Forum Discussion
iControl permissions
Is it possible to set operator permissions for the iControl API user on the F5 BIG-IP?
I just want iControl requests to be able only to enable or disable pool members.
Thanks for the help
bb
6 Replies
- hoolio
Cirrostratus
Hi BB,
iControl authentication and authorization is done based on the user account specified in the iControl calls. If you prevent someone from getting the admin credentials they wouldn't be able to use admin functionality via iControl. If you give someone the admin credentials they'd be able to make admin level changes via the GUI and/or iControl.
Aaron
- Andrea_Arquint
Nimbostratus
Hi hoolio,
Many thanks for your fast answer.
Okay, so iControl uses the normal system permission-based concept.
Thanks a lot
bb
- Andrea_Arquint
Nimbostratus
Hello,
I have a further question.
We plan to use the iControl interface to steer pool member inactivation/activation via Microsoft's WFF (Web Farm Framework). The iControl API runs, for example, on a web server with IIS installed.
How do I configure API access to a floating self-IP address?
As far as I can see, it's only possible to access the BIG-IP via 443 on a dedicated self-IP but not on a floating one. This means that if someone wants to disable a pool member via iControl, he first needs to know which BIG-IP cluster member is the active one.
Does that mean that the API developer needs to ask first which LTM is the active one?
Many thanks for your help
bb
- hoolio
Cirrostratus
Hi bb,
You can enable port 443 in port lockdown on a floating self IP address and access the GUI and iControl API on the active unit without knowing which unit is active.
Aaron
- Andrea_Arquint
Nimbostratus
Hi again
We configured user login via RADIUS. Now the problem is that when I log in with a RADIUS user which has attributes set for a specific partition and operational permission, the user gets in via the web interface correctly, but via iControl the user stays in the Common partition after a successful login.
Does the iControl login ignore RADIUS-assigned attributes?
Kind regards
bb
- API requests will default to the "Common" partition unless you make a call to the Management.Partition.set_active_partition() method to change the current partition context. You can use the Management.UserManagement.get_my_permission() method to determine what partitions the current user has access to.
-Joe
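
The partition handling described in the last reply, as an added example (not code from this thread or from F5): a Python context manager that checks Management.UserManagement.get_my_permission(), refuses a partition the account has no entry for, switches with Management.Partition.set_active_partition(), and restores the previous context afterwards. Assumptions: a client that exposes the iControl interfaces as attributes (as the bigsuds library does), permission entries readable as dicts with `partition` and `role` keys, the companion call get_active_partition(), and the constructed `FakeBigIP` stand-in with its `webfarm` and `EXAMPLE_ROLE` values.

```python
from contextlib import contextmanager
from types import SimpleNamespace

class PartitionAccessError(Exception):
    """The logged-in account has no permission entry for the partition."""

def my_partitions(client):
    # Assumption: each entry exposes 'partition' and 'role' keys.
    perms = client.Management.UserManagement.get_my_permission()
    return {p["partition"]: p["role"] for p in perms}

@contextmanager
def in_partition(client, partition):
    """Run iControl calls inside `partition`, then restore the old context."""
    roles = my_partitions(client)
    if partition not in roles:
        # Fail closed instead of silently operating on Common.
        raise PartitionAccessError(f"no permission entry for {partition!r}")
    api = client.Management.Partition
    previous = api.get_active_partition()
    api.set_active_partition(active_partition=partition)
    try:
        yield roles[partition]
    finally:
        api.set_active_partition(active_partition=previous)

class FakeBigIP:
    """Constructed stand-in for a real client; records partition switches."""
    def __init__(self, permissions):
        self.active, self.switches = "Common", []
        self.Management = SimpleNamespace(
            Partition=SimpleNamespace(
                get_active_partition=lambda: self.active,
                set_active_partition=self._switch),
            UserManagement=SimpleNamespace(
                get_my_permission=lambda: permissions))

    def _switch(self, active_partition):
        self.active = active_partition
        self.switches.append(active_partition)

def demo():
    # Constructed partition and role values, not output from a real device.
    client = FakeBigIP([{"partition": "webfarm", "role": "EXAMPLE_ROLE"}])
    with in_partition(client, "webfarm") as role:
        inside = client.active  # pool member enable/disable calls go here
    return inside, client.active, role
```

The yielded role lets the caller confirm that the account holds only the role it is expected to have before making any change.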
