Forum Discussion

thiezn_180250
Jun 07, 2016

iControl REST Access to specific partitions only

Hello,

We would like to create a user account for the iControl REST API that is only allowed to access/create resources in a specific partition. This would allow us to give specific application groups access to only their resources.

I've already managed to create a new role that only allows access to certain resources by POSTing a new group to and tried to add the $filter parameter to the relevant resourceMasks like this:

{"name": "restricted-api-access",
 "userReferences": [{"link": user_reference}],
 "resources": [
     {"resourceMask": "/mgmt/tm/ltm/*$filter=partition%20eq%20VPN*", "restMethod": "GET"},
     {"resourceMask": "/mgmt/tm/ltm/*/*$filter=partition%20eq%20VPN*", "restMethod": "GET"},
     {"resourceMask": "/mgmt/tm/ltm/*/*/*$filter=partition%20eq%20VPN*", "restMethod": "GET"},
     {"resourceMask": "/mgmt/tm/ltm/*/*/*/*$filter=partition%20eq%20VPN*", "restMethod": "GET"}
 ]
}

Unfortunately the resourceMask doesn't respect the $filter parameter. Is there another way to restrict this?

edit: I'm able to allow access to a specific resource in a partition using the following, but this still won't allow me to create new items in a specific partition only:

{"resourceMask": "/mgmt/tm/ltm/pool/~VPN~testpool", "restMethod": "GET"}

Cheers, Mathijs


  • Hello,

    When you create the new user you can specify which partition he can see: create auth user user_partition1 partition-access add { partition1 { role manager }}

    This is documented in the REST user guide if you want the full example.

  • Hello Arnaud, thanks for the reply.

    I tried this indeed, but it seems the rights assigned to the user during user creation have no effect on the permissions on the iControl REST API. The user is created in partition VPN and only has manager permissions on the VPN partition.

    Then when I retrieve for instance /mgmt/tm/ltm/pool I am still getting back pool members in the Common partition:

    curl -k -u api-test:password -X GET https://f5apm01/mgmt/tm/ltm/pool
    
    {"kind":"tm:ltm:pool:poolcollectionstate",
     "selfLink":"https://localhost/mgmt/tm/ltm/pool?ver=12.1.0",
      "items":[{"kind":"tm:ltm:pool:poolstate",
                "name":"test-pool-api-common",
                "partition":"Common"},
                {"kind":"tm:ltm:pool:poolstate",
                 "name":"euremoteuat.rabobank.com-AD_Auth-pool",
                 "partition":"VPN","fullPath":"/VPN/euremoteuat.rabobank.com-AD_Auth-pool", ...}]
       ...data truncated...}
    
    • Arnaud_Lemaire
      That is expected behavior: the Common partition is available to everyone. The user has access to Common and the VPN partition, so the REST call will respond with everything, like in the GUI if you had selected partition VPN = Common + VPN. Now I better understand: you are looking for a way that a partition user can access only the partition and not Common, is that correct?
    • thiezn_180250
      Yes, that's correct. We would like to prevent them from accessing or creating objects in the Common partition. For instance, we maintain the device sync, routing, logging, etc. in the Common partition and want to avoid the users making any changes to this.
    • Piotr_Bratkows3

      @thiezn Did you manage to resolve this issue? I'm struggling with a similar problem: I have a user with the Operator role and it is still able to create objects in the Common partition.

      Regards, Piotr

  • If you assign the Manager user role and limit their access to a specific partition, they can still see the common objects but cannot change them.


    >>> import requests
    >>> requests.packages.urllib3.disable_warnings()
    >>> from f5.bigip import ManagementRoot
    >>> b = ManagementRoot('192.168.102.5', 'user_mgr', 'letmein00', token=True)
    >>> pools = b.tm.ltm.pools.get_collection()
    >>> for x in pools:
    ...     print '{0}/{1}'.format(x.partition, x.name)
    ...     
    Common/checkityo
    Common/myNewPool2
    Common/myNewPool222
    Common/mynewpool22
    Common/priTest
    Common/testpool
    
     Load existing pool
    >>> p1 = b.tm.ltm.pools.pool.load(name='checkityo', partition='Common')
     Check existing LB method
    >>> p1.loadBalancingMode
    u'round-robin'
     Change it
    >>> p1.loadBalancingMode = 'ratio-member'
     Try to update the 'Common' object; it will fail
    >>> p1.update()
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/Users/rahm/venv_bucketlist/lib/python2.7/site-packages/f5/bigip/resource.py", line 594, in update
        self._update(**kwargs)
      File "/Users/rahm/venv_bucketlist/lib/python2.7/site-packages/f5/bigip/resource.py", line 567, in _update
        **requests_params)
      File "/Users/rahm/venv_bucketlist/lib/python2.7/site-packages/icontrol/session.py", line 272, in wrapper
        raise iControlUnexpectedHTTPError(error_message, response=response)
    iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://192.168.102.5:443/mgmt/tm/ltm/pool/~Common~checkityo/
    Text: u'{"code":400,"message":"01070822:3: Access Denied:  User (user_mgr) may not modify objects in partition (Common)","errorStack":[],"apiError":3}'
    
     Create a pool in 'biz_crit' partition; it should work
    >>> pool = b.tm.ltm.pools.pool.create(name='newpool', partition='biz_crit')
    
     Verify it now exists
    >>> b.tm.ltm.pools.pool.exists(name='newpool', partition='biz_crit')
    True
    
     Try to create a pool in 'Common'; it will fail
    >>> pool = b.tm.ltm.pools.pool.create(name='anothernewpool', partition='Common')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/Users/rahm/venv_bucketlist/lib/python2.7/site-packages/f5/bigip/resource.py", line 933, in create
        return self._create(**kwargs)
      File "/Users/rahm/venv_bucketlist/lib/python2.7/site-packages/f5/bigip/resource.py", line 900, in _create
        response = session.post(_create_uri, json=kwargs, **requests_params)
      File "/Users/rahm/venv_bucketlist/lib/python2.7/site-packages/icontrol/session.py", line 272, in wrapper
        raise iControlUnexpectedHTTPError(error_message, response=response)
    iControlUnexpectedHTTPError: 400 Unexpected Error: Bad Request for uri: https://192.168.102.5:443/mgmt/tm/ltm/pool/
    Text: u'{"code":400,"message":"01070822:3: Access Denied:  User (user_mgr) may not modify objects in partition (Common)","errorStack":[],"apiError":3}'
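An added example, not from the thread or from F5: a small audit script for what a partition-restricted REST user can actually read and write. Reads use the $filter query from the question on a plain GET (which the API honours, unlike inside a resourceMask); writes are classified by the 01070822 Access Denied error seen in the session above. FakeBigIP is a constructed stand-in that answers the way the thread's BIG-IP did; to run it against a real device, replace it with an object whose get/post wrap an authenticated requests session and return (status, json).

```python
from urllib.parse import quote

DENIED_CODE = "01070822"  # BIG-IP: "User (x) may not modify objects in partition (y)"


def pool_collection_url(base, partition):
    """GET URL with the $filter from the thread; items must still be checked client-side."""
    return f"{base}/mgmt/tm/ltm/pool?$filter={quote(f'partition eq {partition}')}"


def foreign_items(collection, partition):
    """Names of pools the user can read outside its own partition (Common is expected)."""
    return [i["name"] for i in collection.get("items", []) if i.get("partition") != partition]


def is_partition_denied(status, body):
    """True when BIG-IP refused a write on partition-access grounds (error 01070822)."""
    return status == 400 and str(body.get("message", "")).startswith(DENIED_CODE)


def audit_user_scope(session, base, partition):
    """Probe what a partition-restricted user can read and write; returns a summary dict."""
    _, coll = session.get(pool_collection_url(base, partition))
    write = {}
    for target in ("Common", partition):  # a write to Common must come back denied
        st, body = session.post(f"{base}/mgmt/tm/ltm/pool",
                                {"name": "scope-probe", "partition": target})
        write[target] = ("denied" if is_partition_denied(st, body)
                         else "ok" if st == 200 else f"http {st}")
    return {"readable_outside": foreign_items(coll, partition), "write": write}


class FakeBigIP:
    """Constructed stand-in for a requests session: get/post return (status, json)."""
    def __init__(self, user_partition):
        self.user_partition = user_partition

    def get(self, url):  # as in the thread: Common pools come back alongside the user's own
        return 200, {"items": [{"name": "test-pool-api-common", "partition": "Common"},
                               {"name": "AD_Auth-pool", "partition": self.user_partition}]}

    def post(self, url, body):  # as in Rahm's session: writes outside the partition get 01070822
        if body["partition"] != self.user_partition:
            return 400, {"code": 400, "message": f"{DENIED_CODE}:3: Access Denied:  User "
                         f"(api-test) may not modify objects in partition ({body['partition']})"}
        return 200, dict(body, fullPath=f"/{body['partition']}/{body['name']}")


if __name__ == "__main__":
    print(audit_user_scope(FakeBigIP("VPN"), "https://f5apm01", "VPN"))
```

A non-empty readable_outside list is the expected "Common is visible" behaviour Arnaud describes; the thing to alarm on is write["Common"] being anything other than "denied".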