F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

DO does not accept "console disable" for RemoteAuthRole class #314

Open f5u opened 2 years ago

f5u commented 2 years ago

Environment

Summary

When attempting to disable terminal access for remote user groups using DO, DO returns with a 400 server error "bad declaration".

Steps To Reproduce

Steps to reproduce the behavior:

  1. Check the current value for "console":

    # curl -sku 'admin:admin' -H "Content-Type: application/json" https://localhost/mgmt/tm/auth/remote-role?expandSubcollections=true | jq . | grep console
    
        "console": "tmsh",
  2. Submit the following declaration to set "disable":

    {
      "schemaVersion": "1.30.0",
      "class": "Device",
      "async": true,
      "label": "BIG-IP Onboarding",
      "Common": {
        "class": "Tenant",
        "guest_no_tmsh": {
          "class": "RemoteAuthRole",
          "attribute": "F5-LTM-User-Info-1=guest_no_tmsh",
          "console": "disable",
          "lineOrder": 4000,
          "role": "guest",
          "remoteAccess": false,
          "userPartition": "all"
        }
      }
    }
  3. Observe the following error response:

    {
    "id": "610b6362-0d0e-4976-a57f-46f524d1cefd",
    "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/610b6362-0d0e-4976-a57f-46f524d1cefd",
    "code": 400,
    "status": "ERROR",
    "message": "bad declaration",
    "errors": [
    {
      "keyword": "enum",
      "dataPath": ".declaration.Common['guest_no_tmsh'].console",
      "schemaPath": "#/properties/console/oneOf/0/enum",
      "params": {
        "allowedValues": [
          "disabled",
          "tmsh"
        ]
      },
      "message": "should be equal to one of the allowed values"
    },
  4. Confirm that the value for "console" was not changed:

    # curl -sku 'admin:admin' -H "Content-Type: application/json" https://localhost/mgmt/tm/auth/remote-role?expandSubcollections=true | jq . | grep console
    
        "console": "tmsh",
  5. Submit the following declaration to set "disabled":

    {
      "schemaVersion": "1.30.0",
      "class": "Device",
      "async": true,
      "label": "BIG-IP Onboarding",
      "Common": {
        "class": "Tenant",
        "guest_no_tmsh": {
          "class": "RemoteAuthRole",
          "attribute": "F5-LTM-User-Info-1=guest_no_tmsh",
          "console": "disabled",
          "lineOrder": 4000,
          "role": "guest",
          "remoteAccess": false,
          "userPartition": "all"
        }
      }
    }
  6. Confirm that the value for "console" was changed:

    # curl -sku 'admin:admin' -H "Content-Type: application/json" https://localhost/mgmt/tm/auth/remote-role?expandSubcollections=true | jq . | grep console
    
        "console": "disabled",
  7. Confirm in the GUI that the current value is shown as "Terminal Access: Other: disabled" instead of "Terminal Access: Disabled".

Expected Behavior

Setting "console": "disabled" is allowed and it is shown as "Terminal Access: Disabled" in the GUI.

Actual Behavior

Setting "console": "disable" is not allowed. Setting "console": "disabled" is allowed but it is shown as "Terminal Access: Other: disabled" in the GUI.

Cannot set the value via DO equivalent to "Terminal Access: Disabled" in GUI.

dstokesf5 commented 2 years ago

Thank you for your feedback. I have added this to our internal product backlog as AUTOTOOL-3346. It looks like we need to be mapping the value of "disabled" to "disable".
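
The check below is an added example, not code from this issue or from f5-declarative-onboarding. It lints RemoteAuthRole "console" values against the enum shown in the error response and, after a declaration has been applied, flags roles whose value on the device differs from "disable", the value the maintainer's comment says DO should send. The function names, the makeDeclaration helper and the simplified role-name-to-console map passed to auditDevice are assumptions made for the example.

```javascript
// Added example; not code from f5-declarative-onboarding.
// Values the DO 1.30.0 schema accepts, copied from "allowedValues" in the error response.
const SCHEMA_CONSOLE_VALUES = ['disabled', 'tmsh'];
// Assumption taken from the maintainer's comment: BIG-IP itself expects "disable".
const EXPECTED_ON_DEVICE = new Map([['disabled', 'disable'], ['tmsh', 'tmsh']]);

// Collect every RemoteAuthRole object from every Tenant in a declaration.
function remoteAuthRoles(declaration) {
  const found = [];
  for (const [tenantName, tenant] of Object.entries(declaration)) {
    if (!tenant || typeof tenant !== 'object' || tenant.class !== 'Tenant') continue;
    for (const [name, item] of Object.entries(tenant)) {
      if (item && typeof item === 'object' && item.class === 'RemoteAuthRole') {
        found.push({ tenantName, name, console: item.console });
      }
    }
  }
  return found;
}

// Pre-flight: list console values the schema will reject with "bad declaration".
function lintConsole(declaration) {
  return remoteAuthRoles(declaration)
    .filter((r) => r.console !== undefined && !SCHEMA_CONSOLE_VALUES.includes(r.console))
    .map((r) => `${r.tenantName}.${r.name}: console "${r.console}" is not one of ${SCHEMA_CONSOLE_VALUES.join(', ')}`);
}

// Post-apply: compare what the device reports (role name -> console string,
// a simplified shape for this example) with the value the declaration should produce.
function auditDevice(declaration, deviceConsoleByRole) {
  return remoteAuthRoles(declaration)
    .filter((r) => EXPECTED_ON_DEVICE.has(r.console) && deviceConsoleByRole[r.name] !== EXPECTED_ON_DEVICE.get(r.console))
    .map((r) => ({ role: r.name, expected: EXPECTED_ON_DEVICE.get(r.console), actual: deviceConsoleByRole[r.name] }));
}

// Constructed sample mirroring the declaration in the report.
function makeDeclaration(consoleValue) {
  return {
    schemaVersion: '1.30.0', class: 'Device', async: true,
    Common: { class: 'Tenant', guest_no_tmsh: { class: 'RemoteAuthRole', console: consoleValue, role: 'guest' } }
  };
}

console.log(lintConsole(makeDeclaration('disable')));
console.log(auditDevice(makeDeclaration('disabled'), { guest_no_tmsh: 'disabled' }));
```
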