Forum Discussion

prole92_221949's avatar
Jul 13, 2016

BIG-IP 11.6.1 iControl REST API access issues

Hi guys,

 

I'm having issues with BIG-IP version 11.6.1 and iControl REST API. On previous versions I was able to create an administrator account on the BIG-IP and use it to access the iControl REST API. On version 11.6.1 it seems that this is not possible. The only account that I can use is the builtin admin account.

 

Did any of you experience this issue and do you have any suggestions on how to solve this?

 

Thanks in advance

 

  • The behavior changed as part of an enhancement to allow role based access to REST resources. You can create different users as follows:

     

    1. Create new user in GUI or TMSH. Make sure to assign that user the appropriate role (e.g. Manager, etc)
    2. GET to /mgmt/shared/authz/users to verify that the user shows up in the users
    3. GET /mgmt/shared/authz/roles/iControl_REST_API_User and save contents
    4. Update userReferences property from the role resource you got in step 3 "userReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/" }
    5. Do a PUT (or PATCH) to /mgmt/shared/authz/roles/iControl_REST_API_User with the modified userReferences array property
    6. Verify that the role is updated with the user reference: GET /mgmt/shared/authz/roles/iControl_REST_API_User
    7. Perform an icontrol command with that user to verify

    Note: if the role that you assigned in step 1 does not have access to a resource then you still won’t be able to read/write it

     

6 Replies

  • I had the same exactly issue when I upgraded from 11.5.3 HF2 to 11.6.1 Final. I had to change all my scripts to use the admin account, I'm hoping to upgrade to 12.1.0 HF1 to get rid of this issue.

     

  • Tikka_Nagi_1315's avatar
    Tikka_Nagi_1315
    Historic F5 Account

    The behavior changed as part of an enhancement to allow role based access to REST resources. You can create different users as follows:

     

    1. Create new user in GUI or TMSH. Make sure to assign that user the appropriate role (e.g. Manager, etc)
    2. GET to /mgmt/shared/authz/users to verify that the user shows up in the users
    3. GET /mgmt/shared/authz/roles/iControl_REST_API_User and save contents
    4. Update userReferences property from the role resource you got in step 3 "userReferences": [ { "link": "https://localhost/mgmt/shared/authz/users/" }
    5. Do a PUT (or PATCH) to /mgmt/shared/authz/roles/iControl_REST_API_User with the modified userReferences array property
    6. Verify that the role is updated with the user reference: GET /mgmt/shared/authz/roles/iControl_REST_API_User
    7. Perform an icontrol command with that user to verify

    Note: if the role that you assigned in step 1 does not have access to a resource then you still won’t be able to read/write it

     

  • There is a known issue in v11.6.1 (only) for RBAC. If you need to install this version try adding another step in upgrading process:

     

    old version --> v11.6.0 --> v11.6.1

     

    Or install a newer version (12.x)

     

  • Hi,

     

    Sorry for re-opening an old thread but I'm wondering if the RBAC setup to REST services have changed in 12.1.2?

     

    I can confirm Basic Auth works okay if the user has an admin role but fails with a 401 authentication error when I try to retrieve a login token when sending a POST to /mgmt/shared/authn/login with username, password and login provider in the JSON body.

     

    The same user can login without issues via the web UI so I suspected the issue is most likely an RBAC issue for REST.

     

    Thanks in advance,

     

    Bobby

     

  • sara_125232's avatar
    sara_125232
    Historic F5 Account

    -> 11.6.1-HF1 : you are not able to view/access "/mgmt/shared/authz/users" with a non-default admin account even though you PATCH that user to iControl_REST_API_User group with default admin credentials.

     

    [root@BIGIP1:Active:Standalone] config curl -k -u admin:admin -X PATCH -d '{ "userReferences":[{"link":";}] }'

     

    [root@BIGIP1:Active:Standalone] config curl -k -u sara:sara -X GET {"code":401,"message":"Authorization failed: user= resource=/mgmt/shared/authz/users verb=GET uri: referrer:127.0.0.1...}

     

    HOWEVER, the user will be able to access other locations for instance, /mgmt/tm/sys/global-settings.

     

    [root@BIGIP1:Active:Standalone] config curl -k -u sara:sara -X GET {"kind":"tm:sys:global-settings:global-settingsstate","selfLink":";{/shared/} {/tmp/}","guiSecurityBanner":"enabled","guiSecurityBannerText":"Welcome to the BIG-IP Configuration Utility...}

     

    -> 11.6.1-HF2 && 11.6.2: You won't need to PATCH the user, it just works fine.

     

    [root@BIGIP1:Active:Standalone] tmp curl -k -u sara1:sara1 -X GET {"items":[{"name":"admin","displayName":"Admin User","encryptedPassword":"$6$DntkOc/...{"name":"sara1","displayName":"sara1","encryptedPassword":"$6$...Jk15h1D21","generation":1,"lastUpdateMicros":1516111211817525,"kind":"shared:authz:users:usersworkerstate","selfLink":";}],"generation":5,"kind":"shared:authz:users:userscollectionstate","lastUpdateMicros":1516111211824400,"selfLink":";}

     

    Hope it helps!