Forum Discussion

wuench_99164
Aug 04, 2016

iWorkflow 2.0 - Allowed REST URI Mask in User Roles

What are the rules to enter the "Allowed REST URI Mask" under User Roles in iWorkflow? Can we put asterisks anywhere? Does it allow reg-ex?


It looks like even the example URI in the dialog doesn't work, when you get to the dash in device-groups a red square pops up marking the entry as invalid.


  • Eric_Chen_12394
    Historic F5 Account

    When I've tested this out I also see the red square, but I'm still able to save the URI Mask. Here's an example for limiting access to only allow adding/removing pool members. Replace the UUID / partition / pool name with your own values.

    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys
    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool
    GET, POST   /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/
    GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/*

    Another example with asterisks (an asterisk replaces the entire path segment; it does not appear to allow partial paths):

    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/sys
    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool
    GET         /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*
    GET, POST   /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/
    GET, DELETE /mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/[UUID]/rest-proxy/mgmt/tm/ltm/pool/*/members/*

    • wuench_99164

      Thanks Eric. I need to up/down pool members right now so those more specific calls will work for my use case.


    • Eric_Chen_12394
      Historic F5 Account

      Likely the only change from my example is that you will need to remove POST and add PUT/PATCH instead of DELETE. For the example above I started by using the F5 Python SDK to generate the commands that I wanted as admin first, then changed to a role user and kept adding each URI that threw an exception.


      Text: u'{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/docker resource=/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/891a87fb-b592-4fea-ae0f-f1590836027c/rest-proxy/mgmt/tm/ltm/pool/~Docker~www_pool/members/~Docker~10.1.10.10:32801 verb=GET uri:http://localhost:8100/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices/devices/.../rest-proxy/mgmt/tm/ltm/pool/~Docker~www_...


      At the time that I did this I had to also patch the F5 Python SDK to support iWorkflow rest-proxy: https://github.com/F5Networks/f5-common-python/issues/549
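A worked example added to this thread, not part of any post and not iWorkflow's or the F5 Python SDK's own code. It does two things the replies above describe: it evaluates a request (verb, path) against a list of URI masks using the semantics Eric observed (an asterisk stands for one whole path segment, partial segments are not supported, and [UUID] is a placeholder for the device id), and it parses "Authorization failed" messages of the shape quoted above to list the exact mask lines a role is still missing, which is how Eric built his role incrementally. The segment-count rule and the literal comparison of non-asterisk segments are assumptions about how iWorkflow matches; the device UUID is the one from the quoted 401 text, and the sample denial messages are constructed.

```python
import re

# Device UUID taken from the 401 text quoted in the thread; masks use the
# [UUID] placeholder exactly as the forum examples do.
DEVICE_UUID = "891a87fb-b592-4fea-ae0f-f1590836027c"
PREFIX = ("/mgmt/shared/resolver/device-groups/cm-cloud-managed-devices"
          "/devices/[UUID]/rest-proxy/mgmt/tm")

# Eric's asterisk example, transcribed as (verbs, mask) pairs.
POOL_MEMBER_MASKS = [
    ("GET",         PREFIX + "/sys"),
    ("GET",         PREFIX + "/ltm/pool"),
    ("GET",         PREFIX + "/ltm/pool/*"),
    ("GET, POST",   PREFIX + "/ltm/pool/*/members/"),
    ("GET, DELETE", PREFIX + "/ltm/pool/*/members/*"),
]


def _segments(path):
    """Split a URI path into non-empty segments; '/a/b/' and '/a/b' compare equal."""
    return [s for s in path.split("?", 1)[0].split("/") if s]


def mask_matches(mask, path, uuid=DEVICE_UUID):
    """Assumption: '*' matches exactly one whole segment, segment counts must be
    equal, and a partial segment such as '~Docker~*' is compared literally."""
    want = _segments(mask.replace("[UUID]", uuid))
    have = _segments(path)
    return len(want) == len(have) and all(w == "*" or w == h for w, h in zip(want, have))


def is_allowed(verb, path, masks=POOL_MEMBER_MASKS, uuid=DEVICE_UUID):
    """True if some mask line lists the verb and its path mask matches the path."""
    verb = verb.upper()
    for verbs, mask in masks:
        permitted = {v.strip().upper() for v in verbs.split(",")}
        if verb in permitted and mask_matches(mask, path, uuid):
            return True
    return False


# Shape of the 401 body quoted in the thread: "... user=<u> resource=<r> verb=<v> ..."
_DENIAL_RE = re.compile(r"Authorization failed: user=(\S+) resource=(\S+) verb=(\S+)")


def parse_denial(message):
    """Return (verb, resource path) from an iWorkflow 401 message, or None."""
    m = _DENIAL_RE.search(message)
    return (m.group(3).upper(), m.group(2)) if m else None


def uncovered_masks(messages, masks, uuid=DEVICE_UUID):
    """For each denial not covered by `masks`, return the (verb, mask) line you
    would paste into the dialog, with the device id folded back to [UUID].
    Exact paths rather than asterisks, so the role grows one resource at a time."""
    out = []
    for msg in messages:
        parsed = parse_denial(msg)
        if parsed is None:
            continue
        verb, path = parsed
        if not is_allowed(verb, path, masks, uuid):
            line = (verb, path.replace(uuid, "[UUID]"))
            if line not in out:
                out.append(line)
    return out


# Constructed sample messages, shaped like the 401 text quoted in the thread.
_MEMBER = PREFIX.replace("[UUID]", DEVICE_UUID) + "/ltm/pool/~Docker~www_pool/members/~Docker~10.1.10.10:32801"
SAMPLE_DENIALS = [
    '{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/docker '
    'resource=' + _MEMBER + ' verb=GET uri:http://localhost:8100/..."}',
    '{"code":401,"message":"Authorization failed: user=https://localhost/mgmt/shared/authz/users/docker '
    'resource=' + _MEMBER + ' verb=PATCH uri:http://localhost:8100/..."}',
]

if __name__ == "__main__":
    # GET on a member is covered by the last mask line; PATCH is not, so only
    # the PATCH line is reported as a mask still to be added.
    for verb, mask in uncovered_masks(SAMPLE_DENIALS, POOL_MEMBER_MASKS):
        print(verb, mask)
```

Running the block prints one line, the PATCH mask for the member resource, because the GET denial from the quoted message is already covered once the `members/*` line is present. Dropping the last mask line makes the GET denial reappear, which mirrors the add-a-URI-per-exception loop Eric describes; and a mask like `.../pool/~Docker~*` never matches under these rules, matching his note that partial path segments are not supported.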