Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 

REST API access right


Hi all,

We're running F5 LTM (version 14.1.4.x) and sorry for any newbie question.

We're trying to perform some tasks through REST API to the LTM:

1. Check system status, e.g.

curl -ks -H "Content-Type: application/json" -u admin:admin "" -d "{\"command\":\"show\", \"utilCmdArgs\":\"-c 'cm failover-status'\"}"

2. Perform failover, e.g.

curl -ks -H "Content-Type: application/json" -u admin:admin "" -d "{\"command\":\"run\", \"utilCmdArgs\":\"-c 'sys failover standby'\"}"

We don't want to expose admin password in any script, while authentication token seems only valid for 10 hours at most and not suitable to be used in cronjobs.   We create user for this specific purpose with user role Resource Administrator who can perform the task through ssh or GUI.

However, both commands can run as that specific user (testuser1) in tmsh interactively, but fail when running through curl with error:

{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/testuser1 resource=/mgmt/tm verb=POST uri:http://localhost:8100/mgmt/tm referrer: sender:","referer":"","restOperationId":2225072,"kind":":resterrorresponse"}

I'm afraid we've something missed or setting up based on wrong concept...   

Would anyone please help?  

Thanks and Rgds

/st wong



@sysAdm Is this user a local user? Is your F5 configured for remote authentication for user login? Typically if you have an F5 using remote authentication the only local users that work are root and admin.

@PauliusYes, the user is a local user.  We didn't configure our F5 for remote authentication while we only played and learn using REST with admin user only.     Would you advise how to configure F5 to enable remote user authentication and thus to use REST api ?

Thanks  a  lot.

@sysAdm You do not need to enable remote authentication in order to use REST api. I was just making sure it wasn't enabled because if it was and you were using a local user, the local users are disabled when remote authentication is enabled. The exception to disabled local users with remote authentication is the root and admin user that come default on the F5.

@Paulius   Got it and thanks.   For the authorization issue we hit, since the user can issue the tmsh commands in SSH session but failed in REST api, I think the user has sufficient privilege in tmsh's perspective.  Will it be due to some other authorization control for using REST api ?   Thanks.

@sysAdm Based on the following article your user should have the ability to perform commands through REST api as long as they have the appropriate permissions for the command that they are attempting to execute. I would make sure that they role you associated to that user has appropriate permissions for the commands in question.

@PauliusThe role granted to the user has sufficient right and verified in tmsh command line.

Seems the issue is the user doesn't have access to particular REST API endpoints like that mentioned here