@Satoshi Toyosawa

Very cool article.

I don't understand and How user-foo is associated with the testRole?

Part 4,Below output have not the user foo.

"name": "testRole", "userReferences": [ { "link": "; } ], "resourceGroupReferences": [ { "link": "; } ], "generation": 1, "lastUpdateMicros": 1521682931708662, "kind": "shared:authz:roles:rolesworkerstate", "selfLink": "; }

Thanks

Good spotting. Typo fixed. Thanks.

What does the format look like if you have multiple resources in the resource mask or multiple methods?

To specify multiple resourses you will simply add them to the collection in the context of "resources" by using a PATCH method (a POST would overwrite the collection).

Hello

Thanks, Peter

Hi Peter, no, it´s not. It seems to be reboot-proof. But it had to be restored after a software update. No idea, where the information is stored. We kept it in a script (stored in /config/) directory and executed it conditionally via /config/startup. Thanks, Stephan

Hi Stephen, We are using Big-IP 13.1.0.3 Build 0.0.5 Point Release 3.

It seems to work only when we leave the user "foo" in the iControl_REST_API_User reference group... When we delete its reference we get an 401 Authorization error... Do you know what might be the problem? Thank you, Steve

Hi Steve,

Hi Stephan, Thank you very much for the quick response!

The problem is that if we don`t delete the user from the iControl_REST_API_User reference group, it gets administrative permissions so that the RBAC model becomes irrelevant.

So the Rest API RBAC model does not work on Big-IP v13...?

Thank you, Steve

Hi Steve, I will check it tonight while travelling and provide an update. Will also check it´s behaviour on reboot and config restore. Cheers, Stephan

Thank you very much Stephan! Steve

Hi Steve, as described by Satoshi San an additional step is required for TMOS v13.1+. Here is what I just verified vs. TMOS v13.1.0.7:

Looks like it works as expected. Unfortunately I´m running out of time now to test the backup/restore now. More to follow. Cheers, Stephan

Hi Steve, tests above were actually made vs. TMOS v13.1.0.6. The open question was about the ability to restore the config or to roll forward. Results look promising. In TMOS v13.1.0.6 I saved a .ucs, performed a tmsh load sys config default and restored from the .ucs. User and role was available after the procedure. Same result after installing TMOS v13.1.0.7 to HD1.2 followed by cpcfg HD1.2; switchboot -b HD1.2; reboot. The new step for v13.1+ was indeed required because the new user got all privileges. There seemed to be no limitations ... After removing the user according to the procedure provided above it worked the same way as in previous versions. Cheers, Stephan

Hi Stephan, For some reason it does not work for us on version 13.1.0.3 I will try to do that on 12.1.3 and I will update with the results.

Thank you so much for all of your help and hard work! Steve

Hi Steve, for testing under v12 it should not be necessary to remove the newly created user from the "iControl_REST_API_User" role. Please keep us posted on your results. Cheers, Stephan

Hi Steve, it worked as usual under v12.1.3.4. No need to touch the iControl_REST_API_User. It worked as well under v13.1.0.3 in my environment after modifying the iControl_REST_API_User role.

After creating the new user via REST initially it looked as follows:

It was changed into the following (no need to worry about "kind", "generation" and "lastUpdateMicros" as they will be restored; make sure to create a proper JSON body; no trailing comma ...):

It was imported in the way described above and the RBAC worked properly (limited priviledges).

Cheers, Stephan

Hi Stephan, If it works for you I am obviously doing something wrong..

I will try some more tests and then I will post exactly what I am doing.. Thank you again so much! Steve

Hi Stephan, Ok,

1. I create the user "foo" { "name": "foo", "displayName": "Foo Bar", "encryptedPassword": "$6$YYD71I0t$TOpQJsDlz7TCjqpKvcQgVFWUVXCOwIV4s3LMQLsVdtnR7eULnI9dfjZhHAyiDTqEoR93RW2C1OPNUx1imRSWs/", "shell": "/sbin/nologin", "generation": 0, "lastUpdateMicros": 0, "kind": "shared:authz:users:usersworkerstate", "selfLink": "; }

    

