Cisco ACI - Read access to REST APIs using non-admin user

NeeharAthalye
Level 1

Hi,

I am trying to understand if it's possible for a non-admin user configured in APIC to have read-only access to REST APIs?

We sent a REST request as a non-admin user and it returned an empty response. Check this API:

Class mgmt:ConnectivityPrefs (CONCRETE)

Class ID:9423
Class Label: mgmt connectivity preference
Encrypted: false - Exportable: true - Persistent: true - Configurable: true - Subject to Quota: Disabled - Abstraction Layer: Ambiguous Placement in the Model - APIC NX Processing: Disabled
Write Access: [admin]
Read Access: [admin]
Creatable/Deletable: no (see Container Mos for details)
Semantic Scope: Fabric
Semantic Scope Evaluation Rule: Parent
Monitoring Policy Source: Parent
Monitoring Flags : [ IsObservable: false, HasStats: false, HasFaults: false, HasHealth: false, HasEventRules: false ]

The response was:

-----------GET DATA ---------------------
PATH : /api/node/mo/uni/fabric/connectivityPrefs.json
QueryString : null
Response : {"totalCount":"0","imdata":[]}
-----------END GET DATA ---------------------


Or must the user have admin-level privileges?

8 Replies

Francesco Molino
VIP Alumni
Hi

Have you tried, for testing purposes, to put read-all as rope name with read privilege?
Also make sure you selected the correct security domain.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks Francesco for your response.

I created a read-only user 'readonly' which is part of all security domains - all, common and mgmt. Role assigned is read-all and access is readPriv for all security domains. What do you mean by "to put read-all as rope name" ? Is that something I have missed ?

No, sorry, typing with my smartphone. It's a typo; I meant role name.
I use the API all the time and it works just fine with this role.
Do you have any RADIUS authentication set up on your ACI?
If so, to use local authentication, you need to add apic:fallback\\ before the username.
What API call are you trying to execute?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Not using any RADIUS authentication. We tried on 2 different APIs - epmMacEp and mgmt:ConnectivityPrefs. For both it failed on 4.2.2f.

Am I missing something here?

For these API calls, you'll need the admin role with read privilege, as mentioned by @gmonroy.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

gmonroy
Cisco Employee

NeeharAthalye,

There is some info missing in how you're creating and sending the request, as well as what roles/privileges you have assigned to the user you're testing with.

With that said, the information you sent below from the API documentation is indeed stating that in order to query this concrete MO, your user must have "read" privileges of role "admin".

For reference, I've defined the following user "ro" that has:

Security Domain - all

Role - admin

Access - Read


[Image: Domain "all" having role "admin" with "read" privileges]

And with this user, I can do a moquery against the mgmtConnectivityPrefs class:

apic1# whoami
ro

apic1# moquery -c  mgmtConnectivityPrefs
Total Objects shown: 1

# mgmt.ConnectivityPrefs
annotation     :
childAction    :
descr          :
dn             : uni/fabric/connectivityPrefs
extMngdBy      :
interfacePref  : inband
lcOwn          : local
modTs          : 2019-07-15T18:23:00.407-08:00
name           : default
nameAlias      :
ownerKey       :
ownerTag       :
rn             : connectivityPrefs
status         :
uid            : 0

Doing the same type of query from POSTman after logging in as user "ro":

GET https://a.p.i.c/api/node/class/mgmtConnectivityPrefs.json

Response:
{
    "totalCount": "1",
    "imdata": [
        {
            "mgmtConnectivityPrefs": {
                "attributes": {
                    "annotation": "",
                    "childAction": "",
                    "descr": "",
                    "dn": "uni/fabric/connectivityPrefs",
                    "extMngdBy": "",
                    "interfacePref": "inband",
                    "lcOwn": "local",
                    "modTs": "2019-07-15T18:23:00.407-08:00",
                    "name": "default",
                    "nameAlias": "",
                    "ownerKey": "",
                    "ownerTag": "",
                    "status": "",
                    "uid": "0"
                }
            }
        }
    ]
}


Along these lines, I removed "read" privileges of "admin" role and tried the same query. This resulted in an empty response since user "ro" no longer had read access to that class (which appears to be similar behavior to what you're facing):

apic1# whoami
ro

apic1# moquery -c  mgmtConnectivityPrefs
No Mos found

Regards,

Gabriel

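Added example, not from Gabriel's post or from any Cisco tooling: a small Python helper that reads the aaaLogin response to list which roles a session holds with read access in each security domain, checks them against the "Read Access" list from the class documentation (here [admin] for mgmt:ConnectivityPrefs), and flags a totalCount of 0 on a DN that always exists (uni/fabric/connectivityPrefs) as RBAC filtering rather than a missing object. The aaaUserDomain / rolesR / rolesW layout is assumed from APIC login responses and the sample JSON is constructed for the user described in the thread.

```python
import json

# Constructed sample of an APIC aaaLogin response, trimmed to the fields this
# helper reads. The aaaUserDomain attributes rolesR/rolesW (comma-separated role
# names) are assumed from APIC login responses; values are made up.
SAMPLE_LOGIN = json.loads("""
{"totalCount":"1","imdata":[{"aaaLogin":{"attributes":{"userName":"readonly"},
 "children":[
  {"aaaUserDomain":{"attributes":{"name":"all","rolesR":"read-all","rolesW":""}}},
  {"aaaUserDomain":{"attributes":{"name":"common","rolesR":"read-all","rolesW":""}}},
  {"aaaUserDomain":{"attributes":{"name":"mgmt","rolesR":"read-all","rolesW":""}}}]}}]}
""")

# Constructed copy of the empty reply quoted in the question.
SAMPLE_EMPTY = {"totalCount": "0", "imdata": []}


def read_roles(login_json):
    """Map security domain -> set of roles the session can read with."""
    roles = {}
    for item in login_json.get("imdata", []):
        for dom in item.get("aaaLogin", {}).get("children", []):
            attrs = dom.get("aaaUserDomain", {}).get("attributes", {})
            r = {x for x in attrs.get("rolesR", "").split(",") if x}
            w = {x for x in attrs.get("rolesW", "").split(",") if x}
            roles[attrs.get("name", "")] = r | w  # ACI write privilege includes read
    return roles


def can_read_class(login_json, required_roles, domain="all"):
    """True if the session holds, in `domain`, at least one role from the
    class doc's 'Read Access' list (e.g. {"admin"} for mgmt:ConnectivityPrefs)."""
    return bool(read_roles(login_json).get(domain, set()) & set(required_roles))


def classify_reply(reply_json, login_json, required_roles, singleton=True):
    """Explain a totalCount of 0. APIC answers HTTP 200 with an empty imdata
    when RBAC hides the object, so for a DN that always exists (singleton) an
    empty reply from an under-privileged session is a denial, not a miss."""
    if int(reply_json.get("totalCount", "0")) > 0:
        return "ok"
    if not can_read_class(login_json, required_roles):
        return "denied: missing read role " + ",".join(sorted(required_roles))
    return "empty-but-authorised" if singleton else "not-found"
```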
Gabriel,

Thanks a bunch. That worked. The difference in my setup was I was not creating the user with role as admin; I only created it with read-all as the role. But APIs need admin role privilege to get any response.

Thanks

neehar

Some API calls are accessible with the read-all role, like tenant data (l3out, ...).

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question