Solved

REST API add role mappings


Userlevel 2
Badge +12
  • Trailblazer
  • 27 replies
Hi all,
I can set up directory authentication, but I do not see a way to add role mappings when searching through authconfig in the REST API explorer.

I am converting my cluster build script from a locally run Python script to using REST.

The last part of this is the role mapping, for which I used ncli:
ncli authconfig add-role-mapping name

Thanks in advance
J

Best answer by ShawnT 18 October 2017, 05:49

Hi Jason,

It is entirely possible to do exactly what you are looking to do. You will need to use an undocumented REST API v1 call:
https://cluster:9440/PrismGateway/services/rest/v1/authconfig/directories/{directoryName}/role_mappings

Here's some python3 pseudo-code:

CIP = "clusterIPorDNSname"
dirname = "YourDirectoryName"  # Name as you defined it in authconfig setup
uri = "https://" + CIP + ":9440/PrismGateway/services/rest/v1/authconfig/directories/" + dirname + "/role_mappings"
# 2 possible entity types (one of)
entity_type = "USER"
entity_type = "GROUP"
# Possible rolevalues are users or groups depending on entity_type (one of)
rolevalues = ["user1", "user2"]  # username, no @dirname needed
rolevalues = ["group1", "group2"]
# Possible roletypes (one of)
roletype = "ROLE_USER_ADMIN"
roletype = "ROLE_CLUSTER_ADMIN"
roletype = "ROLE_CLUSTER_VIEWER"
# With the above variables, here is your payload.
payload = {"directoryName": dirname, "role": roletype, "entityType": entity_type, "entityValues": rolevalues}

Using the building blocks above, there can never be more than 6 payload types:

  1. User Admin as Users
  2. User Admin as Groups
  3. Cluster Admin as Users
  4. Cluster Admin as Groups
  5. Viewer Only as Users
  6. Viewer Only as Groups

If the Role Mapping you are trying to create does not yet exist you will use a POST. If the Role Mapping you are trying to create exists you will use a PUT. Using PUT will overwrite anything that is there, so if you are trying to add a user or group to an existing Role Mapping rather than brute force replace it then you will need to GET what's there, add to the entityValues, then PUT it.

Hope that helps. Let me know either way!
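The GET-then-merge-then-PUT flow from the answer above, written out as an added example (not code from the answer or from Nutanix). It assumes the GET on the same role_mappings URL returns a JSON list of mapping objects shaped like the POST payload, and it validates the role and entityType against the three roles and two types listed above; FakeSession is a constructed offline stand-in for an authenticated requests.Session.

```python
import json

BASE = "https://{cip}:9440/PrismGateway/services/rest/v1"
VALID_ROLES = {"ROLE_USER_ADMIN", "ROLE_CLUSTER_ADMIN", "ROLE_CLUSTER_VIEWER"}
VALID_TYPES = {"USER", "GROUP"}

def mappings_url(cip, dirname):
    return BASE.format(cip=cip) + "/authconfig/directories/" + dirname + "/role_mappings"

def build_payload(dirname, role, entity_type, values):
    """Validate inputs and build the body; entityValues is always a list
    (sending a bare string is what produces a 400 later in this thread)."""
    if role not in VALID_ROLES or entity_type not in VALID_TYPES:
        raise ValueError("unknown role or entityType")
    if isinstance(values, str):
        values = [values]
    return {"directoryName": dirname, "role": role, "entityType": entity_type,
            "entityValues": sorted(set(values))}

def plan_upsert(existing, dirname, role, entity_type, values):
    """POST when no mapping for (role, entityType) exists, else merge the current
    entityValues and PUT, because PUT replaces the whole mapping. `existing` is
    the decoded GET body, assumed to be a list of dicts shaped like the payload."""
    values = [values] if isinstance(values, str) else list(values)
    for m in existing:
        if m.get("role") == role and m.get("entityType") == entity_type:
            merged = list(m.get("entityValues", [])) + values
            return "PUT", build_payload(dirname, role, entity_type, merged)
    return "POST", build_payload(dirname, role, entity_type, values)

def upsert_role_mapping(session, cip, dirname, role, entity_type, values):
    """GET, then POST or PUT, on an authenticated requests-style session.
    Leave TLS verification on so the admin credential only reaches the real cluster."""
    url = mappings_url(cip, dirname)
    existing = session.get(url).json()
    method, payload = plan_upsert(existing, dirname, role, entity_type, values)
    r = getattr(session, method.lower())(url, data=json.dumps(payload),
                                         headers={"Content-Type": "application/json"})
    return method, r.status_code, payload

class FakeSession:
    """Constructed offline stand-in for requests.Session; records every call."""
    class _Resp:
        def __init__(self, code, body=None): self.status_code, self._body = code, body
        def json(self): return self._body
    def __init__(self, mappings): self.mappings, self.calls = mappings, []
    def get(self, url, **kw): self.calls.append(("GET", url)); return self._Resp(200, list(self.mappings))
    def post(self, url, data, **kw): self.calls.append(("POST", url)); self.mappings.append(json.loads(data)); return self._Resp(200)
    def put(self, url, data, **kw): self.calls.append(("PUT", url)); return self._Resp(200)
```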


4 replies

Thanks for the reply Shawn,

This is exactly what I need, and the code example is very helpful.

Many thanks

Jason
I am getting a 400 response.

import json

def setGRP(self):
    GRPURL = self.base_url + "v1/authconfig/directories/DOMAIN/role_mappings"
    payload = {"directoryName": "DOMAIN",
               "role": "ROLE_CLUSTER_VIEWER",
               "entityType": "GROUP",
               "entityValues": "RG-OURGROUP-Readonly"}
    r = self.session.post(GRPURL, data=json.dumps(payload))
    print("Response code: %s" % r.status_code)
    print(GRPURL)

Trying to add a new group to the viewer role; the directory is already created.

Thanks
Ignore me, I missed that the entity value needs to be provided as an array.

It's working, many thanks.
