Bug ID 718796: IControl REST token issue after upgrade

Last Modified: Jul 07, 2020

Bug Tracker

Affected Product:  See more info
BIG-IP Install/Upgrade(all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 13.1.3, 13.1.3.1, 13.1.3.2, 13.1.3.3, 13.1.3.4, 14.0.0, 14.0.0.1, 14.0.0.2, 14.0.0.3, 14.0.0.4, 14.0.0.5, 14.0.1, 14.0.1.1, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.5, 14.1.0.6, 14.1.2, 14.1.2.1, 14.1.2.2, 14.1.2.3, 14.1.2.4, 14.1.2.5, 14.1.2.6, 15.0.0, 15.0.1, 15.0.1.1, 15.0.1.2, 15.0.1.3, 15.1.0, 15.1.0.1, 15.1.0.2, 15.1.0.3, 15.1.0.4

Opened: May 07, 2018
Severity: 2-Critical

Symptoms

When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Impact

A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Conditions

-- Upgrading to version 13.1.0.x or later. -- Using iControl REST.

Workaround

You can repair the current users permissions with the following process: 1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process: # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator" # bigstart restart restjavad. 2) Update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT: # restcurl shared/authz/roles/iControl_REST_API_User > role.json # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User Now, when you create a new user, the permissions should start in a healthy state.

Fix Information

None

Behavior Change