on 07-Nov-201803:00 - edited on 05-Jun-202321:54 by JimmyPackets
Introduction
F5's role based access control (RBAC) mechanism allows a BIG-IP administrator to assign appropriate access privileges to the users (see Manual Chapter: User Roles). For example, with the
operator
role, the user is specifically allowed to enable or disable nodes and pool members. The mechanism is generally the best way to manage users easily and consistently, however, finer access management may be required from time to time: e.g., allow only to view the stats of a predefined set of virtuals. Restricting access is especially important in iControl REST because users can remotely and directly access the system.
The existing roles and their access permissions are defined in
/mgmt/shared/authz/roles
and
/mgmt/shared/authz/resource-groups
. You can add custom roles with custom permissions for particular users to these resources (iControl REST endpoints). The resources are described in BIG-IQ Systems REST API References, however, they are not exactly easy to follow. To fill the gap, this article describes a method to configure users and roles in a much finer manner.
Note
This method is only applicable to iControl REST: It does not apply to Configuration Utility or ssh.
The method relies on the resources for local users (i.e.,
/mgmt/tm/auth/user
and
/mgmt/shared/authz/users
). It does not work for remote authentication mechanisms such as RADIUS or Active Directory.
Setup
In this example, a local user "foo" and a custom role "testRole" are created. The role allows users to
GET
(list) only the virtual server "vs". The access method and resource are defined in "testResourceGroup", that is referenced from the "testRole". No other operation such as
PATCH
(modify) or DELETE is permitted. Also, no other resource such as another virtual is allowed. All the REST calls are done using curl: You may want to consider using other methods such as F5 Python SDK .
1. Create a new user
The following curl command creates the user "foo". The password is "foo", the description is "Foo Bar", and the role is "operator" for all the partitions.
The role is important. When the access privileges conflict between the role and the fine grained RBAC, the stricter authorization is chosen. For example, if the RBAC is configured to allow PATCH or POST but the user's role is guest (no alteration allowed), the user won't be able to perform these methods.
You can create a user from tmsh or Configuration Utility if that's your preferred method.
2. (13.1.0 and later) Remove the user from
/mgmt/shared/authz/roles/iControl_REST_API_User
From v13.1.0, a newly created local user is automatically added to
iControl_REST_API_User
, which grants access to iControl REST without any setup. To avoid assigning multiple permissions, you need to remove the user reference from
Remove the line including the opening and ending curly brackets plus the comma. Save the file.
Overwrite the current data by putting the file to the endpoint.
curl -sku admin:<pass> https://<mgmtIP>/mgmt/shared/authz/roles/iControl_REST_API_User -X PUT -d@file
3. Create a custom resource-group
A resource-group consists of a set of resources and methods. In this example, the resource-group is named "testResourceGroup", which allows a role to perform
GET
request to the resource
/mgmt/tm/ltm/virtual/vs
. "testResourceGroup" is later used in the custom role.
Note that a resource-group entry is keyed by "id", not "name". The id is automatically generated.
As you can see, the resources field is a list of multiple objects, each containing the endpoint and the method. To add more permissions to the resource-group, add objects to the list.
4. Create a custom role
Create a role "testRole" with the user "foo" and the resource-groups "testResourceGroup". This makes the user to become a member of the role "testRole", hence allows the users to perform
To specify multiple resourses you will simply add them to the collection in the context of "resources" by using a PATCH method (a POST would overwrite the collection).
Below you will find some examples.
virtuals
GET ./mgmt/tm/ltm/virtual List all virtual servers (cannot list a specific one)
GET ./mgmt/tm/ltm/virtual/* List specified virtual server (cannot list all)
GET ./mgmt/tm/ltm/virtual/~~ List properties of specified virtual servers
GET ./mgmt/tm/ltm/virtual/~~/* List properties (profiles, policies, ?) of specified virtual servers
GET ./mgmt/tm/ltm/virtual/~~/profiles List profiles of specified virtual servers
GET ./mgmt/tm/ltm/virtual/~~/policies List policies of specified virtual servers
POST ./mgmt/tm/ltm/virtual/*/* Add properties (profiles, policies, ?) all virtual servers
POST ./mgmt/tm/ltm/virtual/~~/* Add properties (profiles, policies, ?) of specified virtual servers
POST ./mgmt/tm/ltm/virtual/~~/profiles Add profiles of specified virtual servers
POST ./mgmt/tm/ltm/virtual/~~/policies Add policies of specified virtual servers
PATCH ./mgmt/tm/ltm/virtual/* Modify properties all virtual servers
