1

I'm trying to interact with an F5 load balancer using the REST api. I have verified that iControl is enabled, however when I try and run a command, I am told that I am unauthorized. 

curl -k -u someone -H "Content-Type: application/json" -X GET https://f5.example.com/mgmt/
Enter host password for user 'someone':
{"code":404,"message":"http://localhost:8100/mgmt/","restOperationId":202459,"errorStack":["com.f5.rest.common.RestWorkerUriNotFoundException: http://localhost:8100/mgmt/","at com.f5.rest.common.RestServer.trySendInProcess(RestServer.java:231)","at com.f5.rest.common.RestRequestReceiver.dispatchToService(RestRequestReceiver.java:93)","at com.f5.rest.common.RestRequestReceiver.processNext(RestRequestReceiver.java:57)","at com.f5.rest.common.RestHelper$2.run(RestHelper.java:1910)","at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)","at java.lang.Thread.run(Thread.java:722)\n"]}

My user is authenticated against Active Directory.

Do I need to explicitly grant user access to use the REST api?
Do I need to have a local account?

Update

Here is another example

The user 'someone' does in fact exist since that is how I login to the web portal. 

curl -k -u someone -H "Content-Type: application/json" -X GET https://f5.example.com/mgmt/tm/sys
Enter host password for user 'someone':
{"code":401,"message":"Authorization failed: no user named someone found. Uri:http://localhost:8100/mgmt/tm/sys Referer:null","restOperationId":869853,"errorStack":["java.lang.SecurityException: Authorization failed: no user named someone found. Uri:http://localhost:8100/mgmt/tm/sys Referer:null","at com.f5.rest.workers.ForwarderWorker.evaluatePermission(ForwarderWorker.java:411)","at com.f5.rest.workers.ForwarderPassThroughWorker.onForward(ForwarderPassThroughWorker.java:191)","at com.f5.rest.workers.ForwarderPassThroughWorker.onGet(ForwarderPassThroughWorker.java:321)","at com.f5.rest.common.RestWorker.callDerivedRestMethod(RestWorker.java:735)","at com.f5.rest.common.RestWorker.callRestMethodHandler(RestWorker.java:702)","at com.f5.rest.common.RestServer.processQueuedRequests(RestServer.java:1092)","at com.f5.rest.common.RestServer.access$000(RestServer.java:45)","at com.f5.rest.common.RestServer$1.run(RestServer.java:136)","at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)","at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)","at java.lang.Thread.run(Thread.java:722)\n"]}
spuder
  • 1,695
  • 2
  • 25
  • 42

2 Answers2

1

The rest interface does not authenticate using the normal F5 methods you have configured. If you want to do this, you have to create a virtual server with the F5 as the pool member, then right some irules to strip out the rest user, pass that to your authentication...lots of code later.. success.

Rest uses a user and role local to its processes on the f5. You create the user via tmos, then associate it to the iControl_REST_API_User role via PATCH.

Chad
  • 11
  • 1
  • Thanks, is this documented anywhere? This sounds really hacky for an officially supported feature. – spuder May 13 '15 at 21:34
0

For iControl REST remote authentication support, please see this article on F5's DevCentral.

Jason Rahm
  • 396
  • 1
  • 6