F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

remoteAuthRole does not allow to add an existing partition as userPartition #335

Open afreudenreich opened 1 year ago

afreudenreich commented 1 year ago

Problem: we create virtual servers or services using AS3, which usually results in a new tenant/partition being created. We'd like to use DO to automatically create a remoteAuthRole with the new tenant/partition as value for the userPartition field. The current schema does not seem to allow this. Only a variable retrieving the value from our AAA system is allowed: userPartition (string | string) - values “all”, “Common”, regex: ^%.+

In the WebUI an existing partition can be chosen as setting for userPartition in the remoteAuthRole.

The solution I'd like: to be able to create a config like the following:

"Common": {
    "class": "Tenant",
    "Operator_Tenant1": {
        "class": "RemoteAuthRole",
        "attribute": "CN=MyCN,ldap-path",
        "lineOrder": 925,
        "role": "operator",
        "remoteAccess": true,
        "userPartition": "Tenant1"
    }
}

I couldn't think of any good alternative solution.

Thanks!

21buckets commented 1 year ago

+1 for this.

21buckets commented 1 year ago

If it helps, here is an example declaration using a userPartition other than Common or All. Note that as soon as the partition is changed to Common, the declaration works.

{
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": true,
    "Common": {
        "class": "Tenant",
        "role_guest_homelab": {
            "class": "RemoteAuthRole",
            "attribute": "memberOF=CN=f5_guest,OU=Groups,OU=People,DC=homelab,DC=local",
            "console": "tmsh",
            "lineOrder": 1002,
            "role": "guest",
            "remoteAccess": true,
            "userPartition": "homelab"
        }
    }
}

The error (truncated for readability) looks like this:

{
    "id": "4b5fd6a5-12f9-4f3d-9fc1-86d4ded2a6b3",
    "selfLink": "https://localhost/mgmt/shared/declarative-onboarding/task/4b5fd6a5-12f9-4f3d-9fc1-86d4ded2a6b3",
    "code": 400,
    "status": "ERROR",
    "message": "bad declaration",
    "errors": [
        {
            "keyword": "enum",
            "dataPath": ".declaration.Common['role_guest_homelab'].userPartition",
            "schemaPath": "#/properties/userPartition/oneOf/0/enum",
            "params": {
                "allowedValues": [
                    "all",
                    "Common"
                ]
            },
            "message": "should be equal to one of the allowed values"
        },
        {
            "keyword": "pattern",
            "dataPath": ".declaration.Common['role_guest_homelab'].userPartition",
            "schemaPath": "#/definitions/variableString/pattern",
            "params": {
                "pattern": "^%.+"
            },
            "message": "should match pattern \"^%.+\""
        },
        {
            "keyword": "oneOf",
            "dataPath": ".declaration.Common['role_guest_homelab'].userPartition",
            "schemaPath": "#/properties/userPartition/oneOf",
            "params": {
                "passingSchemas": null
            },
            "message": "should match exactly one schema in oneOf"
        },
        {
            "keyword": "oneOf",
            "dataPath": ".declaration.Common['role_guest_homelab']",
            "schemaPath": "#/allOf/0/then/oneOf",
            "params": {
                "passingSchemas": null
            },
            "message": "should match exactly one schema in oneOf"
        },
        {
            "keyword": "if",
            "dataPath": "",
            "schemaPath": "#/allOf/1/if",
            "params": {
                "failingKeyword": "then"
            },
            "message": "should match \"then\" schema"
        }
    ]
}

The enumerated allowedValues are Common and all. There is also a string pattern match of "^%.+". If I change my userPartition value to %homelab (starting with a percentage sign) the declaration works fine, but obviously my partition name does not start with a % so it doesn't do me any good, as it just results in the role being created like so:
[image]

I'd be interested to know what the intent of the regex pattern match is, given it requires a % symbol.
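The error output above exposes the exact constraint the DO schema places on userPartition: a oneOf of the enum ["all", "Common"] and the pattern "^%.+". The following is an added example (not code from this project or from anyone in this thread) that mirrors that constraint as a pre-flight lint, so a declaration can be checked locally before it is POSTed and the offending dataPath reported in the same format DO prints. The sample declaration is a constructed copy of the one posted above; the lint function and its "hint" wording are this example's own, and the default that DO applies when userPartition is absent is not assumed (such objects are skipped).

```python
import re
from typing import Any, Dict, List

# Constraint as shown by the DO error output:
#   oneOf [ enum ["all", "Common"], pattern "^%.+" ]
USER_PARTITION_ENUM = ("all", "Common")
VARIABLE_PATTERN = re.compile(r"^%.+")


def user_partition_allowed(value: Any) -> bool:
    """Mirror the schema's oneOf: a literal enum value or a %variable reference.

    The two branches are disjoint (no enum value starts with '%'), so
    'exactly one matches' reduces to 'one of them matches'.
    """
    if not isinstance(value, str):
        return False
    in_enum = value in USER_PARTITION_ENUM
    is_variable = VARIABLE_PATTERN.match(value) is not None
    return in_enum != is_variable


def lint_declaration(declaration: Dict[str, Any]) -> List[Dict[str, str]]:
    """Walk every Tenant in a DO declaration and report RemoteAuthRole objects
    whose userPartition the schema would reject.

    dataPath follows the format seen in DO's error output, e.g.
    .declaration.Common['role_guest_homelab'].userPartition
    """
    findings: List[Dict[str, str]] = []
    for tenant_name, tenant in declaration.items():
        if not isinstance(tenant, dict) or tenant.get("class") != "Tenant":
            continue
        for item_name, item in tenant.items():
            if not isinstance(item, dict) or item.get("class") != "RemoteAuthRole":
                continue
            if "userPartition" not in item:
                continue  # schema default applies; not checked here
            value = item["userPartition"]
            if not user_partition_allowed(value):
                findings.append({
                    "dataPath": f".declaration.{tenant_name}['{item_name}'].userPartition",
                    "value": str(value),
                    "hint": ("only 'all', 'Common' or a %variable reference is accepted; "
                             "a literal partition name is rejected by this schema"),
                })
    return findings


# Constructed sample: the declaration posted above, with "homelab" as the partition.
SAMPLE_DECLARATION: Dict[str, Any] = {
    "schemaVersion": "1.0.0",
    "class": "Device",
    "async": True,
    "Common": {
        "class": "Tenant",
        "role_guest_homelab": {
            "class": "RemoteAuthRole",
            "attribute": "memberOF=CN=f5_guest,OU=Groups,OU=People,DC=homelab,DC=local",
            "console": "tmsh",
            "lineOrder": 1002,
            "role": "guest",
            "remoteAccess": True,
            "userPartition": "homelab",
        },
    },
}

if __name__ == "__main__":
    for finding in lint_declaration(SAMPLE_DECLARATION):
        print(f"{finding['dataPath']}: {finding['value']!r} rejected; {finding['hint']}")
```

Running it against the sample reports the single userPartition finding; changing the value to "Common" or to "%homelab" makes the lint pass, which is exactly the behaviour described in the comment above.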

seattlevine commented 1 year ago

The % format was done to satisfy this issue and is for variable substitution as defined in the 'About variable substitution' section on this page. Does that work for your needs?

21buckets commented 1 year ago

Thanks for the info on the meaning of the % symbol. I don't think this will work for me though, as I don't have any external auth system (RADIUS) passing through attributes. To clarify though, I don't suppose these variables can be recognised as LDAP or AD attributes?

F5-LTM-User-Role = 400 (variable). F5-LTM-User-Partition = App_C (variable). F5-LTM-User-Console = 1 (variable)

equalsabhi commented 1 year ago

We have the same requirement and are using AD for authentication. The variable substitution did not work with AD (LDAP) and even if it did, having to use one attribute per partition is too limiting and wouldn't scale for us. We really need a way to set the partition directly in DO, just as how it's possible to do via GUI, tmsh, API etc. It makes no sense for it to not be available as an option in DO and is really limiting deployment options in large environments

trinaths commented 1 year ago

Created [AUTOTOOL-4018] for internal PM tracking.

DahlPatric commented 12 months ago

Hi, when do you think we will have support for using existing partitions as described by afreudenreich? In the world of automation this kind of ticket should be resolved quickly, as it has huge benefits, as also mentioned.

Please put some effort into resolving it.

BR Patric