f5-declarative-onboarding icon indicating copy to clipboard operation
f5-declarative-onboarding copied to clipboard

Published 20 hours ago verified publisher icon F5Networks

DO does not accept "console disable" for RemoteAuthRole class

Open f5u opened this issue 3 years ago • 1 comments

Environment

  • Declarative Onboarding Version: 1.30.0
  • BIG-IP Version: 15.x/16.x

Summary

When attempting to disable terminal access for remote user groups using DO, DO returns with a 400 server error "bad declaration".

Steps To Reproduce

Steps to reproduce the behavior:

  1. check the current value for "console"
# curl -sku 'admin:admin' -H "Content-Type: application/json" https://localhost/mgmt/tm/auth/remote-role?expandSubcollections=true | jq . | grep console

        "console": "tmsh",
  1. Submit the following declaration to set "disable":
{
  "schemaVersion": "1.30.0",
  "class": "Device",
  "async": true,
  "label": "BIG-IP Onboarding",
  "Common": {
      "class": "Tenant",
      "guest_no_tmsh": {
        "class": "RemoteAuthRole",
        "attribute": "F5-LTM-User-Info-1=guest_no_tmsh",
        "console": "disable",
        "lineOrder": 4000,
        "role": "guest",
        "remoteAccess": false,
        "userPartition": "all"
    }
  }
}
  1. Observe the following error response:
{
  "id": "610b6362-0d0e-4976-a57f-46f524d1cefd",
  "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/610b6362-0d0e-4976-a57f-46f524d1cefd",
  "code": 400,
  "status": "ERROR",
  "message": "bad declaration",
  "errors": [
    {
      "keyword": "enum",
      "dataPath": ".declaration.Common['guest_no_tmsh'].console",
      "schemaPath": "#/properties/console/oneOf/0/enum",
      "params": {
        "allowedValues": [
          "disabled",
          "tmsh"
        ]
      },
      "message": "should be equal to one of the allowed values"
    },
  1. confirm that value for "console" was not changed.
# curl -sku 'admin:admin' -H "Content-Type: application/json" https://localhost/mgmt/tm/auth/remote-role?expandSubcollections=true | jq . | grep console

        "console": "tmsh",
  1. Submit the following declaration to set "disabled":
{
  "schemaVersion": "1.30.0",
  "class": "Device",
  "async": true,
  "label": "BIG-IP Onboarding",
  "Common": {
      "class": "Tenant",
      "guest_no_tmsh": {
        "class": "RemoteAuthRole",
        "attribute": "F5-LTM-User-Info-1=guest_no_tmsh",
        "console": "disabled",
        "lineOrder": 4000,
        "role": "guest",
        "remoteAccess": false,
        "userPartition": "all"
    }
  }
}
  1. confirm that value for "console" was changed.
# curl -sku 'admin:admin' -H "Content-Type: application/json" https://localhost/mgmt/tm/auth/remote-role?expandSubcollections=true | jq . | grep console

        "console": "disabled",
  1. confirm in GUI that current value is shown as "Terminal Access: Other: disabled" instead of "Terminal Access: Disabled".

Expected Behavior

Setting "console": "disabled" is allowed and it is shown as "Terminal Access: Disabled" in GUI. 2022-06-15_17h22_16

Actual Behavior

Setting "console": "disable" is not allowed. Setting "console": "disabled" is allowed but it is shown as "Terminal Access: Other: disabled" in GUI. 2022-06-15_17h23_39

Cannot set the value via DO equivalent to "Terminal Access: Disabled" in GUI.

f5u avatar Jun 15 '22 08:06 f5u

Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-3346. It looks like we need to be mapping the value of "disabled" to "disable".

dstokesf5 avatar Jun 22 '22 19:06 dstokesf5