Cyril_M (Altostratus)
Dec 30, 2019

DELETE method with AS3 is too powerful!

Am I the only one totally freaking out about the fact that with AS3, you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone?? All your production system could be wiped off that easily...

From my understanding it's mandatory to have the administrator privilege to use AS3, and administrators can access all the partitions; so you cannot even create users that would be allowed to manage only specific partitions... It's all or nothing.

In my opinion the least you should do is to get rid of this dangerous default behavior, and instead use the keyword "ALL" to remove all tenants...

==========================

Extract from the doc:

Use DELETE to remove configurations for one or more declared Tenants from the target ADC. If you do not specify any Tenants, DELETE removes all of them, which is to say, it removes the entire declared configuration. Indicate the target device and Tenants to remove by appending elements to the main AS3 URL path (/mgmt/shared/appsvcs/declare). By default (just main URL) DELETE removes all Tenants from target localhost.

DELETE examples:

DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare
removes all tenants
DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare/T1,T2,T5
removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place

==========================

Does anyone agree, or have a suggestion to add some security?

  • Using AS3 in conjunction with BIG-IQ does allow RBAC control over REST cmds. You can use prebuilt roles or create granular custom sets and select individual commands or command sets.

    But yea, since AS3 is declarative and not iterative, it doesn't have the same order of operation that regular DELETE commands would limit damage with. It's up there with sending backups to /dev/null. You CAN do it, but should you? 😃

    More here: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

      Right Jason?

    • JRahm (Admin)

      Chase is correct. This is the expected behavior for a declarative interface. With great power comes great responsibility, right? :)

      If that's too much power given the access controls that make sense in your environment, the imperative interfaces are still available.

  • Well first of all I'm not using BigIQ :) But I get the point

    Don't get me wrong, I'm not saying that it is too much power to be allowed to delete everything; I'm saying that it's too easy to make a mistake, and it could totally happen by accident... If you just miss the argument, because you used a variable that has not been populated for instance... I totally see that coming from miles away :)

    tenant=$1

    DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare/$tenant

    How are you sure that it will not delete everything while you just wanted to delete the TEST tenant? :)

    I'm really afraid of collateral damage, due to a totally honest mistake in code management or Postman misuse...

    And that's why I'm saying that I would feel a little bit more confident if a mandatory parameter was associated with the DELETE command

    You could argue that it's like the "rm /." when you wanted to "rm ./" but at least there is the -f to save your sorry ass :)

    • Chase_Abbott (Employee)

      Really the better answer would be RBAC within BIG-IP native to allow a basic subset of roles that BIG-IQ uses. But that's my opinion only. 😐

      Update: I think we'll follow up internally on this to see if there's an interesting discussion around your question and idea.
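
Added example, not part of any post in this thread and not F5 code: a client-side guard for the unset-variable case raised above, which refuses to build the DELETE URL unless every tenant in the list is non-empty. The function names, the AS3_USER variable and the tenant-name character allowlist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (constructed): never let an empty tenant list collapse the
# DELETE URL to the bare /declare path, which removes all Tenants.
AS3_PATH="/mgmt/shared/appsvcs/declare"

# Print the DELETE URL for host $1 and comma-separated tenant list $2.
# Returns 1 and prints nothing on stdout when the list is unsafe.
as3_delete_url() {
    host="${1:-}"
    tenants="${2:-}"
    if [ -z "$host" ] || [ -z "$tenants" ]; then
        echo "refusing: host and tenant list are both required" >&2
        return 1
    fi
    case "$tenants" in
        ,*|*,|*,,*)
            # An element expanded to nothing, e.g. "$a,$b" with $b unset.
            echo "refusing: empty element in '$tenants'" >&2
            return 1 ;;
        *[!A-Za-z0-9_,]*)
            # Assumed conservative allowlist, not AS3's own naming rule.
            echo "refusing: unexpected character in '$tenants'" >&2
            return 1 ;;
    esac
    printf 'https://%s%s/%s\n' "$host" "$AS3_PATH" "$tenants"
}

# Send the DELETE only if the URL was built; curl prompts for the password.
as3_delete_tenants() {
    url="$(as3_delete_url "$@")" || return 1
    curl -sS --fail -X DELETE -u "${AS3_USER:?set AS3_USER}" "$url"
}
```

Called as `as3_delete_tenants 192.0.2.10 "$tenant"`, an unpopulated `$tenant` stops before any request is sent instead of reaching the bare `/declare` path.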