Solved: Re: How to execute BULK DELETE operation using Cisco ISE API?

Tymofii Dmytrenko · ‎07-13-2019

Hi

I am trying to implement a bulk delete of Endpoints via Cisco ISE API (v2.4). I have to admit, it's a challenging task because API documentation is really poor when it comes to Bulk operations. In particular, all examples provided relate to BULK CREATE

I tried to re-use the same XML templates, but only gone as far as this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:endpointBulkRequest operationType="delete" resourceMediaType="vnd.com.cisco.ise.identity.endpoint.1.0+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
  <ns4:resourcesList>
    <ns4:endpoint id="9e2edb00-6903-11e9-9573-46a7fd05b425">
      <mac></mac>
      <mdmAttributes></mdmAttributes>
      <portalUser></portalUser>
      <profileId></profileId>
      <staticGroupAssignment>false</staticGroupAssignment>
      <staticProfileAssignment>false</staticProfileAssignment>
    </ns4:endpoint>
    <ns4:endpoint id="63e2e5e0-6908-11e9-9573-46a7fd05b425">
      <mac></mac>
      <mdmAttributes></mdmAttributes>
      <portalUser></portalUser>
      <profileId></profileId>
      <staticGroupAssignment>false</staticGroupAssignment>
      <staticProfileAssignment>false</staticProfileAssignment>
    </ns4:endpoint>
  </ns4:resourcesList>
</ns4:endpointBulkRequest

However, when I try this snippet in the Postman, I get the following error:

{
  "ERSResponse": {
    "operation": "PUT-executeBulk-endpoint",
    "messages": [
      {
        "title": "invalid bulk request - resources list is not allowed for delete operation",
        "type": "ERROR",
        "code": "Application resource validation exception"
      }
    ],
    "link": {
      "rel": "related",
      "href": "https://lab-ise-2x-1.w1.lab:9060/ers/config/endpoint/bulk/submit",
      "type": "application/xml"
    }
  }
}

When I've read API docs, I found this confusing text:

Two types of bulk request available: 1) operation that requires the resource XML itself like creating or updating a resource. 2) Operation that requires the only resource id like delete, register endpoint, email guestuser etc... The bulk request supports 500 resources of the first type or 5000 of the second per a single request. Bulk Operation in ISE 1.3 release is supported for Endpoint and GuestUser. Please Check The API Documentation section for more details about each specific request.

What does it mean? Doea it mean I have to create a BULK request somehow separately and then execute it with SINGLE resource ID of that request? Or does it mean I have to provide a list of resource IDs only for the request to be successful? My understanding of BULK operations is that I have to provide a list of resource IDs and operation type.

How do I do this via XML? What is the template for DELETE operation?

Thanks

hslai · ‎07-13-2019

See Solved: Re: How to BULK DeleteById GuestUsers o... - Cisco Community

Try sending the following as the body of the the PUT request to https://<isePPAN>:9060/config/endpoint/bulk with the usual HTTP headers.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:endpointBulkRequest operationType="Delete" resourceMediaType="vnd.com.cisco.ise.identity.endpoint.1.0+xml" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
      <idList>
        <id>c7c05220-a682-11e9-92cd-024294667a96</id>
        <id>c7c50d10-a682-11e9-92cd-024294667a96</id>
      </idList>
</ns4:endpointBulkRequest>

View solution in original post

hslai · ‎07-13-2019

See Solved: Re: How to BULK DeleteById GuestUsers o... - Cisco Community

Try sending the following as the body of the the PUT request to https://<isePPAN>:9060/config/endpoint/bulk with the usual HTTP headers.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:endpointBulkRequest operationType="Delete" resourceMediaType="vnd.com.cisco.ise.identity.endpoint.1.0+xml" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
      <idList>
        <id>c7c05220-a682-11e9-92cd-024294667a96</id>
        <id>c7c50d10-a682-11e9-92cd-024294667a96</id>
      </idList>
</ns4:endpointBulkRequest>

Tymofii Dmytrenko · ‎07-13-2019

Awesome! It worked!

Thanks a lot. Why can't this be added to official ERS manual? I wasn't able to find anything apart from BULK CREATE

Think I've just noticed a bug. According to ERS docs, when BULK request is successfully accepted, it return 202 Accepted response, with Location header set to URL to check status of this BULK request

I've got 202, but Location was set to https://lab-ise-2x-1.w1.lab:9060/ers/config/endpoint/bulk/submit/1563059868842

/bulk/submit/<id>

If I use this URL I get 404 not found. Apparently, /submit/ is not required. If I remove it and leave it like

https://lab-ise-2x-1.w1.lab:9060/ers/config/endpoint/bulk/1563059868842

Then it returns 200 with result

Anyway, thanks for your help!

hslai · ‎07-13-2019

It might be specific to the release and patch level of your ISE. In my test against a standalone running ISE 2.4 FCS, the Location header in the response is simply https://<ise>:9060/ers/config/endpoint/bulk/<bulkID> but has no /submit in it.

Tymofii Dmytrenko · ‎07-14-2019

Possibly just a bug, but I tried few times and every times Location returns invalid URL. It's not a big deal, as I extract Bulk Operation Id using regexp and then build correct URL for status request.

Jason Kunst · ‎07-14-2019

Please edit and separate appropriate

Tymofii Dmytrenko · ‎07-14-2019

Done

Appreciate if you guys can help with it: https://community.cisco.com/t5/identity-services-engine-ise/add-multiple-endpoints-to-a-specific-cisco-ise-identity-group/m-p/3889913

hslai · ‎07-15-2019

Think I've just noticed a bug. According to ERS docs, when BULK request is successfully accepted, it return 202 Accepted response, with Location header set to URL to check status of this BULK request
I've got 202, but Location was set to https://lab-ise-2x-1.w1.lab:9060/ers/config/endpoint/bulk/submit/1563059868842

/bulk/submit/<id>

If I use this URL I get 404 not found. Apparently, /submit/ is not required. If I remove it and leave it like

https://lab-ise-2x-1.w1.lab:9060/ers/config/endpoint/bulk/1563059868842

Then it returns 200 with result

CSCvq53373 opened to track this issue and it might take a day or two before you able to see it.

