Forum Discussion

prole92_221949's avatar
prole92_221949
Icon for Cirrus rankCirrus
Jul 13, 2016
Solved

BIG-IP 11.6.1 iControl REST API access issues

Hi guys,

 

I'm having issues with BIG-IP version 11.6.1 and iControl REST API. On previous versions I was able to create an administrator account on the BIG-IP and use it to access the iControl REST API. On version 11.6.1 it seems that this is not possible. The only account that I can use is the builtin admin account.

 

Did any of you experience this issue and do you have any suggestions on how to solve this?

 

Thanks in advance

 

11.6.1
application delivery
BIG-IP
iControlREST
  • Tikka_Nagi_1315's avatar
    Tikka_Nagi_1315
    Jul 14, 2016

    The behavior changed as part of an enhancement to allow role based access to REST resources. You can create different users as follows:

     

    1. Create new user in GUI or TMSH. Make sure to assign that user the appropriate role (e.g. Manager, etc)
    2. GET to /mgmt/shared/authz/users to verify that the user shows up in the users
    3. GET /mgmt/shared/authz/roles/iControl_REST_API_User and save contents
    4. Update userReferences property from the role resource you got in step 3 "userReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/" }
    5. Do a PUT (or PATCH) to /mgmt/shared/authz/roles/iControl_REST_API_User with the modified userReferences array property
    6. Verify that the role is updated with the user reference: GET /mgmt/shared/authz/roles/iControl_REST_API_User
    7. Perform an icontrol command with that user to verify

    Note: if the role that you assigned in step 1 does not have access to a resource then you still won’t be able to read/write it

     

6 Replies

Sort By
  • sara_125232's avatar
    sara_125232
    Historic F5 Account
    Jan 19, 2018

    -> 11.6.1-HF1 : you are not able to view/access "/mgmt/shared/authz/users" with a non-default admin account even though you PATCH that user to iControl_REST_API_User group with default admin credentials.

     

    [root@BIGIP1:Active:Standalone] config curl -k -u admin:admin -X PATCH -d '{ "userReferences":[{"link":";}] }'

     

    [root@BIGIP1:Active:Standalone] config curl -k -u sara:sara -X GET {"code":401,"message":"Authorization failed: user= resource=/mgmt/shared/authz/users verb=GET uri: referrer:127.0.0.1...}

     

    HOWEVER, the user will be able to access other locations for instance, /mgmt/tm/sys/global-settings.

     

    [root@BIGIP1:Active:Standalone] config curl -k -u sara:sara -X GET {"kind":"tm:sys:global-settings:global-settingsstate","selfLink":";{/shared/} {/tmp/}","guiSecurityBanner":"enabled","guiSecurityBannerText":"Welcome to the BIG-IP Configuration Utility...}

     

    -> 11.6.1-HF2 && 11.6.2: You won't need to PATCH the user, it just works fine.

     

    [root@BIGIP1:Active:Standalone] tmp curl -k -u sara1:sara1 -X GET {"items":[{"name":"admin","displayName":"Admin User","encryptedPassword":"$6$DntkOc/...{"name":"sara1","displayName":"sara1","encryptedPassword":"$6$...Jk15h1D21","generation":1,"lastUpdateMicros":1516111211817525,"kind":"shared:authz:users:usersworkerstate","selfLink":";}],"generation":5,"kind":"shared:authz:users:userscollectionstate","lastUpdateMicros":1516111211824400,"selfLink":";}

     

    Hope it helps!

     

  • bobmacks_329472's avatar
    bobmacks_329472
    Icon for Nimbostratus rankNimbostratus
    Aug 09, 2017

    Hi,

     

    Sorry for re-opening an old thread but I'm wondering if the RBAC setup to REST services have changed in 12.1.2?

     

    I can confirm Basic Auth works okay if the user has an admin role but fails with a 401 authentication error when I try to retrieve a login token when sending a POST to /mgmt/shared/authn/login with username, password and login provider in the JSON body.

     

    The same user can login without issues via the web UI so I suspected the issue is most likely an RBAC issue for REST.

     

    Thanks in advance,

     

    Bobby

     

  • Javs_281612's avatar
    Javs_281612
    Icon for Nimbostratus rankNimbostratus
    Jul 27, 2016

    There is a known issue in v11.6.1 (only) for RBAC. If you need to install this version try adding another step in upgrading process:

     

    old version --> v11.6.0 --> v11.6.1

     

    Or install a newer version (12.x)

     

  • Tikka_Nagi_1315's avatar
    Tikka_Nagi_1315
    Historic F5 Account
    Jul 14, 2016

    The behavior changed as part of an enhancement to allow role based access to REST resources. You can create different users as follows:

     

    1. Create new user in GUI or TMSH. Make sure to assign that user the appropriate role (e.g. Manager, etc)
    2. GET to /mgmt/shared/authz/users to verify that the user shows up in the users
    3. GET /mgmt/shared/authz/roles/iControl_REST_API_User and save contents
    4. Update userReferences property from the role resource you got in step 3 "userReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/" }
    5. Do a PUT (or PATCH) to /mgmt/shared/authz/roles/iControl_REST_API_User with the modified userReferences array property
    6. Verify that the role is updated with the user reference: GET /mgmt/shared/authz/roles/iControl_REST_API_User
    7. Perform an icontrol command with that user to verify

    Note: if the role that you assigned in step 1 does not have access to a resource then you still won’t be able to read/write it

     

  • rodolfosalgado_'s avatar
    rodolfosalgado_
    Icon for Altostratus rankAltostratus
    Jul 14, 2016

    I had the same exactly issue when I upgraded from 11.5.3 HF2 to 11.6.1 Final. I had to change all my scripts to use the admin account, I'm hoping to upgrade to 12.1.0 HF1 to get rid of this issue.