f5-declarative-onboarding
Unable to use remote auth user on BIG-IQ to deploy DO declaration
Environment
BIG-IQ v7.1.0 (DO 1.16), BIG-IQ v8.1.0.1 (DO 1.23)
Summary
When connecting to the BIG-IQ using a remote provider such as AD, I see the following error logged in /var/log/restnoded/restnoded.log:
Fri, 10 Sep 2021 15:42:16 GMT - info: [f5-declarative-onboarding: doUtil.js] Platform: BIG-IQ
Fri, 10 Sep 2021 15:42:16 GMT - finest: [f5-declarative-onboarding: restWorker.js] done w/ initial account setup
Fri, 10 Sep 2021 15:42:16 GMT - finest: [f5-declarative-onboarding: restWorker.js] Passing to TCW
Fri, 10 Sep 2021 15:42:16 GMT - info: [f5-declarative-onboarding: restWorker.js] TCW task failed: [RestOperationNetWorkerHandler]: bad response received: 400 - Get document for key: shared/authz/users/remoteuser returned nothing
Fri, 10 Sep 2021 15:42:16 GMT - severe: [f5-declarative-onboarding: configManager.js] Error getting current config: Cannot read property 'list' of undefined
Remote user is indeed missing from shared/authz/users/; however, it's defined in the BIG-IQ with admin role. GUI: System Tab -> USER MANAGEMENT -> Users (not local)
When connecting to BIG-IQ using a local admin user DO is working as expected. Only remote users are impacted.
Remote auth users should be able to deploy DO declarations via BIG-IQ (in the same way as AS3) as part of an automation workflow and this issue is blocking this effort.
Steps To Reproduce
Steps to reproduce the behavior:
- Submit the following declaration to BIG-IQ, replacing <BIG-IP_targetHost> with actual IP address of BIG-IP:
{
  "$schema": "https://raw.githubusercontent.com/F5Networks/f5-declarative-onboarding/master/src/schema/latest/remote.schema.json",
  "class": "DO",
  "declaration": {
    "schemaVersion": "1.16.0",
    "class": "Device",
    "async": true,
    "Common": {
      "class": "Tenant",
      "myDbVariables": {
        "class": "DbVariables",
        "ui.advisory.enabled": "true",
        "ui.advisory.color": "red",
        "ui.advisory.text": "Configuration deployed with AS3. Do not make any change directly on the BIG-IP or those changes may be lost."
      }
    }
  },
  "targetUsername": "admin",
  "targetHost": "<BIG-IP_targetHost>",
  "targetPassphrase": "admin",
  "bigIqSettings": {
    "failImportOnConflict": false,
    "conflictPolicy": "USE_BIGIQ",
    "deviceConflictPolicy": "USE_BIGIP",
    "versionedConflictPolicy": "KEEP_VERSION"
  }
}
- Observe the following error response:
The BIG-IQ returns the following response:
{
  "id": "59068816-c3a5-41ce-9de1-709c1062c4d0",
  "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/59068816-c3a5-41ce-9de1-709c1062c4d0",
  "result": {
    "class": "Result",
    "code": 202,
    "status": "RUNNING",
    "message": "processing"
  },
  "declaration": {
    "schemaVersion": "1.16.0",
    "class": "Device",
    "async": true,
    "Common": {
      "class": "Tenant",
      "myDbVariables": {
        "class": "DbVariables",
        "ui.advisory.enabled": "true",
        "ui.advisory.color": "red",
        "ui.advisory.text": "Configuration deployed with AS3 and DO. Do not make any change directly on the BIG-IP or those changes may be lost"
      }
    }
  }
}
Expected Behavior
DO Declaration to be processed by BIG-IQ when POSTed by remote auth users to configure BIG-IP targetHost. This is currently working with AS3.
Actual Behavior
The DO operation hangs and does not complete.
Seeing the following error logged in /var/log/restnoded/restnoded.log:
Fri, 10 Sep 2021 15:42:16 GMT - info: [f5-declarative-onboarding: doUtil.js] Platform: BIG-IQ
Fri, 10 Sep 2021 15:42:16 GMT - finest: [f5-declarative-onboarding: restWorker.js] done w/ initial account setup
Fri, 10 Sep 2021 15:42:16 GMT - finest: [f5-declarative-onboarding: restWorker.js] Passing to TCW
Fri, 10 Sep 2021 15:42:16 GMT - info: [f5-declarative-onboarding: restWorker.js] TCW task failed: [RestOperationNetWorkerHandler]: bad response received: 400 - Get document for key: shared/authz/users/remoteuser returned nothing
Fri, 10 Sep 2021 15:42:16 GMT - severe: [f5-declarative-onboarding: configManager.js] Error getting current config: Cannot read property 'list' of undefined
Managed to work around the issue by modifying the function passToTcw in restWorker.js: changed .setIsSetBasicAuthHeader(true) to .setIsSetBasicAuthHeader(false).
BIG-IQ: /var/config/rest/iapps/f5-declarative-onboarding/nodejs/restWorker.js
function passToTcw(wrapper, taskId, incomingRestOp) {
    // Rest framework complains about 'this' because of 'strict', but we use call(this)
    /* jshint validthis: true */
    const restOperation = this.restOperationFactory.createRestOperationInstance()
        .setUri(this.restHelper.makeRestjavadUri('/cm/global/tasks/declarative-onboarding'))
        .setIsSetBasicAuthHeader(true) // <------------!! Modify to .setIsSetBasicAuthHeader(false)
        .setReferer(incomingRestOp.getUri().href)
        .setContentType('application/json')
        .setBody({
            id: taskId,
            declaration: wrapper
        });
    return this.restRequestSender.sendPost(restOperation)
        .then(response => response.getBody().id);
}
Restart the services for the changes to take effect:
tmsh restart /sys service restjavad restnoded
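A triage helper for the log signature reported above, as an added example that is not part of the original report or of f5-declarative-onboarding. It parses restnoded.log lines, extracts the user name from the "shared/authz/users/... returned nothing" failure, and attaches the next severe DO entry; the function names and the five-second correlation window are assumptions.

```javascript
// Added example: triage helper for restnoded.log, not part of f5-declarative-onboarding.
// SAMPLE_LOG reuses three lines from the log excerpt quoted in this issue.
const SAMPLE_LOG = [
  "Fri, 10 Sep 2021 15:42:16 GMT - finest: [f5-declarative-onboarding: restWorker.js] Passing to TCW",
  "Fri, 10 Sep 2021 15:42:16 GMT - info: [f5-declarative-onboarding: restWorker.js] TCW task failed: [RestOperationNetWorkerHandler]: bad response received: 400 - Get document for key: shared/authz/users/remoteuser returned nothing",
  "Fri, 10 Sep 2021 15:42:16 GMT - severe: [f5-declarative-onboarding: configManager.js] Error getting current config: Cannot read property 'list' of undefined"
].join('\n');

// Line layout: "<date> GMT - <level>: [<app>: <file>] <message>"
const LINE_RE = /^(.+? GMT) - (\w+): \[([^:\]]+): ([^\]]+)\] (.*)$/;
const MISSING_USER_RE = /Get document for key: shared\/authz\/users\/(\S+) returned nothing/;
const STATUS_RE = /bad response received: (\d+)/;

// Turn one log line into a structured entry, or null if it does not match the layout.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: new Date(m[1]), level: m[2], app: m[3], file: m[4], message: m[5] };
}

// Report every TCW failure caused by a user missing from shared/authz/users,
// together with the first severe DO entry logged within windowMs afterwards.
function findMissingAuthzUsers(logText, windowMs = 5000) {
  const entries = logText.split(/\r?\n/).map(parseLine)
    .filter(e => e && e.app === 'f5-declarative-onboarding');
  const findings = [];
  entries.forEach((entry, i) => {
    const user = MISSING_USER_RE.exec(entry.message);
    if (!user || !entry.message.startsWith('TCW task failed')) return;
    const status = STATUS_RE.exec(entry.message);
    const followUp = entries.slice(i + 1).find(e => {
      const delta = e.time - entry.time;
      return e.level === 'severe' && delta >= 0 && delta <= windowMs;
    });
    findings.push({
      user: user[1],
      time: entry.time.toISOString(),
      httpStatus: status ? Number(status[1]) : null,
      followUpError: followUp ? followUp.message : null
    });
  });
  return findings;
}

console.log(JSON.stringify(findMissingAuthzUsers(SAMPLE_LOG), null, 2));
```
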
Thank you for reporting this issue. I have added it to our internal product backlog as AUTOTOOL-2766.