An OpenAPI client for FASJSON
Project description
fasjson-client
A python client library for the FASJSON API
This client uses the bravado library to build dynamic api methods based on open-api specs (version 2.0): https://github.com/Yelp/bravado
Usage
Instantiate the client with the FASJSON URL you want to use.
>>> from fasjson_client import Client
>>> c = Client('http://fasjson.example.com')
>>> c.me.whoami().response().result
{'result': {'dn': 'uid=admin,cn=users,cn=accounts,dc=example,dc=test', 'username': 'admin', 'service': None, 'uri': 'http://fasjson.example.test/fasjson/v1/users/admin/'}}
Authentication
Authentication is done with Kerberos. If you want to explicitely specify a principal to authenticate as, use the principal
constructor argument.
c = Client('http://fasjson.example.com', principal='admin@EXAMPLE.TEST')
Configuring an application for Kerberos authentication
Users authenticate via kinit
, applications authenticate via keytabs. It is highly recommended to use gssproxy in order to keep your keytabs secure.
- First, install gssproxy with
dnf install gssproxy
- Create the service that you want to authenticate as in IPA:
ipa service-add SERVICE/host-fqdn
(for exampleipa service-add HTTP/server.example.com
) - Get the keytab for that service and store it in gssproxy's directory:
ipa-getkeytab -p SERVICE/host-fqdn -k /var/lib/gssproxy/service.keytab
(for exampleipa-getkeytab -p HTTP/server.example.com -k /var/lib/gssproxy/httpd.keytab
) - Add a configuration file for your service in gssproxy's configuration directory:
# /etc/gssproxy/50-servicename.conf
[service/servicename]
mechs = krb5
cred_store = keytab:/var/lib/gssproxy/service.keytab
cred_store = client_keytab:/var/lib/gssproxy/service.keytab
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = both
euid = user_the_service_runs_as
For example:
# /etc/gssproxy/80-httpd.conf
[service/httpd]
mechs = krb5
cred_store = keytab:/var/lib/gssproxy/httpd.keytab
cred_store = client_keytab:/var/lib/gssproxy/httpd.keytab
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = both
euid = apache
- Restart gssproxy with
systemctl restart gssproxy
- Configure the service to run with the
GSS_USE_PROXY
environment variable set. Services started by systemd can be configured with a service configuration file, for example with the httpd service:
# /etc/systemd/system/httpd.service.d/gssproxy.conf
# /usr/lib/systemd/system/httpd.service.d/gssproxy.conf
[Service]
Environment=KRB5CCNAME=/tmp/krb5cc-httpd
Environment=GSS_USE_PROXY=yes
Your service should now be able to authenticate with Kerberos
Development
Install dependencies:
poetry install
Run the tests:
tox
License
Licensed under lgpl-3.0
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for fasjson_client-0.0.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 712ef5ad475b9d2063eb3053e3cf332b5d80a74aaec64c8ae1724e22a06a969d |
|
MD5 | 9fd0219f6dabcbe4aedbefd806f87185 |
|
BLAKE2b-256 | 34b9fc962739adb040c9e75514161f693cbcc31c50ad911454eff4be359853b1 |