For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wuench_99164's avatar
wuench_99164
Icon for Altocumulus rankAltocumulus
Aug 04, 2016
Solved

iWorkflow 2.0 - Allowed REST URI Mask in User Roles

What are the rules to enter the "Allowed REST URI Mask" under User Roles in iWorkflow? Can we put asterisks anywhere? Does it allow reg-ex?   It looks like even the example URI in the dialog do...
devops
iWorkflow
  • Eric_Chen_12394's avatar
    Eric_Chen_12394
    Aug 05, 2016

    When I've tested this out I also see the red square, but I'm still able to save the URI Mask. Here's an example for limiting access to only allow to add/remove pool members. Replace UUID / Partition / Pool name with your own value.

     

    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys 
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool
GET, POST   /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/
GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/*

     

    Another example with asterisks (will replace the entire path segment, does not appear to allow you to do partial paths)

     

    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys 
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*
GET, POST   /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/
GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/*

     

Eric_Chen_12394's avatar
Eric_Chen_12394
Historic F5 Account
Aug 05, 2016

When I've tested this out I also see the red square, but I'm still able to save the URI Mask. Here's an example for limiting access to only allow to add/remove pool members. Replace UUID / Partition / Pool name with your own value.

 

GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys 
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool
GET, POST   /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/
GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/*

 

Another example with asterisks (will replace the entire path segment, does not appear to allow you to do partial paths)

 

GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys 
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*
GET, POST   /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/
GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/*

 

wuench_99164's avatar
wuench_99164
Icon for Altocumulus rankAltocumulus
Aug 05, 2016

Thanks Eric. I need to up/down pool members right now so those more specific calls will work for my use case.