Due to problems people are facing with CORS we've already included further description and a video of how the JavaScript portal can be used. We'll work with the fantastic people from StackOps on the implementation of a basic HTTP proxy which could be used until we find a solution to implement CORS in OpenStack components.<div>
<br></div><div>In the meantime you can see video, description and code in here: <a href="http://ging.github.com/horizon-js/">http://ging.github.com/horizon-js/</a></div><div><br><div class="gmail_quote">On 30 April 2012 13:56, Nick Lothian <span dir="ltr"><<a href="mailto:nick.lothian@gmail.com" target="_blank">nick.lothian@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p>I'm testing out the existing JStack code at the moment.</p>
<p>It's been enjoyable process so far. </p><div><div>
<div class="gmail_quote">On Apr 30, 2012 7:30 PM, "javier cerviño" <<a href="mailto:jcervino@dit.upm.es" target="_blank">jcervino@dit.upm.es</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_extra">Hi Adrian,</div><div class="gmail_extra"><br></div><div class="gmail_extra">I've just seen you submitted your Swift-based CORS implementation to Gerrit. Would you mind if we do the same for Nova, Keystone and Glance? On the other hand, it could be better to wait for its approval because we could apply changes proposed by the reviewers to the rest of components.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">We've just started to implement Glance API support in jStack, and then I will started with Swift. Is anybody out there who wants to join this challenge? You're welcome to propose changes, write code, and so on. The idea is to develop full OpenStack API in JavaScript, so that community could start working with it.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">Javier.</div><div class="gmail_extra"><br><div class="gmail_quote">2012/4/27 javier cerviño <span dir="ltr"><<a href="mailto:jcervino@dit.upm.es" target="_blank">jcervino@dit.upm.es</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra"><div class="gmail_extra">Hi!</div><div class="gmail_extra"><br></div><div class="gmail_extra">
We have just published the code of the portal in Github. You can find it in <a href="https://github.com/ging/horizon-js" target="_blank">https://github.com/ging/horizon-js</a>. It will only work with Keystone and Nova if they have CORS implemented. </div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Adrian, we didn't make big changes in your code, only logger classes and a little problem we found with PUT requests in some cases (I have to take a deeper look into this problem, anyway). We've made tests from iPhone, iPad, Safari, Firefox and Chrome and we didn't have any problems. But on the other hand CORS doesn't work in IE9 with PUT and DELETE methods. Next week I will test it with Android and Opera browsers. </div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Sure! It will be very interesting to submit your code to gerrit!! </div><div class="gmail_extra"><br></div><div class="gmail_extra">Diego, I will talk with Joaquin to check if we can show you a demo in two weeks!!</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">Javier.</div><div><div><br><div class="gmail_quote">2012/4/27 Adrian Smith <span dir="ltr"><<a href="mailto:adrian_f_smith@dell.com" target="_blank">adrian_f_smith@dell.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra">I'd be really interested to hear how you go on with the CORS middleware <span>Javier. Did it work as-is or did you have to modify it? Was there much effort involved in using it with Nova?</span></div>
<div class="gmail_extra"><font color="#222222" face="arial, sans-serif"><br></font></div><div class="gmail_extra"><font color="#222222" face="arial, sans-serif">From your experience it sounds like there's decent CORS support in browsers now so it's probably time to submit this change to gerrit.</font></div>
<span><font color="#888888">
<div class="gmail_extra"><font color="#222222" face="arial, sans-serif"><br></font></div><div class="gmail_extra"><font color="#222222" face="arial, sans-serif">Adrian</font></div></font></span><div><div>
<div class="gmail_extra"><font color="#222222" face="arial, sans-serif"><br>
</font><br><div class="gmail_quote">2012/4/27 Diego Parrilla Santamaría <span dir="ltr"><<a href="mailto:diego.parrilla.santamaria@gmail.com" target="_blank">diego.parrilla.santamaria@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Awesome Javier!!!!<div><br></div><div>Anxiously waiting for a meeting with you guys to see your progress!</div><div><br></div><div>Cheers</div><div>Diego<br clear="all"> -- <br><span style="border-collapse:separate;font-family:Times"><span style="border-collapse:collapse;font-family:arial,sans-serif"><div align="left" style="font-size:13px">
