0_169403
Nov 19, 2014

Using iControl user with Manager role unable to create a pool

Hello,

 

I've created a user with the Manager role and a separate partition on F5 LTM (11.5.1), and while trying to create a pool using the API as below, it fails. Please look into it and guide me to get this working.

 

curl -k -u www01:abcd123 -H "Content-Type: application/json" -X POST -d '{"name":"testapi-pool","partition":"test-part","members":[ {"name":"192.168.25.32:80","description":"first member"} ]' https://192.168.0.1/mgmt/tm/ltm/pool

 

{"code":401,"message":"Authorization failed: user=www01 resource=/mgmt/tm/ltm/pool verb=POST Uri:"> Referer:null","originalRequestBody":"{\"name\":\"testapi-pool\",\"partition\":\"test-part\",\"members\":[ {\"name\":\"192.168.25.32:80\",\"description\":\"first member\"} ]","restOperationId":22177828,"errorStack":["java.lang.SecurityException: Authorization failed: user=www01 resource=/mgmt/tm/ltm/pool verb=POST Uri:"> Referer:null","at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:370)","at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:150)","at com.f5.rest.workers.ForwarderPassThroughWorker.onPost(ForwarderPassThroughWorker.java:300)","at com.f5.rest.common.RestWorker$4.run(RestWorker.java:638)","at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)","at java.lang.Thread.run(Unknown Source)\n"]}

 

Thanks, Raj

 

3 Replies

  • R_Marc
    There is no RBAC on iControl. (I gripe about that constantly to my F5 sales folk.) No ETA on when it'll get added.
  • 11.6 now uses RBAC for admins: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0.pdf
  • R_Marc
    Sorry, I should have clarified. You are correct, an admin local role can now use iControl, as long as you manage all your users locally. If you manage your users via AD/RADIUS/etc., the only user that can use iControl is admin (even if you create local admin users). At least that's my experience. 11.6 HF1.
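
An added example, not part of the thread or of F5's tooling: a small Python triage of the error body quoted in the question. It pulls the user, resource and verb out of the authorization failure and separately checks the echoed `originalRequestBody`, whose JSON lacks a closing brace. The sample response is trimmed from the one in the question, and the names `triage`, `SAMPLE` and `AUTHZ_RE` are hypothetical.

```python
import json
import re

# Constructed sample: the response from the question with errorStack shortened
# and the garbled "Uri:" fragment left out.
SAMPLE = json.dumps({
    "code": 401,
    "message": "Authorization failed: user=www01 resource=/mgmt/tm/ltm/pool verb=POST",
    "originalRequestBody": '{"name":"testapi-pool","partition":"test-part",'
                           '"members":[ {"name":"192.168.25.32:80",'
                           '"description":"first member"} ]',
    "errorStack": ["java.lang.SecurityException: Authorization failed"],
})

# Matches the message format seen in the quoted response (assumed stable).
AUTHZ_RE = re.compile(r"Authorization failed: user=(\S+) resource=(\S+) verb=(\S+)")


def triage(raw):
    """Classify an error body and report whether the echoed request parses as JSON."""
    resp = json.loads(raw)
    result = {"code": resp.get("code"), "kind": "other", "body_valid_json": None}

    # Role/permission denial: record who was refused what.
    match = AUTHZ_RE.search(resp.get("message", ""))
    if match:
        result["kind"] = "authorization"
        result["user"], result["resource"], result["verb"] = match.groups()

    # Independent check: is the body the client sent well-formed JSON?
    body = resp.get("originalRequestBody")
    if body is not None:
        try:
            json.loads(body)
            result["body_valid_json"] = True
        except json.JSONDecodeError as exc:
            result["body_valid_json"] = False
            result["body_error"] = f"{exc.msg} at char {exc.pos}"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```
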