Forum Discussion

GavinW_29074
Jun 01, 2012

Modify Dataclass with iRule

Hi there,

I've been tasked with investigating if it's possible to get an iRule to modify a dataclass on the F5's...

The background is that we've implemented HTTP Basic authentication within some of our iRules which references a dataclass.

We'd prefer not to have to drop into the gui to add/delete/modify user entries in this dataclass, and instead have a VIP on the F5's which serves an iRule which allows users to change their current password/add users/remove users/etc...

So is it possible to modify a dataclass from an iRule???

Cheers

Gavin

  • Hi Gavin,

    Natively, by design iRules can't modify the config on disk. I guess you could use a sideband connection to make an iControl call. Or you could log a specially formatted message and use a user_alert.conf script to make an iControl call to modify the data group.

    But the best practice in my mind would be to build a separate iControl app to do this.

    Aaron
  • Aaron

    Cheers for the info...

    Might explore the sideband stuff in a bit more detail...

    iControl was gonna be my next option, but it's gonna be a bit of a nightmare to make sure all the users have the right software etc to be able to run an iControl app, which is why I liked the simplicity of having the functionality hosted on the F5...

    Will post back what I come up with...

    Cheers

    Gavin
  • You could set up a web app that makes iControl calls to modify the data group to avoid any client compatibility issues.

    Aaron
  • That could be another option, with a virtual app server sat behind the F5's...

    Cheers

    Gav
  • Ok, I've done a bit more digging around making an iControl call from within an iRule, and it looks like that's a no-go, as the Sideband functionality doesn't appear to support basic authentication...

    So I've either got to get the iRule to call an intermediary system, or write a stand-alone iControl app...

    More to follow :)

    Cheers

    Gav
  • GavinW: Well, that's not ENTIRELY true. Think of a sideband connection as a total "clean slate".

    You can absolutely send Basic Auth via a sideband connection, you just need to manually construct and send the "Authorization" header to the server in the transaction -- in other words, don't wait for the server to 401, just go ahead and send the header it wants, formatted properly. The Authorization header is basically the username and password joined with a colon, then base64 encoded. See here: http://en.wikipedia.org/wiki/Basic_access_authentication

    Pretty simple on the BigIP:

    set username "user"
    set password "pass"
    HTTP::header insert Authorization "Basic [b64encode "${username}:${password}"]"

    ... or in the case of sideband, the header would just be another line of text you send out the socket. Cheers!
  • You could also open a sideband connection to another virtual that has an HTTP profile and then use HTTP:: iRule commands to modify the requests.

    Aaron
  • Ahh, cheers for the heads up...

    Will give it a go and see what I can do :)

    Cheers

    Gavin
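
An added example (not posted by anyone in this thread) of the sideband approach discussed above: an iRule that builds the Basic `Authorization` header and sends it as one line of a hand-written HTTP request over a sideband connection. The destination address, request path, Host value and credentials are placeholders assumed for illustration.

```tcl
when HTTP_REQUEST {
    # Placeholders (assumptions, not values from the thread).
    set username "user"
    set password "pass"
    set dest "192.0.2.10:80"          ;# hypothetical internal virtual server or host
    set path "/placeholder"           ;# hypothetical request path
    set host "placeholder.example"    ;# hypothetical Host header value

    # Basic auth is base64("user:pass"): an encoding, not encryption, so the
    # header is as sensitive as the password itself. Never log it.
    set auth [b64encode "${username}:${password}"]

    # Sideband is a clean slate: write the whole request by hand, each header
    # on its own CRLF-terminated line, with a blank line ending the headers.
    # The iRule writes these bytes as-is, so the credentials are cleartext on
    # this hop; keep the destination on a trusted path.
    set request "GET $path HTTP/1.1\r\n"
    append request "Host: $host\r\n"
    append request "Authorization: Basic $auth\r\n"
    append request "Connection: close\r\n\r\n"

    set conn [connect -timeout 1000 -idle 5 -status conn_status $dest]
    if { $conn eq "" } {
        log local0. "sideband connect to $dest failed: $conn_status"
        return
    }

    # send returns the number of bytes written; treat a short write as failure.
    set sent [send -timeout 1000 -status send_status $conn $request]
    if { $sent != [string length $request] } {
        log local0. "sideband send incomplete: $send_status"
        close $conn
        return
    }

    # Read up to 2048 bytes, which covers the response status line.
    set response [recv -timeout 1000 -status recv_status 2048 $conn]
    close $conn

    # Log only the status line, never the request (it carries the credentials).
    log local0. "sideband response: [lindex [split $response "\r\n"] 0]"
}
```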