cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
471
Views
10
Helpful
5
Replies
Contributor

Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

Good morning,

  We have recently updated to Prime Infrastructure 3.3.1 and I'm now having some issues getting to /webacs/api/v3/data/InventoryDetails .  

 

What I'm getting:

function windowTitle()
{
var productName = 'Prime Infrastructure';
if(productName=="Prime Infrastructure"){
parent.document.title ="Access is denied to "+"Prime Infrastructure";
}else if(productName=="Evolved Programmable Network Manager"){
parent.document.title ="Access is denied to"+"EPN Manager";
}
}

What I've tried:

 - We are using TACACS+ for authentication/authorization. After the Upgrade, in usual fashion, we updated all the TACACS+ tasks.  I have confirmed that my user group is being handed both NBIWritePrivilege and NBIReadPrivilege:
nbi.png

- I've tried v1 and v3 of this resource

- I am able to GET /data/Devices

- I've had other users try to GET data/InventoryDetails and they are all getting the same message. I have confirmed they are getting NBIReadPrivilege and NBIWritePrivilege.

 

Does anyone have anything I can try or have some insight on this error?

 

Thanks!

 

5 REPLIES 5
Cisco Employee

Re: Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

I'm not aware of a v3 for the webacs API. There's a v1 and a v2, though. The v2 interface handles JSON arrays consistently no matter the entity counts.

 

Can you show any of the headers that your client is sending and any of the raw response, please? That would help. Your background info is very helpful, BTW.

 

I get a full response to this endpoint in my EPNM 2.2.1 server, but I suspect it should work the same with your PI 3.3.1. It always has before. Are you using any filters or such?

Contributor

Re: Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

Of course!

Thanks for the quick response.

 

I'm using Postman for testing, and the only thing I'm sending is my Basic Auth header .

 

Here's a screenshot of the v3 documentation from the server.  It stated that no changes were made in v2.  Again, i've tried all three versions using the Resource URL from this documentation page

pi_inventorydetails.PNG

 

 

 

Headers:postman_auth.png

 

 

Raw Output:

Request URL: https://<prime>/webacs/api/v3/data/InventoryDetails

I'm also getting a 403 Forbidden with this.  








<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="/webacs/styles/wcs.css" type="text/css">
<script type="text/javascript">
function windowTitle()
{
var productName = 'Prime Infrastructure';
if(productName=="Prime Infrastructure"){
parent.document.title ="Access is denied to "+"Prime Infrastructure";
}else if(productName=="Evolved Programmable Network Manager"){
parent.document.title ="Access is denied to"+"EPN Manager";
}
}
</script>
</head>
<body onload="windowTitle();" class="popup" text="#000000" leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">


<table width="100%" height="62" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="62" width="180">&nbsp;</td>
<td valign="bottom" style="background-color:#ffffff;>
<div class="mainMenu">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr>
<td height="43" valign="bottom">
</td>
</tr>
<tr>
<td bgcolor="FFFFFF" height="19">&nbsp; </td>
</tr>
</table>
</div>
</td>
</tr>
<tr>
<td valign="top">
<div class="navBar"> &nbsp; </div>
</td>
<td valign="top">
<div class="content">
<table>
<tr>
<td class="pageTitleProp">

Access is denied to
Prime Infrastructure.

<br>Please contact the network administrator</br>
</td>
</tr>
</table>
</div>
</td>
</tr>
</table>
<div class="alarms"> &nbsp;</div>
</body>
</html>

 postman_bad_reso.png

 


Working response:

URL: https://<prime>/webacs/api/v3/data/Devices

postman_good_header.png

postman_good_reso.png

Highlighted
Cisco Employee

Re: Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

You're getting a 403 on that URL for some reason. I would suggest you open a service request with TAC to investigate further. They might need the nbi logs to debug why that URL is troublesome. If you're able to GET from other URLs, even within the same session, then that makes me wonder why that URL is having trouble. All you need is NBIReadPermission and you obviously have that. Might wanna check your ACS messages (?), maybe? Dunno, but open a case for this and you'll probably get this solved most quickly that way.

Contributor

Re: Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

Thanks for you help, Bill! 

 

I'll get one opened up.

Contributor

Re: Prime Infrastructure 3.3.1 - API Access denied to data/InventoryDetails

After working with TAC, figured out what the issue was.  In 3.2, there was a change to how TACACS was configured to fix some issues.  This change is pretty sparsely documented.

 

 

Instead of sending down down TACACS+ Tasks of NBI[Read|Write]Privilege, we also needed to pass down additional role attributes.  So our TACACS+ shell profile in ISE looks like:

domain=ROOT-DOMAIN

role0: Admin

role1: NBI Read

role2: NBI Write

task1: xxxx

....

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards