Mattias_Anderss
Mar 18, 2015

Multiple partitions in same route-domain

Hi,

We are currently working on a project where our developers should be allowed to use the API to configure certain VIPs, pools and nodes for their applications. The trendy word for it is DevOps, I guess :)

First of all, the user roles are a bit general in my opinion. To use the REST API the user needs to be "administrator", which is crazy. I'm not sure if this has been changed in the latest releases, but at the moment it's not an option to give users that kind of rights just to use the API. What we would like to do is to restrict a certain user to only have access to the VIPs, pools and nodes it has created, or that we define that it may modify. But from what I understand this is not possible in F5. If you have any suggestion how this can be solved, please let me know.

So the workaround is to make a partition for each application so they can't break anything else, and here is my real question: in our current production environment we have created two partitions, External_DMZ and Internal_DMZ, with two different route-domains with RD 0 as a parent. Is it possible to create an additional partition with the same RD as External_DMZ when it is not RD 0? I have tried this, but when I create a new partition I cannot select an existing RD except 0, or create a new one.

If you need further info about the problem, please let me know and I'll try to explain it a bit better!

Cheers! // Mattias

  • Thank you for the info. Is there more detailed information on F5 DevCentral about these mask access controls?

    • StephanManthey
      Hi Mattias, I came across it and spent some time testing. I'm not aware of more detailed documentation, sorry. Thanks, Stephan
  • Hi Stephan,

    thanks for this info, it will surely be useful. But I'm not sure I feel too comfortable implementing this in a production environment, as it seems not to be fully implemented as a feature when it will be removed after each upgrade. But I will surely test it out in the lab to see if it is what we are looking for. But maybe wait until F5 implements this so I don't need to add the filter when it's upgraded.

    Any idea on the other solution, where two partitions are used in the same route-domain?

    Cheers!

    • StephanManthey
      Hi Mattias, I never tried to use admin partitions in a combination as described. That's why I cannot comment on this, and even if I would test, I have no clue what the next TMOS version may change. For this reason we decided to follow the approach above and to script the re-installation of admin roles. Thanks, Stephan
  • Hi Mattias,

    you can use authorization roles and mask access control.

    I've been using it on v11.5.1 at one of my clients for a couple of months.

    It's possible to create a list of masks for the different REST methods in the following format:
    {
         "resourceMask": "/mgmt/tm/ltm/*/*/*/*/*",
         "restMethod": "PUT"
    },

    This information (role definition for "iControl_REST_API_LTM_Pool_Change") is stored in a .json file.

    It will be imported this way:
    curl -sk -u admin:admin -X POST -H "Content-type: application/json" https://localhost/mgmt/shared/authz/roles -d @icr_ltm_pool.json

    There is a guest user (api_user) defined on the system who will get the role assigned:

    curl -sk -X PATCH -u admin:admin -H "Content-type: application/json" https://localhost/mgmt/shared/authz/roles/iControl_REST_API_LTM_Pool_Change -d '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/'"${api_user}"'"}]}'

    This information is not stored in a .ucs archive and will get lost after a software update.

    You need to restore it manually (the lines above were taken from a script to automate this task).

    Thanks, Stephan
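Stephan's answer describes a two-step procedure (POST the role definition, PATCH the user reference onto it) and warns that the role is not kept in a .ucs archive and has to be re-applied after every upgrade. The script below, added here as an example and not code from the forum post or from F5, turns that into a repeatable check: it builds the role document from a (method, mask) list, compares it with what the device currently reports, and only re-creates the role when it is missing or has drifted. Assumptions are labelled in the code: the role document keys "name", "resources" and "userReferences" (the post shows only a single "resources" entry and a "userReferences" PATCH body), the ability to GET and DELETE a role at /mgmt/shared/authz/roles/<name>, and the placeholder host, credentials and the extra GET mask. The HTTP transport is injected, so the decision logic can be exercised without a device.

```python
"""Rebuild an iControl REST authorization role after an upgrade, detect drift.

Added example; not code from the forum post or from F5. Assumptions: the role
document uses the keys "name", "resources", "userReferences" (the post shows
only a "resources" entry and a "userReferences" patch body); a role can be read
and deleted at /mgmt/shared/authz/roles/<name>; host, credentials and user are
placeholders.
"""
import base64
import json
import os
import ssl
import urllib.error
import urllib.request

BASE = "https://localhost"                        # placeholder management address
ROLE_NAME = "iControl_REST_API_LTM_Pool_Change"   # role name from the post
API_USER = "api_user"                             # guest user from the post

# Least-privilege mask list as (method, mask) pairs. The PUT mask is the one
# shown in the post; the GET mask is constructed for this example.
ALLOWED = [
    ("GET", "/mgmt/tm/ltm/pool/*"),
    ("PUT", "/mgmt/tm/ltm/*/*/*/*/*"),
]
ROLES_URL = f"{BASE}/mgmt/shared/authz/roles"


def build_role(name=ROLE_NAME, allowed=ALLOWED, users=(API_USER,)):
    """Return the role document (assumed key names, see module docstring)."""
    return {
        "name": name,
        "resources": [{"resourceMask": m, "restMethod": meth} for meth, m in allowed],
        "userReferences": [{"link": f"{BASE}/mgmt/shared/authz/users/{u}"} for u in users],
    }


def role_drift(expected, actual):
    """Return (missing, extra) sets of (method, mask) pairs; actual=None means absent."""
    want = {(r["restMethod"], r["resourceMask"]) for r in expected["resources"]}
    have = {(r["restMethod"], r["resourceMask"]) for r in (actual or {}).get("resources", [])}
    return want - have, have - want


def restore_role(send, role, exists):
    """Mirror the post's two curl calls: POST the role, then PATCH the user onto it.

    An existing (drifted) role is deleted first; DELETE support is an assumption.
    """
    if exists:
        send("DELETE", f"{ROLES_URL}/{role['name']}", None)
    status, _ = send("POST", ROLES_URL, role)
    if status not in (200, 201):
        raise RuntimeError(f"POST role failed with HTTP {status}")
    status, _ = send("PATCH", f"{ROLES_URL}/{role['name']}",
                     {"userReferences": role["userReferences"]})
    if status != 200:
        raise RuntimeError(f"PATCH userReferences failed with HTTP {status}")


def ensure_role(send, role):
    """Return 'ok' if the device already matches `role`, else restore it -> 'restored'."""
    status, body = send("GET", f"{ROLES_URL}/{role['name']}", None)
    actual = body if status == 200 else None
    missing, extra = role_drift(role, actual)
    if actual is not None and not missing and not extra:
        return "ok"
    restore_role(send, role, exists=actual is not None)
    return "restored"


def urllib_sender(user, password, verify_tls=True):
    """Real transport: send(method, url, body) -> (status, parsed JSON) over Basic auth.

    TLS verification stays on; verify_tls=False is the post's `curl -k` and is for labs.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else {})
        except urllib.error.HTTPError as err:
            return err.code, {}

    return send


if __name__ == "__main__":
    # Credentials come from the environment, never from the script body.
    print(ensure_role(urllib_sender(os.environ["F5_USER"], os.environ["F5_PASS"]), build_role()))
```

Run it after each upgrade (or from a scheduler) with F5_USER and F5_PASS set; it prints "ok" when the role on the device still matches the intended mask list and "restored" when it had to be re-created. Because role_drift reports both missing and extra (method, mask) pairs, the same function doubles as a least-privilege audit: any mask that appears on the device but not in ALLOWED shows up as drift.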