Bug ID 718796: IControl REST token issue after upgrade

Last Modified: Sep 23, 2021

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 13.1.3.5, 13.1.3.6, 13.1.4, 13.1.4.1, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4, 15.1.0.5, 15.1.1, 15.1.2, 15.1.2.1, 15.1.3, 15.1.3.1, 15.1.4

Opened: May 07, 2018
Severity: 2-Critical

Symptoms

When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Impact

A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Conditions

You will notice this issue when you use iControl REST and are upgrading to version 13.1.0.x or later. You can also detect if the user is impacted by this issue with the following steps 1. Run below API to for impacted user account XYZ. # curl -ik -u username:XYZ -XPOST https://localhost/mgmt/shared/authn/login --data-binary '{"username":"XYZ", "password":"XYZpass", "loginProviderName":"tmos"}' -H "Content-Type: application/json" 2. Find user XYZ's 'link' path under 'token' in previous output There are two formats possible for 'link' a. Path will have a UUID For example "token"->"link"->"https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" b. Path will have a username (not UUID) For example "token"->"link"->"https://localhost/mgmt/shared/authz/users/<username>" 3. Run below API to get list of user roles. # restcurl -u "admin:<admin-user-pass>" /shared/authz/roles | tee /var/tmp/rest_shared_authz_roles.json 4. Check user XYZ's link path from step 2 in above output. Check under the "userReferences" section for group "iControl_REST_API_User" . You will see the link path in one of the two formats listed in 2a/2b. If you do not see the user link path then you are impacted by this bug

Workaround

You can repair the current users permissions with the following process: 1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process: # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator" 2) Restart services # bigstart restart restjavad *or* tmsh restart /sys service restjavad 3) Now, when you create a new user, the permissions should start in a healthy state 4) If this still does not resolve the issue you could update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT. Here you may need to use the UUID path as described under 'Conditions' # restcurl shared/authz/roles/iControl_REST_API_User > role.json # vim role.json a. add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list OR b. add { "link": "https://localhost/mgmt/cm/system/authn/providers/tmos/1f44a60e-11a7-3c51-a49f-82983026b41b/users/<UUID>" } object to userReferences list # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Fix Information

None

Behavior Change