Forum Discussion

OTS02's avatar
OTS02
Icon for Cirrus rankCirrus
Jun 08, 2018

rest calls not allowed by other-than-admin

With Firefox, I can successfully pull virtual information (user = admin):

 

 

However, with a user that is assigned the role 'Resource Administrator' it is denied.

 

Also, when I look at the user in the GUI, there are never any Failed Logins recorded.

 

I have written many c programs for users with less-than-admin roles, with no problems.

 

What am I missing?

 

application delivery
LTM
  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Jun 10, 2018

    It is possible to use a non administrator user to access iControl REST. It does require a bit of setting up to get it working.

    K84925527: Overview of iControl permissions

    First you must create your user,

    Here I create the guest user as 'notadmin' with password 'notadminpw' 

    (tmos) create auth user notadmin partition-access add { all-partitions { role guest } } shell tmsh password notadminpw

    Next you must find the selflink value for the user you have created (assuming your admin ID is 'admin' and password is 'secret'.)

    curl -s -k -u admin:secret https://localhost/mgmt/shared/authz/users | jq .

    you will see the output which will appear similar to this below..

    {
  "items": [
.....
    {
      "name": "notadmin",
      "displayName": "notadmin",
      "encryptedPassword": "$6$Randomized_Characters_Of_Password",
      "generation": 1,
      "lastUpdateMicros": 1519056227960605,
      "kind": "shared:authz:users:usersworkerstate",
      "selfLink": "https://localhost/mgmt/shared/authz/users/notadmin"
    },
.......
  ],
  "generation": 11,
  "kind": "shared:authz:users:userscollectionstate",
  "lastUpdateMicros": 1519056227962971,
  "selfLink": "https://localhost/mgmt/shared/authz/users"
}

    Locate the value for 'selfLink' for the user notadmin, here is is shown as

    The next command will alter that userID so that it can be used for iControl REST, ensure that you set the 'link' value to be the same as the 'selfLink' value extracted in the step above.

     curl -s -k -u admin:secret --request PATCH --data '{"userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/notadmin"}]}'     https://localhost/mgmt/shared/authz/roles/iControl_REST_API_User | jq .

    This will produce a lot of output.

    After this command you can then issue iControl REST command using your non-admin user id 'notadmin'

     curl -s -k -u notadmin:notadminpw  https://localhost/mgmt/tm/ltm/virtual | jq .

    I hope this is helpful - obviously you want to create a user with Resource Administrator role.