User with subresource access does not have permission to create/modify the following fields:(enabled)

Article ID: 405427

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

  1. User with subresource access does not have permission to create/modify the following fields:(enabled)
  2. User on the Avi controller needs the SUBRESOURCE_POOL_ENABLED subresource enabled to allow the user to disable/enable the pool.

 

Cause

1) The user has been assigned a role that has permission to edit pools.

2) Additionally, the role grants a subresource through the CLI (SUBRESOURCE_POOL_SERVER_ENABLED) that allows the user to disable/enable the pool members.

3) This configuration restricts the user from disabling/enabling the pool itself, which the user was able to do before the above subresource was added.

4) In this scenario, the subresource SUBRESOURCE_POOL_ENABLED must also be added using the CLI to allow the user to disable/enable the pool.

Resolution

  1. Modify the role assigned to the user as described below.
  2. The role shown below has write permission to edit the pool and pool members, but does not have permission to disable/enable the pool.
  3. Note privileges[2]: it allows write access to the pool member and, via the subresource SUBRESOURCE_POOL_SERVER_ENABLED, the privilege to disable/enable pool members, but the subresource SUBRESOURCE_POOL_ENABLED, which is needed to disable/enable the pool, is not added.

Role View from UI and CLI.

+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-##################                   |
| name                     | role-name-#############                   |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_VIRTUALSERVICE                 |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_VIRTUALSERVICE_ENABLED        |
| privileges[2]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_POOL                           |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_POOL_SERVER_ENABLED           |
+--------------------------+-------------------------------------------+

 

4. Check for the role assigned to the user from the CLI

    Log in to the controller.

shell
show user <username> | grep -i role

 

5. Check if the role exists.

    Log in to the controller.

shell
show role <role_name>

 

6. Follow the steps below to allow the user to disable/enable the entire pool. 

        Note: Use the privilege index already available for the pool. The index, as per the role here, is 2.

configure role <role_name>
 privileges index 2
  subresource
   subresources subresource_pool_enabled
  save
 save
save

     
7. After the update, the role should look as below.

+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| uuid                     | role-##################                   |
| name                     | role-name-#############                   |
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_VIRTUALSERVICE                 |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_VIRTUALSERVICE_ENABLED        |
| privileges[2]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_POOL                           |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_POOL_SERVER_ENABLED           |
|     subresources[2]      | SUBRESOURCE_POOL_ENABLED                  |
+--------------------------+-------------------------------------------+
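To audit roles for this condition before users hit the error, the following added example (not part of the original article and not VMware code) parses saved `show role` output and reports PERMISSION_POOL write privileges whose subresource list lacks SUBRESOURCE_POOL_ENABLED. The function names are hypothetical, the sample tables are constructed from the role shown above, and it assumes that `exclude_subresources` set to False makes the list an allow-list, which matches the behaviour described under Cause.

```python
import re

# Constructed sample: the article's "before" role (uuid/name rows omitted), as `show role` prints it.
ROLE_BEFORE = """\
+--------------------------+-------------------------------------------+
| Field                    | Value                                     |
+--------------------------+-------------------------------------------+
| privileges[1]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_VIRTUALSERVICE                 |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_VIRTUALSERVICE_ENABLED        |
| privileges[2]            |                                           |
|   type                   | WRITE_ACCESS                              |
|   resource               | PERMISSION_POOL                           |
|   subresource            |                                           |
|     exclude_subresources | False                                     |
|     subresources[1]      | SUBRESOURCE_POOL_SERVER_ENABLED           |
"""
# The same role after step 6 (closing pipe left off to show the parser tolerates truncated rows).
ROLE_AFTER = ROLE_BEFORE + "|     subresources[2]      | SUBRESOURCE_POOL_ENABLED\n"

# One "| field | value |" row; border lines start with "+" and never match.
ROW = re.compile(r"^\|[ \t]*(\S[^|\n]*?)[ \t]*\|[ \t]*([^|\n]*?)[ \t]*\|?[ \t]*$", re.M)

def parse_privileges(table):
    """Return {index: {'type', 'resource', 'exclude_subresources', 'subresources': [...]}}."""
    privs, cur = {}, None
    for field, value in ROW.findall(table):
        idx = re.fullmatch(r"privileges\[(\d+)\]", field)
        if idx:
            cur = privs.setdefault(int(idx.group(1)), {"subresources": []})
        elif cur is not None and field.startswith("subresources["):
            cur["subresources"].append(value)
        elif cur is not None and field in ("type", "resource", "exclude_subresources"):
            cur[field] = value
    return privs

def pools_missing_enable(table):
    """Indexes of pool write privileges whose subresource list omits SUBRESOURCE_POOL_ENABLED."""
    return [i for i, p in sorted(parse_privileges(table).items())
            if p.get("resource") == "PERMISSION_POOL" and p.get("type") == "WRITE_ACCESS"
            and p.get("exclude_subresources") == "False"  # assumption: False = list is an allow-list
            and p["subresources"] and "SUBRESOURCE_POOL_ENABLED" not in p["subresources"]]

if __name__ == "__main__":
    print("before:", pools_missing_enable(ROLE_BEFORE), "after:", pools_missing_enable(ROLE_AFTER))
```

A returned index is the value to use with `privileges index` in step 6.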

 

 

Additional Information