<div><font><span lang="ES" style="font-family:Arial">Diego Parrilla<br><a href="http://www.stackops.com/" title="file:///C:/Documents%20and%20Settings/carolina.capsir.per1/Application%20Data/Microsoft/Signatures/www.garrigues.com
www.garrigues.com" style="color:rgb(7,77,143)" target="_blank"><span title="file:///C:/Documents%20and%20Settings/carolina.capsir.per1/Application%20Data/Microsoft/Signatures/www.garrigues.com"></span></a></span></font><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><b>CEO</b><font size="1"><br>
</font></font><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"></span></span><b><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><a href="http://www.stackops.com/" target="_blank"><b>www.stackops.com</b></a> | </font></b><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><font size="1"> <a href="mailto:diego.parrilla@stackops.com" target="_blank">diego.parrilla@stackops.com</a></font></font><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><font color="#004438" face="Arial"><b><b><span lang="EN-GB" style="font-size:10pt"></span></b></b></font></span></span><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><font size="1"> | </font></font><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><font size="1"><a href="tel:%2B34%20649%2094%2043%2029" value="+34649944329" target="_blank">+34 649 94 43 29</a> | <a>skype:diegoparrilla</a></font></font></span></span><font face="Arial" size="2" style="font-family:arial,helvetica,sans-serif"><a href="http://www.stackops.com/" target="_blank"><b><br>
</b></a></font></div></div><div style="font-size:13px"><font color="#004438" face="Arial"><b><p><span style="border-collapse:separate;font-size:medium;font-family:Times"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><span style="border-collapse:separate;font-family:Times;font-size:medium"><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px"><font color="#004438" face="Arial"><b><b><span lang="EN-GB" style="font-size:10pt"><img></span></b></b></font></span></span></span></span></p>
</b></font></div></span></span><div><div><div><br></div><br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Apr 26, 2012 at 9:50 AM, javier cerviño <span dir="ltr"><<a href="mailto:jcervino@dit.upm.es" target="_blank">jcervino@dit.upm.es</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
I'm glad to hear that there's a lot of interest in the implementation<br>
of Openstack JavaScript clients. Actually, in my group we're<br>
developing a "single page" application developed entirely in<br>
JavaScript, that widely supports Nova and Keystone APIs. This work is<br>
part of a European Project called FI-Ware (<a href="http://www.fi-ware.eu/" target="_blank">http://www.fi-ware.eu/</a>), in<br>
which we are currently using Openstack APIs.<br>
<br>
We've modified Nova and Keystone installations by adding CORS support.<br>
We did it by implementing a kind of filter on their APIs. For doing<br>
this we used Adam's implementation<br>
(<a href="https://github.com/adrian/swift/tree/cors" target="_blank">https://github.com/adrian/swift/tree/cors</a>), and we adapted it to Nova<br>
and Keystone components. We also developed a JS library<br>
(<a href="http://ging.github.com/jstack/" target="_blank">http://ging.github.com/jstack/</a>) that can be used by both web and<br>
Node.js applications, for example. This library aims to provide same<br>
functionalities as python-novaclient, adding support for Keystone API.<br>
<br>
And finally we are copying Openstack horizon functionality, using JS<br>
library and other frameworks such as jQuery and Backbone.js to<br>
implement the web application. This web application is an<br>
"early-stage" work, but we will probably publish it by the end of this<br>
week. I will let you know the github link.<br>
<br>
We didn't find much problems with CORS implementation and support in<br>
browsers. For the time being, according to our experiments, the only<br>
web browser that is not usable at all with this technology is Internet<br>
Explorer, but we have tried it in Google Chrome, Safari and Firefox as<br>
well and we didn't have any problems.<br>
<br>
Cheers,<br>
Javier Cerviño.<br>
<div><div><br>
On 26 April 2012 06:28, Nick Lothian <<a href="mailto:nick.lothian@gmail.com" target="_blank">nick.lothian@gmail.com</a>> wrote:<br>
><br>
><br>
> On Thu, Apr 26, 2012 at 5:49 AM, Adam Young <<a href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>> wrote:<br>
>><br>
