Forum Discussion
BIG-IP 11.6.1 iControl REST API access issues
- Jul 14, 2016
The behavior changed as part of an enhancement to allow role-based access to REST resources. You can create different users as follows:
1. Create new user in GUI or TMSH. Make sure to assign that user the appropriate role (e.g. Manager, etc)
2. GET to /mgmt/shared/authz/users to verify that the user shows up in the users
3. GET /mgmt/shared/authz/roles/iControl_REST_API_User and save contents
4. Update userReferences property from the role resource you got in step 3: "userReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/" }
5. Do a PUT (or PATCH) to /mgmt/shared/authz/roles/iControl_REST_API_User with the modified userReferences array property
6. Verify that the role is updated with the user reference: GET /mgmt/shared/authz/roles/iControl_REST_API_User
7. Perform an iControl command with that user to verify
Note: if the role that you assigned in step 1 does not have access to a resource then you still won’t be able to read/write it
-> 11.6.1-HF1 : you are not able to view/access "/mgmt/shared/authz/users" with a non-default admin account even though you PATCH that user to iControl_REST_API_User group with default admin credentials.
[root@BIGIP1:Active:Standalone] config curl -k -u admin:admin -X PATCH -d '{ "userReferences":[{"link":";}] }'
[root@BIGIP1:Active:Standalone] config curl -k -u sara:sara -X GET
{"code":401,"message":"Authorization failed: user= resource=/mgmt/shared/authz/users verb=GET uri: referrer:127.0.0.1...}
HOWEVER, the user will be able to access other locations, for instance /mgmt/tm/sys/global-settings.
[root@BIGIP1:Active:Standalone] config curl -k -u sara:sara -X GET
{"kind":"tm:sys:global-settings:global-settingsstate","selfLink":";{/shared/} {/tmp/}","guiSecurityBanner":"enabled","guiSecurityBannerText":"Welcome to the BIG-IP Configuration Utility...}
-> 11.6.1-HF2 && 11.6.2: You won't need to PATCH the user, it just works fine.
[root@BIGIP1:Active:Standalone] tmp curl -k -u sara1:sara1 -X GET
{"items":[{"name":"admin","displayName":"Admin User","encryptedPassword":"$6$DntkOc/...{"name":"sara1","displayName":"sara1","encryptedPassword":"$6$...Jk15h1D21","generation":1,"lastUpdateMicros":1516111211817525,"kind":"shared:authz:users:usersworkerstate","selfLink":";}],"generation":5,"kind":"shared:authz:users:userscollectionstate","lastUpdateMicros":1516111211824400,"selfLink":";}
Hope it helps!
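
The role update from steps 3 to 6, as an added example that is not part of the original post and not F5's own code: it merges one user into the role's userReferences without dropping the references already there, and reads the role back to confirm. It assumes each link is the prefix shown in the post followed by the user name and that basic auth is used; the function names and the sample role document are hypothetical.

```python
import base64
import json
import urllib.request

ROLE_PATH = "/mgmt/shared/authz/roles/iControl_REST_API_User"
# Prefix as quoted in the post; appending the user name is an assumption.
USER_LINK_PREFIX = "https://localhost/mgmt/shared/authz/users/"


def build_role_patch(role, username):
    """Return (body, changed): the whole userReferences array with the user's
    link added once. Existing references are kept because step 5 sends the
    complete array, not a delta."""
    link = USER_LINK_PREFIX + username
    refs = list(role.get("userReferences", []))
    changed = all(r.get("link") != link for r in refs)
    if changed:
        refs.append({"link": link})
    return {"userReferences": refs}, changed


def role_members(role):
    """User names referenced by the role, for review before and after the change."""
    return sorted(r["link"].rsplit("/", 1)[-1] for r in role.get("userReferences", []))


def call(host, user, password, method, path, body=None):
    """One REST request with basic auth. Certificate verification stays on,
    unlike the curl -k invocations in the post."""
    req = urllib.request.Request(
        f"https://{host}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Content-Type": "application/json"})
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def grant_rest_access(host, admin, admin_pw, username):
    """Steps 3 to 6: read the role, PATCH the merged array, read it back."""
    role = call(host, admin, admin_pw, "GET", ROLE_PATH)
    body, changed = build_role_patch(role, username)
    if changed:
        call(host, admin, admin_pw, "PATCH", ROLE_PATH, body)
    return username in role_members(call(host, admin, admin_pw, "GET", ROLE_PATH))


# Constructed sample of the role resource from step 3 (not real device output).
SAMPLE_ROLE = {"name": "iControl_REST_API_User",
               "userReferences": [{"link": USER_LINK_PREFIX + "existinguser"}]}
```

Running role_members on the role before and after the PATCH also gives a quick record of which accounts hold REST API access.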