Read-only access to iControl REST API

We would like to have a scheduled background process to "scrape" configuration detail for all pools, nodes, monitors, virtual servers and iRules, into a structured format to be made available to our applications support / operations teams. We do not want to use an administrative account for this, i.e. one that can actually change configuration on the devices.

So, is it possible to have a user account with the necessary role / permissions configured such that the only thing they can do is perform read-only requests for object configuration?

Thanks,

Phil


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hoping that there is a guide to set up a read-only service account to use this iControl REST API. There seems to be an assumption that anyone using this needs to have all rights to do anything they wish. On the contrary, we can't allow this to be free rein and need to be able to establish users with rights to access specific resources / modules.

For those of us with very limited background with REST API, any resource would be much appreciated.

Thanks..

Comments on this Answer
Comment made 09-Feb-2018 by James Rodgers 153

I heartily agree with Brad. "REST-API Reader" should just be another role in the drop-down list when creating a new user. The need for various GUI and CLI roles is already recognised, and it applies to API as well.


Hi Phil,

the REST API does support an RBAC model, to control which part is accessible by whom and how the information can be accessed (read/write).

Read the section "About iControl and RBAC for user accounts" in the guide below, to see how it's getting implemented...

https://devcentral.f5.com/d/the-user-guide-for-the-icontrol-rest-interface-in-big-ip-version-1160?download=true

Cheers, Kai

Comments on this Answer
Comment made 10-Feb-2016 by Philip Street 2
Page 23 of that document contains the following:

Note: A user account must have administrative level access to the iControl® REST namespace to make iControl REST requests.

So, we could create an administrator user but restrict access to certain GET requests, yes?

Phil
Comment made 10-Feb-2016 by Kai Wilke 7293
The note is a little misleading. You just have to use admin permission to configure the RBAC access. But the given user could be even a "guest" user with added GET permissions on selected resources...

Thanks Kai, I'll take a look.

Regards,

Phil


Hi Phil,

this is the PUT request I've just used to grant the guest-user "Test" read-only access to my pool related APIs...

PUT https://1.1.1.1/mgmt/shared/authz/roles/iControl_REST_API_User

{
  "userReferences": [
    {"link": "https://localhost/mgmt/shared/authz/users/Test"}
  ],
  "resources": [
    {"resourceMask": "/mgmt/tm/ltm/pool", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/pool/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/pool/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/pool/*/*/*", "restMethod": "GET"}
  ]
}

Cheers, Kai

Comments on this Answer
Comment made 24-Mar-2016 by SJH 0
I would suggest using a POST (to create a new role) rather than a PUT (which updates the existing default role).

POST https://1.1.1.1/mgmt/shared/authz/roles

{
  "name": "iControl_REST_API_User_Test",
  "userReferences": [
    {"link": "https://localhost/mgmt/shared/authz/users/Test"}
  ],
  "resources": [
    {"resourceMask": "/mgmt/tm/ltm/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*", "restMethod": "GET"}
  ]
}
Comment made 21-Dec-2016 by Thiyagu KL 0

I am getting a 401 Authorization failed message when I try to run the command:

curl -H "Content-Type: application/json" -X POST -k -d '{"name": "iControl_REST_API_Guest_User","userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/glapuser"}],"resources":[{"resourceMask":"/mgmt/tm/ltm/*","restMethod":"GET"},{"resourceMask":"/mgmt/tm/ltm/*/*","restMethod":"GET"},{"resourceMask":"/mgmt/tm/ltm/*/*/*","restMethod":"GET"},{"resourceMask":"/mgmt/tm/ltm/*/*/*/*","restMethod":"GET"}]}' https://localhost/mgmt/shared/authz/roles

I am logged in as admin.

{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/null resource=/mgmt/shared/authz/roles verb=POST uri:http://localhost:8100/mgmt/shared/authz/roles referrer:127.0.0.1 sender:127.0.0.1","referer":"127.0.0.1","restOperationId":19120589,"errorStack":["java.lang.SecurityException: Authorization failed: user=https://localhost/mgmt/shared/authz/users/null resource=/mgmt/shared/authz/roles verb=POST uri:http://localhost:8100/mgmt/shared/authz/roles referrer:127.0.0.1 sender:127.0.0.1","at com.f5.rest.workers.ForwarderWorker.failPermissionValidation(ForwarderWorker.java:565)","at com.f5.rest.workers.ForwarderWorker.evaluateUserPermission(ForwarderWorker.java:633)","at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:537)","at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:202)","at com.f5.rest.workers.ForwarderPassThroughWorker.onPost(ForwarderPassThroughWorker.java:380)","at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:939)","at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:899)","at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:802)","at com.f5.rest.common.RestServer.access$000(RestServer.java:43)","at com.f5.rest.common.RestServer$1.run(RestServer.java:135)","at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)","at java.lang.Thread.run(Thread.java:722)\n"]}


Not sure if you got this fully answered.

The roles you are setting for users on the BIG-IP follow the GUI/REST interface. First you need to create a user; since you're doing Guest roles, giving them Guest access makes sense already =).

After you have the account created you need to get the self link to patch the group. Once the user is patched into the group, roles and rights should follow.

Since this is your first account into the rest group you will have to use admin to start.

Finding the Selflink: GET https://{{big_iq_mgmt}}/mgmt/shared/authz/users

Editing the Group: PATCH https://{{big_iq_mgmt}}/mgmt/shared/authz/roles/iControl_REST_API_User Body:

{ "userReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/########USERACCOUNT!#########" } ] }

Verify your user is added. GET https://{{big_iq_mgmt}}/mgmt/shared/authz/users

Try some rest calls =D

I've also added these to a postman collection here, with a few other things, remember to change your mgmt address https://github.com/jmcalalang/BIG-IQ-Postman-Collections

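To tie the PUT/POST bodies and the PATCH procedure above together, here is an added example (not code from this thread or from F5) that builds a GET-only role like Kai's and SJH's and checks offline which requests it would permit before anything is sent to the device. It assumes, inferred from the masks in the thread that spell out each depth separately, that `*` in a resourceMask matches exactly one path segment; the helper names, the admin credentials and the constructed request paths are mine, and 1.1.1.1 is the management address used in the thread.

```python
"""Added example: build a GET-only iControl REST role and check what it permits."""
import base64
import json

# Assumption inferred from the thread's masks (each depth is listed separately):
# '*' in a resourceMask matches exactly one path segment, never a whole subtree.
def mask_matches(mask: str, path: str) -> bool:
    m = mask.strip("/").split("/")
    p = path.split("?", 1)[0].strip("/").split("/")   # ignore any query string
    return len(m) == len(p) and all(a == "*" or a == b for a, b in zip(m, p))

def read_only_role(name: str, user: str, base: str, depth: int = 4) -> dict:
    """Role body with GET-only masks for `base` and `depth` levels beneath it.
    depth=3 under /mgmt/tm/ltm/pool reproduces the pool-only masks; depth=4
    under /mgmt/tm/ltm reproduces the wider LTM-only role."""
    masks = [base.rstrip("/") + "/*" * i for i in range(depth + 1)]
    return {
        "name": name,
        "userReferences": [{"link": f"https://localhost/mgmt/shared/authz/users/{user}"}],
        "resources": [{"resourceMask": m, "restMethod": "GET"} for m in masks],
    }

def role_allows(role: dict, method: str, path: str) -> bool:
    """Would this role permit `method path`? Anything not matched is denied."""
    return any(r["restMethod"] == method.upper() and mask_matches(r["resourceMask"], path)
               for r in role["resources"])

def non_read_only(role: dict) -> list:
    """Audit helper: resources granting more than GET (must be empty for a scraper)."""
    return [r for r in role["resources"] if r["restMethod"] != "GET"]

def create_role_request(host: str, role: dict, admin: str, password: str) -> tuple:
    """(method, url, headers, body) for the POST that creates a new role instead of
    overwriting the built-in iControl_REST_API_User role with PUT. Sending it with
    urllib or requests is left to the caller; `host` is the management address."""
    cred = base64.b64encode(f"{admin}:{password}".encode()).decode()
    headers = {"Content-Type": "application/json", "Authorization": f"Basic {cred}"}
    return "POST", f"https://{host}/mgmt/shared/authz/roles", headers, json.dumps(role)

if __name__ == "__main__":
    role = read_only_role("iControl_REST_API_User_Test", "Test", "/mgmt/tm/ltm")
    for method, path in [("GET", "/mgmt/tm/ltm/pool/~Common~web/members"),   # constructed
                         ("PATCH", "/mgmt/tm/ltm/pool/~Common~web"),
                         ("GET", "/mgmt/tm/sys/version")]:
        verdict = "allowed" if role_allows(role, method, path) else "denied"
        print(f"{method:5} {path:40} {verdict}")
    print(json.dumps(role, indent=2))
```

A 401 from the device for a request the role should allow is then an authentication problem (who the device thinks the caller is), not a mask problem.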

Bigipreport generates the config in Json format. You could even skip the web part and build your own front end. Not sure if it covers your needs though?

https://devcentral.f5.com/codeshare/bigip-report

/Patrik

Comments on this Answer
Comment made 18-Jul-2017 by brad 376

Tried the above. The PATCH returns a 400 error:
"message": "Invalid JSON posted - could not deserialize to class com.f5.rest.workers.RolesWorkerState",

Comment made 24-Jul-2017 by Patrik Jonsson 3524

I think you commented on the wrong answer. :)


Do things change or get any better with version 12.x? Is it really nearly impossible to set up a read-only user for the iControl REST API? Our users, other than the main admin account, are not local accounts. They are authenticated on a remote (ACS) server.

We need to provide API access for some groups who would like to check the status of resources. I know this will grow to providing users update access to certain objects, but starting with read-only would help a lot.

I defined a user with the 'guest' role. I looked at the structures and it appears to be defined like other accounts, which seem to be full access. But perhaps it is no access, as that is how it seems to behave.

I would want to generate a token for this read-only user that could then be used.


The token is only valid for a specific time. There are some examples here that you can use if you're unsure whether your version supports token-based auth or not:

https://loadbalancing.se/2017/05/10/using-f5-rest-api-with-roles/

From the error message above it looks like there might be some mistakes in the json payload?

/Patrik
