[Opendnssec-develop] An API for OpenDNSSEC and SoftHSM and more

Jerry Lundström jerry at opendnssec.org
Wed Aug 15 06:11:53 UTC 2012

Hello all,

Some time ago we started to talk about an API for OpenDNSSEC here in
the .SE office and I came up with an idea that instead of changing the
code we have today we can quite quickly implement something that sits
on top of OpenDNSSEC, exposes different interfaces outwards and runs
commands inwards.

It would give us the possibility to have an API up and running without
much code change and as time goes along we could change the interface
between that software, which is now running console commands and
parsing output, to a more programmable interface (for example protobuf) or
do enough change so that we can expose the interface directly.

- Lim

During the summer and my free time after work hours I've (ta-da!) just
happened to have written such a framework which I call Lim [1]
(Swedish word for glue since it glues stuff together). It's a framework
written in Perl using AnyEvent (asynchronous event engine), HTTP::*,
JSON::XS, SOAP::Lite and XMLRPC::Lite that can receive requests in
RESTful JSON(/XML also coming), SOAP, XML-RPC and JSON-RPC (v2) using
HTTPS as transport layer.

- Remote Procedure Call (RPC)

It might sound funny and strange to support 4+ different RPC protocols
but I've worked with all of them for a while and I do not see any
problems overlaying them. RESTful, XML-RPC and JSON-RPC are not as
strict as SOAP (dependent on order of variables etc) and making SOAP
looser is easy and good since it makes it easier to understand and
use. All SOAP calls have also been tested with SoapUI [2] (Java SOAP)
and if they work and validate in that tool they will work from the
enterprise Java VM applications many large companies run (IBM, Oracle
and Sun). Currently the RESTful implementation is not fully up to the
RESTful spec, the call URIs are for example /do_something_here rather
than /do/something/here but I'm working on that and it will be very
easy to map and rewrite URIs [3].

- Plugins

The framework itself knows nothing about OpenDNSSEC or SoftHSM, that
functionality is added by plugins and I've finished a plugin for
OpenDNSSEC [4] and for SoftHSM [5]. The OpenDNSSEC plugin supports all
commands that can be made to ods-control, ods-ksmutil, ods-signer,
ods-hsmutil (please let me know if I missed any) and to manage the
different configuration files that exist. SoftHSM plugin supports all
commands to softhsm and the configuration file. I am also working on a
new plugin called DNS [6] that can be used to manage zone files
unrelated to what software there is on the system, this plugin will be
able to create, modify and delete whole zone files or individual
resource records within a zone file (example getting all MX RRs in
example.com; GET /dns/zone/example.com/rr/mx).


Besides the API there is also a CLI (lim-cli) that you can use to
manage remote Lim installations and the plugins that implemented CLI
support. This CLI has support for auto completion (with the right
libraries [7]) and it mimics Cisco IOS, tab twice to get a completion
list if there are more than one option and press ? anywhere to get the
help text of that section and available commands or what type of
argument it should have (right now there is only auto completion).

- Agent Daemon

To use the framework you run an agent daemon (lim-agentd) on the system
which you want to manage and it will load and initiate all the plugins
it finds on the system. The plugins will evaluate if there exists the
right software for it with the right version and if it does it will
expose the API. Right now there is only one way to authenticate
communication between the agent and CLI and that is by strict
validation of certification used in the HTTPS communication, so both
server and client will check the certification and it has to match
things in the key.pem you provide. Later on there will be more ways
and layers of authentication.

- Web Interface

As for a web interface, when I started coding Lim I was quick on
creating a web interface but it is really really hard to make a good
and intuitive web interface. This is still something that will be done
but I want to have a lot more functionality working before I start
looking into it again so it will be clearer what can and can not be
done and how to build a web interface framework so that it will be
easy for plugins to plug in their functionality.

- Packaging

To use the software I have packaged it [8] for most of the
distributions from the get go, mostly because I wanted to see how hard
it was to do and frankly it wasn't that hard. Please note that I have
not had time to install fresh VMs to test all the repositories.

Debian 6 (squeeze) / 7 (wheezy) and unstable (sid) apt repository and
instructions can be found at http://jelu.github.com/lim/debian/ .

Ubuntu 10.04 / 10.10 / 11.04 / 11.10 / 12.04 PPA repository and
instructions can be found at https://launchpad.net/~jelu/+archive/lim

EPEL 6 (Red Hat 6+ / CentOS 6+ / Scientific Linux 6+ etc...)
repository and instructions can be found at
http://jelu.github.com/lim/epel/ .

- TODO / What happens now?

There is still a lot to do before I want to release it to the general
public, mainly documentation and wiki pages (I will "soonish" create a
quick&dirty guide about getting it working on a fresh Ubuntu), but
please look it through and give your 2 cents. I have talked with
Patrik about this and he would like me to make a presentation about
this for the OAB meeting in September and maybe we could also have
some time for this on the developer meeting the days before to discuss
it more in detail.

Many thanks for reading it all :)

[1] https://github.com/jelu/lim
[2] http://www.soapui.org/
[3] https://github.com/jelu/lim/blob/master/TODO
[4] https://github.com/jelu/lim-plugin-opendnssec
[5] https://github.com/jelu/lim-plugin-softhsm
[6] https://github.com/jelu/lim-plugin-dns
[7] https://github.com/jelu/anyevent-readline-gnu
[8] http://jelu.github.com/lim

Jerry Lundström - OpenDNSSEC Developer
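
The design described in this post, several RPC formats accepted outwards and console commands run inwards, is sketched below as an added example; it is not Lim's code and is written in Python rather than Perl. It normalises JSON-RPC 2.0, XML-RPC and a RESTful path to one call and maps that call to a fixed argument vector. The method names, the allowlist and the path layout are hypothetical; the only real commands assumed are `ods-signer zones` and `ods-signer sign <zone>`.

```python
import json
import re
import xmlrpc.client

# Hypothetical allowlist: RPC method -> (fixed argv prefix, required named params).
# Only the ods-signer subcommands "zones" and "sign <zone>" are assumed.
ALLOWED = {
    "signer_zones": (["ods-signer", "zones"], []),
    "signer_sign": (["ods-signer", "sign"], ["zone"]),
}
# Dot-separated labels of letters, digits and inner hyphens; never a leading "-".
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
ZONE_RE = re.compile(rf"(?:{LABEL}\.)*{LABEL}", re.I)


def decode(content_type, path, body):
    """Normalise one request to (method, params), whatever the wire format."""
    if content_type == "application/json":  # JSON-RPC 2.0 with named params
        msg = json.loads(body)
        if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
            raise ValueError("not a JSON-RPC 2.0 call")
        return msg.get("method"), msg.get("params", {})
    if content_type == "text/xml":  # XML-RPC carrying at most one struct
        params, method = xmlrpc.client.loads(body)
        if len(params) > 1:
            raise ValueError("expected at most one struct parameter")
        return method, (params[0] if params else {})
    # RESTful: /signer/sign/example.com -> signer_sign, zone=example.com
    parts = [p for p in path.split("/") if p]
    return "_".join(parts[:2]), ({"zone": parts[2]} if len(parts) == 3 else {})


def build_argv(content_type, path, body):
    """Return argv for an allowlisted call; ValueError for anything else."""
    method, params = decode(content_type, path, body)
    if not isinstance(method, str) or method not in ALLOWED:
        raise ValueError("unknown method")
    prefix, names = ALLOWED[method]
    if not isinstance(params, dict) or set(params) != set(names):
        raise ValueError("unexpected or missing parameters")
    argv = list(prefix)
    for name in names:  # every parameter in this allowlist is a zone name
        value = params[name]
        if not (isinstance(value, str) and len(value) <= 253
                and ZONE_RE.fullmatch(value)):
            raise ValueError("invalid zone name")
        argv.append(value)
    return argv  # pass to subprocess.run(argv) as a list, never through a shell
```

Because parameters are matched by name, the same call validates identically whichever protocol carried it, and a value such as `--all` or `example.com;id` is rejected before any command line is built.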
