Bug ID 718796: iControl REST token issue after upgrade

Last Modified: May 04, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP All(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Opened: May 07, 2018
Severity: 2-Critical

Symptoms

When upgrading to version 13.1.0.x, sometimes a user who previously had permissions to make calls to iControl REST loses the ability to make those calls.

Impact

A previously privileged user can no longer query iControl REST. Also, some remotely authenticated users may loose access to the Network Map and Analytics view after the upgrade.

Conditions

Upgrading to version 13.1.0.x.

Workaround

You can repair the current users permissions with the following process: 1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process: # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator" # bigstart restart restjavad. 2) Update shared/authz/roles/iControl_REST_API_User userReference list to add repro user account using PUT: # restcurl shared/authz/roles/iControl_REST_API_User > role.json # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User Now, when you create a new user, the permissions should start in a healthy state.

Fix Information

None

Behavior Change