<div class="gmail_extra">I'd be really interested to hear how you go on with the CORS middleware <span style>Javier. Did it work as-is or did you have to modify it? Was there much effort involved in using it with Nova?</span></div>
<div class="gmail_extra"><font color="#222222" face="arial, sans-serif"><br></font></div><div class="gmail_extra"><font color="#222222" face="arial, sans-serif">From your experience it sounds like there's decent CORS support in browsers now so it's probably time to submit this change to gerrit.</font></div>
<div class="gmail_extra"><font color="#222222" face="arial, sans-serif"><br></font></div><div class="gmail_extra"><font color="#222222" face="arial, sans-serif">Adrian</font></div><div class="gmail_extra"><font color="#222222" face="arial, sans-serif"><br>
</font><br><div class="gmail_quote">2012/4/27 Diego Parrilla Santamaría <span dir="ltr"><<a href="mailto:diego.parrilla.santamaria@gmail.com" target="_blank">diego.parrilla.santamaria@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Awesome Javier!!!!<div><br></div><div>Anxiously waiting for a meeting with you guys to see your progress!</div><div><br></div><div>Cheers</div><div>Diego<br clear="all"> -- <br><span style="border-collapse:separate;font-family:Times"><span style="border-collapse:collapse;font-family:arial,sans-serif"><div align="left" style="font-size:13px">
<div><font><span lang="ES" style="font-family:Arial">Diego Parrilla<br><a href="http://www.stackops.com/" title="file:///C:/Documents%20and%20Settings/carolina.capsir.per1/Application%20Data/Microsoft/Signatures/www.garrigues.com
www.garrigues.com" style="color:rgb(7,77,143)" target="_blank"><span title="file:///C:/Documents%20and%20Settings/carolina.capsir.per1/Application%20Data/Microsoft/Signatures/www.garrigues.com"></span></a></span></font><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><b>CEO</b><font size="1"><br>
</font></font><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"></span></span><b><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><a href="http://www.stackops.com/" target="_blank"><b>www.stackops.com</b></a> | </font></b><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><font size="1"> <a href="mailto:diego.parrilla@stackops.com" target="_blank">diego.parrilla@stackops.com</a></font></font><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><font color="#004438" face="Arial"><b><b><span lang="EN-GB" style="font-size:10pt"></span></b></b></font></span></span><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><font size="1"> | </font></font><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><font size="1"><a href="tel:%2B34%20649%2094%2043%2029" value="+34649944329" target="_blank">+34 649 94 43 29</a> | <a>skype:diegoparrilla</a></font></font></span></span><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><a href="http://www.stackops.com/" target="_blank"><b><br>
</b></a></font></div></div><div style="font-size:13px"><font color="#004438" face="Arial"><b><p><span style="border-collapse:separate;font-size:medium;font-family:Times"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><font color="#004438" face="Arial"><b><b><span lang="EN-GB" style="font-size:10pt"><img></span></b></b></font></span></span></span></span></p>
</b></font></div></span></span><div><div class="h5"><div><br></div><br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Apr 26, 2012 at 9:50 AM, javier cerviño <span dir="ltr"><<a href="mailto:jcervino@dit.upm.es" target="_blank">jcervino@dit.upm.es</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I'm glad to hear that there's a lot of interest in the implementation<br>
of Openstack JavaScript clients. Actually, in my group we're<br>
developing a "single page" application developed entirely in<br>
JavaScript, that widely supports Nova and Keystone APIs. This work is<br>
part of a European Project called FI-Ware (<a href="http://www.fi-ware.eu/" target="_blank">http://www.fi-ware.eu/</a>), in<br>
which we are currently using Openstack APIs.<br>
<br>
We've modified Nova and Keystone installations by adding CORS support.<br>
We did it by implementing a kind of filter on their APIs. For doing<br>
this we used Adam's implementation<br>
(<a href="https://github.com/adrian/swift/tree/cors" target="_blank">https://github.com/adrian/swift/tree/cors</a>), and we adapted it to Nova<br>
and Keystone components. We also developed a JS library<br>
(<a href="http://ging.github.com/jstack/" target="_blank">http://ging.github.com/jstack/</a>) that can be used by both web and<br>
Node.js applications, for example. This library aims to provide same<br>
functionalities as python-novaclient, adding support for Keystone API.<br>
<br>
