Forum Discussion
iREST RBAC Questions
- driassetto_3518
Nimbostratus
Salutations Good People!
 
I am attempting to configure RBAC Access on my Lab instance, so as not to break Production (despite how fun that is), and I am running into some odd issues that I was hoping to get some feedback on (in order to tell me what I am doing wrong).
 
I set up RBAC following this guide, modifying things as needed for my environment: https://devcentral.f5.com/s/articles/icontrol-rest-fine-grained-role-based-access-control-30773
 
We are running v13.1.0.6.
 
We are wanting to use the RBAC control to allow for a limited user to be able to swap the active node in a specific pool in order to change the active server for Blue Green Application Deployments.
 
As our F5 is Active Directory integrated, we have set up a new user in AD and added an AD Group to the Remote Role Groups in the F5 configuration. This group is set up with the assigned role of Operator.
 
I was able to configure a working setup for the RBAC user, but I am getting intermittent Access Denied messages when attempting to enable or disable a node in a pool.
 
I created a Custom Resource Group and a Custom Role for this using the steps in the guide linked above. I made sure to grant the resource group PATCH, PUT, and GET HTTP REST methods.
 
How can we avoid the Access Denied messages? From what I was reading, this is due to the account not being an administrator on the F5, which we don't want.
 
The other thing that I have questions on is the Token Based Authentication. The default time limit is 20 minutes for the life of the token, and I have found how to extend that. The question I have is this: 1. So far, in order to get the token, I have to pass the admin credentials in order to get the token for the service account or local non-admin account I am trying to use. Is there a way to get the token or use basic authentication directly as either a non-admin local user, or as the service account from AD?
 
Thank you for taking the time to look at this and read this wall of text.
 
- driassetto_3518
Nimbostratus
After searching on the answers section here, I came across how to get the auth token via PowerShell (https://gist.github.com/jasonrahm/2bc6958926a8c3ffcebefd0270cbbfae).
In looking at that, I was able to determine how to get the auth token with just the non-admin account.
Has anyone else had an RBAC Custom Role, Custom Resource Group and user return access denied intermittently when attempting to disable a member node of a pool?
When I created the resource group, I granted it PATCH, PUT, and GET rights.
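The token flow discussed in this thread, as an added example that is not part of either post or of the linked gist: the limited account requests its own token from `/mgmt/shared/authn/login`, then sends the pool-member PATCH with that token. The host, pool and member names are hypothetical, the login response is a constructed sample, and `loginProviderName` `tmos` is an assumption about the lab's authentication setup.

```python
import json
import urllib.error
import urllib.request

# Constructed sample of a login response body, trimmed to the fields used here.
SAMPLE_LOGIN_RESPONSE = '{"token": {"token": "EXAMPLETOKEN123", "timeout": 1200}}'


def login_request(host, username, password, provider="tmos"):
    """Token request made with the limited user's own credentials (no admin login)."""
    body = {"username": username, "password": password, "loginProviderName": provider}
    return {"method": "POST", "url": f"https://{host}/mgmt/shared/authn/login",
            "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def token_from_login(response_text):
    """Extract the token string that goes into the X-F5-Auth-Token header."""
    return json.loads(response_text)["token"]["token"]


def member_state_request(host, token, pool, member, enabled, partition="Common"):
    """PATCH that enables or disables one pool member, authenticated by token."""
    url = (f"https://{host}/mgmt/tm/ltm/pool/~{partition}~{pool}"
           f"/members/~{partition}~{member}")
    body = {"session": "user-enabled" if enabled else "user-disabled"}
    return {"method": "PATCH", "url": url,
            "headers": {"Content-Type": "application/json", "X-F5-Auth-Token": token},
            "body": json.dumps(body)}


def send(req, context=None):
    """Send a prepared request; return (status, body) even when access is denied,
    so an intermittent 401/403 can be recorded together with its response text."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method=req["method"])
    try:
        with urllib.request.urlopen(r, context=context, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```

Logging the status and body that `send` returns for each call, with a timestamp, gives a record to compare against the BIG-IP logs when the denial shows up.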