Commit 7378a46 (parent bc82eb3): 1 changed file with 3 additions and 14 deletions.
@@ -1276,12 +1276,12 @@ In the body of the API call add the username and role as seen below. | |
Superuser Role | ||
=============== | ||
F5OS-A 1.8.0 adds a new role called **superuser**. The new **superuser** role available at the F5OS-A system level provides **sudo** privileges and bash access to the system (if enabled). This role is intended for environments where appliance mode (prevent bash level access) is disabled. Some customers prefer to manage BIG-IP from the bash shell and leverage tmsh commands to pipe into various Unix utilities to parse output. A similar feature has been added to F5OS 1.8.0 where F5OS commmands can now be executed from the bash shell via the new f5sh utility. This new role provides a way for a user with "sudo" privileges to be able to be remotely authenticated into the F5OS bash shell, but also provides an audit trail of the users interactions with the bash shell and F5OS layers. | ||
F5OS-A 1.8.0 adds a new role called **superuser**. The new **superuser** role available at the F5OS-A system level provides **sudo** privileges and bash access to the system (if enabled). This role is intended for environments where appliance mode (prevent bash level access) is disabled. Some customers prefer to manage BIG-IP from the bash shell and leverage tmsh commands to pipe into various Unix utilities to parse output. A similar feature has been added to F5OS 1.8.0 where F5OS commmands can now be executed from the bash shell via the new f5sh utility. This new role provides a way for a user with "sudo" privileges to be able to be remotely authenticated into the F5OS bash shell, but also provides an audit trail of the users interactions with the new f5sh utility in bash shell. | ||
RBAC on F5OS has been implemented in a way where **Roles** provide slices of privileges that can be composed with each other. There are **Primary Roles** and **Secondary Roles** which can be combined together to give a particular user multiple privileges. | ||
Users must be assigned to a single primary group/role, and can become members of further supplementary groups/roles by adding them to the users list for that group/role. | ||
The roles can be combined together to give a particular user multiple privileges. The **superuser** role is intended to be assgined as a supplementary role in addtion to anothe rrole like **admin**, although it could be assinged as a primary role, but it would restrict access to services like the webUI. | ||
The roles can be combined together to give a particular user multiple privileges. The **superuser** role is intended to be assigned as a supplementary role in addition to another role like **admin**, whether the role is primary or supplementary does not matter (order does not matter), if only the superuser role was applied it would restrict access to services like the webUI, granting the admin role as a supplemental role will provide normal webUI access. | ||
As an example, assigning a Primary Role of **admin** to a user and then adding that same user to the **superuser** role will give the user access to the webUI via the admin privileges, and if the **system aaa authentication config superuser-bash-access true** command is set (to true) the default CLI login for this user will be the bash shell. The superuser role does not grant webUI access or Confd CLI access on its own. | ||
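Review bot: the added paragraph narrows the audit claim from "the bash shell and F5OS layers" to "the new f5sh utility in bash shell", which is the right correction, but the consequence should be stated outright: a superuser with sudo can run arbitrary bash commands, and only what passes through f5sh ends up in the F5OS audit trail, so operators should not read this paragraph as full session auditing. The same added line still carries "commmands" and "users interactions" (should be "user's interactions"), and the replacement sentence on the superuser role is a comma-spliced run-on; splitting it as "Whether the role is primary or supplementary does not matter. If only the superuser role is applied, webUI access is restricted; granting admin as a supplemental role restores normal webUI access." keeps the meaning and reads cleanly.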
@@ -1316,7 +1316,7 @@ The admin will then need to enable the ldap-group filters for both the primary a | |
system aaa authentication roles role admin config ldap-group <filter for remote admin group> | ||
system aaa authentication roles role superuser config ldap-group <filter for remote superuser group> | ||
The ldap-group mapping using group id is only necessary if the user/group records do not contain "posix/unix attributes" ('gidNumber') that identify the Linux GID of the group. If the records on the remote authentication server have Unix attributes, you can use 'system aaa authentication roles role <role> config remote-gid' to specify the remote group by GID, rather than mapping by name. | ||
The ldap-group mapping using the group's LDAP distinguished name is only necessary if the user/group records do not contain "posix/unix attributes" ('gidNumber') that identify the Linux GID of the group. If the records on the remote authentication server have Unix attributes, you can use 'system aaa authentication roles role <role> config remote-gid' to specify the remote group by GID, rather than mapping by name. | ||
Because this particular configuration is using named LDAP groups, you must disable the **unix_attributes** via the following CLI command. You cannot mix named LDAP groups with GID based unix groups, you must pick one or the other. In this example we are using the named LDAP groups. | ||
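Review bot: the replaced sentence fixes a real contradiction, since the old text said the mapping used "group id" and then ended with "rather than mapping by name", while the following paragraph says named LDAP groups are in use; the new wording ("the group's LDAP distinguished name") is consistent with both. Since the two CLI lines above still show only `<filter for remote admin group>` and `<filter for remote superuser group>`, consider adding an example DN so readers know the expected value is a full distinguished name, not a CN fragment, and note that the unix_attributes setting must match the chosen mapping style on every role, because a role left on GID mapping while unix_attributes is disabled will silently fail to match remote users.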
@@ -1359,18 +1359,7 @@ Next, you will need to assign a secondary role of superuser to the f5shuser1 acc | |
.. code-block:: bash | ||
login to the device using f5shuser1. | ||
ssh [email protected] | ||
([email protected]) Password: | ||
X11 forwarding request failed on channel 0 | ||
Last login: Thu Apr 4 12:45:00 2024 from 172.18.236.213 | ||
bash-4.2$ | ||
verify audit logs and make sure that new user loggedinto audit.log | ||
execute show and configuration commands with f5shutil from bash and verify audit logs. | ||
audit logs should provide the user information of current user(f5shuser1). | ||
You can view the current state of these parmeters via the following CLI show comands. | ||
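Review bot: deleting the whole block also drops the only instruction that tells the reader to verify the result (log in as f5shuser1, run show and configuration commands through f5sh, and confirm that audit.log attributes those entries to f5shuser1). Removing it is understandable, since the block wrapped prose instructions and a real-looking source address inside a `.. code-block:: bash`, but the verification step is the security-relevant part of the procedure and should survive as plain prose with the session shown separately, for example "After logging in as f5shuser1, run a show command via f5sh and confirm the entry in audit.log is attributed to f5shuser1." The retained line also still reads "parmeters" and "comands".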