PATCH ./mgmt/tm/ltm/virtual/~~ Modify properties of specified virtual servers
DELETE ./mgmt/tm/ltm/virtual/*/*/* Delete properties (profiles, policies, ?) all virtual servers
DELETE ./mgmt/tm/ltm/virtual/~~/*/* Delete properties (profiles, policies, ?) of specified virtual servers
DELETE ./mgmt/tm/ltm/virtual/~~/profiles/* Delete profiles of specified virtual servers
DELETE ./mgmt/tm/ltm/virtual/~~/policies/* Delete policies of specified virtual servers
pools
GET ./mgmt/tm/ltm/pool List all pools (cannot list a specific one)
GET ./mgmt/tm/ltm/pool/* List specified pools (cannot list all)
GET ./mgmt/tm/ltm/pool/~~ List properties of specified pools
GET ./mgmt/tm/ltm/pool/~~/* List properties (members, ?) of specified pools
GET ./mgmt/tm/ltm/pool/~~/members List Members of specified pools
POST ./mgmt/tm/ltm/pool/*/* Add properties (members, ?) all pools
POST ./mgmt/tm/ltm/pool/~~/* Add properties in specified pool
POST ./mgmt/tm/ltm/pool/~~/members Add Members of specified pools
DELETE ./mgmt/tm/ltm/pool/*/*/* Delete properties (members, ?) all pools
DELETE ./mgmt/tm/ltm/pool/~~/*/* Delete properties in specified pool
DELETE ./mgmt/tm/ltm/pool/~~/members/* Delete Members of specified pools
PATCH ./mgmt/tm/ltm/pool/* Modify properties all pools
PATCH ./mgmt/tm/ltm/pool/~~ Modify properties in specified pool
PATCH ./mgmt/tm/ltm/pool/*/*/* Modify properties (members) all pools (administrative state)
PATCH ./mgmt/tm/ltm/pool/~~/*/* Modify properties (members, ?) in specified pool (administrative state)
PATCH ./mgmt/tm/ltm/pool/~~/members/* Modify Members of specified pools (administrative state)
PATCH ./mgmt/tm/ltm/pool/~~/members/~~ Modify specified members of specified pools (administrative state)
Hi Peter, no, it´s not.
It seems to be reboot-proof.
But it had to be restored after a software update.
No idea, where the information is stored.
We kept it in a script (stored in /config/) directory and executed it conditionally via /config/startup.
Thanks, Stephan
Hi Stephen,
We are using Big-IP 13.1.0.3 Build 0.0.5 Point Release 3.
It seems to work only when we leave the user "foo" in the iControl_REST_API_User reference group...
When we delete its reference we get an 401 Authorization error...
Do you know what might be the problem?
Thank you,
Steve
Hi Stephan,
Thank you very much for the quick response!
The problem is that if we don`t delete the user from the iControl_REST_API_User reference group, it gets administrative permissions so that the RBAC model becomes irrelevant.
So the Rest API RBAC model does not work on Big-IP v13...?
Hi Steve,
tests above were actually made vs. TMOS v13.1.0.6.
The open question was about the ability to restore the config or to roll forward.
Results look promising.
In TMOS v13.1.0.6 I saved a .ucs, performed a
tmsh load sys config default
and restored from the .ucs. User and role was available after the procedure.
Same result after installing TMOS v13.1.0.7 to HD1.2 followed by
cpcfg HD1.2; switchboot -b HD1.2; reboot
.
The new step for v13.1+ was indeed required because the new user got all privileges. There seemed to be no limitations ...
After removing the user according to the procedure provided above it worked the same way as in previous versions.
Cheers, Stephan
Hi Steve,
for testing under v12 it should not be necessary to remove the newly created user from the "iControl_REST_API_User" role.
Please keep us posted on your results.
Cheers, Stephan
Hi Steve,
it worked as usual under v12.1.3.4. No need to touch the iControl_REST_API_User.
It worked as well under v13.1.0.3 in my environment after modifying the iControl_REST_API_User role.
After creating the new user via REST initially it looked as follows:
It was changed into the following (no need to worry about "kind", "generation" and "lastUpdateMicros" as they will be restored; make sure to create a proper JSON body; no trailing comma ...):
It was imported in the way described above and the RBAC worked properly (limited priviledges).
One more thing to note (which I cannot explain). After modifying the role, a lot of new entries like the following showed up in the context of the "userReferences" collection:
Hi Steve,
what TMOS version are you testing on now?
There are syntax errors in your user reference and in the resource section.
The trailing semicolon after the link in "userReference" will probably result in a malformed JSON body error message.
There is another trailing semicolon behind the selfLink in the resources of your role which should cause errors as well.
When testing versus your defined role please make sure to use the exact same path syntax.
Your role will allow to send a
GET
request for
/mgmt/tm/ltm/virtual/DVWA-master-vip
only.
It´s confusing me, that your role contains both references for
localhost
and a specific IP host of
192.168.203.11
.
My list of steps as described above can be executed remotely (including the setup for the user) completely and so I did.
You are using local authentication?
Cheers, Stephan
Hi Stephan,
The output is from my lab environment .
