What are the least permissions settings to allow an account to set KVM values?


So we would like to add KVM values (and modify them) using the management API interface. We are a private cloud org - so this is the only way to do this at the time (there is no UI interface for this).

I am trying to figure out what the LEAST permissions an account would need to be able to do this. I know it can be done by an org admin - but that isn't the LEAST permissions.

1 ACCEPTED SOLUTION

This worked for me.

    ## create a user role
    curl -i -n -H accept:application/xml \
      -H content-type:application/xml \
      -X POST \
      "http://api.edgemgmt/v1/o/org1/userroles" \
      -d '<Roles><Role name="kvmuser"/></Roles>'

    ## add permissions on keyvaluemaps to the existing role
    curl -i -n -X POST \
      -H content-type:application/xml \
      -H accept:application/xml \
      'http://api.edgemgmt/v1/o/org1/userroles/kvmuser/permissions' \
      -d '
    <ResourcePermission path="/keyvaluemaps">
      <Permissions>
        <Permission>get</Permission>
        <Permission>put</Permission>
        <Permission>delete</Permission>
      </Permissions>
    </ResourcePermission>'

    ## Add a user
    curl -n -i -X POST \
      -H content-Type:application/xml \
      'http://api.edgemgmt/v1/users' \
      -d '<User>
      <FirstName>Barak</FirstName>
      <LastName>Obama</LastName>
      <Password>Secret123</Password>
      <EmailId>B@obama.com</EmailId>
    </User>'

    ## Attach the userrole to that user
    curl -n -i -X POST \
      -H content-type:application/x-www-form-urlencoded \
      "http://api.edgemgmt/v1/o/org1/userroles/kvmuser/users?id=B@obama.com"

    ## Authenticating as the new user, create a KVM
    curl -u "B@obama.com:Secret123" \
      -i -X POST \
      -H content-type:application/json \
      "http://api.edgemgmt/v1/o/org1/keyvaluemaps" \
      -d '{
      "name" : "kvm1",
      "entry" : [
        {
          "name" : "Key1",
          "value" : "value_one"
        },
        {
          "name" : "Key2",
          "value" : "value_two"
        }
      ]
    }'

    ## Succeeds

    ## Authenticating as the new user, Try to read apis
    curl -u "B@obama.com:Secret123" \
      -i -X GET \
      "http://api.edgemgmt/v1/o/org1/apis"

    ## 403 Forbidden


All the curl commands that use -n assume that there are "orgadmin" credentials in your .netrc file. If that's not the case, just replace -n with -u "orgadminuser:orgadminpassword"

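An added example, not part of the original answer and not Apigee tooling: a small Python audit that compares a role's permission entries with the allow-list from the accepted solution (`/keyvaluemaps` with `get`, `put`, `delete`), so drift beyond least privilege is reported. The entry shapes are the XML and JSON shown in this thread; the function names, the sample data and the stricter no-delete policy are assumptions, and fetching the entries from the management API is left out.

```python
import json
import xml.etree.ElementTree as ET

# Allow-list taken from the accepted answer: one path, three verbs.
ALLOWED = {"/keyvaluemaps": {"get", "put", "delete"}}

def from_xml(xml_text):
    """Parse one <ResourcePermission> element (the shape POSTed in the answer)."""
    root = ET.fromstring(xml_text)
    verbs = [p.text.strip() for p in root.iter("Permission") if p.text]
    return {"path": root.get("path", ""), "permissions": verbs}

def audit(entries, allowed=ALLOWED):
    """Return (path, verbs, reason) per grant beyond the allow-list (exact path match)."""
    findings = []
    for entry in entries:
        path = entry["path"]
        verbs = {v.lower() for v in entry["permissions"]}
        if path not in allowed:
            # Wildcards and unknown paths are reported, not interpreted.
            findings.append((path, sorted(verbs), "path not in allow-list"))
        elif verbs - allowed[path]:
            findings.append((path, sorted(verbs - allowed[path]), "extra verb"))
    return findings

# Constructed sample input, reusing the two shapes shown in this thread.
KVM_XML = """<ResourcePermission path="/keyvaluemaps">
  <Permissions>
    <Permission>get</Permission>
    <Permission>put</Permission>
    <Permission>delete</Permission>
  </Permissions>
</ResourcePermission>"""

DRIFTED_JSON = """[
  {"organization": "myorg", "path": "/environments/*/virtualhosts", "permissions": ["get"]}
]"""

def demo():
    role = [from_xml(KVM_XML)]
    clean = audit(role)                              # role exactly as in the answer
    drifted = audit(role + json.loads(DRIFTED_JSON)) # role with one extra grant
    strict = audit(role, {"/keyvaluemaps": {"get", "put"}})  # hypothetical no-delete policy
    return clean, drifted, strict

if __name__ == "__main__":
    for name, findings in zip(("clean", "drifted", "strict"), demo()):
        print(name, findings)
```
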

15 REPLIES 15

Can you elaborate a little on what you're asking? Do you refer specifically to modifying KVMs via the Edge Administrative interface (either UI or API) ?

updated - should be more clear now.

I do not think KVMs are part of the RBAC. So I do not think permissions work for KVMs.

I know they may not be exposed in the UI directly - but that does not mean that there isn't a least permission setting to allow access to them for an account.

Sarthak, I think that is not correct!

@Dino do you know the correct answer?

Hahahaha! Yes I do! See the answer I added below. You are toooo fast, Birute!

@Benjamin Goldman does this resolve your issue? Thanks @Dino for sharing 🙂

I'm having A LOT of trouble getting the text to NOT hyperlink my curl URLs. Hang on while I try to convince this forum site to accept my input as typed.

This is missing one part that I need (the part I need!)

You have this:

    ## add permissions for keyvaluemaps to the existing role
    curl -i -n -X POST \
      -H content-type:application/xml \
      -H accept:application/xml \
      'http://api.edgemgmt/v1/o/org1/userroles/kvmuser/permissions' \
      -d '<User>
      <FirstName>Barak</FirstName>
      <LastName>Obama</LastName>
      <Password>Secret123</Password>
      <EmailId>B@obama.com</EmailId>
    </User>'

But the payload is not the KVM permission path (which is what I was trying to figure out) but actually a user account being created (poor Obama..)

No, that's not right. Sorry! Transcription error! I pasted in EXACTLY the code I used, and it came out hyperlinked and mangled. And in my edits I've messed it up. That's not right. Please see the updated answer. The relevant code is like this:

    ## add permissions on keyvaluemaps to the existing role
    curl -i -n -X POST \
      -H content-type:application/xml \
      -H accept:application/xml \
      'http://api.edgemgmt/v1/o/org1/userroles/kvmuser/permissions' \
      -d '
    <ResourcePermission path="/keyvaluemaps">
      <Permissions>
        <Permission>get</Permission>
        <Permission>put</Permission>
        <Permission>delete</Permission>
      </Permissions>
    </ResourcePermission>'

    ## Add a user
    curl -n -i -X POST \
      -H content-Type:application/xml \
      'http://api.edgemgmt/v1/users' \
      -d '<User>
      <FirstName>Barak</FirstName>
      <LastName>Obama</LastName>
      <Password>Secret123</Password>
      <EmailId>B@obama.com</EmailId>
    </User>'


Thanks man.

The permission should look something like this (in JSON):

    {
      "organization": "myorg",
      "path": "/environments/*/virtualhosts",
      "permissions": [
        "get"
      ]
    },

I just don't know what the KVM part is...

Can someone update @Dino's example now that it appears there are KVMs at ORG, ENV and PROXY levels?

I would expect the step labeled as "## add permissions on keyvaluemaps to the existing role" would include something to indicate which KVM is being added, correct?