openstack team mailing list archive

Re: Using Nova APIs from Javascript: possible?

 

Due to problems people are facing with CORS we've already included further
description and a video of how the JavaScript portal can be used. We'll
work with the fantastic people from StackOps on the implementation of a
basic HTTP proxy which could be used until we find a solution to implement
CORS in OpenStack components.

In the meantime you can see the video, description and code here:
http://ging.github.com/horizon-js/

On 30 April 2012 13:56, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:

> I'm testing out the existing JStack code at the moment.
>
> It's been an enjoyable process so far.
> On Apr 30, 2012 7:30 PM, "javier cerviño" <jcervino@xxxxxxxxxx> wrote:
>
>> Hi Adrian,
>>
>> I've just seen you submitted your Swift-based CORS implementation to
>> Gerrit. Would you mind if we do the same for Nova, Keystone and Glance? On
>> the other hand, it could be better to wait for its approval because we
>> could apply changes proposed by the reviewers to the rest of components.
>>
>> We've just started to implement Glance API support in jStack, and then I
>> will start with Swift. Is anybody out there who wants to join this
>> challenge? You're welcome to propose changes, write code, and so on. The
>> idea is to develop full OpenStack API in JavaScript, so that community
>> could start working with it.
>>
>> Cheers,
>> Javier.
>>
>> 2012/4/27 javier cerviño <jcervino@xxxxxxxxxx>
>>
>>> Hi!
>>>
>>> We have just published the code of the portal in Github. You can find it
>>> in https://github.com/ging/horizon-js. It will only work with Keystone
>>> and Nova if they have CORS implemented.
>>>
>>> Adrian, we didn't make big changes in your code, only logger classes and
>>> a little problem we found with PUT requests in some cases (I have to take a
>>> deeper look into this problem, anyway). We've made tests from iPhone,
>>> iPad, Safari, Firefox and Chrome and we didn't have any problems. But on
>>> the other hand CORS doesn't work in IE9 with PUT and DELETE methods. Next
>>> week I will test it with Android and Opera browsers.
>>>
>>> Sure! It will be very interesting to submit your code to gerrit!!
>>>
>>> Diego, I will talk with Joaquin to check if we can show you a demo in
>>> two weeks!!
>>>
>>> Cheers,
>>> Javier.
>>>
>>> 2012/4/27 Adrian Smith <adrian_f_smith@xxxxxxxx>
>>>
>>>> I'd be really interested to hear how you go on with the CORS middleware Javier.
>>>> Did it work as-is or did you have to modify it? Was there much effort
>>>> involved in using it with Nova?
>>>>
>>>> From your experience it sounds like there's decent CORS support in
>>>> browsers now so it's probably time to submit this change to gerrit.
>>>>
>>>> Adrian
>>>>
>>>>
>>>> 2012/4/27 Diego Parrilla Santamaría <diego.parrilla.santamaria@xxxxxxxxx>
>>>>
>>>>> Awesome Javier!!!!
>>>>>
>>>>> Anxiously waiting for a meeting with you guys to see your progress!
>>>>>
>>>>> Cheers
>>>>> Diego
>>>>> --
>>>>> Diego Parrilla
>>>>> CEO
>>>>> www.stackops.com | diego.parrilla@xxxxxxxxxxxx | +34 649 94 43 29 |
>>>>> skype:diegoparrilla
>>>>>
>>>>> On Thu, Apr 26, 2012 at 9:50 AM, javier cerviño <jcervino@xxxxxxxxxx> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> I'm glad to hear that there's a lot of interest in the implementation
>>>>>> of Openstack JavaScript clients. Actually, in my group we're
>>>>>> developing a "single page" application developed entirely in
>>>>>> JavaScript, that widely supports Nova and Keystone APIs.  This work is
>>>>>> part of a European Project called FI-Ware (http://www.fi-ware.eu/), in
>>>>>> which we are currently using Openstack APIs.
>>>>>>
>>>>>> We've modified Nova and Keystone installations by adding CORS support.
>>>>>> We did it by implementing a kind of filter on their APIs. For doing
>>>>>> this we used Adam's implementation
>>>>>> (https://github.com/adrian/swift/tree/cors), and we adapted it to Nova
>>>>>> and Keystone components. We also developed a JS library
>>>>>> (http://ging.github.com/jstack/) that can be used by both web and
>>>>>> Node.js applications, for example. This library aims to provide same
>>>>>> functionalities as python-novaclient, adding support for Keystone API.
>>>>>>
>>>>>> And finally we are copying Openstack horizon functionality, using JS
>>>>>> library and other frameworks such as jQuery and Backbone.js to
>>>>>> implement the web application. This web application is an
>>>>>> "early-stage" work, but we will probably publish it by the end of this
>>>>>> week. I will let you know the github link.
>>>>>>
>>>>>> We didn't find many problems with CORS implementation and support in
>>>>>> browsers.  For the time being, according to our experiments, the only
>>>>>> web browser that is not usable at all with this technology is Internet
>>>>>> Explorer, but we have tried it in Google Chrome, Safari and Firefox as
>>>>>> well and we didn't have any problems.
>>>>>>
>>>>>> Cheers,
>>>>>> Javier Cerviño.
>>>>>>
>>>>>> On 26 April 2012 06:28, Nick Lothian <nick.lothian@xxxxxxxxx> wrote:
>>>>>> >
>>>>>> >
>>>>>> > On Thu, Apr 26, 2012 at 5:49 AM, Adam Young <ayoung@xxxxxxxxxx> wrote:
>>>>>> >>
>>>>>> >> Let me try to summarize:
>>>>>> >>
>>>>>> >> 1.  If you are running from a web browser, post requests to hosts or
>>>>>> >> ports other than the origin are allowed, but the headers cannot be
>>>>>> >> modified.  This prevents the addition of the token from Keystone to
>>>>>> >> provide single sign on.
>>>>>> >>
>>>>>> >> 2.  There are various browser side technologies (JSONP, CORS) that get
>>>>>> >> around this limitation, but they are typically not enabled, and can be
>>>>>> >> considered security issues.  While implementing these might require
>>>>>> >> support from the Openstack server, they are fundamentally browser
>>>>>> >> decisions.
>>>>>> >>
>>>>>> >
>>>>>> > This is inaccurate. JSONP is supported by all browsers since
>>>>>> > ~Netscape 4.0.
>>>>>> >
>>>>>> > CORS is supported by all modern browsers: IE > 8, Firefox > 3.5,
>>>>>> > Chrome > 3, Safari > 4
>>>>>> > (See http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support).
>>>>>> > Additionally, CORS support is not a browser decision - the server has to
>>>>>> > EXPLICITLY opt-in to support it.
>>>>>> >
>>>>>> > Obviously CORS support *can* be a security issue - that is why it is
>>>>>> > disabled unless the server enables it.
>>>>>> >
>>>>>> > I do not believe that CORS support adds any additional security issues
>>>>>> > above what the OpenStack APIs already face. Specially, the most common
>>>>>> > problem (CSRF) is not an issue here because the APIs are not authorised
>>>>>> > on a session basis.
>>>>>> >
>>>>>> >  [snip]
>>>>>> >>
>>>>>> >>
>>>>>> >> I've been working on Single Sign on Issues for another project for the
>>>>>> >> past year and a half.  Here's a couple things I've learned.
>>>>>> >>
>>>>>> >>
>>>>>> >> Kerberos is designed to solve this problem.  It has the benefit of being
>>>>>> >> integrated into the browser.  Where Kerberos fails is that: typically it
>>>>>> >> only allows a single authentication provider (KDC in Kerberos speak) and
>>>>>> >> it does not work well with Firewalls.
>>>>>> >>
>>>>>> >> The only cryptographically secure way to authenticate on the web that can
>>>>>> >> get around the firewall issue is Client side X509 certificates.  This is
>>>>>> >> the foundation for https://blueprints.launchpad.net/keystone/+spec/pki.
>>>>>> >> This could, in theory, work in with OAuth, OpenID, or some other
>>>>>> >> distributed authorization service, or we could embed the authorization
>>>>>> >> information right into the Certificate, which is what I suggest we do.
>>>>>> >>
>>>>>> >>
>>>>>> >
>>>>>> > To be clear, identity/authorisation is NOT the problem here. The
>>>>>> > OpenStack APIs work well for my use cases, once I work around the cross
>>>>>> > domain POST problem.
>>>>>> >
>>>>>> > However, I've also worked with SSO solutions. The simple truth is that
>>>>>> > client side certificates do not play well with the web - browser support
>>>>>> > ranges from non-existent (on some mobile platforms - see
>>>>>> > http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/)
>>>>>> > to abysmal (there is a reason why many websites that use certificates end
>>>>>> > up using a Java applet), and their interaction with cross domain
>>>>>> > Javascript is unknown.
>>>>>> >
>>>>>> > Even if certificates did work for identification, CORS would still be
>>>>>> > needed - many OpenStack APIs require a POST request which is impossible
>>>>>> > without it.
>>>>>> >
>>>>>> >
>>>>>> > Nick
>>>>>> >
>>>>>> > _______________________________________________
>>>>>> > Mailing list: https://launchpad.net/~openstack
>>>>>> > Post to     : openstack@xxxxxxxxxxxxxxxxxxx
>>>>>> > Unsubscribe : https://launchpad.net/~openstack
>>>>>> > More help   : https://help.launchpad.net/ListHelp
>>>>>> >
>
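
The thread describes adding CORS to Nova and Keystone as a filter in front of the API and notes that the server has to opt in explicitly. The sketch below is an added example, not code from the jStack project or from the Swift CORS patch discussed above: a WSGI filter that answers preflight requests itself and echoes only allowlisted origins. The names CorsFilter and demo_request and the origin https://portal.example.org are hypothetical; X-Auth-Token is the header that carries the Keystone token.

```python
# Added example: CORS as a WSGI filter with an explicit origin allowlist (constructed data).
ALLOWED_METHODS = "GET, POST, PUT, DELETE"
ALLOWED_HEADERS = "Content-Type, X-Auth-Token"   # X-Auth-Token carries the Keystone token


class CorsFilter:
    def __init__(self, app, allowed_origins):
        self.app = app
        self.allowed = frozenset(allowed_origins)

    def _cors_headers(self, origin):
        # Echo only an exact, allowlisted origin: never "*", and no
        # Allow-Credentials, since the API authenticates by token header, not cookie.
        if origin not in self.allowed:
            return []
        return [("Access-Control-Allow-Origin", origin), ("Vary", "Origin")]

    def __call__(self, environ, start_response):
        cors = self._cors_headers(environ.get("HTTP_ORIGIN"))
        preflight = (environ["REQUEST_METHOD"] == "OPTIONS"
                     and "HTTP_ACCESS_CONTROL_REQUEST_METHOD" in environ)
        if preflight:
            # Answer the preflight here: browsers send it without the token,
            # so it must not be passed on to the authenticated API.
            if cors:
                cors += [("Access-Control-Allow-Methods", ALLOWED_METHODS),
                         ("Access-Control-Allow-Headers", ALLOWED_HEADERS),
                         ("Access-Control-Max-Age", "600")]
            start_response("204 No Content" if cors else "403 Forbidden",
                           cors + [("Content-Length", "0")])
            return [b""]

        def cors_start_response(status, headers, exc_info=None):
            return start_response(status, list(headers) + cors, exc_info)
        return self.app(environ, cors_start_response)


def demo_request(method, origin, extra=None):
    """Run one constructed request through the filter; return (status, headers)."""
    def api(environ, start_response):        # stand-in for a Nova/Keystone API app
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    environ = {"REQUEST_METHOD": method, "HTTP_ORIGIN": origin, **(extra or {})}
    CorsFilter(api, ["https://portal.example.org"])(environ, start_response)
    return seen["status"], seen["headers"]
```

A request from an origin outside the allowlist still reaches the API, but its response carries no Access-Control-Allow-Origin header, so the browser does not expose it to the calling script.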
