Difference between revisions of "Designate/Blueprints/IPABackend"
< Designate | Blueprints
(→API Changes) |
(→API Changes) |
||
Line 17: | Line 17: | ||
* A FreeIPA deployment, with an account that has access to manage the DNS portion. The admin@DOMAIN account can be used for testing, but is not recommended for production. You must generate a keytab file for this account, and Designate Central must have read access to the keytab file. | * A FreeIPA deployment, with an account that has access to manage the DNS portion. The admin@DOMAIN account can be used for testing, but is not recommended for production. You must generate a keytab file for this account, and Designate Central must have read access to the keytab file. | ||
* The CA cert file from FreeIPA (default /etc/ipa/ca.crt). | * The CA cert file from FreeIPA (default /etc/ipa/ca.crt). | ||
+ | |||
+ | == Kerberos == | ||
+ | |||
+ | The IPA backend uses the '''KRB5_CLIENT_KEYTAB''' feature of MIT Kerberos 1.11. For the HTTP communication with IPA, the backend uses the '''requests''' module, and sets the header ''Authorization: negotiate $token'' where $token is the Kerberos token generated by the python-kerberos module from the keytab file. | ||
+ | |||
+ | One current limitation is that only one identity can be used at a time. | ||
== API Changes == | == API Changes == |
Revision as of 21:32, 2 April 2014
Contents
Overview
Gerrit Patch | [] |
---|---|
Launchpad Blueprint | [1] |
Summary
This implements support for using FreeIPA as a backend. FreeIPA has full support for DNS, using the JSON RPC interface for dnszone (domain) and dnsrecord commands.
Requirements
- python-kerberos 1.1 or later
- MIT kerberos5 version 1.11.3 or later
- A FreeIPA deployment, with an account that has access to manage the DNS portion. The admin@DOMAIN account can be used for testing, but is not recommended for production. You must generate a keytab file for this account, and Designate Central must have read access to the keytab file.
- The CA cert file from FreeIPA (default /etc/ipa/ca.crt).
Kerberos
The IPA backend uses the KRB5_CLIENT_KEYTAB feature of MIT Kerberos 1.11. For the HTTP communication with IPA, the backend uses the requests module, and sets the header Authorization: negotiate $token where $token is the Kerberos token generated by the python-kerberos module from the keytab file.
One current limitation is that only one identity can be used at a time.
API Changes
None
One Per Change
Verb | Resource | Description |
---|---|---|
GET | /resource | Description of call |
GET | /resource/{id} | Description of call |
Database Changes
Description of Changes to DB schemas
eg -
Name | Data Type | Length | Nullable | Details |
---|---|---|---|---|
id | VARCHAR | 36 | False | Primary Key, Generated UUID |
name | VARCHAR | 255 | False | Domain name to be blacklisted |
version | INTEGER | - | False | Designate API version |
created_at | DATETIME | - | False | UTC time of creation |
updated_at | DATETIME | - | True | UTC time of creation |
description | VARCHAR | 160 | True | UTF-8 text field |