f5-ansible
BIG-IP Authentication using token
Ansible Version: 2.11.2
Python Version: 3.6.3
Issue type: Feature idea
Issue:
I am able to authenticate to bigip using the API and credentials (local user) with the administrator role, but when I use the API and credentials (non-local user, LDAP account) it fails to authenticate against the bigip and throws a 401 Authorization failed error. I am able to retrieve the auth token using the non-local user (LDAP) credentials with the Ansible uri module and curl.
Basic auth is not supported by F5 for LDAP accounts and the API for us. It is said that basic auth is only good for local users. Token authentication is an iControl REST authentication method, and it allows access not only for local users but also for remote users (such as RADIUS or LDAP).
So, I am planning to use token authentication, but I don't see any method to retrieve the token using bigip modules, nor how to use that auth token with BIG-IP modules. How do we retrieve the token using bigip modules and use it? Could you add token-based authentication to these modules?
https://devcentral.f5.com/s/articles/iControl-REST-Authentication-Token-Management
We won't be adding token authentication to modules; this has already been answered and justified in #322.
@wojtek0806, I saw the previous #322. I see there is a method named connect_via_token_auth() in the F5RestClient class. How do I make use of that? We use LDAP for communicating with F5 using the iControl API. Unfortunately, the only method for LDAP and remote non-admin users is token-based authentication.
I think what you are looking for is the auth_provider provider parameter, which allows you to specify an external authentication provider: you submit the user/pass and authentication happens against the external service; this gets BIG-IP to issue you a token which we then use to make device calls in modules:
https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/module_utils/bigip.py#L46 https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/module_utils/bigip.py#L68
It is very similar to what we do with BIG-IQ with an external authentication service. https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/module_utils/bigiq.py#L40 https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/module_utils/bigiq.py#L68
@wojtek0806, you are right. I started passing user/password along with auth_provider. I am providing the auth_provider value as ldap, so that it will call the connect_via_token_auth method in bigip.py (https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/module_utils/bigip.py#L46) and issue me a token which I can use to make the calls in modules.
Below is my playbook. I tried passing tmos and ldap to auth_provider and it is throwing an error: ValueError: AbstractDigestAuthHandler does not support the following scheme: 'X-Auth-Token'
- name: auth with token
  bigip_device_info:
    gather_subset:
      - devices
    provider:
      password: xxxxxx
      user: xxxxxx
      server: xxxxxx
      validate_certs: no
      auth_provider: ldap
  delegate_to: localhost
How do I make use of auth_provider to provide ldap as my authentication service and get the token which I can then use for further calls in the module?
This needs investigating, as the token is used internally. If you get this error, something is wrong with the response, since we extract the token from it.
@wojtek0806 Any ETA on fixing this please?
no ETA at the moment
@kalluri27 please raise an SR to further investigate this issue.
Created INFRAANO-587 for internal tracking.
Hi @kalluri27, try giving remote for auth_provider in your playbook.
- name: auth with token
  bigip_device_info:
    gather_subset:
      - devices
    provider:
      password: xxxxxx
      user: xxxxxx
      server: xxxxxx
      validate_certs: no
      auth_provider: remote
  delegate_to: localhost
Also, for configuring LDAP user credentials on BIG-IP, use a bind account instead of a user template, as mentioned here.
I still see the issue. I gave remote for auth_provider in my playbook and it is throwing an error. The playbook is working fine with admin credentials on Bip0dcl0, but when I use the LDAP credentials it throws the below error. I tried the same credentials on the Bip0dcl0 UI and they are working fine.
Below is the playbook and error:
- name: Get expiring SSL certs from F5 devices
  hosts: all
  connection: local
  gather_facts: no
  collections:
    - f5networks.f5_modules
  tasks:
    - name: Get Devices, SSL certificates, Client SSL Profiles and Server SSl profiles from Bip0dcl0
      bigip_device_info:
        gather_subset:
          - devices
        provider:
          password: XXXXXXX
          user: XXXXXX
          server: bip0dcl0
          validate_certs: no
          auth_provider: remote
      delegate_to: localhost
      register: device_info
    - name: print the device_info
      debug:
        var: device_info
Below is the error:
TASK [Get Devices, SSL certificates, Client SSL Profiles and Server SSl profiles from Bip0dcl0] *********************************************************************************************
fatal: [localhost -> localhost]: FAILED! => {"changed": false, "msg": "b'{\"code\":401,\"message\":\"Authorization failed: user=https://localhost/mgmt/shared/authn/providers/remote/2c18e486-683a-3db1-a645-ad8523223b72/users/2d27b0b3-dead-3e2b-bbbe-31028940216a resource=/mgmt/tm/sys/provision verb=GET uri:http://localhost:8100/mgmt/tm/sys/provision referrer:10.157.154.123 sender:10.157.154.123\",\"referer\":\"10.157.154.123\",\"restOperationId\":20262921,\"kind\":\":resterrorresponse\"}'"}
Are you using bind account or user template for configuring LDAP credentials on BIGIP?
@urohit011, we did a workaround and are able to run the playbook successfully without auth_provider, but we had to make a few modifications to the bigip_device_info.py module (since I am using this module for my testing) to make it succeed. Could you please research this solution?
We commented out the below two lines in the bigip_device_info.py module, as it tries to fetch iApp global installed packages and only admin access can do that.
rpm = packages_installed(client)
manager.installed_packages = rpm
Below are the commented lines in the code:
https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_device_info.py#L18006 https://github.com/F5Networks/f5-ansible/blob/devel/ansible_collections/f5networks/f5_modules/plugins/modules/bigip_device_info.py#L18009
Below is my playbook:
- name: Get expiring SSL certs from F5 devices
  hosts: all
  connection: local
  gather_facts: no
  collections:
    - f5networks.f5_modules
  tasks:
    - name: Get Devices, SSL certificates, Client SSL Profiles and Server SSl profiles from Bip0dcl0
      bigip_device_info:
        gather_subset:
          - devices
        provider:
          password: XXXXX
          user: f5-certs-stage-user
          server: bip0dcl0
          validate_certs: no
      delegate_to: localhost
      register: device_info
    - name: print the device_info
      debug:
        var: device_info
Output:
"device_info": {
    "ansible_facts": {
        "ansible_net_devices": [
            {
                "active_modules": [
                    "Network Access",
                    ......
                    ......
                    ......
Hi @kalluri27, when running bigip_device_info, admin access is required. Please make sure that the user has admin access, uncomment those lines, don't omit auth_provider: remote from the playbook, and let me know if that works.
Hi @kalluri27, this issue is occurring because the user credentials with which you are running the playbook do not have the 'Administrator' role. So, you may want to try a user that has admin access.
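The auth_provider flow wojtek0806 describes earlier (submit credentials to a provider, receive a token, reuse it for device calls) and the 401 body posted above with auth_provider: remote, as an added example that is not the f5-ansible collection's own code: a minimal stdlib client doing the iControl REST token login from the linked DevCentral article (POST /mgmt/shared/authn/login with loginProviderName, then X-F5-Auth-Token on later calls) that also tells a rejected login apart from a token that was accepted but denied by role. The transport is injected; fake_bigip, the server name, user and token value are constructed stand-ins.

```python
import json

# transport(method, url, headers, body) -> (status, body). Injected so the flow can be
# exercised offline against the constructed stand-in below (real use: requests/urllib).

def login_request(server, user, password, provider="tmos"):
    """iControl REST token login: POST /mgmt/shared/authn/login. loginProviderName
    'tmos' covers local users and TMOS remote-auth (LDAP/RADIUS) users."""
    body = {"username": user, "password": password, "loginProviderName": provider}
    return f"https://{server}/mgmt/shared/authn/login", json.dumps(body).encode()

def get_token(transport, server, user, password, provider="tmos"):
    """Exchange credentials for a token once; later calls never carry the password."""
    url, body = login_request(server, user, password, provider)
    status, raw = transport("POST", url, {"Content-Type": "application/json"}, body)
    if status != 200:
        raise PermissionError(f"login rejected with HTTP {status}")
    return json.loads(raw)["token"]["token"]

def get_with_token(transport, server, token, path):
    """Call a resource with the token in the X-F5-Auth-Token header instead of Basic auth."""
    return transport("GET", f"https://{server}{path}", {"X-F5-Auth-Token": token}, b"")

def classify_401(raw):
    """'authorization': token accepted (user resolved via an authn provider) but the role
    may not read the resource, the shape of the thread's error; else 'authentication'."""
    try:
        msg = json.loads(raw).get("message", "")
    except (ValueError, AttributeError):
        return "authentication"
    if msg.startswith("Authorization failed: user=") and "/mgmt/shared/authn/providers/" in msg:
        return "authorization"
    return "authentication"

# Constructed stand-in for the thread's situation: login succeeds, but the remote (LDAP)
# user's role is denied /mgmt/tm/sys/provision, the resource in the posted error.
def fake_bigip(method, url, headers, body):
    if method == "POST" and url.endswith("/mgmt/shared/authn/login"):
        return 200, json.dumps({"token": {"token": "CONSTRUCTED-TOKEN"}}).encode()
    if headers.get("X-F5-Auth-Token") != "CONSTRUCTED-TOKEN":
        return 401, b'{"code":401,"message":"Authentication failed."}'  # constructed body
    return 401, (b'{"code":401,"message":"Authorization failed: user=https://localhost'
                 b'/mgmt/shared/authn/providers/remote/ID/users/ID resource=/mgmt/tm/sys/provision verb=GET"}')

def demo(transport=fake_bigip):
    token = get_token(transport, "bigip.example", "ldap-user", "pw")
    status, raw = get_with_token(transport, "bigip.example", token, "/mgmt/tm/sys/provision")
    return token, status, classify_401(raw)
```

A result of "authorization" means the provider and credentials worked and the fix is the user's role (or a module that does not touch admin-only resources), not the auth method.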
Hi @urohit011, I am able to run the playbooks with the user that has the administrator role, but the point is we don't want to use the administrator role for all the tasks. We just want to use LDAP credentials with the F5-manager role. A user with the administrator role is never an issue. I provided an alternative in the above comment. Could you please do your research on the above solution?
Hi, please try upgrading to the latest version, it should work. If not, please reach out, thanks!