I’ve been using the BIG-IP REST API to read the configuration of LTM, and I wanted to reduce the risk of accidental changes. During my investigation I came across the post https://devcentral.f5.com/questions/read-only-access-to-icontrol-rest-api, which showed the way to configure role-based access control for the REST API.
I wanted to create a new rule for a read-only account (‘monitor’); the account is configured as Guest within BIG-IP. In order to do this I created a new access rule, for which you need the POST method:
curl -k -u admin:adminpass -X POST https://1.1.1.1/mgmt/shared/authz/roles -d @addRule.json
where addRule.json is:
{
  "name": "iControl_REST_API_monitor",
  "userReferences": [
    {"link": "https://localhost/mgmt/shared/authz/users/monitor"}
  ],
  "resources": [
    {"resourceMask": "/mgmt/tm/ltm", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*", "restMethod": "GET"}
  ]
}
This worked fine until I discovered I did not have enough depth in the rules to cover the data I wanted to retrieve. To update the rule you need the PUT method:
curl -k -u admin:adminpass -X PUT https://1.1.1.1/mgmt/shared/authz/roles/iControl_REST_API_monitor -d @updateRule.json
where updateRule.json is:
{
  "userReferences": [
    {"link": "https://localhost/mgmt/shared/authz/users/monitor"}
  ],
  "resources": [
    {"resourceMask": "/mgmt/tm/ltm", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*/*", "restMethod": "GET"},
    {"resourceMask": "/mgmt/tm/ltm/*/*/*/*/*/*", "restMethod": "GET"}
  ]
}
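The depth problem above comes from each `/*` in a resourceMask covering one more path level under `/mgmt/tm/ltm`. The following is an added example, not code from the original post or from F5: a small Python helper that generates the same kind of role body for any depth, and checks a list of URIs the read-only account needs against the masks before the body is pushed with curl. The matcher assumes that `*` matches exactly one path segment and that the mask and the URI must have the same number of segments; that is a working model for planning the rule, not a statement of BIG-IP's exact matching semantics. The sample URIs and the `uncovered` / `build_role_body` names are constructed for this example.

```python
"""Generate a read-only iControl REST role body and check URI coverage.

Added example, not from the original post. The per-segment wildcard
matching is an ASSUMED model of resourceMask behaviour.
"""
import json
from typing import Dict, List


def build_role_body(name: str, user: str, base: str = "/mgmt/tm/ltm",
                    depth: int = 4, methods=("GET",)) -> Dict:
    """Role body covering `base` plus `depth` levels of '/*' below it.

    depth=4 reproduces the five GET masks in the post's addRule.json;
    depth=6 reproduces the seven masks in updateRule.json.
    """
    resources = []
    for level in range(depth + 1):
        mask = base + "/*" * level
        for method in methods:
            resources.append({"resourceMask": mask, "restMethod": method})
    return {
        "name": name,
        "userReferences": [
            {"link": f"https://localhost/mgmt/shared/authz/users/{user}"}
        ],
        "resources": resources,
    }


def mask_matches(mask: str, path: str) -> bool:
    """Assumed semantics: '*' matches one path segment, segment counts must be equal.

    Query strings (e.g. ?expandSubcollections=true) are ignored for matching.
    """
    path = path.split("?", 1)[0]
    m_parts = mask.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(m_parts) != len(p_parts):
        return False
    return all(m == "*" or m == p for m, p in zip(m_parts, p_parts))


def uncovered(body: Dict, paths: List[str], method: str = "GET") -> List[str]:
    """URIs in `paths` that no mask in `body` allows for `method`."""
    masks = [r["resourceMask"] for r in body["resources"]
             if r["restMethod"] == method]
    return [p for p in paths if not any(mask_matches(m, p) for m in masks)]


# Constructed sample of URIs a monitoring account typically reads.
NEEDED = [
    "/mgmt/tm/ltm",
    "/mgmt/tm/ltm/virtual",
    "/mgmt/tm/ltm/virtual/~Common~vs_web",
    "/mgmt/tm/ltm/virtual/~Common~vs_web/profiles",
    "/mgmt/tm/ltm/pool/~Common~pool_web/members/~Common~10.0.0.1:80",
]


if __name__ == "__main__":
    shallow = build_role_body("iControl_REST_API_monitor", "monitor", depth=2)
    print("uncovered with depth=2:", uncovered(shallow, NEEDED))
    body = build_role_body("iControl_REST_API_monitor", "monitor", depth=4)
    print("uncovered with depth=4:", uncovered(body, NEEDED))
    # A GET-only role leaves every write method unmatched, which is the point.
    print("PATCH allowed?", uncovered(body, ["/mgmt/tm/ltm/virtual"], "PATCH") == [])
    # Save as addRule.json for: curl ... -X POST .../mgmt/shared/authz/roles -d @addRule.json
    print(json.dumps(body, indent=2))
```

Run it once with the URIs your monitoring job actually requests; anything returned by `uncovered` is a URI that would be denied until the depth is raised, and the PATCH check confirms that the role grants nothing beyond GET.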