
Mailing List Archive: OpenStack: Dev

Using Nova APIs from Javascript: possible?

 

 



nick.lothian at gmail

Apr 22, 2012, 10:19 PM

Post #1 of 39 (773 views)
Using Nova APIs from Javascript: possible?

Hi,

I've been playing with the Nova APIs from Javascript, and I've run into a
problem.

The very first thing one needs to do to use the APIs is to get a token.

That requires a POST to the API endpoint. Using curl & trystack that looks
like this:

$ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens \
    -d '{"auth":{"passwordCredentials":{"username": "<username>", "password":"<password>"}}}' \
    -H 'Content-type: application/json'


The Javascript equivalent (using JQuery) is:

    $.ajax({
        url: "https://nova-api.trystack.org:5443/v2.0/tokens",
        type: 'POST',
        contentType: "application/json",
        // Send the body as a JSON string; jQuery would form-encode a plain object
        data: JSON.stringify({"auth":{"passwordCredentials":{"username":"<username>",
                                                             "password":"<password>"}}}),
        success: function(data) { alert(data); }
    });

That fails because the call is cross-domain, and Nova doesn't support CORS
(http://en.wikipedia.org/wiki/Cross-origin_resource_sharing). <script> based
cross-domain requests only support GET requests, so that doesn't work
either.

I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but I'm
really hoping someone can point out something obvious I'm missing here.

Regards
Nick Lothian


adrian at 17od

Apr 23, 2012, 1:10 AM

Post #2 of 39 (769 views)
Re: Using Nova APIs from Javascript: possible?

Hi Nick,

I did some work with CORS a few months back [1].

At the time I couldn't get any browser to work properly with CORS so I
just parked the code. The problem was lack of support for the
Access-Control-Expose-Headers header.

According to the Chrome bug report [2] this issue may well be fixed
now so I need to retest.

Adrian

[1] http://www.mail-archive.com/openstack [at] lists/msg07219.html
[2] http://code.google.com/p/chromium/issues/detail?id=87338



_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack [at] lists
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp


nick.lothian at gmail

Apr 23, 2012, 2:35 AM

Post #3 of 39 (769 views)
Re: Using Nova APIs from Javascript: possible?

Hi Adrian,

Good to know this is a known issue.

Why does the client need to see custom headers from the server anyway?
I know the client needs to pass the authorisation header to the server, but
I haven't seen any of the APIs yet that return custom headers. (It's likely
I'm missing them though)

Nick


adrian at 17od

Apr 23, 2012, 3:09 AM

Post #4 of 39 (771 views)
Re: Using Nova APIs from Javascript: possible?

The authentication request returns X-Storage-Url and X-Auth-Token
headers. For the JS client to see them they need to be referenced in
Access-Control-Expose-Headers. As of the last time checked, both these
headers were being stripped from the response before being presented
to JS.

Adrian


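The cross-origin token POST from the first post and the Access-Control-Expose-Headers behaviour described in post #4, modelled as an added example (not part of the thread, and not Nova, Swift or Keystone code). The policy object, the dashboard origin and the token and storage URL values are constructed assumptions, and the browser side is a simplified model of the CORS checks.

```javascript
// Added illustration only: not Nova, Swift or Keystone code. POLICY, the
// dashboard origin and the token / storage URL values are constructed.

// Response headers a browser exposes to cross-origin script without opt-in.
const SAFELISTED_RESPONSE_HEADERS = new Set(['cache-control', 'content-language',
  'content-length', 'content-type', 'expires', 'last-modified', 'pragma']);

// Hypothetical server policy: explicit origin allowlist instead of "*".
const POLICY = {
  allowedOrigins: new Set(['https://dashboard.example.org']),
  allowedMethods: ['GET', 'POST'],
  allowedRequestHeaders: ['content-type', 'x-auth-token'],
  exposedResponseHeaders: ['X-Auth-Token', 'X-Storage-Url'],
};

const splitList = (v) =>
  (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Browser side: does this request trigger an OPTIONS preflight?
function needsPreflight(method, headers) {
  const simpleTypes = ['application/x-www-form-urlencoded',
    'multipart/form-data', 'text/plain'];
  const safelisted = ['accept', 'accept-language', 'content-language', 'content-type'];
  if (!['GET', 'HEAD', 'POST'].includes(method)) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (!safelisted.includes(n)) return true;
    return n === 'content-type' &&
      !simpleTypes.includes(value.split(';')[0].trim().toLowerCase());
  });
}

// Server side: CORS headers to attach, or null when the origin or the
// preflighted method/headers are not allowed (the browser then blocks).
function corsHeaders(policy, req) {
  const origin = req.headers.origin;
  if (!origin || !policy.allowedOrigins.has(origin)) return null;
  const out = { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' };
  const wantMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantMethod) {
    const wantHeaders = splitList(req.headers['access-control-request-headers']);
    if (!policy.allowedMethods.includes(wantMethod)) return null;
    if (!wantHeaders.every((h) => policy.allowedRequestHeaders.includes(h))) return null;
    out['Access-Control-Allow-Methods'] = policy.allowedMethods.join(', ');
    out['Access-Control-Allow-Headers'] = policy.allowedRequestHeaders.join(', ');
  } else if (policy.exposedResponseHeaders.length > 0) {
    out['Access-Control-Expose-Headers'] = policy.exposedResponseHeaders.join(', ');
  }
  return out;
}

// Browser side: which response headers may script read? null = blocked.
function headersVisibleToScript(requestOrigin, responseHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const allow = lower['access-control-allow-origin'];
  if (allow !== requestOrigin && allow !== '*') return null;
  const exposed = new Set(splitList(lower['access-control-expose-headers']));
  const visible = {};
  for (const [k, v] of Object.entries(lower)) {
    if (SAFELISTED_RESPONSE_HEADERS.has(k) || exposed.has(k)) visible[k] = v;
  }
  return visible;
}

// The token POST from the thread, with the response headers post #4 names,
// run through both sides of the model.
function simulateTokenRequest(policy, origin) {
  const requestHeaders = { 'Content-Type': 'application/json' };
  if (needsPreflight('POST', requestHeaders)) {
    const preflight = corsHeaders(policy, { method: 'OPTIONS', headers: {
      origin,
      'access-control-request-method': 'POST',
      'access-control-request-headers': 'content-type',
    } });
    if (!preflight) return { sent: false, visible: null };
  }
  const cors = corsHeaders(policy, { method: 'POST', headers: { origin } });
  const response = Object.assign({
    'Content-Type': 'application/json',
    'X-Auth-Token': 'constructed-token-value',
    'X-Storage-Url': 'https://storage.example.org/v1/AUTH_constructed',
  }, cors || {});
  return { sent: true, visible: headersVisibleToScript(origin, response) };
}

console.log(simulateTokenRequest(POLICY, 'https://dashboard.example.org'));
```

With exposedResponseHeaders emptied the request still goes through, but script sees only content-type, which is the header stripping described in post #4.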


adrian at 17od

Apr 23, 2012, 3:10 AM

Post #5 of 39 (766 views)
Re: Using Nova APIs from Javascript: possible?

This is for Swift of course. But I guess there are similar headers for Nova.



ayoung at redhat

Apr 23, 2012, 5:50 AM

Post #6 of 39 (769 views)
Re: Using Nova APIs from Javascript: possible?

I see this as a feature, not a drawback. The inability to access
portions of the HTTP protocol is there to defend against attacks such as
cross site request forgeries. If we suppress that mechanism, we open up
a lot of security holes.




tres at treshenry

Apr 23, 2012, 10:13 AM

Post #7 of 39 (769 views)
Re: Using Nova APIs from Javascript: possible?

Adam, in what way should the OS API support server-less clients? AFAIK the options are CORS or JSONP, no?



ayoung at redhat

Apr 23, 2012, 12:33 PM

Post #8 of 39 (768 views)
Re: Using Nova APIs from Javascript: possible?

On 04/23/2012 01:13 PM, Tres Henry wrote:
> Adam, in what way should the OS API support server-less clients? AFAIK the options are CORS or JSONP, no?

I am not quite sure what you mean by serverless clients, but I think
the answer to this is getting a real Single Sign On solution, which is
based on:

1. Kerberos,
2. X509

Kerberos is likely a non starter for Web applications due to some
current issues with handling multiple TGTs and also cross firewalls
(Kerberos tickets must get served out on port 88 without jumping through
considerable hoops.)

I've written up about X509 support here:
http://wiki.openstack.org/PKI

I think that X509 Client Authentication is the right long-term approach
for what we are doing. Specifically, short term X509 certificates
replacing the Keystone tokens as the mechanism for SSO.




tres at treshenry

Apr 23, 2012, 1:20 PM

Post #9 of 39 (769 views)
Re: Using Nova APIs from Javascript: possible?

Sorry, meant to say "server-less client applications". The OP is trying to create a client-side JS application that communicates directly to an OS endpoint (specifically trystack). I believe his problem is the same origin policy, not authentication.

On Apr 23, 2012, at 12:33 PM, Adam Young wrote:

> On 04/23/2012 01:13 PM, Tres Henry wrote:
>> Adam, in what way should the OS API support server-less clients? AFAIK the options are CORS or JSONP, no?
>
> I am not quite sure what you mean by serverless clients, but I think the answer to this is getting a real Single Sign On solution, which is based on:
>
> 1. Kerberos,
> 2. X509
>
> Kerberos is likely a non starter for Web applications due to some current issues with handling multiple TGTs and also cross firewalls (Kerberso tickets must get served out on port 88 without jumping through considerable hoops.)
>
> I've written up about X509 support here:
> http://wiki.openstack.org/PKI
>
> I think that X509 Client Authentication is the right long-term approach for what we are doing. Specifically, short term X509 certificates replacing the Keystone tokens as the mechanism for SSO.
>
>
>>
>> On Apr 23, 2012, at 5:50 AM, Adam Young wrote:
>>
>>> I see this as a feature, not a drawback. The inability to access portions of the HTTP protocol is there to defend against attacks such as cross site request forgeries. If we suppress that mechanism, we open up a lot of security holes.
>>>
>>>
>>> On 04/23/2012 06:09 AM, Adrian Smith wrote:
>>>> The authentication request returns X-Storage-Url and X-Auth-Token
>>>> headers. For the JS client to see them they need to be referenced in
>>>> Access-Control-Expose-Headers. As of the last time checked, both these
>>>> headers were being stripped from the response before being presented
>>>> to JS.
>>>>
>>>> Adrian
>>>>
>>>>
>>>> On 23 April 2012 10:35, Nick Lothian<nick.lothian [at] gmail> wrote:
>>>>> Hi Adrian,
>>>>>
>>>>> Good to know this is a known issue.
>>>>>
>>>>> Why does the client need to see custom headers from the server anyway?
>>>>> I know the client needs to pass the authorisation header to the server, but
>>>>> I haven't seen any of the APIs yet that return custom headers. (It's likely
>>>>> I'm missing them though)
>>>>>
>>>>> Nick
>>>>>
>>>>> On Apr 23, 2012 5:40 PM, "Adrian Smith"<adrian [at] 17od> wrote:
>>>>>> Hi Nick,
>>>>>>
>>>>>> I did some work with CORS a few months back [1].
>>>>>>
>>>>>> At the time I couldn't get any browser to work properly with CORS so I
>>>>>> just parked the code. The problem was lack of support for the
>>>>>> Access-Control-Expose-Headers header.
>>>>>>
>>>>>> According to the Chrome bug report [2] this issue may well be fixed
>>>>>> now so I need to retest.
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>> [1]
>>>>>> http://www.mail-archive.com/openstack [at] lists/msg07219.html
>>>>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
>>>>>>
>>>>>>
>>>>>> On 23 April 2012 06:19, Nick Lothian<nick.lothian [at] gmail> wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've been playing with the Nova APIs from Javascript, and I've run into
>>>>>>> a
>>>>>>> problem.
>>>>>>>
>>>>>>> The very first thing one needs to do to use the APIs is to get a token.
>>>>>>>
>>>>>>> That requires a POST to the API endpoint. Using curl& trystack that
>>>>>>> looks
>>>>>>> like this:
>>>>>>>
>>>>>>> $ curl -k -X 'POST' -v https://nova-api.trystack.org:5443/v2.0/tokens -d
>>>>>>> '{"auth":{"passwordCredentials":{"username": "<username>",
>>>>>>> "password":"<password>"}}}' -H 'Content-type: application/json'
>>>>>>>
>>>>>>>
>>>>>>> The Javascript equivalent (using JQuery) is:
>>>>>>>
>>>>>>> $.ajax({
>>>>>>> url: "https://nova-api.trystack.org:5443/v2.0/tokens",
>>>>>>> type: 'POST',
>>>>>>> headers: {"Content-Type": "application/json"},
>>>>>>> data: {"auth":{"passwordCredentials":{"username":"<username>",
>>>>>>> "password":"<password>"}}},
>>>>>>> success: function(data) { alert(data); }
>>>>>>> });
>>>>>>>
>>>>>>> That fails because the call is cross-domain, and Nova doesn't support
>>>>>>> CORS
>>>>>>> (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing).<script>
>>>>>>> based
>>>>>>> cross-domain requests only supports GET requests, so that doesn't work
>>>>>>> either.
>>>>>>>
>>>>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044, but
>>>>>>> I'm
>>>>>>> really hoping someone can point out something obvious I'm missing here.
>>>>>>>
>>>>>>> Regards
>>>>>>> Nick Lothian
>>>>>>>
>


_______________________________________________
Mailing list: https://launchpad.net/~openstack
Post to : openstack [at] lists
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp


sandy.walsh at rackspace

Apr 24, 2012, 4:27 AM

Post #10 of 39 (766 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

Due to the redirect nature of the auth system we may need JSONP support
for this to work.





nick.lothian at gmail

Apr 24, 2012, 7:19 AM

Post #11 of 39 (767 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

JSONP is great, but won't work with POST requests.

I don't quite understand what "Due to the redirect nature of the auth
system" means, though.

If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
works fine - I do a POST to /v2.0/tokens, get the token and then use that.
What am I missing?

Nick

On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace> wrote:

> Due to the redirect nature of the auth system we may need JSONP support
> for this to work.
>
>
>
>


nick.lothian at gmail

Apr 24, 2012, 7:20 AM

Post #12 of 39 (766 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

I was trying to write a pure Javascript client hosted on a different
domain. As you mentioned earlier JSONP is a potential solution, but it will
not work with POST requests.

Cross-site forgery issues need to be thought through carefully. I don't
believe they are insurmountable though - it isn't like OpenStack uses
session-based authentication where a cookie will automatically be sent
authorising the request. The user will need to enter their username &
password somewhere to generate the authentication token, and that will need
to be passed with every request.

Nick

On Tue, Apr 24, 2012 at 5:50 AM, Tres Henry <tres [at] treshenry> wrote:

> Sorry, meant to say "server-less client applications". The OP is trying to
> create a client-side JS application that communicates directly to an OS
> endpoint (specifically trystack). I believe his problem is same origin
> policy, not authentication.
>
> On Apr 23, 2012, at 12:33 PM, Adam Young wrote:
>
> > On 04/23/2012 01:13 PM, Tres Henry wrote:
> >> Adam, in what way should the OS API support server-less clients? AFAIK
> the options are CORS or JSONP, no?
> >
> > I am not quite sure what you mean by serverless clients, but I think
> the answer to this is getting a real Single Sign On solution, which is
> based on:
> >
> > 1. Kerberos,
> > 2. X509
> >
> > Kerberos is likely a non starter for Web applications due to some
> current issues with handling multiple TGTs and also cross firewalls
> (Kerberos tickets must get served out on port 88 without jumping through
> considerable hoops.)
> >
> > I've written up about X509 support here:
> > http://wiki.openstack.org/PKI
> >
> > I think that X509 Client Authentication is the right long-term approach
> for what we are doing. Specifically, short term X509 certificates
> replacing the Keystone tokens as the mechanism for SSO.
> >
> >
> >>
> >> On Apr 23, 2012, at 5:50 AM, Adam Young wrote:
> >>
> >>> I see this as a feature, not a drawback. The inability to access
> portions of the HTTP protocol is there to defend against attacks such as
> cross site request forgeries. If we suppress that mechanism, we open up a
> lot of security holes.
> >>>
> >>>
> >>> On 04/23/2012 06:09 AM, Adrian Smith wrote:
> >>>> The authentication request returns X-Storage-Url and X-Auth-Token
> >>>> headers. For the JS client to see them they need to be referenced in
> >>>> Access-Control-Expose-Headers. As of the last time checked, both these
> >>>> headers were being stripped from the response before being presented
> >>>> to JS.
> >>>>
> >>>> Adrian
> >>>>
> >>>>
> >>>> On 23 April 2012 10:35, Nick Lothian<nick.lothian [at] gmail> wrote:
> >>>>> Hi Adrian,
> >>>>>
> >>>>> Good to know this is a known issue.
> >>>>>
> >>>>> Why does the client need to see custom headers from the server
> anyway?
> >>>>> I know the client needs to pass the authorisation header to the
> server, but
> >>>>> I haven't seen any of the APIs yet that return custom headers. (It's
> likely
> >>>>> I'm missing them though)
> >>>>>
> >>>>> Nick
> >>>>>
> >>>>> On Apr 23, 2012 5:40 PM, "Adrian Smith"<adrian [at] 17od> wrote:
> >>>>>> Hi Nick,
> >>>>>>
> >>>>>> I did some work with CORS a few months back [1].
> >>>>>>
> >>>>>> At the time I couldn't get any browser to work properly with CORS
> so I
> >>>>>> just parked the code. The problem was lack of support for the
> >>>>>> Access-Control-Expose-Headers header.
> >>>>>>
> >>>>>> According to the Chrome bug report [2] this issue may well be fixed
> >>>>>> now so I need to retest.
> >>>>>>
> >>>>>> Adrian
> >>>>>>
> >>>>>> [1]
> >>>>>>
> http://www.mail-archive.com/openstack [at] lists/msg07219.html
> >>>>>> [2] http://code.google.com/p/chromium/issues/detail?id=87338
> >>>>>>
> >>>>>>
> >>>>>> On 23 April 2012 06:19, Nick Lothian<nick.lothian [at] gmail>
> wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> I've been playing with the Nova APIs from Javascript, and I've run
> into
> >>>>>>> a
> >>>>>>> problem.
> >>>>>>>
> >>>>>>> The very first thing one needs to do to use the APIs is to get a
> token.
> >>>>>>>
> >>>>>>> That requires a POST to the API endpoint. Using curl& trystack
> that
> >>>>>>> looks
> >>>>>>> like this:
> >>>>>>>
> >>>>>>> $ curl -k -X 'POST' -v
> https://nova-api.trystack.org:5443/v2.0/tokens -d
> >>>>>>> '{"auth":{"passwordCredentials":{"username": "<username>",
> >>>>>>> "password":"<password>"}}}' -H 'Content-type: application/json'
> >>>>>>>
> >>>>>>>
> >>>>>>> The Javascript equivalent (using JQuery) is:
> >>>>>>>
> >>>>>>> $.ajax({
> >>>>>>> url: "https://nova-api.trystack.org:5443/v2.0/tokens",
> >>>>>>> type: 'POST',
> >>>>>>> headers: {"Content-Type": "application/json"},
> >>>>>>> data:
> {"auth":{"passwordCredentials":{"username":"<username>",
> >>>>>>> "password":"<password>"}}},
> >>>>>>> success: function(data) { alert(data); }
> >>>>>>> });
> >>>>>>>
> >>>>>>> That fails because the call is cross-domain, and Nova doesn't
> support
> >>>>>>> CORS
> >>>>>>> (http://en.wikipedia.org/wiki/Cross-origin_resource_sharing)
> .<script>
> >>>>>>> based
> >>>>>>> cross-domain requests only supports GET requests, so that doesn't
> work
> >>>>>>> either.
> >>>>>>>
> >>>>>>> I have raised a bug: https://bugs.launchpad.net/nova/+bug/987044,
> but
> >>>>>>> I'm
> >>>>>>> really hoping someone can point out something obvious I'm missing
> here.
> >>>>>>>
> >>>>>>> Regards
> >>>>>>> Nick Lothian
> >>>>>>>
>


ayoung at redhat

Apr 24, 2012, 7:31 AM

Post #13 of 39 (767 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

On 04/24/2012 10:19 AM, Nick Lothian wrote:
> JSONP is great, but won't work with POST requests.
>
> I don't quite understand what "Due to the redirect nature of the auth
> system" means, though.

Sorry, I am working on a few things that are related. OpenID and
various other systems have issues along these lines that are due to the
fact that they are done with redirects. I'll try to be clearer in the
future.


That actually works fine because the token is not in the header when it
comes from Keystone. However, if you were to post to a web app that
then needed to make your browser post to a remote system (which is where
the same origin policy comes into play) you need to set that Auth
token into a custom header, and Javascript is forbidden to do that.
Yes, the Javascript can say "post to glance" or some other openstack
API server, but it can't set the X auth header with the token from
Keystone in order to make the call authenticated.



>
> Nick
>
> On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh
> <sandy.walsh [at] rackspace <mailto:sandy.walsh [at] rackspace>> wrote:
>
> Due to the redirect nature of the auth system we may need JSONP
> support
> for this to work.
>
>
>


sandy.walsh at rackspace

Apr 24, 2012, 7:49 AM

Post #14 of 39 (765 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

On 04/24/2012 11:19 AM, Nick Lothian wrote:
> JSONP is great, but won't work with POST requests.

Hmm, good point.

> I don't quite understand what "Due to the redirect nature of the auth
> system" means, though.
>
> If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
> works fine - I do a POST to /v2.0/tokens, get the token and then use
> that. What am I missing?

The Auth system will give you a token and then a new "management" url
where the actual commands are issued (the real Nova API endpoint). These
are often two different systems (domains), so cross-site requests are
mandatory.

-S



> Nick
>
> On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
> <mailto:sandy.walsh [at] rackspace>> wrote:
>
> Due to the redirect nature of the auth system we may need JSONP support
> for this to work.
>
>
>


semarjt at gmail

Apr 24, 2012, 9:04 AM

Post #15 of 39 (767 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

Nick,

I know you said 'serverless clients' but you have to be serving the js from
somewhere right?

If you are using nginx it can be as simple as:

location /nova/ {
    # trailing slash: /nova/v2.0/tokens is forwarded upstream as /v2.0/tokens
    proxy_pass http://nova-api.trystack.org/;
}

then you can POST to yourserver/nova/v.02/. from the browser

etc.
(it's just about as simple on apache but you'd have to look it up)


But then i guess this won't work for you if you are writing
some distributable component/plugin/library.

(sorry if you've already dismissed this option but i thought it worth a
shot since it has worked flawlessly for me in the past)



On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace> wrote:

>
>
> On 04/24/2012 11:19 AM, Nick Lothian wrote:
> > JSONP is great, but won't work with POST requests.
>
> Hmm, good point.
>
> > I don't quite understand what "Due to the redirect nature of the auth
> > system" means, though.
> >
> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
> > works fine - I do a POST to /v2.0/tokens, get the token and then use
> > that. What am I missing?
>
> The Auth system will give you a token and then a new "management" url
> where the actual commands are issued (the real Nova API endpoint). These
> are often two different systems (domains), so cross-site requests are
> mandatory.
>
> -S
>
>
>
> > Nick
> >
> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
> > <mailto:sandy.walsh [at] rackspace>> wrote:
> >
> > Due to the redirect nature of the auth system we may need JSONP
> support
> > for this to work.
> >
> >
> >
>



--
Cheers,

Joel


tres at treshenry

Apr 24, 2012, 10:11 AM

Post #16 of 39 (765 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

Jsonp sucks (get only) but might be the best choice. That's generally how AWS supports these use cases, fwiw.

On Apr 24, 2012, at 7:49 AM, Sandy Walsh <sandy.walsh [at] rackspace> wrote:

>
>
> On 04/24/2012 11:19 AM, Nick Lothian wrote:
>> JSONP is great, but won't work with POST requests.
>
> Hmm, good point.
>
>> I don't quite understand what "Due to the redirect nature of the auth
>> system" means, though.
>>
>> If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
>> works fine - I do a POST to /v2.0/tokens, get the token and then use
>> that. What am I missing?
>
> The Auth system will give you a token and then a new "management" url
> where the actual commands are issued (the real Nova API endpoint). These
> are often two different systems (domains), so cross-site requests are
> mandatory.
>
> -S
>
>
>
>> Nick
>>
>> On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
>> <mailto:sandy.walsh [at] rackspace>> wrote:
>>
>> Due to the redirect nature of the auth system we may need JSONP support
>> for this to work.
>>
>>
>>


tres at treshenry

Apr 24, 2012, 10:39 AM

Post #17 of 39 (767 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

The JS may be served from a CDN. You can't assume a server-side proxy. Here's an example of a server-less JS application that communicates directly to EC2: http://aws.amazon.com/developertools/1424 (there are versions for other services like SQS and SDB as well). Server-less JS applications are a fairly new breed of app that OpenStack should enable.


On Apr 24, 2012, at 9:04 AM, Joel Semar wrote:

> Nick,
>
> I know you said 'serverless clients' but you have to be serving the js from somewhere right?
>
> If you are using nginx it can be as simple as:
>
> location /nova/ {
>     # trailing slash: /nova/v2.0/tokens is forwarded upstream as /v2.0/tokens
>     proxy_pass http://nova-api.trystack.org/;
> }
>
> then you can POST to yourserver/nova/v.02/. from the browser
>
> etc.
> (it's just about as simple on apache but you'd have to look it up)
>
>
> But then i guess this won't work for you if you are writing some distributable component/plugin/library.
>
> (sorry if you've already dismissed this option but i thought it worth a shot since it has worked flawlessly for me in the past)
>
>
>
> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace> wrote:
>
>
> On 04/24/2012 11:19 AM, Nick Lothian wrote:
> > JSONP is great, but won't work with POST requests.
>
> Hmm, good point.
>
> > I don't quite understand what "Due to the redirect nature of the auth
> > system" means, though.
> >
> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
> > works fine - I do a POST to /v2.0/tokens, get the token and then use
> > that. What am I missing?
>
> The Auth system will give you a token and then a new "management" url
> where the actual commands are issued (the real Nova API endpoint). These
> are often two different systems (domains), so cross-site requests are
> mandatory.
>
> -S
>
>
>
> > Nick
> >
> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
> > <mailto:sandy.walsh [at] rackspace>> wrote:
> >
> > Due to the redirect nature of the auth system we may need JSONP support
> > for this to work.
> >
> >
> >
>
>
>
> --
> Cheers,
>
> Joel
>


nick.lothian at gmail

Apr 24, 2012, 6:04 PM

Post #18 of 39 (769 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

Javascript *can* set custom headers, but only by using XMLHttpRequest. That
cannot work cross-domain unless the appropriate CORS headers are set.

Hence this issue :)
On Apr 25, 2012 12:21 AM, "Adam Young" <ayoung [at] redhat> wrote:

> On 04/24/2012 10:19 AM, Nick Lothian wrote:
>
> JSONP is great, but won't work with POST requests.
>
> I don't quite understand what "Due to the redirect nature of the auth
> system" means, though.
>
>
> Sorry, I am working on a few things that are related. OpenID and various
> other systems have issues along these lines that are due to the fact that
> they are done with redirects. I'll try to be clearer in the future.
>
>
> That actually works fine because the token is not in the header when it
> comes from Keystone. However, if you were to post to a web app that then
> needed to make your browser post to a remote system (which is where the
> same origin policy comes into play) you need to set that Auth token into
> a custom header, and Javascript is forbidden to do that. Yes, the
> Javascript can say "post to glance" or some other openstack API server,
> but it can't set the X auth header with the token from Keystone in order to
> make the call authenticated.
>
>
>
>
> Nick
>
> On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace>wrote:
>
>> Due to the redirect nature of the auth system we may need JSONP support
>> for this to work.
>>
>>
>>
>
>


nick.lothian at gmail

Apr 24, 2012, 6:07 PM

Post #19 of 39 (764 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

I actually like JSONP, but supporting it would be quite a substantial
change to the APIs

Adding CORS support is a relatively small change, and probably a more
"technically correct" solution.

It does have less browser support though.
On Apr 25, 2012 4:01 AM, "Tres Henry" <tres [at] treshenry> wrote:

> Jsonp sucks (get only) but might be the best choice. That's generally how
> AWS supports these use cases, fwiw.
>
> On Apr 24, 2012, at 7:49 AM, Sandy Walsh <sandy.walsh [at] rackspace>
> wrote:
>
> >
> >
> > On 04/24/2012 11:19 AM, Nick Lothian wrote:
> >> JSONP is great, but won't work with POST requests.
> >
> > Hmm, good point.
> >
> >> I don't quite understand what "Due to the redirect nature of the auth
> >> system" means, though.
> >>
> >> If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
> >> works fine - I do a POST to /v2.0/tokens, get the token and then use
> >> that. What am I missing?
> >
> > The Auth system will give you a token and then a new "management" url
> > where the actual commands are issued (the real Nova API endpoint). These
> > are often two different systems (domains), so cross-site requests are
> > mandatory.
> >
> > -S
> >
> >
> >
> >> Nick
> >>
> >> On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
> >> <mailto:sandy.walsh [at] rackspace>> wrote:
> >>
> >> Due to the redirect nature of the auth system we may need JSONP
> support
> >> for this to work.
> >>
> >>
> >>
>


nick.lothian at gmail

Apr 24, 2012, 6:09 PM

Post #20 of 39 (766 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

Yes, this will work if I know in advance what server I will be connecting
to.

However, it does remove the ability to support any cloud without
intervention on the serverside.
On Apr 25, 2012 2:46 AM, "Joel Semar" <semarjt [at] gmail> wrote:

> Nick,
>
> I know you said 'serverless clients' but you have to be serving the js
> from somewhere right?
>
> If you are using nginx it can be as simple as:
>
> location /nova/ {
>     # trailing slash: /nova/v2.0/tokens is forwarded upstream as /v2.0/tokens
>     proxy_pass http://nova-api.trystack.org/;
> }
>
> then you can POST to yourserver/nova/v.02/. from the browser
>
> etc.
> (it's just about as simple on apache but you'd have to look it up)
>
>
> But then i guess this won't work for you if you are writing
> some distributable component/plugin/library.
>
> (sorry if you've already dismissed this option but i thought it worth a
> shot since it has worked flawlessly for me in the past)
>
>
>
> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace>wrote:
>
>>
>>
>> On 04/24/2012 11:19 AM, Nick Lothian wrote:
>> > JSONP is great, but won't work with POST requests.
>>
>> Hmm, good point.
>>
>> > I don't quite understand what "Due to the redirect nature of the auth
>> > system" means, though.
>> >
>> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
>> > works fine - I do a POST to /v2.0/tokens, get the token and then use
>> > that. What am I missing?
>>
>> The Auth system will give you a token and then a new "management" url
>> where the actual commands are issued (the real Nova API endpoint). These
>> are often two different systems (domains), so cross-site requests are
>> mandatory.
>>
>> -S
>>
>>
>>
>> > Nick
>> >
>> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
>> > <mailto:sandy.walsh [at] rackspace>> wrote:
>> >
>> > Due to the redirect nature of the auth system we may need JSONP
>> support
>> > for this to work.
>> >
>> >
>> >
>>
>
>
>
> --
> Cheers,
>
> Joel
>
>
>
>


luis at woorea

Apr 24, 2012, 7:05 PM

Post #21 of 39 (766 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

The solution until the webservice delivers those headers is:

Solution 1:

1. Put the webservice behind a remote or local proxy
2. Apply a filter (decorator) for each response with the CORS headers
(in the proxy) in order to trick the browser

Solution 2:

Some time ago I tested it with Chrome (disabling security) and it worked
for me

Solution 3 (really dirty, but works):

Embedded Flash Proxy


On Wed, Apr 25, 2012 at 3:09 AM, Nick Lothian <nick.lothian [at] gmail> wrote:

> Yes, this will work if I know in advance what server I will be connecting
> to.
>
> However, it does remove the ability to support any cloud without
> intervention on the serverside.
> On Apr 25, 2012 2:46 AM, "Joel Semar" <semarjt [at] gmail> wrote:
>
>> Nick,
>>
>> I know you said 'serverless clients' but you have to be serving the js
>> from somewhere right?
>>
>> If you are using nginx it can be as simple as:
>>
>> location /nova/ {
>>     # trailing slash: /nova/v2.0/tokens is forwarded upstream as /v2.0/tokens
>>     proxy_pass http://nova-api.trystack.org/;
>> }
>>
>> then you can POST to yourserver/nova/v.02/. from the browser
>>
>> etc.
>> (it's just about as simple on apache but you'd have to look it up)
>>
>>
>> But then i guess this won't work for you if you are writing
>> some distributable component/plugin/library.
>>
>> (sorry if you've already dismissed this option but i thought it worth a
>> shot since it has worked flawlessly for me in the past)
>>
>>
>>
>> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace>wrote:
>>
>>>
>>>
>>> On 04/24/2012 11:19 AM, Nick Lothian wrote:
>>> > JSONP is great, but won't work with POST requests.
>>>
>>> Hmm, good point.
>>>
>>> > I don't quite understand what "Due to the redirect nature of the auth
>>> > system" means, though.
>>> >
>>> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests
>>> it
>>> > works fine - I do a POST to /v2.0/tokens, get the token and then use
>>> > that. What am I missing?
>>>
>>> The Auth system will give you a token and then a new "management" url
>>> where the actual commands are issued (the real Nova API endpoint). These
>>> are often two different systems (domains), so cross-site requests are
>>> mandatory.
>>>
>>> -S
>>>
>>>
>>>
>>> > Nick
>>> >
>>> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <
>>> sandy.walsh [at] rackspace
>>> > <mailto:sandy.walsh [at] rackspace>> wrote:
>>> >
>>> > Due to the redirect nature of the auth system we may need JSONP
>>> support
>>> > for this to work.
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > Mailing list: https://launchpad.net/~openstack
>>> > Post to : openstack [at] lists
>>> > <mailto:openstack [at] lists>
>>> > Unsubscribe : https://launchpad.net/~openstack
>>> > More help : https://help.launchpad.net/ListHelp
>> --
>> Cheers,
>>
>> Joel


--
-------------------------------------------
Luis Alberto Gervaso Martin
Woorea Solutions, S.L
CEO & CTO
mobile: (+34) 627983344
luis@ <luis.gervaso [at] gmail>woorea.es
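Solution 1 above (a proxy that adds the CORS headers), sketched as an added example that is not code from this thread: the proxy answers the preflight that `Content-Type: application/json` and `X-Auth-Token` trigger, and only for an exact-match origin allowlist rather than `*`. The origin, upstream host and ports are placeholder assumptions.

```javascript
// Added example. Placeholder values are assumptions, not values from the thread.

// Assumption: the single web origin that serves the JavaScript client.
const ALLOWED_ORIGINS = new Set(['https://console.example.com']);
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE']);
// Content-Type: application/json and X-Auth-Token both make the browser preflight.
const ALLOWED_HEADERS = new Set(['accept', 'content-type', 'x-auth-token']);

const reject = () => ({ action: 'reject', status: 403, headers: { vary: 'Origin' } });

// Decide how the proxy answers one request.
// `headers` uses lower-case names, as Node's http module delivers them.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  // No Origin header: not a cross-origin browser call, forward unchanged.
  if (origin === undefined) return { action: 'forward', status: null, headers: {} };
  // Exact-match allowlist; never reflect an arbitrary Origin or answer "*".
  if (!ALLOWED_ORIGINS.has(origin)) return reject();

  const cors = { 'access-control-allow-origin': origin, vary: 'Origin' };
  const wantedMethod = headers['access-control-request-method'];
  if (method !== 'OPTIONS' || wantedMethod === undefined) {
    return { action: 'forward', status: null, headers: cors };
  }

  // Preflight: answered by the proxy itself, never sent to the API.
  const wantedHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.has(wantedMethod)) return reject();
  if (!wantedHeaders.every((h) => ALLOWED_HEADERS.has(h))) return reject();
  return {
    action: 'preflight',
    status: 204,
    headers: {
      ...cors,
      'access-control-allow-methods': [...ALLOWED_METHODS].join(', '),
      'access-control-allow-headers': [...ALLOWED_HEADERS].join(', '),
      'access-control-max-age': '600',
    },
  };
}

// Wiring into a proxy. Not started here; call it yourself, for example
// startProxy('api.example.com', 443, 8080) (hypothetical upstream and port).
function startProxy(upstreamHost, upstreamPort, listenPort) {
  const http = require('http');
  const https = require('https');
  return http.createServer((req, res) => {
    const d = corsDecision(req.method, req.headers);
    if (d.action !== 'forward') {
      res.writeHead(d.status, d.headers);
      return res.end();
    }
    const upstream = https.request({
      host: upstreamHost, port: upstreamPort, method: req.method, path: req.url,
      headers: { ...req.headers, host: upstreamHost },
    }, (upRes) => {
      // CORS headers from this policy override anything the upstream sent.
      res.writeHead(upRes.statusCode, { ...upRes.headers, ...d.headers });
      upRes.pipe(res);
    });
    upstream.on('error', () => { res.writeHead(502, d.headers); res.end(); });
    req.pipe(upstream);
  }).listen(listenPort, '127.0.0.1');
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  ['OPTIONS', { origin: 'https://console.example.com', 'access-control-request-method': 'POST',
    'access-control-request-headers': 'Content-Type, X-Auth-Token' }],
  ['POST', { origin: 'https://console.example.com', 'content-type': 'application/json' }],
  ['POST', { origin: 'https://other.example.net', 'content-type': 'application/json' }],
  ['GET', {}],
];
for (const [method, headers] of SAMPLES) {
  const d = corsDecision(method, headers);
  console.log(method, headers.origin || '(no Origin)', '->', d.action, d.status || '');
}
```

Because the auth service and the compute endpoint are often on different hosts, as noted earlier in the thread, a deployment of this kind needs one such proxy route per upstream.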


jan_drake at hotmail

Apr 24, 2012, 8:03 PM

Post #22 of 39 (767 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

So, why such a focus on this? IMO both JSONP and CORS are way too early stage to adopt and the security risks outweigh the rewards. Usually, I see people doing this to enable mashups across separate providers.

Just curious why the focus/need is perceived in the community? If this is really because of redirects then we probably have a broken model and/or improper distribution of responsibilities.

Love to know if I'm missing a real use case. Can help fix model if it is broken. Have much experience in this area.

IMO no solution should trick the browser.


Jan



On Apr 24, 2012, at 7:05 PM, Luis Gervaso <luis [at] woorea> wrote:

> The solution until the webservice delivers those headers is:
>
> Solution 1:
>
> 1. Put the webservice behind a remote or local proxy
> 2. Apply a filter (decorator) for each response with the CORS headers (in the proxy) in order to trick the browser
>
> Solution 2:
>
> Some time ago I tested it with Chrome (disabling security) and it worked for me
>
> Solution 3 (really dirty, but works):
>
> Embedded Flash Proxy
>
>
> On Wed, Apr 25, 2012 at 3:09 AM, Nick Lothian <nick.lothian [at] gmail> wrote:
> Yes, this will work if I know in advance what server I will be connecting to.
>
> However, it does remove the ability to support any cloud without intervention on the serverside.
>
> On Apr 25, 2012 2:46 AM, "Joel Semar" <semarjt [at] gmail> wrote:
> Nick,
>
> I know you said 'serverless clients' but you have to be serving the js from somewhere right?
>
> If you are using nginx it can be as simple as:
>
> location /nova/ {
>     proxy_pass http://nova-api.trystack.org;
> }
>
> then you can POST to yourserver/nova/v.02/. from the browser
>
> etc.
> (it's just about as simple on apache but you'd have to look it up)
>
>
> But then i guess this won't work for you if you are writing some distributable component/plugin/library.
>
> (sorry if you've already dismissed this option but i thought it worth a shot since it has worked flawlessly for me in the past)
>
>
>
> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace> wrote:
>
>
> On 04/24/2012 11:19 AM, Nick Lothian wrote:
> > JSONP is great, but won't work with POST requests.
>
> Hmm, good point.
>
> > I don't quite understand what "Due to the redirect nature of the auth
> > system" means, though.
> >
> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
> > works fine - I do a POST to /v2.0/tokens, get the token and then use
> > that. What am I missing?
>
> The Auth system will give you a token and then a new "management" url
> where the actual commands are issued (the real Nova API endpoint). These
> are often two different systems (domains), so cross-site requests are
> mandatory.
>
> -S
>
>
>
> > Nick
> >
> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
> > <mailto:sandy.walsh [at] rackspace>> wrote:
> >
> > Due to the redirect nature of the auth system we may need JSONP support
> > for this to work.
> --
> Cheers,
>
> Joel
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis [at] woorea


nick.lothian at gmail

Apr 25, 2012, 3:46 AM

Post #23 of 39 (767 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

JSONP has been used for years - for example Solr has supported it since
2008 (and possibly earlier). CORS matches the Openstack APIs better though.

Redirects are unrelated to the problem as far as I can see.

I think that toolmakers trying to build Javascript tools that connect to
multiple service providers is a completely valid use case. It is supported
for pretty much any other language, why not Javascript?

On Apr 25, 2012 12:33 PM, "Jan Drake" <jan_drake [at] hotmail> wrote:

> So, why such a focus on this? IMO both JSONP and CORS are way too early
> stage to adopt and the security risks outweigh the rewards. Usually, I see
> people doing this to enable mashups across separate providers.
>
> Just curious why the focus/need is perceived in the community? If this is
> really because of redirects then we probably have a broken model and/or
> improper distribution of responsibilities.
>
> Love to know if I'm missing a real use case. Can help fix model if it is
> broken. Have much experience in this area.
>
> IMO no solution should trick the browser.
>
>
> Jan
>
>
>
> On Apr 24, 2012, at 7:05 PM, Luis Gervaso <luis [at] woorea> wrote:
>
> The solution until the webservice delivers those headers is:
>
> Solution 1:
>
> 1. Put the webservice behind a remote or local proxy
> 2. Apply a filter (decorator) for each response with the CORS headers
> (in the proxy) in order to trick the browser
>
> Solution 2:
>
> Some time ago I tested it with Chrome (disabling security) and it worked
> for me
>
> Solution 3 (really dirty, but works):
>
> Embedded Flash Proxy
>
>
> On Wed, Apr 25, 2012 at 3:09 AM, Nick Lothian <nick.lothian [at] gmail> wrote:
>
>> Yes, this will work if I know in advance what server I will be connecting
>> to.
>>
>> However, it does remove the ability to support any cloud without
>> intervention on the serverside.
>> On Apr 25, 2012 2:46 AM, "Joel Semar" <semarjt [at] gmail> wrote:
>>
>>> Nick,
>>>
>>> I know you said 'serverless clients' but you have to be serving the js
>>> from somewhere right?
>>>
>>> If you are using nginx it can be as simple as:
>>>
>>> location /nova/ {
>>>     proxy_pass http://nova-api.trystack.org;
>>> }
>>>
>>> then you can POST to yourserver/nova/v.02/. from the browser
>>>
>>> etc.
>>> (it's just about as simple on apache but you'd have to look it up)
>>>
>>>
>>> But then i guess this won't work for you if you are writing
>>> some distributable component/plugin/library.
>>>
>>> (sorry if you've already dismissed this option but i thought it worth a
>>> shot since it has worked flawlessly for me in the past)
>>>
>>>
>>>
>>> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace>wrote:
>>>
>>>>
>>>>
>>>> On 04/24/2012 11:19 AM, Nick Lothian wrote:
>>>> > JSONP is great, but won't work with POST requests.
>>>>
>>>> Hmm, good point.
>>>>
>>>> > I don't quite understand what "Due to the redirect nature of the auth
>>>> > system" means, though.
>>>> >
>>>> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests
>>>> it
>>>> > works fine - I do a POST to /v2.0/tokens, get the token and then use
>>>> > that. What am I missing?
>>>>
>>>> The Auth system will give you a token and then a new "management" url
>>>> where the actual commands are issued (the real Nova API endpoint). These
>>>> are often two different systems (domains), so cross-site requests are
>>>> mandatory.
>>>>
>>>> -S
>>>>
>>>>
>>>>
>>>> > Nick
>>>> >
>>>> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <
>>>> sandy.walsh [at] rackspace
>>>> > <mailto:sandy.walsh [at] rackspace>> wrote:
>>>> >
>>>> > Due to the redirect nature of the auth system we may need JSONP
>>>> support
>>>> > for this to work.
>>> --
>>> Cheers,
>>>
>>> Joel
> --
> -------------------------------------------
> Luis Alberto Gervaso Martin
> Woorea Solutions, S.L
> CEO & CTO
> mobile: (+34) 627983344
> luis@ <luis.gervaso [at] gmail>woorea.es


tres at treshenry

Apr 25, 2012, 9:49 AM

Post #24 of 39 (765 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

Jan: is the concern that you don't see the value in the use case or that you don't believe the proposed technologies are sufficiently mature?

In order to keep the thread somewhat linear I'm basically going to +1 what Nick said and add that as an application developer I should be able to serve the JS, HTML and CSS for my application from a CDN and have my application talk directly to an OpenStack endpoint. This is an important scenario now but will become critical with the wave of PAAS offerings coming for OpenStack (i.e. my application should be able to talk directly to FathomDB running on OS).


On Apr 25, 2012, at 3:46 AM, Nick Lothian wrote:

> JSONP has been used for years - for example Solr has supported it since 2008 (and possibly earlier). CORS matches the Openstack APIs better though.
>
> Redirects are unrelated to the problem as far as I can see.
>
> I think that toolmakers trying to build Javascript tools that connect to multiple service providers is a completely valid use case. It is supported for pretty much any other language, why not Javascript?
>
> On Apr 25, 2012 12:33 PM, "Jan Drake" <jan_drake [at] hotmail> wrote:
> So, why such a focus on this? IMO both JSONP and CORS are way too early stage to adopt and the security risks outweigh the rewards. Usually, I see people doing this to enable mashups across separate providers.
>
> Just curious why the focus/need is perceived in the community? If this is really because of redirects then we probably have a broken model and/or improper distribution of responsibilities.
>
> Love to know if I'm missing a real use case. Can help fix model if it is broken. Have much experience in this area.
>
> IMO no solution should trick the browser.
>
>
> Jan
>
>
>
> On Apr 24, 2012, at 7:05 PM, Luis Gervaso <luis [at] woorea> wrote:
>
>> The solution until the webservice delivers those headers is:
>>
>> Solution 1:
>>
>> 1. Put the webservice behind a remote or local proxy
>> 2. Apply a filter (decorator) for each response with the CORS headers (in the proxy) in order to trick the browser
>>
>> Solution 2:
>>
>> Some time ago I tested it with Chrome (disabling security) and it worked for me
>>
>> Solution 3 (really dirty, but works):
>>
>> Embedded Flash Proxy
>>
>>
>> On Wed, Apr 25, 2012 at 3:09 AM, Nick Lothian <nick.lothian [at] gmail> wrote:
>> Yes, this will work if I know in advance what server I will be connecting to.
>>
>> However, it does remove the ability to support any cloud without intervention on the serverside.
>>
>> On Apr 25, 2012 2:46 AM, "Joel Semar" <semarjt [at] gmail> wrote:
>> Nick,
>>
>> I know you said 'serverless clients' but you have to be serving the js from somewhere right?
>>
>> If you are using nginx it can be as simple as:
>>
>> location /nova/ {
>>     proxy_pass http://nova-api.trystack.org;
>> }
>>
>> then you can POST to yourserver/nova/v.02/. from the browser
>>
>> etc.
>> (it's just about as simple on apache but you'd have to look it up)
>>
>>
>> But then i guess this won't work for you if you are writing some distributable component/plugin/library.
>>
>> (sorry if you've already dismissed this option but i thought it worth a shot since it has worked flawlessly for me in the past)
>>
>>
>>
>> On Tue, Apr 24, 2012 at 9:49 AM, Sandy Walsh <sandy.walsh [at] rackspace> wrote:
>>
>>
>> On 04/24/2012 11:19 AM, Nick Lothian wrote:
>> > JSONP is great, but won't work with POST requests.
>>
>> Hmm, good point.
>>
>> > I don't quite understand what "Due to the redirect nature of the auth
>> > system" means, though.
>> >
>> > If I use a custom Webkit browser & allow cross domain XMLHttpRequests it
>> > works fine - I do a POST to /v2.0/tokens, get the token and then use
>> > that. What am I missing?
>>
>> The Auth system will give you a token and then a new "management" url
>> where the actual commands are issued (the real Nova API endpoint). These
>> are often two different systems (domains), so cross-site requests are
>> mandatory.
>>
>> -S
>>
>>
>>
>> > Nick
>> >
>> > On Tue, Apr 24, 2012 at 8:57 PM, Sandy Walsh <sandy.walsh [at] rackspace
>> > <mailto:sandy.walsh [at] rackspace>> wrote:
>> >
>> > Due to the redirect nature of the auth system we may need JSONP support
>> > for this to work.
>> --
>> Cheers,
>>
>> Joel
>> --
>> -------------------------------------------
>> Luis Alberto Gervaso Martin
>> Woorea Solutions, S.L
>> CEO & CTO
>> mobile: (+34) 627983344
>> luis [at] woorea


jan_drake at hotmail

Apr 25, 2012, 10:01 AM

Post #25 of 39 (761 views)
Permalink
Re: Using Nova APIs from Javascript: possible? [In reply to]

A little of both. Serving JS, et al from a CDN for a set of domain services is easy peasy stuff and we do it all the time... but we tend to do so with a common edge (at the very least in DNS space) that precludes the need for JSONP/CORS. I'm not sure if the use case here is:

1) JS client talking to multiple service providers hosting openstack, (seems low priority to me but potentially valid)
2) JS client talking to multiple openstack services within a single hosting provider (seems high priority to me)

#2 is easy we do it all the time. #1 gets messy but I probably wouldn't just use a JS only mashup client to get the job done.

Anyway, just thoughts... re maturity: our enterprise security folks have issues with using jsonp/cors and consider it contraindicated at the moment.



Jan


Subject: Re: [Openstack] Using Nova APIs from Javascript: possible?
From: tres [at] treshenry
Date: Wed, 25 Apr 2012 09:49:15 -0700
CC: openstack [at] lists
To: jan_drake [at] hotmail

Jan: is the concern that you don't see the value in the use case or that you don't believe the proposed technologies are sufficiently mature?
In order to keep the thread somewhat linear I'm basically going to +1 what Nick said and add that as an application developer I should be able to serve the JS, HTML and CSS for my application from a CDN and have my application talk directly to an OpenStack endpoint. This is an important scenario now but will become critical with the wave of PAAS offerings coming for OpenStack (i.e. my application should be able to talk directly to FathomDB running on OS).