I am able to recreate it when the bulk requests made to /ers/config/endpoint/bulk/submit (with /submit at the end). My earlier tests were all made to /ers/config/endpoint/bulk (without /submit at the end). Thanks for reporting it.

Tymofii Dmytrenko · ‎07-21-2019

@hslaino problems. The only reason I used that URL is because API documentation specifically says to use /submit at the end.

Regards

noc0000041 · ‎03-10-2020

Hello,

can you give an example of the python code?

I try this:

payload = {
    "GuestUserBulkRequest": {
        "operationType": "delete",
        "resourceMediaType": "vnd.com.cisco.ise.identity.guestuser.2.0+xml",
        "idList": [{
            "id": "37ca5620-597e-11ea-a01a-c684e6795d45"}]}}
url = f'https://{host}:9060/ers/config/guestuser/bulk/submit'
response = requests.get(url, auth=auth, data=json.dumps(payload), headers=headers, verify=False)

And got error:

{'ERSResponse': {'link': {'href': 'https://x.x.x.x:9060/ers/config/guestuser/bulk/submit',
'rel': 'related',
'type': 'application/xml'},
'messages': [{'code': 'Resource not found exception',
'title': "Illegal bulkid 'submit'",
'type': 'ERROR'}],
'operation': 'GET-getBulkStatus-guestuser'}}

Tymofii Dmytrenko · ‎03-10-2020

Hi. AFAIK Bulk operations do not support JSON. You have to compile and send XML payload for bulk operations. At least, this is what I do (use XML) and it works fine.

noc0000041 · ‎03-10-2020

Timofii,

according to API DOCs, bulk request support JSON (strange, but for some reason the section 'resourceList' is not specified):

I also tried with XML (test.xml):

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<ns4:guestUserBulkRequest operationType="delete" resourceMediaType="vnd.com.cisco.ise.identity.guestuser.2.0+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
    <idList>
        <id>37ca5620-597e-11ea-a01a-c684e6795d45</id>
    </idList>
</ns4:guestUserBulkRequest>

Python:

xml = open('test.xml')
    xml2 = xml.read()
    xml3 = ET.fromstring(xml2)
    payload = ET.tostring(xml3, encoding='utf-8', method='xml')
     url = f'https://{host}:9060/ers/config/guestuser/bulk/submit'
    response = requests.get(url, auth=auth, data=payload, headers=headers, verify=False)

But the same error..

Tymofii Dmytrenko · ‎03-10-2020

I am not using xml module. Here's my code, which works fine

def bulk_delete(self, uuid_list):
    '''
    Send bulk request to delete multiple endpoints at once
    Max IDs in one request is 5000 (Cisco ISE limitation)

    :param uuid_list: List of strings (Cisco ISE Resource IDs)
    :type uuid_list: List
    '''

    #: XML BODY Template
    xml_tpl_body = """
        <?xml version="1.0" encoding="utf-8" standalone="yes"?>
        <ns4:endpointBulkRequest operationType="delete" resourceMediaType="vnd.com.cisco.ise.identity.endpoint.1.0+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
        <idList>{uuid_list}</idList>
        </ns4:endpointBulkRequest>
    """

    #: XML Item Template
    xml_tpl_item = "<id>{item}</id>"

    #: Compile XML Templates
    xml_list = [xml_tpl_item.format(item=uuid) for uuid in uuid_list]
    xml_body = xml_tpl_body.format(uuid_list="".join(xml_list)).strip()

    #: Send API Request
    response = self._request(
        'PUT',
        self.calls['bulk'],
        content_type='application/xml',
        data=xml_body
    )

    #: Return False if API Request has failed
    if not response:
        return False

    #: Extract and Return Bulk Operation ID
    op_id = re.search(
        "/([0-9]+)$",
        response.headers['Location']
    )

    return op_id.group(1)

I hope it will help you

Tymofii Dmytrenko · ‎03-10-2020

I've just noticed that you're using GET and not PUT. That's probably why it's not working.

noc0000041 · ‎03-10-2020

Thanks,

yes, I didn’t notice that GETis used instead of PUT.

And also I removed the quotes <"> from <id>. And now my script also worked!

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:guestUserBulkRequest operationType="delete" resourceMediaType="vnd.com.cisco.ise.identity.guestuser.2.0+xml" xmlns:ns6="sxp.ers.ise.cisco.com" xmlns:ns5="trustsec.ers.ise.cisco.com" xmlns:ns8="network.ers.ise.cisco.com" xmlns:ns7="anc.ers.ise.cisco.com" xmlns:ers="ers.ise.cisco.com" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ns4="identity.ers.ise.cisco.com">
    <idList>
        <id>84195042-2a16-11ea-abe2-da3b65da2c0a</id>
    </idList>
</ns4:guestUserBulkRequest>

headers = {
        'content-type': 'application/xml',
        'accept': 'application/json' }

    xml = open('test.xml')
    xml2 = xml.read()
    xml3 = ET.fromstring(xml2)
    payload = ET.tostring(xml3, encoding='utf-8', method='xml')

    url = f'https://{host}:9060/ers/config/guestuser/bulk/submit'
    response = requests.put(url, auth=auth, data=payload, headers=headers, verify=False)
    print(response.content)