
rest calls not allowed by other-than-admin

With Firefox, I can successfully pull virtual information (user = admin):

https://IPADDRESS/mgmt/tm/ltm/virtual/mypool

However, with a user that is assigned the role 'Resource Administrator' it is denied.

Also, when I look at the user in the GUI, there are never any Failed Logins recorded.

I have written many c# programs for users with less-than-admin roles, with no problems.

What am I missing?


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It is possible to use a non administrator user to access iControl REST. It does require a bit of setting up to get it working.

K84925527: Overview of iControl permissions

First you must create your user. Here I create the guest user 'notadmin' with password 'notadminpw':

(tmos)# create auth user notadmin partition-access add { all-partitions { role guest } } shell tmsh password notadminpw

Next you must find the selfLink value for the user you have created (assuming your admin ID is 'admin' and password is 'secret').

curl -s -k -u admin:secret https://localhost/mgmt/shared/authz/users | jq .

You will see output similar to this:

{
  "items": [
.....
    {
      "name": "notadmin",
      "displayName": "notadmin",
      "encryptedPassword": "$6$Randomized_Characters_Of_Password",
      "generation": 1,
      "lastUpdateMicros": 1519056227960605,
      "kind": "shared:authz:users:usersworkerstate",
      "selfLink": "https://localhost/mgmt/shared/authz/users/notadmin"
    },
.......
  ],
  "generation": 11,
  "kind": "shared:authz:users:userscollectionstate",
  "lastUpdateMicros": 1519056227962971,
  "selfLink": "https://localhost/mgmt/shared/authz/users"
}

Locate the 'selfLink' value for the user notadmin; here it is shown as

https://localhost/mgmt/shared/authz/users/notadmin

The next command will alter that userID so that it can be used for iControl REST, ensure that you set the 'link' value to be the same as the 'selfLink' value extracted in the step above.

# curl -s -k -u admin:secret --request PATCH --data '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/notadmin"}]}' https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User | jq .

This will produce a lot of output.

After this command you can issue iControl REST commands using your non-admin user ID 'notadmin':

# curl -s -k -u notadmin:notadminpw https://localhost/mgmt/tm/ltm/virtual | jq .

I hope this is helpful - obviously you want to create a user with Resource Administrator role.

0
Comments on this Answer
Comment made 11-Jun-2018 by Shann_P 358

If you are running an Active/Standby pair, will this need to be done on both boxes manually or will it recognize the config change and require you to sync?

0
Comment made 14-Jun-2018 by OTS02 595

Thank you S Blakely. I performed this on an LTM, and I believe it worked. I tried it on a GTM, and got '-bash: jq: command not found'.

0
Comment made 14-Jun-2018 by OTS02 595

Thank you Shann_P. We are HA, so I will need to perform this on all appliances.

0
Comment made 14-Jun-2018 by S Blakely

I tried it on a GTM, and got '-bash: jq: command not found'.

What version of BigIP is your GTM?

0
Comment made 14-Jun-2018 by OTS02 595

BIG-IP 11.6.1 Build 2.0.338 Hotfix HF2

0
Comment made 14-Jun-2018 by S Blakely

Yeah, jq isn't available there. You can do it without jq, but the output is messier and harder to read.

0
Comment made 14-Jun-2018 by S Blakely

And you do need to link the REST role to the user on each member of the HA pair - the user will sync across, but not the REST roles.

0
Comment made 5 months ago by tatmotiv 1021

You can use | python -mjson.tool instead of | jq in order to get the json output into more human-readable form.

0
Comment made 5 months ago by S Blakely

@tatmotiv

That still does not work on 11.6.x or earlier

0
Comment made 5 months ago by Thiyagu 183

Hello All, I'm also facing the same issue and this solution is working when I don't have any special characters in the password string.

Could you please help me to know how to fix the issue if there are special characters in the password string.

Regards, Thiyagu

0
Comment made 5 months ago by S Blakely

What special characters are you using?

0
Comment made 5 months ago by Kevin Davies 3013

After playing with this I am getting the impression you can define your own custom roles and add a set of permissions such as GET /mgmt/tm/ltm/virtual/*. Is that correct?

0
Comment made 5 months ago by Thiyagu 183

Hi, I tested with the character ">".

Could you please check once by using this character?

Regards, Thiyagu

0
Comment made 5 months ago by S Blakely

That > is a special character in bash - you probably need to escape it with "\" on the command line:

\>

However, be very careful about using special characters - I'd go with longer passwords using only alphanumerics to avoid the risk of an incompatibility

0
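As an added example (not code from the accepted answer, from the commenters, or from F5), the script below automates the answer's procedure with the Python standard library: it looks up the user's selfLink, reads the iControl_REST_API_User role, and PATCHes the role with the existing userReferences plus the new link, repeating this on every HA member because the role link does not sync. It needs no jq, and because the password is sent in an Authorization header it sidesteps the shell-special-character problem discussed in the comments. Host names and credentials are placeholders.

```python
import base64
import json
import ssl
import urllib.request

USERS_PATH = "/mgmt/shared/authz/users"
ROLE_PATH = "/mgmt/shared/authz/roles/iControl_REST_API_User"

def find_self_link(users_collection, username):
    """selfLink of `username` in the /mgmt/shared/authz/users collection, or None."""
    for item in users_collection.get("items", []):
        if item.get("name") == username:
            return item.get("selfLink")
    return None

def build_role_patch(role, self_link):
    """PATCH body for the REST role: the role's current userReferences plus the
    new link, so users that were granted earlier are resent rather than dropped."""
    links = [ref["link"] for ref in role.get("userReferences", [])]
    if self_link not in links:
        links.append(self_link)
    return {"userReferences": [{"link": link} for link in links]}

def _request(host, path, auth, method="GET", body=None, verify=False):
    """HTTPS call with HTTP Basic auth. verify=False mirrors `curl -k` for the
    default self-signed certificate; the password travels in a header, so a
    shell-special character such as '>' needs no escaping."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    ctx = ssl.create_default_context() if verify else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def grant_rest_access(hosts, admin_auth, username):
    """Link `username` to iControl_REST_API_User on every HA member in `hosts`:
    the user object syncs across the pair, the role link does not."""
    for host in hosts:
        link = find_self_link(_request(host, USERS_PATH, admin_auth), username)
        if link is None:
            raise LookupError(f"user {username!r} not found on {host}")
        role = _request(host, ROLE_PATH, admin_auth)
        _request(host, ROLE_PATH, admin_auth, "PATCH", build_role_patch(role, link))

if __name__ == "__main__":  # placeholder hosts and credentials; replace with your own
    grant_rest_access(["bigip-a.example", "bigip-b.example"], ("admin", "secret"), "notadmin")
```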