Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

APM: terminate active session via API

Nikolay_Matveev
Nimbostratus
Nimbostratus

Is it possible to obtain a list of active APM session and then terminate one of them using an API?

 

I assumed this could be done using iControl REST API but failed to find any relevant information in its user guide :(.

 

14 REPLIES 14

Hello,

 

You can show active sessions using the following script :

 

for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete $i; done

 

You should have a look at the sessiondump command to see if you can kill an active session.

 

Thank you Yann. I understand you refer to CLI which is not exactly what I asked about. I need to be able to obtain list of current sessions and terminate one of them using an API call (ideally using a REST API) from an external application (not on the BigIP itself). Is this possible?

Unfortunately, I think this is currently not available out of the box. But you may launch bash scripts from the rest api instead

Hmm... that's not very good... If a script is invoked via the REST API can its console output be returned as a result of that API call?

Yann_Desmarest_
Nacreous
Nacreous

Hello,

 

You can show active sessions using the following script :

 

for i in $(sessiondump -list | cut -f1 -d\ ); do sessiondump -delete $i; done

 

You should have a look at the sessiondump command to see if you can kill an active session.

 

Thank you Yann. I understand you refer to CLI which is not exactly what I asked about. I need to be able to obtain list of current sessions and terminate one of them using an API call (ideally using a REST API) from an external application (not on the BigIP itself). Is this possible?

Unfortunately, I think this is currently not available out of the box. But you may launch bash scripts from the rest api instead

Hmm... that's not very good... If a script is invoked via the REST API can its console output be returned as a result of that API call?

You can run scripts via the REST API, but I would advise caution. Any commands that need input will fail, and if the command takes a long time to complete, it may not behave as expected. Same goes for commands that run a lot of output.

 

Arnaud_Lemaire
F5 Employee
F5 Employee

just release in 12.1 : REST APIs for managing user sessions in APM

 

New iControl REST requests make it easier to manage sessions within APM by letting you list all user sessions and retrieve session ID, user login, and IP address for each APM server. Additional APIs are available for retrieving session information based on username or client IP address and for deleting the session based on the session ID.

 

{ "kind": "tm:apm:access-info:access-infostats", "selfLink": "https://localhost/mgmt/tm/apm/access-info/example?ver=12.1.0", "propertyDescriptions": { "clientIp": "", "logonUser": "" }, "naturalKeyPropertyNames": [] }

Since 13.x you can do a REST call to delete a session : curl -X DELETE https://hostname/mgmt/tm/apm/session/12345678

 

12345678 to be replaced by your session_id

akhmarov
Altostratus
Altostratus

Hello all!

 

Recently deployed such a solution:

  1. Created iCall script with session termination logic (thanks Yann)
  2. Created iCall handler with type perpetual
  3. Used iControlREST to execute iCall handler

 

See Yann's article

 

Create your own iCall script and handler:

sys icall script ApmSessionPurge_script { ... } sys icall handler perpetual ApmSessionPurge_handler { script ApmSessionPurge_script }

 

In the end of "definition" section of your iCall script add below commands. This command must be used because once perpetual handler will be started someone must stop it.

# Stop iCall handler after execution catch {[exec -- /bin/tmsh stop sys icall handler perpetual ApmSessionPurge_handler]}

 

Shell example to use iControlREST:

BIGIP_ADDR='192.0.2.1' BIGIP_USER='admin' BIGIP_PSWD='admin123' BIGIP_HDLR='ApmSessionPurge_handler'   BIGIP_AUTH=$(curl -sk -H 'Content-Type: application/json' -X POST -d "{'username':'"$BIGIP_USER"', 'password':'"$BIGIP_PSWD"', 'loginProviderName':'tmos'}" https://${BIGIP_ADDR}/mgmt/shared/authn/login) # Use sed -nE below for regular Linux/MacOS BIGIP_TOKEN=$(echo $BIGIP_AUTH | sed -nr 's/.*\"token\":\"([A-Z0-9]+)\".*/\1/p') curl -sk -H 'Content-Type: application/json' -H "X-F5-Auth-Token: $BIGIP_TOKEN" -X POST -d "{\"command\":\"start\", \"name\":\"$BIGIP_HDLR\"}" https://${BIGIP_ADDR}/mgmt/tm/sys/icall/handler/perpetual

 

Kurt_Erickson
F5 Employee
F5 Employee

This may be an easier way.

 

To get a list of Active access sessions:

curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M .

{

 "kind": "tm:apm:access-info:access-infostats",

 "selfLink": "https://localhost/mgmt/tm/apm/access-info?ver=15.1.0",

 "entries": {

  "https://localhost/mgmt/tm/apm/access-info/9c0a5b2d": {

   "nestedStats": {

    "entries": {

     "clientIp": {

      "description": "192.168.1.72"

     },

     "logonUser": {

      "description": "user1"

     }

    }

   }

  },

  "https://localhost/mgmt/tm/apm/access-info/b7c5ede0": {

   "nestedStats": {

    "entries": {

     "clientIp": {

      "description": "192.168.1.72"

     },

     "logonUser": {

      "description": "user2"

     }

    }

   }

  }

 }

}

 

To delete a specific Access session:

Locate the logonUser name and the URL ending with the session id.

curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/<session id>

Kurt_Erickson
F5 Employee
F5 Employee

Not very pretty but this will iterate through the current access sessions and delete them:

 

curl -sk -u admin:<password> -H "Content-Type: application/json" -X GET https://<apm ip address>/mgmt/tm/apm/access-info | jq -M . | grep https | grep -v selfLink | sed s'/\// /'g | sed s'/"/ /'g | awk '{system("curl -sk -u admin:<password> -X DELETE https://<apm ip address>/mgmt/tm/apm/session/"$7)}'