
Read-Only WAPI access?

JSmith2
Techie

I'm looking to create a local user in Infoblox with Read-Only access to WAPI (specifically to Cloud/Grid->Amazon->Amazon Route53 Sync Groups, but doesn't have to be that granular).

 

I've tested creating an admin group and individually adding every global permission listed out there, and my WAPI GET continues to bring back empty results.

The only way I've been able to successfully run the WAPI GET commands I'm using is by making the local user a superuser, which I don't want to do. Is there no other option between giving full access/all or nothing?

Examples without superuser (but all RO permissions possible), and then the second command with superuser, below:

$ curl -k --user test -XGET https://test.infoblox.com/wapi/v2.5/awsrte53taskgroup?_return_fields=task_list
[]

$ curl -k --user test -XGET https://test.infoblox.com/wapi/v2.5/awsrte53taskgroup?_return_fields=task_list
[
    {
        "_ref": "awsrte53taskgroup/blah12345-test",
        "task_list": [
            {
                "aws_user": "awsuser/b12345z",
                "credentials_type": "DIRECT",
                "disabled": false,
                "filter": "test.zone.com",
                "last_run": 1234,
                "name": "sync-test",
                "schedule_interval": 2,
                "schedule_units": "MINS",
                "state": "COMPLETED",
                "state_msg": "Sync completed successfully",
                "status_timestamp": 1234,
                "sync_private_zones": true,
                "sync_public_zones": false,
                "zone_count": 1
            }
        ]
    }
]

Re: Read-Only WAPI access?

TTiscareno Community Manager

For the API access, there is a setting that is separate from the regular permissions. To verify this, navigate to Administration -> Administrators -> Groups and edit the properties for the group that the administrators in question are authenticating under. At the bottom in the Roles tab, you will find the section "Allowed Interfaces". If you are only using the RESTful API, then set this to Cloud API (No PAPI). Otherwise, the API (WAPI/PAPI only) setting should work fine.

 

I suspect that this setting is not enabled for your group(s), since setting a group as superusers enables both GUI and API access.

Regards,

Tony

Re: Read-Only WAPI access?

JSmith2
Techie

Thanks for the response. Unfortunately, I have tested using both just 'Cloud API' and 'API (WAPI/PAPI only)', and neither seems to work.

I still get an empty response unless I promote the local user to a superuser. I suspect some of the Cloud API/Route 53 pieces are maybe still too new to have permission controls around them? Which is unfortunate; the only option appears to be all or nothing.

$ curl -k --user test -XGET https://test.infoblox.com/wapi/v2.5/awsrte53taskgroup?_return_fields=task_list
[]

 


Re: Read-Only WAPI access?

TTiscareno Community Manager

I double checked and yes, you are correct. Some permissions are limited to superusers and in looking at this particular call, I do not see any permissions that control Route 53 access.

 

To resolve this, I would recommend opening a request through Infoblox Support asking for this capability (permissions controls for Route 53 tasks). They will open a feature request on your behalf and this will enable your account team to work with project management and see if this is something that can be done.

 

Regards,

Tony
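
Added example (not part of the original thread and not Infoblox code): because the restricted account gets an empty `[]` rather than an explicit error, a least-privilege check has to compare what the restricted account sees against a reference response. The function names, the verdict labels and the treatment of 401/403 as an explicit denial are assumptions of this sketch; the sample bodies are constructed from the two curl outputs above.

```python
import json

# Constructed sample bodies modelled on the two curl outputs in the thread.
RESTRICTED_BODY = "[]"
SUPERUSER_BODY = json.dumps([{
    "_ref": "awsrte53taskgroup/blah12345-test",
    "task_list": [{"name": "sync-test", "state": "COMPLETED", "disabled": False}],
}])


def visible_objects(body):
    """Map each returned _ref to the task names listed under it."""
    objects = json.loads(body)
    if not isinstance(objects, list):
        raise ValueError("expected a JSON list of WAPI objects")
    return {o["_ref"]: sorted(t["name"] for t in o.get("task_list", []))
            for o in objects}


def access_verdict(status, restricted_body, reference_body):
    """Classify what the restricted account can see against a reference.

    status is the HTTP status of the restricted request; treating 401/403
    as an explicit denial is an assumption of this example.
    """
    if status in (401, 403):
        return "denied", {}
    if status != 200:
        return "error", {}
    seen = visible_objects(restricted_body)
    expected = visible_objects(reference_body)
    # Objects present in the reference but invisible to the restricted account.
    hidden = {ref: names for ref, names in expected.items() if ref not in seen}
    if not expected:
        return "nothing-to-see", {}   # an empty list is genuine here
    if hidden and not seen:
        return "silently-empty", hidden   # the case reported in this thread
    if hidden:
        return "partial", hidden
    return "full-read", {}


if __name__ == "__main__":
    print(access_verdict(200, RESTRICTED_BODY, SUPERUSER_BODY))
```
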
