Forum Discussion
iWorkflow 2.0 - Allowed REST URI Mask in User Roles
- Aug 05, 2016
When I've tested this out I also see the red square, but I'm still able to save the URI Mask. Here's an example that limits access to only adding/removing pool members. Replace the UUID / Partition / Pool name with your own values.
GET /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys
GET /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
GET /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool
GET, POST /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/
GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/*
Another example with asterisks (an asterisk will replace the entire path segment; it does not appear to allow you to do partial paths):
GET /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys
GET /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
GET /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*
GET, POST /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/
GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/*
Likely the only change from my example is that you will need to remove POST and add PUT/PATCH instead of DELETE. For the example above I started with using the F5 Python SDK to generate the commands that I wanted as admin first, then changed to a role user and kept on adding the URI that threw an exception.
Text: u'{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/docker resource=/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/891a87fb-b592-4fea-ae0f-f1590836027c/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/~Docker~10.1.10.10:32801 verb=GET uri:http://localhost:8100/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/.../rest-proxy/mgmt/tm/ltm/pool/~Docker~www_...
At the time that I did this I had to also patch the F5 Python SDK to support iWorkflow rest-proxy: https://github.com/F5Networks/f5-common-python/issues/549
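The workflow in the post (run as the role user, read each 401, decide whether the mask list should cover it) can be rehearsed offline. The sketch below is an added example, not code from the post or from F5: it models the whole-segment wildcard behaviour the post describes and parses the `resource=` and `verb=` fields of the quoted 401 text. The function names, the trailing-slash handling, the exact-segment-count rule and the sample UUID are assumptions, not documented iWorkflow behaviour.

```python
import re

# Prefix shared by every mask in the post; [UUID] is the post's placeholder.
PROXY = ("/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices"
         "/devices/[UUID]/rest-proxy")
# The wildcard mask list from the post, as (verbs, path) pairs.
MASKS = [
    ({"GET"}, PROXY + "/mgmt/tm/sys"),
    ({"GET"}, PROXY + "/mgmt/tm/ltm/pool"),
    ({"GET"}, PROXY + "/mgmt/tm/ltm/pool/*"),
    ({"GET", "POST"}, PROXY + "/mgmt/tm/ltm/pool/*/members/"),
    ({"GET", "DELETE"}, PROXY + "/mgmt/tm/ltm/pool/*/members/*"),
]

def segments(path):
    # Assumption: a trailing slash is ignored, so "members/" == "members".
    return path.rstrip("/").split("/")

def allowed(verb, path, masks=MASKS):
    """True if a mask permits verb on path. Assumed semantics: equal segment
    count, and '*' stands for exactly one whole path segment."""
    want = segments(path)
    for verbs, mask in masks:
        have = segments(mask)
        if verb in verbs and len(have) == len(want) and all(
                m in ("*", s) for m, s in zip(have, want)):
            return True
    return False

DENIAL = re.compile(r"Authorization failed: user=(\S+) resource=(\S+) verb=(\w+)")

def parse_denial(message, device_uuid):
    """Return (verb, path) from a 401 message, with the device UUID swapped
    for the [UUID] placeholder so the path can be compared with MASKS."""
    m = DENIAL.search(message)
    if m is None:
        return None
    return m.group(3), m.group(2).replace(device_uuid, "[UUID]")

# Constructed sample in the format of the 401 text quoted in the post.
SAMPLE_UUID = "00000000-0000-0000-0000-000000000000"
SAMPLE = ('{"code":401,"message":"Authorization failed: '
          "user=https://localhost/mgmt/shared/authz/users/docker resource="
          + PROXY.replace("[UUID]", SAMPLE_UUID)
          + '/mgmt/tm/ltm/pool/~Docker~www_pool verb=DELETE uri:..."}')

if __name__ == "__main__":
    verb, path = parse_denial(SAMPLE, SAMPLE_UUID)
    print(verb, path, "allowed" if allowed(verb, path) else "not covered")
```

A denial that comes back "not covered" for a request the role should never make, such as the DELETE on the pool itself in the constructed sample, is the mask list doing its job and is not a reason to add another line.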