Bug ID 477933: Access Profile Validation Improvement

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP APM, Install/Upgrade(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3

Fixed In:
12.0.0

Opened: Sep 04, 2014

Severity: 3-Major

Symptoms

Before the APM 12.0 release, BIG-IP allowed you to create incorrect APM configurations using tmsh scripts or by importing inconsistent configuration files.

Impact

Incorrect access policy definitions lead to errors at run time or, in some cases, to APM daemon (APMD) crashes.

Conditions

It was possible to create isolated access policies or access policy items that are not referenced by other APM configuration objects. It was possible to define an access policy with incorrect definitions for default actions. In some cases, access policy items might use nonexistent agents.

Workaround

None

Fix Information

Now, full validation is performed when an access policy is created or modified. No single access policy or access policy item can exist without an explicit reference to it from an access profile or access policy.

Improved validation necessitates that all operations to create or modify an access policy definition be performed in a single transaction. When using tmsh from the command line, this can be effected in a batch mode transaction. In Perl, Python, or Tcl scripts where the tmsh interface is used, explicit transaction commands must be added to begin and commit the transaction.

Here is an example Tcl script.

    proc script::run {} {
        tmsh::begin_transaction
        tmsh::create apm profile access /Common/test { access-policy /Common/test }
        tmsh::create apm policy access-policy /Common/test { default-ending /Common/test_end_allow items add { /Common/test_end_allow { } /Common/test_ent { } } start-item /Common/test_ent }
        tmsh::create apm policy policy-item /Common/test_end_allow { agents add { /Common/test_end_allow_ag { type ending-allow } } caption Allow color 1 item-type ending }
        tmsh::create apm policy policy-item /Common/test_ent { caption Start color 1 rules { { caption fallback next-item /Common/test_end_allow } } }
        tmsh::create apm policy agent ending-allow /Common/test_end_allow_ag { }
        tmsh::commit_transaction
    }

Without the commands tmsh::begin_transaction and tmsh::commit_transaction, validation would find unresolved references and the script would fail.
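The reference rules described under Conditions and Fix Information can be checked offline before a configuration is scripted or imported. The following is an added example, not F5 code and not the BIG-IP validator: the dict layout, the validate function and the BAD sample are assumptions made for illustration, and GOOD mirrors the objects created by the Tcl script.

```python
import copy

def validate(cfg):
    """Return sorted problems found in a dict model of APM access policy objects."""
    profiles, policies = cfg.get("profiles", {}), cfg.get("policies", {})
    items, agents = cfg.get("items", {}), cfg.get("agents", {})
    problems = []
    # Every access policy must be referenced by an access profile.
    used_policies = {p["access-policy"] for p in profiles.values() if p.get("access-policy")}
    for name in sorted(used_policies - set(policies)):
        problems.append(f"profile references nonexistent policy {name}")
    for name in policies:
        if name not in used_policies:
            problems.append(f"policy {name} is not referenced by any profile")
    # default-ending must be one of the policy's own items (assumed reading
    # of "incorrect definitions for default actions").
    used_items = set()
    for name, pol in policies.items():
        listed = set(pol.get("items", []))
        used_items |= listed
        for missing in sorted(listed - set(items)):
            problems.append(f"policy {name} lists nonexistent item {missing}")
        if pol.get("default-ending") not in listed:
            problems.append(f"policy {name} has invalid default-ending {pol.get('default-ending')}")
    # Items must not be isolated and must only use agents that exist.
    for name, item in items.items():
        if name not in used_items:
            problems.append(f"item {name} is not referenced by any policy")
        for agent in item.get("agents", []):
            if agent not in agents:
                problems.append(f"item {name} uses nonexistent agent {agent}")
    return sorted(problems)

# Same objects as the Tcl script, expressed in the assumed dict model.
GOOD = {
    "profiles": {"/Common/test": {"access-policy": "/Common/test"}},
    "policies": {"/Common/test": {"default-ending": "/Common/test_end_allow",
                                  "items": ["/Common/test_end_allow", "/Common/test_ent"]}},
    "items": {"/Common/test_end_allow": {"agents": ["/Common/test_end_allow_ag"]},
              "/Common/test_ent": {}},
    "agents": {"/Common/test_end_allow_ag": {"type": "ending-allow"}},
}
# Constructed bad input: isolated item, nonexistent agent, wrong default-ending.
BAD = copy.deepcopy(GOOD)
BAD["items"]["/Common/orphan"] = {"agents": ["/Common/missing_ag"]}
BAD["policies"]["/Common/test"]["default-ending"] = "/Common/test_end_deny"

if __name__ == "__main__":
    print("\n".join(validate(BAD)) or "no problems")
```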

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips