Accessing the metadata API?

Mike Pontillo mike.pontillo at canonical.com
Wed Feb 1 18:00:08 UTC 2017


Hi Jim,

   Typically the metadata API is only accessed by cloud-init at deployment
time, but if you have the correct credentials, you can access it.

   When the PXE boot process gets the configuration, it goes something like
this, assuming the MAC address of the node is 52:54:00:0a:25:ac...

# curl tftp://localhost/pxelinux.cfg/01-52-54-00-0a-25-ac
APPEND nomodeset ... cloud-config-url=http://172.16.99.2:5240/MAAS/metadata/latest/by-id/nrwbgy/?op=get_preseed
...

   So the PXE process adds a kernel parameter which allows cloud-init to
access its configuration data. That configuration data will contain the
authentication parameters, such as:

# curl http://172.16.99.2:5240/MAAS/metadata/latest/by-id/nrwbgy/?op=get_preseed
...
reporting:
  maas: {consumer_key: wAV38gKN2rZKh9QHtX, endpoint: 'http://172.16.99.2:5240/MAAS/metadata/status/nrwbgy',
    token_key: GKgqt9xJwDbAXwk7uX, token_secret: nzGPjpEnA9HTfGTezwy2w2DV4SEuu6rR,
    type: webhook}
...

   Given that information, you can use an oauth1 library to generate
credentials. Note that a new signature must be used for each request. For
example:

# python3
>>> import oauthlib.oauth1 as oauth1
>>> import time

# Construct the OAuth client, using the consumer_key, resource_owner_key
# as token_key, and token_secret as resource_owner_secret.
>>> client = oauth1.Client('wAV38gKN2rZKh9QHtX', client_secret='',
...     resource_owner_key='GKgqt9xJwDbAXwk7uX',
...     resource_owner_secret='nzGPjpEnA9HTfGTezwy2w2DV4SEuu6rR',
...     signature_method=oauth1.SIGNATURE_PLAINTEXT,
...     timestamp=str(int(time.time())))

# This line of code will format the OAuth key so we can use it as an HTTP
# header.
>>> for k, v in client.sign('http://172.16.99.2:5240/MAAS/metadata/status/nrwbgy')[1].items():
...     print("%s: %s" % (k, v))
...
Authorization: OAuth oauth_nonce="94760624936955683481482190759", oauth_timestamp="1482190509", oauth_version="1.0", oauth_signature_method="PLAINTEXT", oauth_consumer_key="wAV38gKN2rZKh9QHtX", oauth_token="GKgqt9xJwDbAXwk7uX", oauth_signature="%26nzGPjpEnA9HTfGTezwy2w2DV4SEuu6rR"

# Now you can use the credentials (for a single request). For example:
# curl -H 'Authorization: OAuth oauth_nonce="94760624936955683481482190759", oauth_timestamp="1482190509", oauth_version="1.0", oauth_signature_method="PLAINTEXT", oauth_consumer_key="wAV38gKN2rZKh9QHtX", oauth_token="GKgqt9xJwDbAXwk7uX", oauth_signature="%26nzGPjpEnA9HTfGTezwy2w2DV4SEuu6rR"' \
    http://172.16.99.2:5240/MAAS/metadata/status/nrwbgy

   So, long story short: you should be able to parse /proc/cmdline yourself
to grab the cloud-config-url, which would then allow you to retrieve the
credentials you need to access the metadata server.

Regards,
Mike

On Wed, Feb 1, 2017 at 9:44 AM, Jim Tilander <jim at tilander.org> wrote:

>
> Hi,
>
> Is there some up to date information on how to access the metadata API?
>
> This seems woefully out of date and also incorrect:
> https://maas.ubuntu.com/docs/development/metadata.html
>
> Looking at the apache access logs, there are different paths that are
> being accessed.
>
> * Is there a stable API endpoint that one can call during deployment
> scripts?
> * Can one call the metadata API post deployment?
> * How are the nodes supposed to authenticate? I keep getting Forbidden
> replies.
>
> Cheers,
> Jim
>
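
The procedure summarised in the message above (read cloud-config-url from the kernel command line, pull the reporting credentials out of the preseed, build the header for one request), as an added example that is not part of the original message or of MAAS. It uses only the standard library rather than oauthlib, runs on constructed sample inputs built from the values quoted above, and its function names are hypothetical.

```python
import re
import secrets
import time
from urllib.parse import quote

# Constructed sample inputs, modelled on the values quoted in the message above.
SAMPLE_CMDLINE = ("nomodeset ro cloud-config-url=http://172.16.99.2:5240"
                  "/MAAS/metadata/latest/by-id/nrwbgy/?op=get_preseed quiet")
SAMPLE_PRESEED = """\
reporting:
  maas: {consumer_key: wAV38gKN2rZKh9QHtX,
    endpoint: 'http://172.16.99.2:5240/MAAS/metadata/status/nrwbgy',
    token_key: GKgqt9xJwDbAXwk7uX, token_secret: nzGPjpEnA9HTfGTezwy2w2DV4SEuu6rR,
    type: webhook}
"""

def cloud_config_url(cmdline):
    """Return the cloud-config-url= kernel parameter, or None if absent."""
    for param in cmdline.split():
        key, _, value = param.partition("=")
        if key == "cloud-config-url" and value:
            return value
    return None

def maas_credentials(preseed):
    """Pull reporting.maas out of the preseed (assumption: regex, not a YAML parser)."""
    block = re.search(r"^\s*maas:\s*\{(.*?)\}", preseed, re.S | re.M)
    if block is None:
        raise ValueError("no reporting.maas mapping in preseed")
    return dict(re.findall(r"(\w+):\s*'?([^',}\s]+)", block.group(1)))

def pct(value):
    return quote(str(value), safe="")  # RFC 5849 percent-encoding

def plaintext_auth_header(creds, nonce=None, timestamp=None):
    """OAuth 1.0 PLAINTEXT header (RFC 5849 3.4.4); the consumer secret is empty."""
    params = {
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": timestamp or int(time.time()),
        "oauth_version": "1.0",
        "oauth_signature_method": "PLAINTEXT",
        "oauth_consumer_key": creds["consumer_key"],
        "oauth_token": creds["token_key"],
        "oauth_signature": "&" + pct(creds["token_secret"]),
    }
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in params.items())

if __name__ == "__main__":
    creds = maas_credentials(SAMPLE_PRESEED)
    print(cloud_config_url(SAMPLE_CMDLINE), plaintext_auth_header(creds), sep="\n")
```

On a deployed node the command line would come from /proc/cmdline and the preseed from an HTTP GET of the extracted URL. PLAINTEXT signing places the token secret in the header itself, so over plain http it is readable on the wire.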