[Openstack] Using Nova APIs from Javascript: possible?

Nick Lothian nick.lothian at gmail.com
Tue Apr 24 14:20:05 UTC 2012


I was trying to write a pure Javascript client hosted on a different
domain. As you mentioned earlier JSONP is a potential solution, but it will
not work with POST requests.

Cross-site forgery issues need to be thought through carefully. I don't
believe they are insurmountable though - it isn't like OpenStack uses
session-based authentication where a cookie will automatically be sent
authorising the request. The user will need to enter their username &
password somewhere to generate the authentication token, and that will need
to be passed with every request.

Nick

On Tue, Apr 24, 2012 at 5:50 AM, Tres Henry <tres at treshenry.net> wrote:

> Sorry, meant to say "server-less client applications". The OP is trying to
> create a client-side JS application that communicates directly to an OS
> endpoint (specifically trystack). I believe his problem is same origin
> policy, not authentication.
>
> On Apr 23, 2012, at 12:33 PM, Adam Young wrote:
>
> > On 04/23/2012 01:13 PM, Tres Henry wrote:
> >> Adam, in what way should the OS API support server-less clients? AFAIK
> the options are CORS or JSONP, no?
> >
> > I am not quite sure what you mean by serverless clients,  but I think
> the answer to this is getting a real Single Sign On solution,  which is
> based on:
> >
> > 1. Kerberos,
> > 2. X509
> >
> > > Kerberos is likely a non starter for Web applications due to some
> > current issues with handling multiple TGTs and also cross firewalls
> > (Kerberos tickets must get served out on port 88 without jumping through
> > considerable hoops.)
> >
> > I've written up about X509 support here:
> > http://wiki.openstack.org/PKI
> >
> > I think that X509 Client Authentication is the right long-term approach
> for what we are doing.  Specifically, short term X509 certificates
> replacing the Keystone tokens as the mechanism for  SSO.
> >
> >
> >>
> >> On Apr 23, 2012, at 5:50 AM, Adam Young wrote:
> >>
> >>> I see this as a feature,  not a drawback.    The inability to access
> portions of the HTTP protocol is there to defend against attacks such as
> cross site request forgeries.  If we suppress that mechanism, we open up a
> lot of security holes.
> >>>
> >>>
> >>> On 04/23/2012 06:09 AM, Adrian Smith wrote:
> >>>> The authentication request returns X-Storage-Url and X-Auth-Token
> >>>> headers. For the JS client to see them they need to be referenced in
> >>>> Access-Control-Expose-Headers. As of the last time checked, both these
> >>>> headers were being stripped from the response before being presented
> >>>> to JS.
> >>>>
> >>>> Adrian
> >>>>
> >>>>
> >>>> On 23 April 2012 10:35, Nick Lothian <nick.lothian at gmail.com> wrote:
> >>>>> Hi Adrian,
> >>>>>
> >>>>> Good to know this is a known issue.
> >>>>>
> >>>>> Why does the client need to see custom headers from the server
> anyway?
> >>>>> I know the client needs to pass the authorisation header to the
> server, but
> >>>>> I haven't seen any of the APIs yet that return custom headers. (It's
> likely
> >>>>> I'm missing them though)
> >>>>>
> >>>>> Nick
> >>>>>
> >>>>> On Apr 23, 2012 5:40 PM, "Adrian Smith" <adrian at 17od.com> wrote:
> >>>>>> Hi Nick,
> >>>>>>
> >>>>>> I did some work with CORS a few months back [1].
> >>>>>>
> >>>>>> At the time I couldn't get any browser to work properly with CORS
> so I
> >>>>>> just parked the code. The problem was lack of support for the
> >>>>>> Access-Control-Expose-Headers header.
> >>>>>>
> >>>>>> According to the Chrome bug report [2] this issue may well be fixed
> >>>>>> now so I need to retest.
> >>>>>>
> >>>>>> Adrian
> >>>>>>
> >>>>>> [1]
> >>>>>>
> http://www.mail-archive.com/openstack@lists.launchpad.net/msg07219.html
> >>>>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
> >>>>>>
> >>>>>>
> >>>>>> On 23 April 2012 06:19, Nick Lothian <nick.lothian at gmail.com> wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I've been playing with the Nova APIs from Javascript, and I've run
> into
> >>>>>>> a
> >>>>>>> problem.
> >>>>>>>
> >>>>>>> The very first thing one needs to do to use the APIs is to get a
> token.
> >>>>>>>
> >>>>>>> That requires a POST to the API endpoint. Using curl & trystack that
> >>>>>>> looks like this:
> >>>>>>>
> >>>>>>> $ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
> >>>>>>>     -d '{"auth":{"passwordCredentials":{"username": "<username>",
> >>>>>>>     "password":"<password>"}}}' -H 'Content-type: application/json'
> >>>>>>>
> >>>>>>>
> >>>>>>> The Javascript equivalent (using JQuery) is:
> >>>>>>>
> >>>>>>>     $.ajax({
> >>>>>>>         url: "https://nova-api.trystack.org:5443/v2.0/tokens",
> >>>>>>>         type: 'POST',
> >>>>>>>         headers: {"Content-Type": "application/json"},
> >>>>>>>         // jQuery form-encodes a plain object as the body; the token
> >>>>>>>         // endpoint expects a JSON document, so serialise it explicitly.
> >>>>>>>         data: JSON.stringify({"auth":{"passwordCredentials":{
> >>>>>>>             "username":"<username>", "password":"<password>"}}}),
> >>>>>>>         success: function(data) { alert(data); }
> >>>>>>>     });
> >>>>>>>
> >>>>>>> That fails because the call is cross-domain, and Nova doesn't support
> >>>>>>> CORS (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing).
> >>>>>>> <script>-based cross-domain requests only support GET requests, so
> >>>>>>> that doesn't work either.
> >>>>>>>
> >>>>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044,
> but
> >>>>>>> I'm
> >>>>>>> really hoping someone can point out something obvious I'm missing
> here.
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>   Nick Lothian
> >>>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> Mailing list: https://launchpad.net/~openstack
> >>>>>>> Post to     : openstack at lists.launchpad.net
> >>>>>>> Unsubscribe : https://launchpad.net/~openstack
> >>>>>>> More help   : https://help.launchpad.net/ListHelp
> >>>>>>>
> >>>>>
> >>>
> >
>
>
>
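The two technical points the thread turns on are (a) that a JSON POST to the token endpoint is blocked by the browser until the API answers a CORS preflight and then lists X-Auth-Token and X-Storage-Url in Access-Control-Expose-Headers, and (b) that a token carried in an explicit request header, rather than a cookie the browser attaches on its own, is what keeps such a cross-origin client free of cross-site request forgery. The following JavaScript models both sides of that exchange. It is an added example written for this page, not code from the thread, from Nova or from Keystone; the origin allowlist, the header lists, the sample token and the request/response objects are all constructed for illustration.

```javascript
// Added example (not from the thread, Nova or Keystone): a model of the CORS
// exchange a browser runs against a cross-origin token endpoint such as
// POST https://nova-api.trystack.org:5443/v2.0/tokens, and the checks a
// CORS-enabling front end would apply. All origins, header lists and sample
// requests below are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://js-client.example"]);   // assumed allowlist
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_REQUEST_HEADERS = ["content-type", "x-auth-token"];
const EXPOSED_HEADERS = ["X-Auth-Token", "X-Storage-Url"];        // readable by script

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_REQUEST_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
const SIMPLE_RESPONSE_HEADERS = new Set(["cache-control", "content-language", "content-type", "expires", "last-modified", "pragma"]);

const lower = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));
const splitList = (s) => (s || "").split(",").map((x) => x.trim()).filter(Boolean);

// Browser rule: anything beyond a "simple" request gets an OPTIONS preflight.
// A JSON body or a custom header such as X-Auth-Token is enough to trigger one.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method)) return true;
  for (const [name, value] of Object.entries(lower(headers))) {
    if (name === "content-type") {
      if (!SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return true;
    } else if (!SIMPLE_REQUEST_HEADERS.has(name)) return true;
  }
  return false;
}

// Server: answer the preflight. Access-Control-Allow-Credentials is deliberately
// absent, so the browser never attaches cookies; the token travels only in X-Auth-Token.
function handlePreflight(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": ALLOWED_REQUEST_HEADERS.join(", "),
    },
  };
}

// Server: the actual response repeats Allow-Origin and names the non-simple
// headers script may read (without Expose-Headers they are stripped).
function corsHeadersForResponse(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Expose-Headers": EXPOSED_HEADERS.join(", "),
  };
}

// Server: the CSRF argument from the thread. Authentication comes only from the
// explicit header; a cookie an attacker's page could cause to be sent is ignored.
function tokenFromRequest(headers) {
  return lower(headers)["x-auth-token"] || null;
}

// Browser: run the CORS checks for one request and report what script can see.
function simulateBrowser(origin, { method, headers, responseHeaders }) {
  const reqNames = Object.keys(lower(headers));
  if (needsPreflight(method, headers)) {
    const pre = handlePreflight(origin);
    const ph = lower(pre.headers);
    const okOrigin = pre.status < 400 && ph["access-control-allow-origin"] === origin;
    const okMethod = okOrigin && splitList(ph["access-control-allow-methods"]).includes(method);
    const allowed = okOrigin ? splitList(ph["access-control-allow-headers"]) : [];
    if (!(okMethod && reqNames.every((n) => allowed.includes(n)))) {
      return { ok: false, visibleHeaders: {} };
    }
  }
  const cors = lower(corsHeadersForResponse(origin));
  if (cors["access-control-allow-origin"] !== origin) return { ok: false, visibleHeaders: {} };
  const exposed = new Set(splitList(cors["access-control-expose-headers"]).map((s) => s.toLowerCase()));
  const visibleHeaders = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    const n = name.toLowerCase();
    if (SIMPLE_RESPONSE_HEADERS.has(n) || exposed.has(n)) visibleHeaders[name] = value;
  }
  return { ok: true, visibleHeaders };
}

// Constructed sample: the token request from the thread, with a constructed reply.
const TOKEN_REQUEST = {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  responseHeaders: {
    "Content-Type": "application/json",
    "X-Auth-Token": "tok-example",                 // constructed, not a real token
    "X-Storage-Url": "https://storage.example/v1/acct",
    "X-Internal-Debug": "not exposed, so script never sees it",
  },
};

console.log(simulateBrowser("https://js-client.example", TOKEN_REQUEST));
```

Run with node: simulateBrowser() reports whether the script receives the response at all and which headers it can read. From the allowed origin the JSON POST triggers a preflight, passes it, and the script sees X-Auth-Token and X-Storage-Url but not the unexposed X-Internal-Debug header; from any other origin the preflight fails and the script sees nothing. Because the server never sends Access-Control-Allow-Credentials and tokenFromRequest() ignores cookies entirely, a forged cross-site request can carry no usable credential, which is the property Nick's reply above relies on.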

