What is the permission required for API to create a gateway object?
I have created a role using custom mode so I can remove the excessive privileges later, and I have assigned all the possible privileges with write permission. I am still getting a runtime error when creating a simple gateway object from Ansible. It works fine if the role is given full write permission.
Error message below:
fatal: [127.0.0.1]: FAILED! => {"changed": false, "failed": true, "msg": "Command 'add-simple-gateway {u'one-time-password': u'aaa12345', u'interfaces': [{u'ipv4-network-mask': u'255.255.255.0', u'anti-spoofing': u'true', u'ipv4-address': u'10.0.1.88', u'name': u'eth0', u'topology': u'External'}, {u'anti-spoofing': u'true', u'name': u'eth1', u'topology-settings': {u'ip-address-behind-this-interface': u'network defined by the interface ip and net mask'}, u'ipv4-network-mask': u'255.255.255.0', u'ipv4-address': u'172.16.1.88', u'topology': u'Internal'}], u'name': u'demo_gateway', u'ip-address': u'192.0.1.88', u'comments': u'added by Ansible'}' failed with error message: Runtime error: Error reading XMLStreamReader: Unexpected EOF in prolog at javax.xml.stream.SerializableLocation@c1137a34. All changes are discarded and the session is invalidated."}
Technically speaking, if you have access to do it from SmartConsole and you have API access, you should also be able to do it from the API.
Can you confirm that the user is able to create a gateway object via SmartConsole using the same permissions profile?
Strangely, I could create the gateway object in SmartConsole using that API admin credential, whereas creating the gateway object via an API call failed.
Looks like a bug?
Seems that way.
In which case, we probably need a TAC case.
I can create it without any issues:
mgmt_cli login -u user1 -p user1 > id.txt
mgmt_cli -s id.txt add simple-gateway name "Second_Security_Gateway" ip-address "11.1.1.10" firewall "true" vpn "true" interfaces.1.name eth0 interfaces.1.ipv4-address "11.1.1.10" interfaces.1.ipv4-network-mask "255.255.255.0" interfaces.1.anti-spoofing false interfaces.1.topology EXTERNAL
mgmt_cli -s id.txt publish
mgmt_cli -s id.txt logout
Do you have "write" access to common objects? By default, it is read when creating a new profile; search for "Others".
Hi Ofir, I have tried to assign all the privileges, and everything was write access. That is why I find it strange here. See the screenshot below for what you had indicated; write privilege was assigned.
I am running R80.10 Build 435.
I'm using R80.20.
Are you able to check it with R80.20?
I will try to check it with my R80.10 MDM and I will update. I hope to do it this week or a week later.