2. I create a role "testRole" and attach a "userReferences" and "resources" to it { "name": "testRole", "userReferences": [ { "link": "; } ], "resources": [ { "resourceMask": "/mgmt/tm/ltm/virtual/DVWA-master-vip", "restMethod": "GET" } ], "generation": 23, "lastUpdateMicros": 1531298163050205, "kind": "shared:authz:roles:rolesworkerstate", "selfLink": "; }

    

I have followed your post when I did that, What am I doing wrong? Thank you, Steve

Hi Steve, what TMOS version are you testing on now? There are syntax errors in your user reference and in the resource section. The trailing semicolon after the link in "userReference" will probably result in a malformed JSON body error message. There is another trailing semicolon behind the selfLink in the resources of your role which should cause errors as well. When testing versus your defined role please make sure to use the exact same path syntax. Your role will allow to send a GET request for /mgmt/tm/ltm/virtual/DVWA-master-vip only. It´s confusing me, that your role contains both references for localhost and a specific IP host of 192.168.203.11. My list of steps as described above can be executed remotely (including the setup for the user) completely and so I did. You are using local authentication? Cheers, Stephan

Hi Stephan, The output is from my lab environment . 1. The TMOS version is : Main Package Product BIG-IP Version 13.1.0.3 Build 0.0.5 Edition Point Release 3 Date Mon Feb 12 19:22:50 PST 2018

1. I think the semicolon was added by mistake in this post because on the Big-IP itself it ok. I will add the syntax again : { "name": "testRole", "userReferences": [ { "link": "; } ], "resources": [ { "resourceMask": "/mgmt/tm/ltm/virtual/DVWA-master-vip", "restMethod": "GET" } ], "generation": 23, "lastUpdateMicros": 1531298163050205, "kind": "shared:authz:roles:rolesworkerstate", "selfLink": "; }

    

2. I tried various ways to make this work that is why you see an IP address once and a "localhost" in an another reference. I have tried to do everything with an IP address and it didn`t work... Myabe I should try configuring everything with "localhost"?

    

3. Yes, I am using local authentication. I also use "Postman" for the API calls and not "curl"

    

I have opened a support case with F5, I will update with the results. If you have anymore ideas I would gladly listen and implement.

Thank you again so much! Steve

BTY, Yes, the semicolon is added by Devcentral automatically

Hi Stephan, Good news, It WORKS! When you wrote : "It´s confusing me, that your role contains both references for localhost and a specific IP host of 192.168.203.11." it got me thinking.. I changed everything to "localhost with no IP address and it worked!!!! Thank you so much again! Steve

Nice! Thanks for the update.

Hi ! As I understand this article, I can't give to a api user the permissions to POST or PATCH without give him the admin permissions. I try to give the rights to a user with the operator rôle to modify with iControl the gtm configuration (and only this part).

Indeed, the api user can bypass the fine grained permission of icontrol with the Configuration Utility and perform the actions manualy.

Hello,

How is it that you are using HTTP auth for non admin users? From 12.1 all authentication is done via token. Am I missing something?

Regards, Piotr

Hello !

 

Maybe it's me misunderstanding something. A token is given to an user(*) and if the user don't have the admin role, he can't do any POST or PATCH API request. How you can create a user with admin role without give it the access to the configuration utility with the same role ?

 

(*) As I can see here : https://clouddocs.f5.com/api/icontrol-soap/Authentication_with_the_F5_REST_API.html

 

I am inclined to agree with Olivier here. Unfortunately I don't have a unit to run tests on, but if I have understood the above article correctly, the fine-grained security control put in place here only applies to API requests.

As an example, Satoshi mentions giving access to the stats for a particular virtual server - which happens to be the exact use-case I have. To view stats normally, a user needs a role with administrative level privileges (which I can't make sense of, but that's another story!). Based on the example in the article, I am therefore concluding the role assigned to my user in the first step would need to be an administrative role. I would then create a new custom role as described above, attach the user to the custom role and apply the required restrictions (ie. GET only) via the custom resource-group mapped to the custom role.

