bitva_135199
Oct 12, 2016, Nimbostratus
iControlREST access for user other than admin
Hi! I can login to the GUI with both the admin account and a separate account I created. Both have the same permissions in the GUI.
If I try to access the REST interface with both users, I get two different results:
With the "admin" user it looks good:
curl -sk -u 'admin:passwd' -H "Content-Type: application/json" https://192.168.1.110/mgmt/tm/ltm/pool |python -m json.tool
{
    "items": [
        {
            "allowNat": "yes",
            "allowSnat": "yes",
            "appService": "/Common/Test-iApp.app/Test-iApp",
            "fullPath": "/Common/Test-iApp.app/Test-iApp_pool",
            "generation": 234,
            "ignorePersistedWeight": "disabled",
            "ipTosToClient": "pass-through",
            "ipTosToServer": "pass-through",
            "kind": "tm:ltm:pool:poolstate",
            "linkQosToClient": "pass-through",
            "linkQosToServer": "pass-through",
            "loadBalancingMode": "least-connections-member",
            "membersReference": {
                "isSubcollection": true,
                "link": "https://localhost/mgmt/tm/ltm/pool/~Common~Test-iApp.app~Test-iApp_pool/members?ver=11.6.1"
            },
            "minActiveMembers": 0,
            "minUpMembers": 0,
            "minUpMembersAction": "failover",
            "minUpMembersChecking": "disabled",
            "monitor": "/Common/Test-iApp.app/Test-iApp_http_monitor ",
            "name": "Test-iApp_pool",
            "partition": "Common",
            "queueDepthLimit": 0,
            "queueOnConnectionLimit": "disabled",
            "queueTimeLimit": 0,
            "reselectTries": 0,
            "selfLink": "https://localhost/mgmt/tm/ltm/pool/~Common~Test-iApp.app~Test-iApp_pool?ver=11.6.1",
            "serviceDownAction": "none",
            "slowRampTime": 300,
            "subPath": "Test-iApp.app"
        }
    ],
    "kind": "tm:ltm:pool:poolcollectionstate",
    "selfLink": "https://localhost/mgmt/tm/ltm/pool?ver=11.6.1"
}
Now, if I change the username:
curl -sk -u 'otheruser:passwd' -H "Content-Type: application/json" https://192.168.1.110/mgmt/tm/ltm/pool |python -m json.tool
{
    "code": 401,
    "errorStack": [
        "java.lang.SecurityException: Authorization failed: user=https://localhost/mgmt/shared/authz/users/otheruser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool referrer:192.168.1.15 sender:192.168.1.15",
        "at com.f5.rest.workers.ForwarderWorker.failPermissionValidation(ForwarderWorker.java:565)",
        "at com.f5.rest.workers.ForwarderWorker.evaluateUserPermission(ForwarderWorker.java:633)",
        "at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:537)",
        "at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:202)",
        "at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:370)",
        "at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:1009)",
        "at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:976)",
        "at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:889)",
        "at com.f5.rest.common.RestServer.access$000(RestServer.java:43)",
        "at com.f5.rest.common.RestServer$1.run(RestServer.java:165)",
        "at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)",
        "at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)",
        "at java.lang.Thread.run(Thread.java:744)\n"
    ],
    "message": "Authorization failed: user=https://localhost/mgmt/shared/authz/users/otheruser resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool referrer:192.168.1.15 sender:192.168.1.15",
    "referer": "192.168.1.15",
    "restOperationId": 7895
}
It's local authentication. This is BIG-IP 11.6.1 Build 1.0.326 Hotfix HF1 if it matters.
What I find interesting is that this output is blank:
curl -sk -u 'admin:passwd' -H "Content-Type: application/json" https://192.168.1.110/mgmt/shared/authz/users |python -m json.tool
{
    "generation": 0,
    "items": [],
    "kind": "shared:authz:users:userscollectionstate",
    "lastUpdateMicros": 0,
    "selfLink": "https://localhost/mgmt/shared/authz/users"
}
I think I'm missing and misunderstanding something here. Any help would be greatly appreciated!
Thanks!
-Matt
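The 401 body above has a fixed shape worth parsing when you audit which accounts can reach iControl REST: the `message` field carries `user=<user URI> resource=<path> verb=<method>`, so an authenticated-but-unauthorized local user can be told apart from a bad password or a server error. The following is an added example, not code from the post or from F5; the sample bodies are constructed from the responses shown above, the "Authentication failed" wording for bad credentials is an assumption, and `probe_rest_access` is a hypothetical helper that performs a single live GET.

```python
import json
import re

# Constructed sample: the 401 body iControl REST returned in the post for a
# local user who authenticated but is not authorized for /mgmt/tm/ltm/pool.
SAMPLE_401 = json.dumps({
    "code": 401,
    "message": ("Authorization failed: user=https://localhost/mgmt/shared/authz/users/otheruser "
                "resource=/mgmt/tm/ltm/pool verb=GET uri:http://localhost:8100/mgmt/tm/ltm/pool "
                "referrer:192.168.1.15 sender:192.168.1.15"),
    "restOperationId": 7895,
})
# Constructed sample: a successful (trimmed) pool collection response.
SAMPLE_OK = json.dumps({"items": [{"name": "Test-iApp_pool"}],
                        "kind": "tm:ltm:pool:poolcollectionstate"})

AUTHZ_RE = re.compile(r"user=(?P<user>\S+)\s+resource=(?P<resource>\S+)\s+verb=(?P<verb>\S+)")

def classify_rest_response(status, body):
    """Classify one iControl REST reply as 'ok', 'authz_denied', 'auth_failed' or 'error'.
    Returns (category, details); for authz denials the details carry the user URI,
    the bare username (last path segment), the resource, the verb and restOperationId."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "error", {"status": status, "raw": body[:200]}
    if status == 200:
        return "ok", {"kind": doc.get("kind"), "item_count": len(doc.get("items", []))}
    msg = doc.get("message", "")
    if status == 401 and msg.startswith("Authorization failed"):
        m = AUTHZ_RE.search(msg)
        details = m.groupdict() if m else {}
        details["username"] = details.get("user", "").rsplit("/", 1)[-1]
        details["restOperationId"] = doc.get("restOperationId")
        return "authz_denied", details
    if status == 401:  # assumption: any other 401 is a credential failure
        return "auth_failed", {"message": msg}
    return "error", {"status": status, "code": doc.get("code"), "message": msg}

def probe_rest_access(base_url, user, password, path="/mgmt/tm/ltm/pool", cafile=None):
    """Hypothetical helper: issue one GET as `user` and classify the result.
    Verifies the device certificate (pass cafile for a private CA) instead of curl -k."""
    import base64, ssl, urllib.error, urllib.request
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(base_url + path, headers={
        "Content-Type": "application/json", "Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return classify_rest_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as e:
        return classify_rest_response(e.code, e.read().decode())
```

Running `classify_rest_response(401, SAMPLE_401)` yields `authz_denied` with username `otheruser`, resource `/mgmt/tm/ltm/pool` and verb `GET`, which is exactly the case the post describes: the account exists and the password is accepted, but it holds no REST authorization for the resource.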