>> Let me try to summarize:<br>
>><br>
>> 1. If you are running from a web browser, post requests to hosts or<br>
>> ports other than the origin are allowed, but the headers cannot be<br>
>> modified. This prevents the addition of the token from Keystone to provide<br>
>> single sign on.<br>
>><br>
>> 2. There are various browser side technologies (JSONP, CORS) that get<br>
>> around this limitation, but they are typically not enabled, and can be<br>
>> considered security issues. While implementing these might require support<br>
>> from teh Openstack server, they are fundamentally browser decisions.<br>
>><br>
><br>
> This is inaccurate. JSONP is supported by all browsers since ~Netscape 4.0.<br>
><br>
> CORS is supported by all modern browsers: IE > 8, Firefox > 3.5, Chrome > 3,<br>
> Safari > 4<br>
> (See <a href="http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support" target="_blank">http://en.wikipedia.org/wiki/Cross-origin_resource_sharing#Browser_support</a>).<br>
> Additionally, CORS support is not a browser decision - the server has to<br>
> EXPLICITLY opt-in to support it.<br>
><br>
> Obviously CORS support *can* be a security issue - that is why it is<br>
> disabled unless the server enables it.<br>
><br>
> I do not believe that CORS support adds any additional security issues above<br>
> what the OpenStack APIs already face. Specially, the most common problem<br>
> (CSRF) is not an issue here because the APIs are not authorised on a session<br>
> basis.<br>
><br>
> [snip]<br>
>><br>
>><br>
>> I've been working on Single Sign on Issues for another project for the<br>
>> past year and a half. Here's a couple things I've learned.<br>
>><br>
>><br>
>> Kerberos is designed to solve this problem. It has the benefit of being<br>
>> integrated into the browser. Where Kerberos fails is that: typically it<br>
>> only allows a single authentication provider (KDC in Kerberso speak) and it<br>
>> does not work well with Firewalls.<br>
>><br>
>> The only crytographically secure way to authenticate on the web that can<br>
>> get around the firewall issue is Client side X509 certificates. This is the<br>
>> foundation for <a href="https://blueprints.launchpad.net/keystone/+spec/pki" target="_blank">https://blueprints.launchpad.net/keystone/+spec/pki</a>. This<br>
>> could, in theory, work in with OAuth, OpenID, or some other distributed<br>
>> authorization service, or we could embed the authorization information<br>
>> right into the Certitificate, which is what I suggest we do.<br>
>><br>
>><br>
><br>
> To be clear, identity/authorisation is NOT the problem here. The OpenStack<br>
> APIs work well for my use cases, once I work around the cross domain POST<br>
> problem.<br>
><br>
> However, I've also worked with SSO solutions. The simple truth is that<br>
> client side certificates do not play well with the web - browser support<br>
> ranges from non-existent (on some mobile platforms -<br>
> see <a href="http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/" target="_blank">http://mobilitydojo.net/2010/12/28/client-certificate-support-across-mobile-platforms-a-summary/</a>) to<br>
> abysmal (there is a reason why many websites that use certificates end up<br>
> using a Java applet), and their interaction with cross domain Javascript is<br>
> unknown.<br>
><br>
> Even if certificates did work for identification, CORS would still be needed<br>
> - many OpenStack APIs require a POST request which is impossible without<br>
> it.<br>
><br>
><br>
> Nick<br>
><br>
</div></div><div><div>> _______________________________________________<br>
> Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
> Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
> Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
> More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
><br>
<br>
_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
</div></div></blockquote></div><br></div></div></div></div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br></div>
</div></div></blockquote></div><br></div></div></div>
</blockquote></div><br></div>
<br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div>
</div></div><br>_______________________________________________<br>
Mailing list: <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
Post to : <a href="mailto:openstack@lists.launchpad.net" target="_blank">openstack@lists.launchpad.net</a><br>
Unsubscribe : <a href="https://launchpad.net/~openstack" target="_blank">https://launchpad.net/~openstack</a><br>
More help : <a href="https://help.launchpad.net/ListHelp" target="_blank">https://help.launchpad.net/ListHelp</a><br>
<br></blockquote></div><br>
</div>