An OpenAPI client for FASJSON
Project description
fasjson-client
A Python client library for the FASJSON API
This client uses the bravado library to build dynamic API methods from OpenAPI specs (version 2.0): https://github.com/Yelp/bravado
Usage
Instantiate the client with the FASJSON URL you want to use.
>>> from fasjson_client import Client
>>> c = Client('http://fasjson.example.com')
>>> c.me.whoami().response().result
{'result': {'dn': 'uid=admin,cn=users,cn=accounts,dc=example,dc=test', 'username': 'admin', 'service': None, 'uri': 'http://fasjson.example.test/fasjson/v1/users/admin/'}}
Authentication
Authentication is done with Kerberos. If you want to explicitly specify a principal to authenticate as, use the principal constructor argument.
c = Client('http://fasjson.example.com', principal='admin@EXAMPLE.TEST')
Configuring an application for Kerberos authentication
Users authenticate via kinit, applications authenticate via keytabs. It is highly recommended to use gssproxy in order to keep your keytabs secure.
- First, install gssproxy with
dnf install gssproxy
- Create the service that you want to authenticate as in IPA:
ipa service-add SERVICE/host-fqdn
(for example: ipa service-add HTTP/server.example.com)
- Get the keytab for that service and store it in gssproxy's directory:
ipa-getkeytab -p SERVICE/host-fqdn -k /var/lib/gssproxy/service.keytab
(for example: ipa-getkeytab -p HTTP/server.example.com -k /var/lib/gssproxy/httpd.keytab)
- Add a configuration file for your service in gssproxy's configuration directory:
# /etc/gssproxy/50-servicename.conf
[service/servicename]
mechs = krb5
cred_store = keytab:/var/lib/gssproxy/service.keytab
cred_store = client_keytab:/var/lib/gssproxy/service.keytab
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = both
euid = user_the_service_runs_as
For example:
# /etc/gssproxy/80-httpd.conf
[service/httpd]
mechs = krb5
cred_store = keytab:/var/lib/gssproxy/httpd.keytab
cred_store = client_keytab:/var/lib/gssproxy/httpd.keytab
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = both
euid = apache
- Restart gssproxy with
systemctl restart gssproxy
- Configure the service to run with the GSS_USE_PROXY environment variable set. Services started by systemd can be configured with a service configuration file, for example with the httpd service:
# /etc/systemd/system/httpd.service.d/gssproxy.conf
# /usr/lib/systemd/system/httpd.service.d/gssproxy.conf
[Service]
Environment=KRB5CCNAME=/tmp/krb5cc-httpd
Environment=GSS_USE_PROXY=yes
Your service should now be able to authenticate with Kerberos.
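As an added example (not part of the fasjson-client project), this Python check audits a gssproxy service file against the template above. It keeps repeated cred_store keys as a list, because a generic INI parser either rejects the duplicate key or keeps only one value; the function names, the sample file and the individual checks are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the page's httpd example with the client_keytab
# and euid lines removed, so the audit has something to report.
SAMPLE_BROKEN = """\
[service/httpd]
mechs = krb5
cred_store = keytab:/var/lib/gssproxy/httpd.keytab
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = both
"""
KEYTAB_DIR = "/var/lib/gssproxy/"  # directory the page stores keytabs in


def parse_gssproxy(text):
    """Return {section: {key: [values...]}}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), defaultdict(list))
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key].append(value)
    return sections


def audit(text):
    """Compare each section with the page's template; return findings."""
    findings = []
    for name, opts in parse_gssproxy(text).items():
        # cred_store values look like "<kind>:<path>"
        stores = dict(v.split(":", 1) for v in opts["cred_store"] if ":" in v)
        if "krb5" not in opts["mechs"]:
            findings.append(f"{name}: mechs does not enable krb5")
        if "keytab" not in stores:
            findings.append(f"{name}: no cred_store keytab entry")
        if opts["cred_usage"] == ["both"] and "client_keytab" not in stores:
            findings.append(f"{name}: cred_usage = both without client_keytab")
        for kind, path in stores.items():
            if not path.startswith(KEYTAB_DIR):
                findings.append(f"{name}: {kind} outside {KEYTAB_DIR}: {path}")
        if not opts["euid"]:
            findings.append(f"{name}: no euid set")
    return findings
```

Calling audit() on the text of a file under /etc/gssproxy/ returns an empty list when it matches the template, otherwise one line per deviation.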
Development
Install dependencies:
poetry install
Run the tests:
tox
License
Licensed under lgpl-3.0
File details
Details for the file fasjson-client-0.0.1.tar.gz.
File metadata
- Download URL: fasjson-client-0.0.1.tar.gz
- Upload date:
- Size: 11.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.7 Linux/5.5.17-200.fc31.x86_64
File hashes
Algorithm | Hash digest
---|---
SHA256 | df61302ab5d7edc839ea97258256050412d61e1706691f3e4b3f6f1469ab668e
MD5 | b95e805d5387051a14973ff4b68fc4c9
BLAKE2b-256 | 80f991a22994fc960a372923c37c5ca79df380dc8037353093959258d4111fe7
File details
Details for the file fasjson_client-0.0.1-py3-none-any.whl.
File metadata
- Download URL: fasjson_client-0.0.1-py3-none-any.whl
- Upload date:
- Size: 13.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.0.5 CPython/3.7.7 Linux/5.5.17-200.fc31.x86_64
File hashes
Algorithm | Hash digest
---|---
SHA256 | 712ef5ad475b9d2063eb3053e3cf332b5d80a74aaec64c8ae1724e22a06a969d
MD5 | 9fd0219f6dabcbe4aedbefd806f87185
BLAKE2b-256 | 34b9fc962739adb040c9e75514161f693cbcc31c50ad911454eff4be359853b1