From a co-worker:
amend is new to me… will the updated patch be a full patch to the original source or a patch to the previous patch?
Here’s how I explain it.
Continue reading
Amending a patch in git
Reply
Public Key Document Signing for Oslo Messaging
The PKI version of the Keystone tokens use a standard format for cryptographic signing of documents. Crypto Message Syntax (CMS) is the mechanism behind S/MIME and is well supported by the major cryptographic libraries: OpenSSL and NSS both have well documented CMS support. Messaging in OpenStack requires guaranteed identification of the author.
certmonger-session
There is more to the certmonger story. A lot more. After my last attempt I tried to use certmonger:
- as a user-launched process
- to get a user certificate
- direct from the dogtag instance behind FreeIPA
I was not 100% successful, but the attempt did have some positive results.
FreeIPA web call from Python
This was a response to a post of mine in 2010. The comment was unformatted in the response, and I wanted to get it readable. Its a great example of making a Kerberized web call.
Courtesy of Rich Megginson
Note: requires MIT kerberos 1.11 or later if you want to skip doing the kinit, and just let the script do the kinit implicitly with the keytab.
import kerberos import sys import os from requests.auth import AuthBase import requests import json class IPAAuth(AuthBase): def __init__(self, hostname, keytab): self.hostname = hostname self.keytab = keytab self.token = None self.refresh_auth() def __call__(self, request): if not self.token: self.refresh_auth() request.headers['Authorization'] = 'negotiate ' + self.token return request def refresh_auth(self): if self.keytab: os.environ['KRB5_CLIENT_KTNAME'] = self.keytab else: LOG.warn('No IPA client kerberos keytab file given') service = "HTTP@" + self.hostname flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG try: (_, vc) = kerberos.authGSSClientInit(service, flags) except kerberos.GSSError, e: LOG.error("caught kerberos exception %r" % e) raise e try: kerberos.authGSSClientStep(vc, "") except kerberos.GSSError, e: LOG.error("caught kerberos exception %r" % e) raise e self.token = kerberos.authGSSClientResponse(vc) hostname, url, keytab, cacert = sys.argv[1:] request = requests.Session() request.auth = IPAAuth(hostname, keytab) ipaurl = 'https://%s/ipa' % hostname jsonurl = url % {'hostname': hostname} request.headers.update({'Content-Type': 'application/json', 'Referer': ipaurl}) request.verify = cacert myargs = {'method': 'dnsrecord_add', 'params': [["testdomain.com", "test4.testdomain.com"], {'a_part_ip_address': '172.31.11.4'}], 'id': 0} resp = request.post(jsonurl, data=json.dumps(myargs)) print resp.json() myargs = {'method': 'dnsrecord_find', 'params': [["testdomain.com"], {}], 'id': 0} resp = request.post(jsonurl, data=json.dumps(myargs)) print resp.json() |
Run the script like this:
python script.py ipahost.domain.tld ‘https://%(hostname)s/ipa/json’ myuser.keytab /etc/ipa/ca.crt |
Using Certmonger to Generate a selfsign Cert for CMS
We want to replace the shell call to openssl for certificate generation in Keystone (and the rest of OpenStack) with calls to Certmonger. Certmonger supports both OpenSSL and NSS. Certmonger can support a selfsigned approach, as well as tie in to a real Certificate Authority. Here are the steps I took to test out selfsigning, as well as my notes for follow on work.
Continue reading
Compressed tokens
The maximum header size between a HTTPD and an WSGI process is fixed at 8 Kilobytes. With a sufficiently large catalog, the token in PKI format won’t fit. Compression seems like it would be such an easy solution. But the there is a Hobgoblin or two hiding in the shadows.
Continue reading
MIDI, ALSA, USB, and JACK
Akai recently released a USB version of their Electronic Wind Instrument (EWI) which I was able to purchase for under $200. I was fairly quickly able to get it running using QJackCtl and QSynth. But then I wanted to understand what was happening. That involved spelunking into the four subsystems that make up the title of this post.
Continue readingEfficient Revocation Checking
The majority of web service calls in OpenStack require token validation. Checking a token ID against a list is a cheap hashtable lookup. Comparing a token to a set of events is more expensive. How can we keep costs down?
Continue reading
Splitting a patch
To make things easier for your code reviewer, each patch should be small, and hold one well defined change. I break this rule all the time, and it comes back to bite me. What happens is that I get heads down coding, and I have a solution that involves changes to wide number of files and subsystems, new abstractions, etc. Here is how I am currently dealing with breaking down a big patch.
Avoiding a deep rebase when posting a patch
OpenStack Milestone Icehouse 2 (I2) is due this Tuesday. The gate is deep and the penalty for messing it up is costly. I recently had to update a patch that depends on three patches that are approved but but not merged to master. Using the git review command line, all 5 patches would get resubmitted. This was too high a risk for me.