02-24-2020 08:59 AM
Hi,
I am trying to understand if it's possible for a non-admin user configured in APIC to have read-only access to REST APIs?
We sent a REST request as a non-admin user and it returned empty response. Check this API:
The response was:
-----------GET DATA ---------------------
PATH : /api/node/mo/uni/fabric/connectivityPrefs.json
QueryString : null
Response : {"totalCount":"0","imdata":[]}
-----------END GET DATA ---------------------
Or must the user have admin-level privileges?
02-24-2020 08:25 PM
02-24-2020 09:06 PM
Thanks Francesco for your response.
I created a read-only user 'readonly' which is part of all security domains - all, common and mgmt. Role assigned is read-all and access is readPriv for all security domains. What do you mean by "to put read-all as rope name"? Is that something I have missed?
02-25-2020 07:45 PM
02-25-2020 11:10 PM
Not using any RADIUS authentication. We tried on 2 different APIs - epmMacEp and mgmt:ConnectivityPrefs. For both it failed on 4.2.2f.
Am I missing something here?
02-26-2020 07:08 PM
02-26-2020 09:07 AM - edited 02-26-2020 09:13 AM
NeeharAthalye,
There is some info missing in how you're creating and sending the request, as well as what roles/privileges you have assigned to the user you're testing with.
With that said, the information you sent below from the API documentation is indeed stating that in order to query this concrete MO, your user must have "read" privileges of role "admin".
For reference, I've defined the following user "ro" that has:
Security Domain - all
Role - admin
Access - Read
And with this user, I can do a moquery against the mgmtConnectivityPrefs class:
apic1# whoami
ro
apic1# moquery -c mgmtConnectivityPrefs
Total Objects shown: 1

# mgmt.ConnectivityPrefs
annotation    :
childAction   :
descr         :
dn            : uni/fabric/connectivityPrefs
extMngdBy     :
interfacePref : inband
lcOwn         : local
modTs         : 2019-07-15T18:23:00.407-08:00
name          : default
nameAlias     :
ownerKey      :
ownerTag      :
rn            : connectivityPrefs
status        :
uid           : 0
Doing the same type of query from POSTman after logging in as user "ro":
GET https://a.p.i.c/api/node/class/mgmtConnectivityPrefs.json
Response:
{
  "totalCount": "1",
  "imdata": [
    {
      "mgmtConnectivityPrefs": {
        "attributes": {
          "annotation": "",
          "childAction": "",
          "descr": "",
          "dn": "uni/fabric/connectivityPrefs",
          "extMngdBy": "",
          "interfacePref": "inband",
          "lcOwn": "local",
          "modTs": "2019-07-15T18:23:00.407-08:00",
          "name": "default",
          "nameAlias": "",
          "ownerKey": "",
          "ownerTag": "",
          "status": "",
          "uid": "0"
        }
      }
    }
  ]
}
Along these lines, I removed "read" privileges of "admin" role and tried the same query. This resulted in an empty response since user "ro" no longer had read access to that class (which appears to be similar behavior to what you're facing):
apic1# whoami
ro
apic1# moquery -c mgmtConnectivityPrefs
No Mos found
Regards,
Gabriel
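Added example (not part of the thread and not Cisco tooling): because the APIC answers with an empty result rather than an error when the account lacks read privilege on a class, a least-privilege account can be checked by comparing its response with that of a reference account. The two response bodies come from the posts above (the populated one abridged); the error sample and the function names are constructed for illustration.

```python
import json

# Bodies from the thread: the same class queried without and with read access.
NO_ACCESS = '{"totalCount":"0","imdata":[]}'
WITH_ACCESS = json.dumps({"totalCount": "1", "imdata": [{"mgmtConnectivityPrefs": {
    "attributes": {"dn": "uni/fabric/connectivityPrefs", "interfacePref": "inband"}}}]})
# Constructed sample of an explicit error object, for contrast with the silent case.
ERROR = ('{"totalCount":"1","imdata":[{"error":{"attributes":'
         '{"code":"403","text":"constructed sample"}}}]}')


def summarize(body):
    """Return (status, dns) for one query response body."""
    doc = json.loads(body)
    items = doc.get("imdata", [])
    errors = [i["error"]["attributes"] for i in items if "error" in i]
    if errors:
        # An explicit error is a different condition from a filtered result.
        return "error:" + errors[0].get("code", "?"), []
    dns = [mo["attributes"].get("dn", "")
           for item in items for mo in item.values()]
    if int(doc.get("totalCount", "0")) == 0 and not dns:
        # Ambiguous on its own: no objects exist, or RBAC hid them.
        return "empty", []
    return "ok", dns


def hidden_from(reference_body, candidate_body):
    """DNs the reference account can read that the candidate account cannot."""
    ref_status, ref_dns = summarize(reference_body)
    cand_status, cand_dns = summarize(candidate_body)
    if ref_status != "ok":
        raise ValueError("reference query returned no objects: " + ref_status)
    return cand_status, sorted(set(ref_dns) - set(cand_dns))


if __name__ == "__main__":
    print(summarize(NO_ACCESS))
    print(hidden_from(WITH_ACCESS, NO_ACCESS))
    print(summarize(ERROR))
```

A non-empty second element from hidden_from means the empty result is a privilege gap, not an absence of objects.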
02-27-2020 03:39 AM
Gabriel,
Thanks a bunch. That worked. The difference in my setup was that I was not creating the user with the admin role; I only created it with read-all as the role. But APIs need admin role privilege to get any response.
Thanks
neehar
02-27-2020 07:24 PM