iControl REST Permissions to enable/disable pool member
I've gone through numerous articles here and cannot find the answer. I'm basing my latest attempts on the iControl REST Fine-Grained Role Based Access Control article.
I have created a custom role and added the test user (admyapp) to it:
{
    "description": "Custom REST API Proxy role, added via iControl",
    "generation": 18,
    "kind": "shared:authz:roles:rolesworkerstate",
    "lastUpdateMicros": 1539617772546334,
    "name": "iControl_myapp_operator",
    "resources": [
        {
            "resourceMask": "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80",
            "restMethod": "PATCH"
        },
        {
            "resourceMask": "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/*",
            "restMethod": "PATCH"
        }
    ],
    "selfLink": "https://localhost/mgmt/shared/authz/roles/iControl_myapp_operator",
    "userReferences": [
        {
            "link": "https://localhost/mgmt/shared/authz/users/admyapp"
        }
    ]
}
Note that I have also tried this with PUT as the "restMethod" with the same results.
I want the user to be able to control the pool member enabled/disabled state in the /myapp partition. When I run my (Perl) code using the admin ID, it works:
{
    'partition' => 'Common',
    'fqdn' => {
        'autopopulate' => 'disabled'
    },
    'session' => 'user-disabled',
    'inheritProfile' => 'enabled',
    'ratio' => 1,
    'logging' => 'disabled',
    'connectionLimit' => 0,
    'dynamicRatio' => 1,
    'rateLimit' => 'disabled',
    'address' => '192.168.110.55',
    'state' => 'user-down',
    'ephemeral' => 'false',
    'kind' => 'tm:ltm:pool:members:membersstate',
    'generation' => 9884,
    'priorityGroup' => 0,
    'fullPath' => '/Common/node-temp-myapp-My_node:80',
    'monitor' => 'default',
    'name' => 'node-temp-myapp-My_node:80',
    'selfLink' => 'https://localhost/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80?ver=12.1.2'
}
But when I run it (exact same code) under the admyapp ID it fails:
{
    'code' => 400,
    'apiError' => 3,
    'message' => '01070822:3: Access Denied: user (admyapp) does not have modify access to attribute (pool_member_description) of object (pool_member)',
    'errorStack' => []
}
I'm running BIG-IP 12.1.2 and am using token authentication. In the GUI, this ID also has the Operator role for both the /Common and /myapp partitions. The nodes were created in the /Common partition but the pool is in the /myapp partition.
Before anyone asks, here's the section of Perl code I use to disable the pool member; since it works as an admin user, I'm sure the problem isn't there.
use strict; use warnings;
use REST::Client;   # $LTMClient is a REST::Client object set up earlier
use JSON;           # provides decode_json; $LTMToken is the auth token obtained earlier
my $URI = "/mgmt/tm/ltm/pool/~myapp~pool-temp-myapp-fxii/members/~Common~node-temp-myapp-My_node:80";
my $json = '{"state":"user-down", "session":"user-disabled"}';   # force the member offline
$LTMClient->PUT( $URI, $json, {"X-F5-Auth-Token"=>$LTMToken, "Content-Type"=>"application/json"} );
my $disableDecoded = decode_json( $LTMClient->responseContent() );   # member object on success, error hash on failure
I'm sure I'm missing something obvious here - help?