Forum Discussion

AlanMoen
Oct 15, 2018

iControl REST Permissions to enable/disable pool member

I've gone through numerous articles here and cannot find the answer. I'm basing my latest attempts on the iControl REST Fine-Grained Role Based Access Control article.


I have created a custom role and added the test user (admyapp) to it:


{
    "description": "Custom REST API Proxy role, added via iControl",
    "generation": 18,
    "kind": "shared:authz:roles:rolesworkerstate",
    "lastUpdateMicros": 1539617772546334,
    "name": "iControl_myapp_operator",
    "resources": [
        {
            "resourceMask": "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80",
            "restMethod": "PATCH"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/*",
            "restMethod": "PATCH"
        }
    ],
    "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_myapp_operator",
    "userReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/users/admyapp"
        }
    ]
}

Note that I have also tried this with PUT as the "restMethod" with the same results.


I want the user to be able to control the pool member enabled/disabled state in the /myapp partition. When I run my (perl) code using the admin ID, it works:


{
  'partition' => 'Common',
  'fqdn' => {
              'autopopulate' => 'disabled'
            },
  'session' => 'user-disabled',
  'inheritProfile' => 'enabled',
  'ratio' => 1,
  'logging' => 'disabled',
  'connectionLimit' => 0,
  'dynamicRatio' => 1,
  'rateLimit' => 'disabled',
  'address' => '192.168.110.55',
  'state' => 'user-down',
  'ephemeral' => 'false',
  'kind' => 'tm:ltm:pool:members:membersstate',
  'generation' => 9884,
  'priorityGroup' => 0,
  'fullPath' => '/Common/node-temp-myapp-My_node:80',
  'monitor' => 'default',
  'name' => 'node-temp-myapp-My_node:80',
  'selfLink' => 'https://localhost/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80?ver=12.1.2'
}

But when I run it (exact same code) under the admyapp ID it fails:


{
  'code' => 400,
  'apiError' => 3,
  'message' => '01070822:3: Access Denied: user (admyapp) does not have modify access to attribute (pool_member_description) of object (pool_member)',
  'errorStack' => []
}

I'm running BIGIP 12.1.2 and am using Token authentication. In the GUI, this ID also has the Operator role for both the /Common and /myapp partitions. The nodes were created in the /Common partition but the pool is in the /myapp partition.


Before anyone asks, here's the section of perl code I use to disable the pool member; since it works as an admin user, I'm sure the problem isn't there.


use strict; use warnings;
use JSON qw(decode_json);

# $LTMClient is assumed to be a REST::Client object and $LTMToken the iControl REST token obtained earlier.
my $URI  = "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80";
my $json = "{\"state\":\"user-down\", \"session\":\"user-disabled\"}";

# Disable the pool member with PUT (the call that fails for the non-admin user).
$LTMClient->PUT( $URI, $json, {"X-F5-Auth-Token"=>$LTMToken, "Content-Type"=>"application/json"} );
my $disableDecoded = decode_json( $LTMClient->responseContent() );

I'm sure I'm missing something obvious here - help?


2 Replies

  • Note also that the ID is a local ID - no external authentication.


  • I have found the answer. Turns out that when I used the PATCH command when calling the API, the calls work. Apparently admin access is such that it doesn't matter if it's a PUT or a PATCH but non-admin access is different. Note that I did have PUT in the "restMethod" and in the API call but that didn't work. Having PATCH in the role and using PATCH for the API did it. That lightbulb didn't come on for me until I made the above post and thought about it some more.


    I hope this helps someone else.
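The following is an added example, not code from the original post or from F5: it builds the fine-grained role body with PATCH as the granted method, builds the pool-member URI and the disable/enable bodies, runs a local pre-flight check that the role's resourceMask actually covers the method the client is about to send (the mismatch the thread ran into), and then sends the PATCH with token authentication. The host name is a placeholder, `role_permits` assumes masks match exactly or by prefix when they end in `*` (the two forms shown in the role above), and the enable values `user-up`/`user-enabled` are standard iControl REST values not shown in the thread.

```python
import json
import urllib.request

# Constructed values taken from the thread; the host is a placeholder.
BIGIP_HOST = "bigip.example.invalid"
POOL_PATH = "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii"


def role_definition(role_name, user_name, pool_path, method="PATCH"):
    """Body for /mgmt/shared/authz/roles/<role_name>.

    Only the method the client will actually send is granted; the thread shows
    that a PUT grant did not make a non-admin PUT succeed, while PATCH did.
    """
    return {
        "name": role_name,
        "description": "Custom REST API Proxy role, added via iControl",
        "resources": [
            {"resourceMask": f"{pool_path}/members/*", "restMethod": method},
        ],
        "userReferences": [
            {"link": f"https://localhost/mgmt/shared/authz/users/{user_name}"},
        ],
    }


def member_uri(pool_path, partition, member_name):
    """Pool-member URI; '/' inside an object name is written as '~'
    (as in the selfLink values in the thread)."""
    return f"{pool_path}/members/~{partition}~{member_name}"


def disable_body():
    """Gracefully disable: no new connections or persisted sessions."""
    return {"state": "user-down", "session": "user-disabled"}


def enable_body():
    """Re-enable (standard iControl REST values, not shown in the thread)."""
    return {"state": "user-up", "session": "user-enabled"}


def role_permits(role, method, uri):
    """Local pre-flight check of a role body against a planned call.

    Assumption: a resourceMask matches the URI exactly, or by prefix when it
    ends in '*' (the two forms used in the thread). Catches a method/mask
    mismatch before any round trip to the BIG-IP.
    """
    for res in role["resources"]:
        if res["restMethod"] != method:
            continue
        mask = res["resourceMask"]
        if mask.endswith("*") and uri.startswith(mask[:-1]):
            return True
        if mask == uri:
            return True
    return False


def patch_member(host, token, uri, body):
    """Send the PATCH with the X-F5-Auth-Token header; return the decoded reply."""
    req = urllib.request.Request(
        f"https://{host}{uri}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"X-F5-Auth-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    role = role_definition("iControl_myapp_operator", "admyapp", POOL_PATH)
    uri = member_uri(POOL_PATH, "Common", "node-temp-myapp-My_node:80")
    for method in ("PUT", "PATCH"):
        print(method, "allowed by role:", role_permits(role, method, uri))
    # With a real host and token, disable the member:
    # print(patch_member(BIGIP_HOST, "<token>", uri, disable_body()))
```

The pre-flight check is the part worth keeping around: it reproduces the role/method mismatch offline, so a script that is about to send PUT against a role that only grants PATCH fails locally with a clear reason instead of with the "Access Denied" 400 shown above.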