Forum Discussion

Philip_Street_2 (Nimbostratus)
Feb 10, 2016

Read-only access to iControl REST API

We would like to have a scheduled background process to "scrape" configuration detail for all pools, nodes, monitors, virtual servers and iRules, into a structured format to be made available to our applications support / operations teams. We do not want to use an administrative account for this, i.e. one that can actually change configuration on the devices.


So, is it possible to have a user account with the necessary role / permissions configured such that the only thing they can do is perform read-only requests for object configuration?

Thanks,

Phil

9 Replies

  • Hi Phil,

    This is the PUT request I've just used to grant the guest user "Test" read-only access to my pool-related APIs:

    PUT https://1.1.1.1/mgmt/shared/authz/roles/iControl_REST_API_User

    {
      "userReferences": [
        {"link": "https://localhost/mgmt/shared/authz/users/Test"}
      ],
      "resources": [
        {"resourceMask": "/mgmt/tm/ltm/pool",       "restMethod": "GET"},
        {"resourceMask": "/mgmt/tm/ltm/pool/*",     "restMethod": "GET"},
        {"resourceMask": "/mgmt/tm/ltm/pool/*/*",   "restMethod": "GET"},
        {"resourceMask": "/mgmt/tm/ltm/pool/*/*/*", "restMethod": "GET"}
      ]
    }

    Cheers, Kai

  • Jon_Calalang_26 (Historic F5 Account)

    Not sure if you got this fully answered.

    The roles you are setting for users on the BIG-IP follow the GUI/REST interface. First you need to create a user; since you're doing Guest roles, giving them Guest access makes sense already =).

    After you have the account created, you need to get the selfLink to patch the group. Once the user is patched into the group, roles and rights should follow.

    Since this is your first account in the REST group, you will have to use admin to start.

    Finding the selfLink: GET https://{{big_iq_mgmt}}/mgmt/shared/authz/users

    Editing the group: PATCH https://{{big_iq_mgmt}}/mgmt/shared/authz/roles/iControl_REST_API_User Body:

    { "userReferences": [ { "link": "<selfLink of the user, taken from the GET above>" } ] }

    Verify your user is added. GET https://{{big_iq_mgmt}}/mgmt/shared/authz/users

    Try some REST calls =D

    I've also added these to a Postman collection here, with a few other things; remember to change your mgmt address: https://github.com/jmcalalang/BIG-IQ-Postman-Collections
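    The two replies above describe one procedure: find the user's selfLink with GET /mgmt/shared/authz/users (Jon), then write the iControl_REST_API_User role with GET-only resource masks (Kai). The script below is an added example, not code from the thread, from F5 or from the Postman collection linked above. It assumes placeholder values for the management address, the admin credentials and the target user name; the collection paths for nodes, monitors, virtual servers and iRules (/mgmt/tm/ltm/node, /monitor, /virtual, /rule) are the standard LTM paths and are assumed here, since Kai's reply only shows /mgmt/tm/ltm/pool; SAMPLE_USERS is a constructed stand-in for a real users response. It goes beyond Kai's pool-only grant by covering all five object types Phil asked to scrape, and it reads the role back to confirm nothing but GET was stored.

```python
"""Grant one BIG-IP user GET-only iControl REST access to the LTM objects
Phil listed.  Added example; host, credentials and user name below are
placeholders, and SAMPLE_USERS is a constructed response, not real output."""
import base64
import json
import ssl
import urllib.request

USERS_PATH = "/mgmt/shared/authz/users"
ROLE_PATH = "/mgmt/shared/authz/roles/iControl_REST_API_User"

# The collections the question asks to scrape: pools, nodes, monitors,
# virtual servers and iRules (node/monitor/virtual/rule paths assumed).
READ_ONLY_COLLECTIONS = (
    "/mgmt/tm/ltm/pool",
    "/mgmt/tm/ltm/node",
    "/mgmt/tm/ltm/monitor",
    "/mgmt/tm/ltm/virtual",
    "/mgmt/tm/ltm/rule",
)

# Constructed stand-in for what GET /mgmt/shared/authz/users returns;
# only the fields this script reads are included.
SAMPLE_USERS = {
    "items": [
        {"name": "admin", "selfLink": "https://localhost/mgmt/shared/authz/users/admin"},
        {"name": "Test", "selfLink": "https://localhost/mgmt/shared/authz/users/Test"},
    ]
}


def find_user_link(users_response, name):
    """Return the selfLink of `name` from a GET users reply.

    Raises KeyError instead of returning None so a mistyped user name
    cannot silently produce a role with an empty or wrong reference.
    """
    for item in users_response.get("items", []):
        if item.get("name") == name:
            return item["selfLink"]
    raise KeyError(f"user {name!r} not found under {USERS_PATH}")


def build_readonly_role(user_links, collections=READ_ONLY_COLLECTIONS, depth=3):
    """Build the role body Kai's PUT sends, for several collections.

    For each collection this emits the mask for the collection itself plus
    /*, /*/* and /*/*/* (so members and sub-collections are readable),
    every one restricted to restMethod GET.  No other verb ever appears.
    """
    resources = []
    for base in collections:
        for level in range(depth + 1):
            resources.append({"resourceMask": base + "/*" * level,
                              "restMethod": "GET"})
    return {"userReferences": [{"link": link} for link in user_links],
            "resources": resources}


def role_is_read_only(role):
    """True when a role body has resources and every one permits only GET.

    Run this against the role as read back from the device, not just the
    body you sent, so the check reflects what was actually stored.
    """
    resources = role.get("resources", [])
    return bool(resources) and all(r.get("restMethod") == "GET" for r in resources)


def _call(host, method, path, admin_user, admin_password, body=None):
    """One JSON request with Basic auth; the admin account is needed for the
    first grant, as Jon notes.  Certificate checking stays on: load the
    device CA with ctx.load_verify_locations() rather than disabling it."""
    cred = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{host}{path}", data=data, method=method)
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def grant_readonly(host, admin_user, admin_password, target_user):
    """GET the selfLink, PUT the role, read it back, confirm GET-only.

    PUT replaces the whole role, so every user who should keep it must be
    in user_links; include the existing references too if there are any.
    """
    users = _call(host, "GET", USERS_PATH, admin_user, admin_password)
    body = build_readonly_role([find_user_link(users, target_user)])
    _call(host, "PUT", ROLE_PATH, admin_user, admin_password, body)
    stored = _call(host, "GET", ROLE_PATH, admin_user, admin_password)
    return role_is_read_only(stored)


if __name__ == "__main__":
    # Placeholder values; replace before running against a device.
    ok = grant_readonly("bigip.example.invalid", "admin", "ADMIN_PASSWORD", "Test")
    print("read-only role applied and verified" if ok else "role is NOT read-only")
```

    Two points worth keeping in mind when adapting it: the masks are the only thing standing between the scraper account and the rest of /mgmt/tm, so add a collection only when the scraper actually needs it, and because PUT rewrites the whole role, re-sending it with one user silently drops any other user previously referenced in iControl_REST_API_User.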

  • Do things change or get any better with version 12.x? Is it really that nearly impossible to set up a read-only user for the iControl REST API? Our users, other than the main admin account, are not local accounts. They are authenticated on a remote (ACS) server.

    We need to provide API access for some groups who would like to check the status of resources. I know this will grow to providing users update access to certain objects, but starting with read-only would help a lot.

    I defined a user as 'guest' role. I look at the structures and it appears to be defined like other accounts, which seem to be full access. But perhaps it is no access, as that is how it seems to behave.

    I would want to generate a token for this read-only user that could then be used.

  • Hoping that there is a guide to set up a read-only service account to use this iControl REST API. There seems to be an assumption that anyone using this needs to have all rights to do anything they wish. On the contrary, we can't allow this to be free rein and need to be able to establish users with rights to access specific resources / modules.

    For those of us with very limited background with REST API, any resource would be much appreciated.

    Thanks.

    • Gym (Cirrus)

      I heartily agree with Brad. "REST-API Reader" should just be another role in the drop-down list when creating a new user. The need for various GUI and CLI roles is already recognised, and it applies to API as well.