iControl REST Fine-Grained Role Based Access Control
Introduction
F5's role based access control (RBAC) mechanism allows a BIG-IP administrator to assign appropriate access privileges to the users (see Manual Chapter: User Roles). For example, with ...
Updated Jun 06, 2023
Version 2.0
I came across the auth issue yesterday after a client called me when getting a 401 for RADIUS authenticated REST API users.
The problem was observed an reproducable in TMOS v12.1.4.1 and v12.1.5.2.
I followed the steps described in K01293626 and the disabling/enabling of remote auth after creating a local account seemed to fix the issue.
After reenabling the remote auth the user was added to the remote role user reference as described in the solution.
Both token based and basic auth based access worked from now.
The solution mentioned above has minor mistakes and little room for optimization as described below (left as comment as well in the solution; got no feedback):
# 6.
# - does not require basic auth w/ "-u user:password", because credentials are posted with the payload)
# - requires the -H parameter declaration for the content type
# - use jq to pipe the output for human readable format
curl -sk -H "Content-Type: application/json" -X POST https://<BIGIP address>/mgmt/shared/authn/login -d '{"username": <user>,"password": <password>,"loginProviderName": "tmos"}' | jq
# 7.
# - does not require the content type declaration, because no data is provided to the service
curl -sk -H "X-F5-Auth-Token: <TOKEN>" https://<BIGIP address>/mgmt/tm/ltm/virtual/ | jqTo check the user was assigned to the remote role you might want to use the following:
curl -svk -u 'admin:<admin password>' 'https://<>/mgmt/shared/authz/roles/iControl_REST_API_User/?$select=userReferences' | python -m json.toolAs shown above the python -m json.tool might be use as an alternative to piping via jq depending on availability.