Difference between revisions of "Designate/Blueprints/IPABackend"
< Designate | Blueprints
(→API Changes) |
(→API Changes) |
||
| Line 17: | Line 17: | ||
* A FreeIPA deployment, with an account that has access to manage the DNS portion. The admin@DOMAIN account can be used for testing, but is not recommended for production. You must generate a keytab file for this account, and Designate Central must have read access to the keytab file. | * A FreeIPA deployment, with an account that has access to manage the DNS portion. The admin@DOMAIN account can be used for testing, but is not recommended for production. You must generate a keytab file for this account, and Designate Central must have read access to the keytab file. | ||
* The CA cert file from FreeIPA (default /etc/ipa/ca.crt). | * The CA cert file from FreeIPA (default /etc/ipa/ca.crt). | ||
| + | |||
| + | == Kerberos == | ||
| + | |||
| + | The IPA backend uses the '''KRB5_CLIENT_KEYTAB''' feature of MIT Kerberos 1.11. For the HTTP communication with IPA, the backend uses the '''requests''' module, and sets the header ''Authorization: negotiate $token'' where $token is the Kerberos token generated by the python-kerberos module from the keytab file. | ||
| + | |||
| + | One current limitation is that only one identity can be used at a time. | ||
== API Changes == | == API Changes == | ||
Revision as of 21:32, 2 April 2014
Contents
Overview
| Gerrit Patch | [] |
|---|---|
| Launchpad Blueprint | [1] |
Summary
This implements support for using FreeIPA as a backend. FreeIPA has full support for DNS, using the JSON RPC interface for dnszone (domain) and dnsrecord commands.
Requirements
- python-kerberos 1.1 or later
- MIT kerberos5 version 1.11.3 or later
- A FreeIPA deployment, with an account that has access to manage the DNS portion. The admin@DOMAIN account can be used for testing, but is not recommended for production. You must generate a keytab file for this account, and Designate Central must have read access to the keytab file.
- The CA cert file from FreeIPA (default /etc/ipa/ca.crt).
Kerberos
The IPA backend uses the KRB5_CLIENT_KEYTAB feature of MIT Kerberos 1.11. For the HTTP communication with IPA, the backend uses the requests module, and sets the header Authorization: negotiate $token where $token is the Kerberos token generated by the python-kerberos module from the keytab file.
One current limitation is that only one identity can be used at a time.
API Changes
None
One Per Change
| Verb | Resource | Description |
|---|---|---|
| GET | /resource | Description of call |
| GET | /resource/{id} | Description of call |
Database Changes
Description of Changes to DB schemas
eg -
| Name | Data Type | Length | Nullable | Details |
|---|---|---|---|---|
| id | VARCHAR | 36 | False | Primary Key, Generated UUID |
| name | VARCHAR | 255 | False | Domain name to be blacklisted |
| version | INTEGER | - | False | Designate API version |
| created_at | DATETIME | - | False | UTC time of creation |
| updated_at | DATETIME | - | True | UTC time of creation |
| description | VARCHAR | 160 | True | UTF-8 text field |
