Forum Discussion
GavinW_29074
Nimbostratus
Jun 01, 2012
Modify Dataclass with iRule
Hi there,
I've been tasked with investigating if it's possible to get an iRule to modify a dataclass on the F5's...
The background is that we've implemented HTTP Basic authentication within some of our iRules which references a dataclass.
We'd prefer not to have to drop into the gui to add/delete/modify user entries in this dataclass, and instead have a VIP on the F5's which serves an iRule which allows users to change their current password/add users/remove users/etc...
So is it possible to modify a dataclass from an iRule???
Cheers
Gavin
8 Replies
- hoolio
Cirrostratus
Hi Gavin,
Natively, by design iRules can't modify the config on disk. I guess you could use a sideband connection to make an iControl call. Or you could log a specially formatted message and use a user_alert.conf script to make an iControl call to modify the data group.
But the best practice in my mind would be to build a separate iControl app to do this.
Aaron
- GavinW_29074
Nimbostratus
Aaron
Cheers for the info...
Might explore the sideband stuff in a bit more detail...
iControl was gonna be my next option, but it's gonna be a bit of a nightmare to make sure all the users have the right software etc to be able to run an iControl app, which is why I liked the simplicity of having the functionality hosted on the F5...
Will post back what I come up with...
Cheers
Gavin
- hoolio
Cirrostratus
You could set up a web app that makes iControl calls to modify the data group to avoid any client compatibility issues.
Aaron
- GavinW_29074
Nimbostratus
That could be another option, with a virtual app server sat behind the F5's...
Cheers
Gav
- GavinW_29074
Nimbostratus
Ok, I've done a bit more digging around making an iControl call from within an iRule, and it looks like that's a no-go, as the Sideband functionality doesn't appear to support basic authentication...
So I've either got to get the iRule to call an intermediary system, or write a stand-alone iControl app...
More to follow :)
Cheers
Gav
- Joel_Moses
Nimbostratus
GavinW: Well, that's not ENTIRELY true. Think of a sideband connection as a total "clean slate".
You can absolutely send Basic Auth via a sideband connection, you just need to manually construct and send the "Authorization" header to the server in the transaction -- in other words, don't wait for the server to 401, just go ahead and send the header it wants, formatted properly. The Authorization header is basically the username and password joined with a colon, then base64 encoded. See here: http://en.wikipedia.org/wiki/Basic_access_authentication
Pretty simple on the BigIP:
    set username "user"
    set password "pass"
    HTTP::header insert Authorization "Basic [b64encode "${username}:${password}"]"
... or in the case of sideband, the header would just be another line of text you send out the socket. Cheers!
- hoolio
Cirrostratus
You could also open a sideband connection to another virtual that has an HTTP profile and then use HTTP:: iRule commands to modify the requests.
Aaron
- GavinW_29074
Nimbostratus
Ahh, cheers for the heads up...
Will give it a go and see what I can do :)
Cheers
Gavin
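Added example, not part of any post in this thread and not F5's or the posters' own code: the sideband request Joel_Moses describes, with the Authorization header written by hand before the server ever sends a 401. The destination address, URI and credentials are constructed placeholders, and the 200/502 handling is an assumption about what the calling virtual should return.

```tcl
when HTTP_REQUEST {
    # Placeholders (assumptions): internal endpoint, URI and service account.
    set api_dest "192.0.2.10:80"
    set api_uri  "/placeholder/path"
    set username "user"
    set password "pass"

    # Base64 is an encoding, not encryption: anything on the path to
    # $api_dest can recover the password, so keep this hop on a trusted
    # segment and give the account only the rights this task needs.
    set auth "Basic [b64encode "${username}:${password}"]"

    # Open the sideband connection; an empty handle means it failed.
    set conn [connect -timeout 1000 -idle 30 -status conn_status $api_dest]
    if { $conn eq "" } {
        log local0.error "sideband connect failed: $conn_status"
        HTTP::respond 502 content "upstream unavailable"
        return
    }

    # A sideband socket is a clean slate: no HTTP profile, so the request
    # line and every header, Authorization included, are plain text.
    set req "GET $api_uri HTTP/1.0\r\n"
    append req "Host: 192.0.2.10\r\n"
    append req "Authorization: $auth\r\n"
    append req "Connection: close\r\n\r\n"

    send -timeout 1000 -status send_status $conn $req
    set resp [recv -timeout 1000 -status recv_status 2048 $conn]
    close $conn

    # Log the outcome only; never log $req or $auth, which carry the
    # recoverable credential.
    if { [string match "HTTP/1.? 200*" $resp] } {
        HTTP::respond 200 content "ok"
    } else {
        log local0.warn "sideband call rejected (recv status: $recv_status)"
        HTTP::respond 502 content "upstream error"
    }
}
```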
