these might require
>>> >> support from the Openstack server, they are fundamentally browser
>>> >> decisions.
>>> >>
>>> >
>>> > This is inaccurate. JSONP is supported by all browsers since ~Netscape
>>> > 4.0.
>>> >
>>> > CORS is supported by all modern browsers: IE > 8, Firefox > 3.5,
>>> > Chrome > 3, Safari > 4 (see
>>> > http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support).
>>> > Additionally, CORS support is not a browser decision - the server has
>>> > to EXPLICITLY opt-in to support it.
>>> >
>>> > Obviously CORS support *can* be a security issue - that is why it is
>>> > disabled unless the server enables it.
>>> >
>>> > I do not believe that CORS support adds any additional security issues
>>> > above what the OpenStack APIs already face. Specifically, the most common
>>> > problem (CSRF) is not an issue here because the APIs are not authorised
>>> > on a session basis.
>>> >
>>> >
>>> >  [snip]
>>> >>
>>> >>
>>> >> I've been working on Single Sign on Issues for another project for the
>>> >> past year and a half.  Here's a couple of things I've learned.
>>> >>
>>> >> Kerberos is designed to solve this problem.  It has the benefit of being
>>> >> integrated into the browser.  Where Kerberos fails is that: typically it
>>> >> only allows a single authentication provider (KDC in Kerberos speak) and
>>> >> it does not work well with firewalls.
>>> >>
>>> >> The only cryptographically secure way to authenticate on the web that can
>>> >> get around the firewall issue is client side X509 certificates.  This is
>>> >> the foundation for https://blueprints.launchpad.net/keystone/+spec/pki.
>>> >> This could, in theory, work with OAuth, OpenID, or some other distributed
>>> >> authorization service, or we could embed the authorization information
>>> >> right into the certificate, which is what I suggest we do.
>>> >>
>>> >>
>>> >
>>> > To be clear, identity/authorisation is NOT the problem here. The
>>> > OpenStack APIs work well for my use cases, once I work around the cross
>>> > domain POST problem.
>>> >
>>> > However, I've also worked with SSO solutions. The simple truth is that
>>> > client side certificates do not play well with the web - browser support
>>> > ranges from non-existent (on some mobile platforms - see
>>> > http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/)
>>> > to abysmal (there is a reason why many websites that use certificates end
>>> > up using a Java applet), and their interaction with cross domain
>>> > Javascript is unknown.
>>> >
>>> > Even if certificates did work for identification, CORS would still be
>>> > needed - many OpenStack APIs require a POST request which is impossible
>>> > without it.
>>> >
>>> >
>>> > Nick
>>> >
>>> > _______________________________________________
>>> > Mailing list: https://launchpad.net/~openstack
>>> > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>> > Unsubscribe : https://launchpad.net/~openstack
>>> > More help   : https://help.launchpad.net/ListHelp
>>> >
>>>
>>>
>>
>>
>>
>>
>
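
The thread talks about a CORS "filter" bolted onto the Nova and Keystone APIs, about the server having to opt in explicitly, and about CSRF not carrying over because the APIs are authorised by an X-Auth-Token header rather than a session cookie. The following is an added illustration of those three points, written for this archive page; it is not the code from https://github.com/adrian/swift/tree/cors, nor from horizon-js or jstack. The middleware, the `allowed_origins` setting, the `fake_nova` stand-in, the token value `tok-123` and the `call()` driver are all assumptions made for the example. The filter answers the OPTIONS preflight a browser sends before a POST/PUT/DELETE that carries X-Auth-Token, appends Access-Control-Allow-Origin only for trusted origins, and never sends Access-Control-Allow-Credentials, so cookies stay out of the picture.

```python
import json

# Methods and request headers advertised in a preflight answer. X-Auth-Token
# is the header python-novaclient and the Keystone/Nova APIs use, and it is
# exactly the header a plain cross-origin XHR cannot add without CORS.
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS")
ALLOWED_HEADERS = ("Content-Type", "X-Auth-Token")
_ALLOWED_HEADERS_LOWER = {h.lower() for h in ALLOWED_HEADERS}


class CORSMiddleware(object):
    """Hypothetical WSGI filter: emits Access-Control-* headers for trusted
    origins only. Access-Control-Allow-Credentials is never sent, so the
    browser will not attach cookies; the script proves identity with the
    X-Auth-Token header it sets itself, which is why the usual CSRF concern
    of cookie-authenticated web apps does not carry over."""

    def __init__(self, app, allowed_origins):
        self.app = app
        self.allowed_origins = set(allowed_origins)

    def __call__(self, environ, start_response):
        origin = environ.get("HTTP_ORIGIN")
        if origin not in self.allowed_origins:
            # Same-origin request, or an origin we do not trust: pass through
            # with no Access-Control-* header at all. The API still answers,
            # but the browser refuses to hand the response to the script.
            return self.app(environ, start_response)

        cors_headers = [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]

        if (environ["REQUEST_METHOD"] == "OPTIONS"
                and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ):
            return self._preflight(environ, start_response, cors_headers)

        # Actual request: let the API handle it, append CORS headers to its reply.
        def cors_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors_headers, exc_info)

        return self.app(environ, cors_start_response)

    def _preflight(self, environ, start_response, cors_headers):
        # Browsers send OPTIONS first for PUT/DELETE and for any request with a
        # custom header such as X-Auth-Token. Only the CORS policy is checked
        # here; the token itself is validated by the API on the real request.
        wanted_method = environ["HTTP_ACCESS_CONTROL_REQUEST_METHOD"]
        wanted_headers = {
            h.strip().lower()
            for h in environ.get("HTTP_ACCESS_CONTROL_REQUEST_HEADERS", "").split(",")
            if h.strip()
        }
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= _ALLOWED_HEADERS_LOWER:
            start_response("403 Forbidden", [("Content-Length", "0")])
            return [b""]
        start_response("204 No Content", cors_headers + [
            ("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS)),
            ("Access-Control-Allow-Headers", ", ".join(ALLOWED_HEADERS)),
            ("Access-Control-Max-Age", "1800"),
            ("Content-Length", "0"),
        ])
        return [b""]


def filter_factory(global_conf, **local_conf):
    """paste.deploy entry point so the filter can sit in an api-paste.ini
    pipeline (assumed config key: allowed_origins = https://portal.example)."""
    origins = local_conf.get("allowed_origins", "").split()

    def _filter(app):
        return CORSMiddleware(app, origins)
    return _filter


# --- Constructed stand-in for the Nova API plus an in-process WSGI driver ---

def fake_nova(environ, start_response):
    """Accepts one made-up token and returns an empty server list as JSON."""
    if environ.get("HTTP_X_AUTH_TOKEN") != "tok-123":
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"unauthorized": {"code": 401}}']
    body = json.dumps({"servers": []}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method, path, headers=None):
    """Drive a WSGI app without a server; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "SERVER_NAME": "nova", "SERVER_PORT": "8774", "wsgi.url_scheme": "http"}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(response_headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


app = CORSMiddleware(fake_nova, allowed_origins=["https://portal.example"])
```

Calling `call(app, "OPTIONS", "/v2/servers", {...})` with an Origin of https://portal.example, an Access-Control-Request-Method of POST and Access-Control-Request-Headers of "X-Auth-Token, Content-Type" gets the 204 preflight answer; the same request from https://evil.example is passed to the API untouched and comes back without any Access-Control-Allow-Origin, which is the server-side opt-in Nick describes. A preflight asking for a header outside ALLOWED_HEADERS is refused with 403 before the API sees it.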
