Sulaiman_85782
Jul 02, 2014

Updating "Default Pool" via Portal

Hi All

 

Hope someone has accomplished this before.

 

In our scenario we have multiple Support teams. One team specifically manages the F5.

 

What I want to do is delegate permission to some of the other Support teams or the NOC so that they can change the Default Pool settings in a Virtual Server. I do however want to accomplish this via a Portal of some kind where the users don't need to log directly onto the device but instead log onto a portal and maybe have some sort of drop-down options to update the Default Pool settings as required.

 

Has anyone got some guidance that I can use so that I can get this tested, as I want to get some load from the F5 team.

 

Thanx

 

6 Replies

  • There's no functionality to limit what is displayed on a configuration screen, or to project some of that configuration into another environment. You could technically attempt to expose the BIG-IP management GUI through an APM portal; that is technically possible but not trivial. But your best bet probably, given that you want to expose a very limited setting, is to roll your own iControl. Thankfully the new iControl REST interface makes that far easier.

     

  • Hi!

    You could achieve this with iControl, but the catch is that you'd need to save the username and password in a file. Do you have any experience in scripting?

    Also you might be able to do it with iStats and iRules. Jason Rahm wrote an excellent article on how to use iStats to execute tmsh commands:

    https://devcentral.f5.com/articles/icall-triggers-invalidating-cache-from-irules

    Then use this command:

    modify ltm virtual [virtual server name] pool [pool name]
    

    Instead of:

    tmsh::modify wam application dc.wa_hero content-expiration-time now    
    

    You'd have to change the iRule too. Maybe something like this?

    when HTTP_REQUEST {
      if { [HTTP::path] eq "/setdefaultpool" } {
        # Pool name requested by the caller, taken from ?defpool=...
        set defpool [URI::query [HTTP::uri] defpool]
        # Only accept names that are present in the allowedpools data group
        if { [class match $defpool equals allowedpools] } {
          # Set an iStats key carrying the virtual server and the chosen pool
          ISTATS::set "WA policy string [virtual name]$defpool" 1
          HTTP::respond 200 content "Set $defpool as default pool on [virtual name]."
        } else { HTTP::respond 200 content "Please specify a valid pool /setdefaultpool?defpool=pool_name" }
      }
    }
    

    Note that this is a bit messy and requires quite a lot of config. I have not tested this but it should be possible.

    Hopefully Kevin Stewart or Nitas comes up with a brilliant alternative!

    /Patrik

  • These are interesting techniques Patrik. I think the absolute simplest approach though is still an iControl. I'm not going to venture too far down the "which language is better for this" sort of thing, because it depends on what you're comfortable with. But if I was doing this, and I wanted to do it quickly, I'd probably build a Perl or Python script, or PHP-based webpage on some web server and use iControl REST. That would be very easy to incorporate into some third party portal product.
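
The iControl REST approach suggested in the replies above, as an added example (not code from any poster or from F5): a portal back end that accepts only virtual server/pool pairs from its own allowlist before building the PATCH to `/mgmt/tm/ltm/virtual`. The host name, the object names and the `BIGIP_USER`/`BIGIP_PASS` environment variables (a dedicated service account) are assumptions.

```python
import base64
import json
import os
import re
import urllib.request

# Constructed sample values: host, virtual server and pool names are assumptions.
BIGIP_HOST = "bigip.example.internal"
# Portal-side allowlist: the only pools each virtual server may be pointed at.
ALLOWED = {
    "/Common/vs_web": {"/Common/pool_web_a", "/Common/pool_web_b"},
    "/Common/vs_api": {"/Common/pool_api_blue", "/Common/pool_api_green"},
}
NAME_RE = re.compile(r"/[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+")


def build_pool_change(virtual, pool, user, password):
    """Return (url, headers, body) for the PATCH, or raise ValueError."""
    for name in (virtual, pool):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"malformed object name: {name!r}")
    if pool not in ALLOWED.get(virtual, ()):
        raise ValueError(f"{pool} is not an allowed pool for {virtual}")
    # iControl REST addresses /Partition/name as ~Partition~name in the URL.
    url = f"https://{BIGIP_HOST}/mgmt/tm/ltm/virtual/{virtual.replace('/', '~')}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "Content-Type": "application/json"}
    # Only the "pool" property is sent, so nothing else on the virtual changes.
    return url, headers, json.dumps({"pool": pool}).encode()


def set_default_pool(virtual, pool):
    """Send the change; credentials come from the environment, not the web root."""
    url, headers, body = build_pool_change(
        virtual, pool, os.environ["BIGIP_USER"], os.environ["BIGIP_PASS"])
    req = urllib.request.Request(url, data=body, headers=headers, method="PATCH")
    # urllib verifies the management certificate by default; keep it that way.
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("pool")
```

The portal's drop-down can be populated from `ALLOWED`, and `build_pool_change` still re-checks the submitted pair server-side, so a tampered form value is rejected before any request reaches the BIG-IP.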