
Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

Doug Byrd
Level 5

Good morning,

We have recently updated to Prime Infrastructure 3.3.1 and I'm now having some issues getting to /webacs/api/v3/data/InventoryDetails.

 

What I'm getting:

function windowTitle()
{
var productName = 'Prime Infrastructure';
if(productName=="Prime Infrastructure"){
parent.document.title ="Access is denied to "+"Prime Infrastructure";
}else if(productName=="Evolved Programmable Network Manager"){
parent.document.title ="Access is denied to"+"EPN Manager";
}
}

What I've tried:

 - We are using TACACS+ for authentication/authorization. After the Upgrade, in usual fashion, we updated all the TACACS+ tasks.  I have confirmed that my user group is being handed both NBIWritePrivilege and NBIReadPrivilege:
nbi.png

- I've tried v1 and v3 of this resource

- I am able to GET /data/Devices

- I've had other users try to GET data/InventoryDetails and they are all getting the same message. I have confirmed they are getting NBIReadPrivilege and NBIWritePrivilege.

 

Does anyone have anything I can try or have some insight on this error?

 

Thanks!

 


Bill Longman
Cisco Employee

I'm not aware of a v3 for the webacs API. There's a v1 and a v2, though. The v2 interface handles JSON arrays consistently no matter the entity counts.

 

Can you show any of the headers that your client is sending and any of the raw response, please? That would help. Your background info is very helpful, BTW.

 

I get a full response to this endpoint in my EPNM 2.2.1 server, but I suspect it should work the same with your PI 3.3.1. It always has before. Are you using any filters or such?

Of course!

Thanks for the quick response.

 

I'm using Postman for testing, and the only thing I'm sending is my Basic Auth header.

 

Here's a screenshot of the v3 documentation from the server. It stated that no changes were made in v2. Again, I've tried all three versions using the Resource URL from this documentation page.

pi_inventorydetails.PNG

 

 

 

Headers: postman_auth.png

 

 

Raw Output:

Request URL: https://<prime>/webacs/api/v3/data/InventoryDetails

I'm also getting a 403 Forbidden with this.  








<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="/webacs/styles/wcs.css" type="text/css">
<script type="text/javascript">
function windowTitle()
{
var productName = 'Prime Infrastructure';
if(productName=="Prime Infrastructure"){
parent.document.title ="Access is denied to "+"Prime Infrastructure";
}else if(productName=="Evolved Programmable Network Manager"){
parent.document.title ="Access is denied to"+"EPN Manager";
}
}
</script>
</head>
<body onload="windowTitle();" class="popup" text="#000000" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">


<table width="100%" height="62" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="62" width="180">&nbsp;</td>
<td valign="bottom" style="background-color:#ffffff;>
<div class="mainMenu">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="43" valign="bottom">
</td>
</tr>
<tr>
<td bgcolor="FFFFFF" height="19">&nbsp; </td>
</tr>
</table>
</div>
</td>
</tr>
<tr>
<td valign="top">
<div class="navBar"> &nbsp; </div>
</td>
<td valign="top">
<div class="content">
<table>
<tr>
<td class="pageTitleProp">

Access is denied to
Prime Infrastructure.

<br>Please contact the network administrator</br>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<div class="alarms"> &nbsp;</div>
</body>
</html>

 postman_bad_reso.png

 


Working response:

URL: https://<prime>/webacs/api/v3/data/Devices

postman_good_header.png

postman_good_reso.png

You're getting a 403 on that URL for some reason. I would suggest you open a service request with TAC to investigate further. They might need the nbi logs to debug why that URL is troublesome. If you're able to GET from other URLs, even within the same session, then that makes me wonder why that URL is having trouble. All you need is NBIReadPermission and you obviously have that. Might wanna check your ACS messages (?), maybe? Dunno, but open a case for this and you'll probably get this solved most quickly that way.

Thanks for your help, Bill!

 

I'll get one opened up.

Doug Byrd
Level 5

After working with TAC, figured out what the issue was.  In 3.2, there was a change to how TACACS was configured to fix some issues.  This change is pretty sparsely documented.

 

 

Instead of sending down TACACS+ Tasks of NBI[Read|Write]Privilege, we also needed to pass down additional role attributes.  So our TACACS+ shell profile in ISE looks like:

domain=ROOT-DOMAIN

role0: Admin

role1: NBI Read

role2: NBI Write

task1: xxxx

....
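
The profile change described above can be checked before it is pushed to users. The following is an added example, not part of the original thread and not Cisco code: a small audit that flags a shell profile which carries NBI tasks without the matching role attributes. The sample profiles are constructed, and the task-to-role pairing and the expectation of a domain attribute are assumptions drawn from the names in the post.

```python
import re

# Constructed sample profiles in the notation of the post above.
# "Before": tasks only, the style that led to the 403 described in this thread.
TASKS_ONLY = """\
task0: NBIReadPrivilege
task1: NBIWritePrivilege
"""
# "After": the shape of the working profile (task list shortened).
WITH_ROLES = """\
domain=ROOT-DOMAIN
role0: Admin
role1: NBI Read
role2: NBI Write
task0: NBIReadPrivilege
task1: NBIWritePrivilege
"""

# Assumption: task-to-role pairing inferred from the names used in the thread.
TASK_TO_ROLE = {"NBIReadPrivilege": "NBI Read", "NBIWritePrivilege": "NBI Write"}
# Accepts both "name: value" and "name=value"; a trailing index is optional.
ATTR = re.compile(r"^\s*([A-Za-z]+)(\d*)\s*[:=]\s*(.+?)\s*$")

def parse_profile(text):
    """Group attribute values by base name, e.g. {'role': [...], 'task': [...]}."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:  # blank lines and elisions such as "...." are skipped
            attrs.setdefault(m.group(1).lower(), []).append(m.group(3))
    return attrs

def audit_profile(text):
    """Return a list of findings; empty means each NBI task has its role."""
    attrs = parse_profile(text)
    roles, tasks = set(attrs.get("role", [])), attrs.get("task", [])
    findings = [f"task {t} present but role '{TASK_TO_ROLE[t]}' missing"
                for t in tasks if t in TASK_TO_ROLE and TASK_TO_ROLE[t] not in roles]
    # Assumption: a domain attribute is expected, as in the working profile.
    if any(t in TASK_TO_ROLE for t in tasks) and not attrs.get("domain"):
        findings.append("NBI tasks present but no domain attribute")
    return findings

if __name__ == "__main__":
    for name, profile in (("tasks only", TASKS_ONLY), ("with roles", WITH_ROLES)):
        print(name, "->", audit_profile(profile) or "ok")
```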