Read-only access to iControl REST API

Hi Phil,

 

the REST API does support a RBAC model, to control which part is accessible by whom and how the information could be accessed (read/write)

 

Read the section "About iControl and RBAC for user accounts" in the guide below, to see how its getting implemented...

 

https://devcentral.f5.com/d/the-user-guide-for-the-icontrol-rest-interface-in-big-ip-version-1160?download=true

 

Cheers, Kai

 

Thanks Kai, I'll take a look.

 

Regards,

 

Phil

 

Hi Phil,

this is the PUT request I've just used to grant the guest-user "Test" read-only access to my pool related APIs...

PUT https://1.1.1.1/mgmt/shared/authz/roles/iControl_REST_API_User

{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/Test"}],"resources":[{"resourceMask":"/mgmt/tm/ltm/pool","restMethod":"GET"},{"resourceMask":"/mgmt/tm/ltm/pool/*","restMethod":"GET"},{"resourceMask":"/mgmt/tm/ltm/pool/*/*","restMethod":"GET"},{"resourceMask":"/mgmt/tm/ltm/pool/*/*/*","restMethod":"GET"}]}

Cheers, Kai

Not sure if you got this fully answered.

 

The roles you are setting for users on the BIGIP follow the GUI/Rest interface. First you need to create a user, since your doing Guest Roles, giving them Guest access makes sense already =).

 

After you have the account created you need to have to get the self link to patch the group. once the user is patched into the group roles and rights should follow.

 

Since this is your first account into the rest group you will have to use admin to start.

 

Finding the Selflink: GET https://{{big_iq_mgmt}}/mgmt/shared/authz/users

 

Editing the Group: PATCH https://{{big_iq_mgmt}}/mgmt/shared/authz/roles/iControl_REST_API_User Body:

 

{ "userReferences": [ { "link": "; } ] }

 

Verify your user is added. GET https://{{big_iq_mgmt}}/mgmt/shared/authz/users

 

Try some rest calls =D

 

I've also added these to a postman collection here, with a few other things, remember to change your mgmt address https://github.com/jmcalalang/BIG-IQ-Postman-Collections

 

Bigipreport generates the config in Json format. You could even skip the web part and build your own front end. Not sure if it covers your needs though?

 

https://devcentral.f5.com/codeshare/bigip-report

 

/Patrik

 

Do things change or get any better with version 12.x? Is it really that nearly impossible to setup a read-only user for the iControl REST API? Our users, other than the main admin account, are not local accounts. They are authenticated on a remote (ACS) server.

 

We need to provide API access for some groups who would like to check the status of resources. I know this will grow to providing users update access to certain objects, but starting with read-only would help a lot.

 

I defined a user as 'guest' role. I look at the structures and it appears to be defined like other accounts-- which seem to be full access.. But perhaps it is no access as that is how it seems to behave.

 

I would want to generate a token for this read-only user that could then be used.

 

The token is only for a specific time. There's some examples here that you can use if you're unsure if your version is supporting token based auth or not:

 

https://loadbalancing.se/2017/05/10/using-f5-rest-api-with-roles/

 

From the error message above it looks like there might be some mistakes in the json payload?

 

/Patrik

 

Hoping that there is a guide to setup a read-only service account to use this iControl REST API. There seems to be an assumption that anyone using this needs to have all rights to do anything they wish.. Contrary-- we can't allow this to be free reign and need to be able to establish users with rights to access specific resources / modules.

 

For those of us with very limited background with REST API, any resource would be much appreciated.

 

Thanks..