I understand this works for API requests. However, my confusion is over how (or if) this new role has any effect on the new users' ability to login to the Configuration Utility? If the custom role has no bearing on login to the config utility, then I've just given a user GUI admin privileges when all I wanted was to let them see stats.

Very happy to be corrected if I've misunderstood something here.

Cheers.

@BenJ and @Oliver

I managed to get this to work. As a non-admin user you need to have token and RBAC policy for example to modify pool member can be written in sucha a way:

If you only write {"restMethod":"PATCH", "resourceMask":"/mgmt/tm/ltm/pool/*" } then it's not enough.

Hope that helps.

Regards, Piotr

Hi, thanks for the well written article. I've tested on versions 12.1.2 and 13.0.0 and I don't get any 401 responses. Foo is able to successfully make each call with a 200 response. I'm guessing this only works for 13.1.0 and above (like step 2), is that correct? If so is there any other way to restrict API calls in lower versions?

Step 2 is a specific instruction for 13.1.0 and above. Skip it for older versions. iControl REST RBAC should work for 11.6 and above.

I know there is the statement "It does not work for remote authentication mechanisms such as RADIUS or Active Directory." But could this work if I added a local user with the same username and gave it a role? I have tried but if I get a token I can pretty much do anything on the API with my AD user.

I also struggle with this sentence.

Will this work if I have in parallel remote authenticaton for i.e. ssh admins ?

Because I get authorization errors and can not find what the reason is.

But with a remote authenticated admin user I do get a response on my get request via curl.

Whre can I check for authentication/authorization ?

Are there any logs ?

 I came across the auth issue yesterday after a client called me when getting a 401 for RADIUS authenticated REST API users.

The problem was observed an reproducable in TMOS v12.1.4.1 and v12.1.5.2.

I followed the steps described in K01293626 and the disabling/enabling of remote auth after creating a local account seemed to fix the issue.

After reenabling the remote auth the user was added to the remote role user reference as described in the solution.

Both token based and basic auth based access worked from now.

The solution mentioned above has minor mistakes and little room for optimization as described below (left as comment as well in the solution; got no feedback):

To check the user was assigned to the remote role you might want to use the following:

As shown above the python -m json.tool might be use as an alternative to piping via jq depending on availability.

I am not sure, but it looks like this fine grained access controll does not work, when tacacs authentication is enabled.

The user I created will be authenticated agains my tacacs remote auth server, and this auth ist failing.

Just checked `/var/log/secure` to see it authc against tacacs.

 What TMOS version are you on? Is it TACACS based authentication only or are you using remote roles as well?

For some TMOS versions a TOKEN based REST API access was working only with TACACS (fixed in v15.1.1 according to the release notes).

Thank's Stephan, this also clarifies the need for a central authenticated user.

So https://support.f5.com/csp/article/K01293626 also mentions that the user needs to authenticat against radius.

"4. You should be able to log in with the RADIUS credentials."

 have not mentinoed I use version 14.1.2.6 and also configured remote roles groups. Hope I do not need a remote-role group also for this user.

Dear all,

Is there a way to automate step 2 : delete the user entry added in iControl_REST_API_User

role using a curl request ?

Addind a user in a role needs to send a PATCH request to /mgmt/shared/authz/roles/<ROLE_NAME>

with json payload '{ "userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/<USER_NAME>"}] }'

But how to delete, with a curl request, an entry in the userReferences array/subcollection (not using your manual method even if the suppression can be done with sed or ...)?

I try to find infos in icontrol user guide pdf but no way (https://cdn.f5.com/websites/devcentral.f5.com/downloads/icontrol-rest-api-user-guide-14-1-0.pdf).

Thanks for help ...

Hi ,

according to an article written by Jason Rahm, you may add items to the list.

But items can be deleted only, if it´s kind of subcollection.

So you may want to replace the whole collection by a new one, as far as I can say.

Kind regards, Stephan

Good day, Does this method still work in 15.1.2? I have been trying to get it and a similar method (https://support.f5.com/csp/article/K55510624) to work that last couple days. I cannot get either to restrict to only a single VIP or pool.

Thank you, Jason

This is not working for me Version: 14.1.4 Build 0.0.11.

This worked thank you