REST API add role mappings

Trailblazer

Hi all,

I can set up directory authentication but I do not see a way to add role mappings searching through authconfig on the REST API explorer.

I am converting my cluster build script from a locally run Python script to using REST.

The last part of this is the role mapping, for which I used ncli:

ncli authconfig add-role-mapping name

 

Thanks in advance

J

1 ACCEPTED SOLUTION

Nutanix Employee

Re: REST API add role mappings

Hi Jason,

 

It is entirely possible to do exactly what you are looking to do.  You will need to use an undocumented REST API v1 call:

https://cluster:9440/PrismGateway/services/rest/v1/authconfig/directories/{directoryName}/role_mappings

 

Here's some Python 3 pseudo-code:

CIP = "clusterIPorDNSname"
dirname = "YourDirectoryName"  # Name as you defined it in authconfig setup
uri = "https://" + CIP + ":9440/PrismGateway/services/rest/v1/authconfig/directories/" + dirname + "/role_mappings"

# 2 possible types
type = "USER"
type = "GROUP"

# Possible rolevalues are users or groups depending on type
rolevalues = ["user1", "user2"]  # username, no @dirname needed
rolevalues = ["group1", "group2"]

# Possible roletypes
roletype = "ROLE_USER_ADMIN"
roletype = "ROLE_CLUSTER_ADMIN"
roletype = "ROLE_CLUSTER_VIEWER"

# With the above variables, here is your payload.
payload = {"directoryName": dirname, "role": roletype, "entityType": type, "entityValues": rolevalues}

 

 

Using the building blocks above, there can never be more than 6 payload types:

  1. User Admin as Users
  2. User Admin as Groups
  3. Cluster Admin as Users
  4. Cluster Admin as Groups
  5. Viewer Only as Users
  6. Viewer Only as Groups

 

If the Role Mapping you are trying to create does not yet exist you will use a POST.  If the Role Mapping you are trying to create exists you will use a PUT. Using PUT will overwrite anything that is there, so if you are trying to add a user or group to an existing Role Mapping rather than brute force replace it then you will need to GET what's there, add to the entityValues, then PUT it.

 

Hope that helps.  Let me know either way!

4 REPLIES
Trailblazer

Re: REST API add role mappings

Thanks for the reply Shawn,

 

This is exactly what I need and the code example is very helpful

 

Many thanks

 

Jason

Trailblazer

Re: REST API add role mappings

I am getting a 400 response

 

  def setGRP(self):
      GRPURL = self.base_url + "v1/authconfig/directories/DOMAIN/role_mappings"
      payload = {"directoryName": "DOMAIN",
                 "role": "ROLE_CLUSTER_VIEWER",
                 "entityType": "GROUP",
                 "entityValues": "RG-OURGROUP-Readonly"
                 }
      r = self.session.post(GRPURL, data=json.dumps(payload))
      print "Response code: %s" % r.status_code
      print GRPURL

Trying to add a new group to the viewer role, directory is already created

 

Thanks

Trailblazer

Re: REST API add role mappings

Ignore me, I missed that the entity value needs to be provided as an array.

It's working, many thanks
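
The GET, merge, then PUT flow from the accepted answer, together with the list requirement for entityValues that caused the 400 above, as an added example (not code from the original posts or from Nutanix). It plans the request offline and reports which names would be newly granted the role; the shape of the GET response (a list of mappings using the same keys as the payload), the function names and the sample data are assumptions.

```python
# Added example: plan a role-mapping change offline (no network calls).
ROLES = {"ROLE_USER_ADMIN", "ROLE_CLUSTER_ADMIN", "ROLE_CLUSTER_VIEWER"}
ENTITY_TYPES = {"USER", "GROUP"}


def build_payload(directory, role, entity_type, values):
    """Validate inputs and return the payload dict from the accepted answer."""
    if role not in ROLES:
        raise ValueError("unknown role: %r" % (role,))
    if entity_type not in ENTITY_TYPES:
        raise ValueError("unknown entityType: %r" % (entity_type,))
    # A bare string here is what produced the 400 in the thread.
    if not isinstance(values, (list, tuple)):
        raise TypeError("entityValues must be a list of names, not %s"
                        % type(values).__name__)
    if not values or not all(isinstance(v, str) and v.strip() for v in values):
        raise ValueError("entityValues must contain non-empty strings")
    # dict.fromkeys drops duplicate names while keeping their order.
    return {"directoryName": directory, "role": role,
            "entityType": entity_type,
            "entityValues": list(dict.fromkeys(values))}


def plan_change(existing, directory, role, entity_type, values):
    """Return (http_method, payload, newly_granted) for one role mapping.

    `existing` is the parsed GET response for the directory; assumed here
    to be a list of dicts using the same keys as the payload.
    """
    wanted = build_payload(directory, role, entity_type, values)
    for mapping in existing:
        if (mapping.get("role"), mapping.get("entityType")) == (role, entity_type):
            current = list(mapping.get("entityValues", []))
            added = [v for v in wanted["entityValues"] if v not in current]
            # PUT overwrites, so send the current members plus the new ones.
            wanted["entityValues"] = current + added
            return "PUT", wanted, added
    return "POST", wanted, list(wanted["entityValues"])


# Constructed sample of an existing mapping, not captured from a cluster.
SAMPLE_EXISTING = [{"directoryName": "DOMAIN", "role": "ROLE_CLUSTER_VIEWER",
                    "entityType": "GROUP", "entityValues": ["RG-Existing"]}]
```

Logging the third return value before sending the request gives a record of exactly which users or groups gained the role.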