And finally we are copying Openstack horizon functionality, using JS<br>
library and other frameworks such as jQuery and Backbone.js to<br>
implement the web application. This web application is an<br>
"early-stage" work, but we will probably publish it by the end of this<br>
week. I will let you know the github link.<br>
<br>
We didn't find much problems with CORS implementation and support in<br>
browsers. For the time being, according to our experiments, the only<br>
web browser that is not usable at all with this technology is Internet<br>
Explorer, but we have tried it in Google Chrome, Safari and Firefox as<br>
well and we didn't have any problems.<br>
<br>
Cheers,<br>
Javier Cerviño.<br>
<div><div><br>
On 26 April 2012 06:28, Nick Lothian <<a href="mailto:nick.lothian@gmail.com" target="_blank">nick.lothian@gmail.com</a>> wrote:<br>
><br>
><br>
> On Thu, Apr 26, 2012 at 5:49 AM, Adam Young <<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>> wrote:<br>
>><br>
>> Let me try to summarize:<br>
>><br>
>> 1. If you are running from a web browser, post requests to hosts or<br>
>> ports other than the origin are allowed, but the headers cannot be<br>
>> modified. This prevents the addition of the token from Keystone to provide<br>
>> single sign on.<br>
>><br>
>> 2. There are various browser side technologies (JSONP, CORS) that get<br>
>> around this limitation, but they are typically not enabled, and can be<br>
>> considered security issues. While implementing these might require support<br>
>> from teh Openstack server, they are fundamentally browser decisions.<br>
>><br>
><br>
> This is inaccurate. JSONP is supported by all browsers since ~Netscape 4.0.<br>
><br>
> CORS is supported by all modern browsers: IE > 8, Firefox > 3.5, Chrome > 3,<br>
> Safari > 4<br>
> (See <a href="http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support" target="_blank">http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support</a>).<br>
> Additionally, CORS support is not a browser decision - the server has to<br>
> EXPLICITLY opt-in to support it.<br>
><br>
> Obviously CORS support *can* be a security issue - that is why it is<br>
> disabled unless the server enables it.<br>
><br>
> I do not believe that CORS support adds any additional security issues above<br>
> what the OpenStack APIs already face. Specially, the most common problem<br>
> (CSRF) is not an issue here because the APIs are not authorised on a session<br>
> basis.<br>
><br>
> [snip]<br>
>><br>
>><br>
>> I've been working on Single Sign on Issues for another project for the<br>
>> past year and a half. Here's a couple things I've learned.<br>
>><br>
>><br>
>> Kerberos is designed to solve this problem. It has the benefit of being<br>
>> integrated into the browser. Where Kerberos fails is that: typically it<br>
>> only allows a single authentication provider (KDC in Kerberso speak) and it<br>
>> does not work well with Firewalls.<br>
>><br>
>> The only crytographically secure way to authenticate on the web that can<br>
>> get around the firewall issue is Client side X509 certificates. This is the<br>
>> foundation for <a href="https://blueprints.launchpad.net/keystone/+spec/pki" target="_blank">https://blueprints.launchpad.net/keystone/+spec/pki</a>. This<br>
>> could, in theory, work in with OAuth, OpenID, or some other distributed<br>
>> authorization service, or we could embed the authorization information<br>
>> right into the Certitificate, which is what I suggest we do.<br>
>><br>
>><br>
><br>
> To be clear, identity/authorisation is NOT the problem here. The OpenStack<br>
> APIs work well for my use cases, once I work around the cross domain POST<br>
> problem.<br>
><br>
> However, I've also worked with SSO solutions. The simple truth is that<br>
> client side certificates do not play well with the web - browser support<br>
> ranges from non-existent (on some mobile platforms -<br>
> see <a href="http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/" target="_blank">http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/</a>) to<br>
> abysmal (there is a reason why many websites that use certificates end up<br>
> using a Java applet), and their interaction with cross domain Javascript is<br>
> unknown.<br>
><br>
> Even if certificates did work for identification, CORS would still be needed<br>
> - many OpenStack APIs require a POST request which is impossible without<br>
> it.<br>
><br>
><br>
> Nick<br>
><br>
</div></div><div><div>> _______________________________________________<br>
> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
> Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
><br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div></div></blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>