Forum Discussion
Remotely authenticated users for iControl Rest
My question is: Can a remotely authenticated user that is not an Administrator access the REST interface?
I have this functionality for the 'admin' account of course. It works fine.
When I use a remotely authenticated user (AD in my case) it ONLY works if I do the following:
1) Create a Remote Role group
2) Set the following: Remote Access - Enabled, Terminal - tmsh
3) Make sure Attribute String matches AD group
4) The setting for Assigned Role doesn't matter, as it turns out... see below
Now, the above works for the GUI, but for REST access, I have to:
1) Create a local user
2) 'User Name' must match the 'sAMAccountName' attribute
3) Set Terminal Access to 'tmsh' and Role to 'Administrator'
The account in question will now have the ability to query the device through the REST interface.
Setting the role to anything else will prevent REST access from working. One will receive the "java.lang.SecurityException: Authorization failed:" error.
Is this by design? Am I missing something? BTW, giving the account Admin in this manner makes the account admin in the GUI as well.
Any help here is greatly appreciated
4 Replies
- What_Lies_Bene1 (Cirrostratus)
Can't find anything useful regarding most of your queries, but I can confirm the user must have the Administrator role, unfortunately. Seeing as the entire device configuration could be deleted, this makes sense. Hopefully we'll see some related new user roles and improved granularity around this in future releases.
- brad_11480 (Nimbostratus)
What version is the above? I am on 11.5.3 and while I can use SOAP just fine, another user cannot (we use RADIUS authentication to Cisco). I changed his account to be administrator and tmsh like mine and it doesn't work with that change either.
- JG (Cumulonimbus)
This hasn't changed. From the v12.0.0 user guide for iControl REST (p. 22):
"A user account must have administrative level access to the iControl REST namespace to make iControl REST requests."
- Mark_Saunders_1 (Altostratus)
Why not authenticate the user to AD, verify he's a member of a specific group, then proceed with the rest of the script with LTM admin credentials? This way the user won't have access to the LTM console, but will still work within your iRest script. I'm doing this with a web interface.
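The broker pattern Mark_Saunders_1 describes, written out as an added example (it is not code from this thread or from F5): the script authenticates the caller against AD, checks membership in one AD group, and only then builds the iControl REST request using a separate local Administrator-role service account whose credentials the caller never sees. Because that service account is full admin on the BIG-IP, the broker also allowlists which methods and paths it will forward; without that, every group member effectively becomes an administrator through the script. The AD lookup is a constructed in-memory stand-in so the example runs offline; the host `bigip.example.com`, the service account `svc_icontrol`, the group `NetOps` and the allowed path prefixes are all assumptions for illustration.

```python
import base64
import json
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple

# Constructed stand-in for Active Directory: sAMAccountName -> (password, group DNs).
# It exists only so the example runs offline; in production replace it with a real
# LDAP bind as the user (e.g. via the ldap3 package) followed by a memberOf lookup.
FAKE_AD = {
    "jdoe":    ("jdoe-pw",    {"CN=NetOps,OU=Groups,DC=example,DC=com"}),
    "mallory": ("mallory-pw", {"CN=Guests,OU=Groups,DC=example,DC=com"}),
}

# Assumed values: the AD group entitled to use the broker, the BIG-IP host, and the
# local Administrator-role service account whose credentials only the broker holds.
REQUIRED_GROUP = "CN=NetOps,OU=Groups,DC=example,DC=com"
BIGIP_HOST = "bigip.example.com"
ADMIN_CREDS = ("svc_icontrol", "svc-pw")

# The broker acts with Administrator rights, so it forwards only the operations its
# users are entitled to: read-only queries under two collections (assumed policy).
ALLOWED_METHODS = {"GET"}
ALLOWED_PATH_PREFIXES = ("/mgmt/tm/ltm/", "/mgmt/tm/sys/")

AuthFn = Callable[[str, str], Optional[Set[str]]]


def fake_ad_authenticate(username: str, password: str) -> Optional[Set[str]]:
    """Return the user's group DNs on a successful bind, None on bad credentials."""
    entry = FAKE_AD.get(username)
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic credentials as iControl REST accepts them on each request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


@dataclass
class IControlRequest:
    url: str
    method: str
    headers: dict
    body: Optional[bytes] = None


def check_access(username: str, password: str, path: str, method: str = "GET",
                 authenticate: AuthFn = fake_ad_authenticate) -> Tuple[bool, str]:
    """Decide whether the caller may have this request forwarded, with a reason."""
    groups = authenticate(username, password)
    if groups is None:
        return False, "AD authentication failed"
    if REQUIRED_GROUP not in groups:
        return False, f"{username} is not a member of {REQUIRED_GROUP}"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted through the broker"
    # Reject anything outside the allowlisted collections, including ".." traversal.
    if ".." in path or not path.startswith(ALLOWED_PATH_PREFIXES):
        return False, f"path {path} not permitted through the broker"
    return True, "ok"


def broker(username: str, password: str, path: str, method: str = "GET",
           authenticate: AuthFn = fake_ad_authenticate) -> IControlRequest:
    """Build the REST request sent on the user's behalf with the admin service account."""
    ok, reason = check_access(username, password, path, method, authenticate)
    if not ok:
        raise PermissionError(reason)
    admin_user, admin_pw = ADMIN_CREDS
    return IControlRequest(
        url=f"https://{BIGIP_HOST}{path}",
        method=method,
        headers={
            "Authorization": basic_auth_header(admin_user, admin_pw),
            "Content-Type": "application/json",
        },
    )


def send(req: IControlRequest, timeout: float = 10.0) -> dict:
    """Deliver the request to a real BIG-IP; not exercised offline."""
    r = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    req = broker("jdoe", "jdoe-pw", "/mgmt/tm/sys/version")
    print(req.method, req.url)  # the caller only ever sees the result of send(req)
    print(check_access("mallory", "mallory-pw", "/mgmt/tm/sys/version"))
    print(check_access("jdoe", "jdoe-pw", "/mgmt/tm/sys/version", method="DELETE"))
```

The AD bind and the REST call are kept behind separate functions so the policy in `check_access` can be tested without a directory or a device; the allowlist is the part worth reviewing most carefully, since anything the broker forwards runs as Administrator on the BIG-IP.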