1. The TMOS version is :
Main Package
Product BIG-IP
Version 13.1.0.3
Build 0.0.5
Edition Point Release 3
Date Mon Feb 12 19:22:50 PST 2018
I think the semicolon was added by mistake in this post because on the Big-IP itself it ok. I will add the syntax again :
{
"name": "testRole",
"userReferences": [
{
"link": ";
}
],
"resources": [
{
"resourceMask": "/mgmt/tm/ltm/virtual/DVWA-master-vip",
"restMethod": "GET"
}
],
"generation": 23,
"lastUpdateMicros": 1531298163050205,
"kind": "shared:authz:roles:rolesworkerstate",
"selfLink": ";
}
I tried various ways to make this work that is why you see an IP address once and a "localhost" in an another reference. I have tried to do everything with an IP address and it didn`t work... Myabe I should try configuring everything with "localhost"?
Yes, I am using local authentication. I also use "Postman" for the API calls and not "curl"
I have opened a support case with F5, I will update with the results.
If you have anymore ideas I would gladly listen and implement.
Hi Stephan,
Good news, It WORKS!
When you wrote : "It´s confusing me, that your role contains both references for localhost and a specific IP host of 192.168.203.11." it got me thinking..
I changed everything to "localhost with no IP address and it worked!!!!
Thank you so much again!
Steve
Hi ! As I understand this article, I can't give to a api user the permissions to POST or PATCH without give him the admin permissions. I try to give the rights to a user with the operator rôle to modify with iControl the gtm configuration (and only this part).
Indeed, the api user can bypass the fine grained permission of icontrol with the Configuration Utility and perform the actions manualy.
Maybe it's me misunderstanding something. A token is given to an user(*) and if the user don't have the admin role, he can't do any POST or PATCH API request. How you can create a user with admin role without give it the access to the configuration utility with the same role ?
I am inclined to agree with Olivier here. Unfortunately I don't have a unit to run tests on, but if I have understood the above article correctly, the fine-grained security control put in place here only applies to API requests.
As an example, Satoshi mentions giving access to the stats for a particular virtual server - which happens to be the exact use-case I have. To view stats normally, a user needs a role with administrative level privileges (which I can't make sense of, but that's another story!). Based on the example in the article, I am therefore concluding the role assigned to my user in the first step would need to be an administrative role. I would then create a new custom role as described above, attach the user to the custom role and apply the required restrictions (ie. GET only) via the custom resource-group mapped to the custom role.
I understand this works for API requests. However, my confusion is over how (or if) this new role has any effect on the new users' ability to login to the Configuration Utility? If the custom role has no bearing on login to the config utility, then I've just given a user GUI admin privileges when all I wanted was to let them see stats.
Very happy to be corrected if I've misunderstood something here.
I managed to get this to work. As a non-admin user you need to have token and RBAC policy for example to modify pool member can be written in sucha a way:
Hi, thanks for the well written article. I've tested on versions 12.1.2 and 13.0.0 and I don't get any 401 responses. Foo is able to successfully make each call with a 200 response. I'm guessing this only works for 13.1.0 and above (like step 2), is that correct? If so is there any other way to restrict API calls in lower versions?
I know there is the statement "It does not work for remote authentication mechanisms such as RADIUS or Active Directory." But could this work if I added a local user with the same username and gave it a role? I have tried but if I get a token I can pretty much do anything on the API with my AD user.
I came across the auth issue yesterday after a client called me when getting a 401 for RADIUS authenticated REST API users.
The problem was observed an reproducable in TMOS v12.1.4.1 and v12.1.5.2.
I followed the steps described in K01293626 and the disabling/enabling of remote auth after creating a local account seemed to fix the issue.
After reenabling the remote auth the user was added to the remote role user reference as described in the solution.
Both token based and basic auth based access worked from now.
The solution mentioned above has minor mistakes and little room for optimization as described below (left as comment as well in the solution; got no feedback):
# 6.
# - does not require basic auth w/ "-u user:password", because credentials are posted with the payload)
# - requires the -H parameter declaration for the content type
# - use jq to pipe the output for human readable format
curl -sk -H "Content-Type: application/json" -X POST https://<BIGIP address>/mgmt/shared/authn/login -d '{"username": <user>,"password": <password>,"loginProviderName": "tmos"}' | jq
# 7.
# - does not require the content type declaration, because no data is provided to the service
curl -sk -H "X-F5-Auth-Token: <TOKEN>" https://<BIGIP address>/mgmt/tm/ltm/virtual/ | jq
To check the user was assigned to the remote role you might want to use the following:
Is there a way to automate step 2 : delete the user entry added in iControl_REST_API_User
role using a curl request ?
Addind a user in a role needs to send a PATCH request to /mgmt/shared/authz/roles/<ROLE_NAME>
with json payload '{ "userReferences":[{"link":"https://localhost/mgmt/shared/authz/users/<USER_NAME>"}] }'
But how to delete, with a curl request, an entry in the userReferences array/subcollection (not using your manual method even if the suppression can be done with sed or ...)?
I try to find infos in icontrol user guide pdf but no way (https://cdn.f5.com/websites/devcentral.f5.com/downloads/icontrol-rest-api-user-guide-14-1-0.pdf).
Good day, Does this method still work in 15.1.2? I have been trying to get it and a similar method (https://support.f5.com/csp/article/K55510624) to work that last couple days. I cannot get either to restrict to only a single VIP or pool.
