topic Permission to create gateway object from API in API / CLI Discussion

Permission to create gateway object from API

Bryan_Lee — Wed, 26 Sep 2018 09:34:09 GMT

What is the permission required for API to create a gateway object?

I have created a role using custom mode so I can remove the excessive privilege later, and I have assigned all the possible privilege with write permission. I am still getting run time error when creating a simple gateway object from ansible. It works find if the role is given full write permission.

Error message below:

fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "msg": "Command 'add-simple-gateway {u'one-time-password': u'aaa12345', u'interfaces': [{u'ipv4-network-mask': u'255.255.255.0', u'anti-spoofing': u'true', u'ipv4-address': u'10.0.1.88', u'name': u'eth0', u'topology': u'External'}, {u'anti-spoofing': u'true', u'name': u'eth1', u'topology-settings': {u'ip-address-behind-this-interface': u'network defined by the interface ip and net mask'}, u'ipv4-network-mask': u'255.255.255.0', u'ipv4-address': u'172.16.1.88', u'topology': u'Internal'}], u'name': u'demo_gateway', u'ip-address': u'192.0.1.88', u'comments': u'added by Ansible'}' failed with error message: Runtime error: Error reading XMLStreamReader: Unexpected EOF in prolog at javax.xml.stream.SerializableLocation@c1137a34. All changes are discarded and the session is invalidated."}

Re: Permission to create gateway object from API

PhoneBoy — Thu, 27 Sep 2018 13:33:48 GMT

Technically speaking, if you have access to do it from SmartConsole and you have API access, you should also be able to do it from the API.

Can you confirm that the user is able to create a gateway object via SmartConsole using the same permissions profile?

Re: Permission to create gateway object from API

Bryan_Lee — Mon, 01 Oct 2018 08:50:41 GMT

Strangely, I could create the gateway object on Smart Console using that API admin credential, whereas creating gateway object via API call failed.

Looks like a bug?

Re: Permission to create gateway object from API

PhoneBoy — Mon, 01 Oct 2018 14:41:43 GMT

Seems that way.

In which case, we probably need a TAC case.

Re: Permission to create gateway object from API

Ofir_Shikolski — Mon, 01 Oct 2018 17:05:06 GMT

I can create it without any issues

mgmt_cli login -u user1 -p user1 > id.txt
mgmt_cli -s id.txt add simple-gateway name "Second_Security_Gateway" ip-address "11.1.1.10" firewall "true" vpn "true" interfaces.1.name eth0 interfaces.1.ipv4-address "11.1.1.10" interfaces.1.ipv4-network-mask "255.255.255.0" interfaces.1.anti-spoofing false interfaces.1.topology EXTERNAL
mgmt_cli -s id.txt publish
mgmt_cli -s id.txt logout

Do you have "write" access to common objects? by default, it is read while creating a new profile, search for " Others"

Re: Permission to create gateway object from API

Bryan_Lee — Tue, 02 Oct 2018 03:15:57 GMT

Hi Ofir, I have tried to assign all the privilege, and everything was write access. That was why I find it strange here. See the screenshot below for what you had indicated, write privilege was assigned.

I am running R80.10 Build 435.

Re: Permission to create gateway object from API

Ofir_Shikolski — Sat, 06 Oct 2018 18:14:29 GMT

I’m using R80.20

Are you able to check it with R80.20 ?

I will try to check it with my R80.10 MDM and I will update - I hope to do it this week or week later