Authorization
REST URI authorization is decided on the following:
URI access method (PUT, POST, DELETE, GET).
URI (URI string along with the JSON attributes).
Considerations
If URI authorization is enabled but no URI authorization is configured for a local, RADIUS, or TACACS+ user, execution of every URI is denied. This is the same behavior as command authorization.
The URI-Access, URI-String, and URI-JSON attributes are mandatory. The default value for URI Exception is permit. Only one value is allowed for URI-Access and URI-String; URI-JSON can carry a single attribute or multiple attributes separated by commas.
If the authentication and authorization methods configured for a user are different, URI authorization has no effect. This is the same behavior as command authorization.
The cli_batch URI carries its attributes in encoded form; it is denied or allowed only according to the authorized list of URIs, because the encoded data itself is not authorized. Aruba recommends permitting this URI only on a need basis.
URI authorization is disabled by default, like command authorization, and must be enabled through the aaa authorization command.
With the permit option, all the JSON attributes must match for the URI execution to succeed.
With deny option, at least one JSON attribute match will result in the denying of URI execution.
The match is performed only on the JSON attributes and not on the JSON values.
Local authorization
Each local authorization rule consists of the following parameters:
URI
JSON attribute
URI access method
permit or deny
Example URI Executed:
curl -X PUT http://10.100.106.244/rest/v2/vlans
{"collection_result":{"total_elements_count":1,"filtered_elements_count":1},
"vlan_element":[{"uri":"/vlans/1","vlan_id":1,"name":"DEFAULT_VLAN","status":
"VS_PORT_BASED","type":"VT_STATIC","is_voice_enabled":false,"is_jumbo_enabled":false,
"is_dsnoop_enabled":false,"is_dhcp_server_enabled":false}]}
The match-uri, match-json, and uri-access columns in the following table are the parameters of the aaa authorization group command:
match-uri | match-json | uri-access | Exception | Behavior |
--- | --- | --- | --- | --- |
.* | .* | .* | permit | All URIs will be allowed to execute. The above URI execution will be successful. |
v2 | .* | .* | permit | All URI options with v2 will be allowed. URIs with other versions will not be allowed. The above URI execution will be successful. |
v2/vlans | is_jumbo_enabled | PUT | permit | The URI with the JSON parameter is_jumbo_enabled will be executed for the PUT method. The above URI execution will not be successful, since not all JSON parameters in the URI being executed match. |
.* | is_jumbo_enabled | PUT | permit | Error is returned during configuration. |
v2/vlans | .* | .* | permit | The execution of all URIs that belong to v2/vlans will be allowed for all access methods. The above URI execution will be successful. |
v2 | is_jumbo_enabled | .* | permit | Any URI that belongs to v2 and has the JSON attribute is_jumbo_enabled will be allowed for execution. If there are any other JSON attributes, the response will be FAIL. |
.* | is_jumbo_enabled | .* | permit | Error is returned during configuration. |
.* | .* | GET | permit | All URIs with the GET access method will be allowed for execution. The above URI execution will fail. |
v2/vlans | .* | PUT | permit | All URI options with v2/vlans will be allowed for PUT. The above URI execution will be successful. |
.* | .* | .* | deny | All URIs will be rejected. |
v2 | .* | .* | deny | All URI options with v2 (version v2) will not be allowed for execution. URIs with other versions will be allowed. |
v2/vlans | is_jumbo_enabled | PUT | deny | The URI with v2/vlans, the JSON attribute is_jumbo_enabled, and the access method PUT will be denied; any other URI execution will be permitted. |
.* | is_jumbo_enabled | PUT | deny | Error is returned during configuration. |
v2/vlans | .* | .* | deny | The execution of URIs that belong to v2/vlans will not be allowed for any access method. |
v2 | is_jumbo_enabled | .* | deny | Any URI that belongs to v2 and has the JSON parameter is_jumbo_enabled will not be allowed. |
.* | is_jumbo_enabled | .* | deny | Error is returned during configuration. |
.* | .* | GET | deny | All GET URIs will not be allowed. URIs with other access methods will be successful. |
v2/vlans | .* | PUT | deny | All URI options with v2/vlans will not be allowed for PUT. Any other URI, or any other access method, will be allowed. |
RADIUS
Attribute | Attribute number | Type |
--- | --- | --- |
HP-URI-String (mandatory) | 80 | String |
HP-URI-Json-String (mandatory) | 81 | String |
HP-URI-Access (mandatory) | 82 | String |
HP-URI-Exception | 83 | Integer |
The value for HP-URI-Exception is 0 (permit) or 1 (deny). HP-URI-Exception is optional and defaults to permit.
The value for HP-URI-Access must be one of "GET", "POST", "PUT", "DELETE", or ".*" only (".*" refers to all access methods).
If HP-URI-String is configured with ".*", HP-URI-Json-String must be configured with ".*" only.
The attributes HP-URI-String, HP-URI-Access, and HP-URI-Exception must each be configured with a single value; HP-URI-Json-String can be configured with a single value or with multiple comma-separated values.
If any of the mandatory VSAs is not configured, or if HP-URI-Json-String is not the last attribute of a rule, authentication fails.
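The matching rules stated in the Considerations section and spelled out row by row in the local authorization table, together with the configuration constraints just listed (uri-access limited to the four methods or ".*", and a ".*" URI string allowed only with a ".*" JSON string), are reproduced below as an added Python model. It is example code written for this page, not Aruba's implementation; the request it evaluates is the page's own PUT to /rest/v2/vlans with the JSON shown above. One detail the page does not state, how a user with both permit and deny rules is resolved when several rules apply, is an assumption of the example and is marked as such in the code.

```python
"""Model of the REST URI authorization behaviour described on this page.

Added example, not Aruba's code: it encodes the documented
match-uri / match-json / uri-access / exception semantics so each
table row can be checked against the page's example request.
"""
import json
import re

ALLOWED_ACCESS = {"GET", "POST", "PUT", "DELETE", ".*"}


class RuleConfigError(ValueError):
    """Rule combinations the page says are rejected at configuration time."""


def make_rule(match_uri, match_json, uri_access, exception="permit"):
    """Validate one rule and return it as (uri regex, json attrs, access, exception)."""
    if uri_access not in ALLOWED_ACCESS:
        raise RuleConfigError(f"uri-access must be GET/POST/PUT/DELETE/.*, got {uri_access!r}")
    if match_uri == ".*" and match_json != ".*":
        raise RuleConfigError("match-json must be .* when match-uri is .*")
    if exception not in ("permit", "deny"):
        raise RuleConfigError(f"exception must be permit or deny, got {exception!r}")
    # match-json is a single attribute name or a comma-separated list of names
    return (match_uri, frozenset(a.strip() for a in match_json.split(",")), uri_access, exception)


def json_attribute_names(obj):
    """Collect every attribute name in a JSON document at any depth.

    Only names are collected: the page states that the match is made on
    JSON attributes, never on their values.
    """
    names = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            names.add(key)
            names |= json_attribute_names(value)
    elif isinstance(obj, list):
        for item in obj:
            names |= json_attribute_names(item)
    return names


def rule_matches(rule, method, uri, request_attrs):
    """Decide whether a single rule applies to the request."""
    match_uri, rule_attrs, uri_access, exception = rule
    if uri_access != ".*" and uri_access != method:
        return False
    if not re.search(match_uri, uri):
        return False
    if rule_attrs == frozenset({".*"}):
        return True
    if exception == "permit":
        # permit: every attribute in the request must be listed in the rule
        return request_attrs <= rule_attrs
    # deny: one listed attribute present in the request is enough
    return bool(request_attrs & rule_attrs)


def authorize(rules, method, uri, body=None):
    """Return "permit" or "deny" for one REST call under a list of rules.

    An empty rule list denies everything, as the page states for an enabled
    but unconfigured user. When no rule matches, a policy holding permit
    rules denies and a policy of only deny rules permits, matching the table.
    ASSUMPTION (not on the page): when rules of both kinds match, deny wins.
    """
    if not rules:
        return "deny"
    request_attrs = json_attribute_names(body) if body is not None else set()
    matched = [rule for rule in rules if rule_matches(rule, method, uri, request_attrs)]
    if any(rule[3] == "deny" for rule in matched):
        return "deny"
    if matched:
        return "permit"
    return "deny" if any(rule[3] == "permit" for rule in rules) else "permit"


# The page's worked example: the PUT to /rest/v2/vlans and the JSON shown under
# "Example URI Executed".
EXAMPLE_METHOD = "PUT"
EXAMPLE_URI = "/rest/v2/vlans"
EXAMPLE_BODY = json.loads(
    '{"collection_result":{"total_elements_count":1,"filtered_elements_count":1},'
    '"vlan_element":[{"uri":"/vlans/1","vlan_id":1,"name":"DEFAULT_VLAN","status":'
    '"VS_PORT_BASED","type":"VT_STATIC","is_voice_enabled":false,"is_jumbo_enabled":false,'
    '"is_dsnoop_enabled":false,"is_dhcp_server_enabled":false}]}'
)


def evaluate_example(match_uri, match_json, uri_access, exception="permit"):
    """Run one table row as the only rule against the page's example request."""
    rule = make_rule(match_uri, match_json, uri_access, exception)
    return authorize([rule], EXAMPLE_METHOD, EXAMPLE_URI, EXAMPLE_BODY)


if __name__ == "__main__":
    for row in [(".*", ".*", ".*", "permit"),
                ("v2/vlans", "is_jumbo_enabled", "PUT", "permit"),
                ("v2/vlans", "is_jumbo_enabled", "PUT", "deny"),
                (".*", ".*", "GET", "deny")]:
        print(row, "->", evaluate_example(*row))
```

The third row of the table is the one worth running first: a permit rule naming only is_jumbo_enabled fails the example request because the request carries other attributes too, while the same rule with deny blocks it because one attribute is enough. Rules with a ".*" URI string and a specific JSON string raise RuleConfigError, which is the page's "Error is returned during configuration".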
Both command and REST URI authorization parameters can be configured for a user in the RADIUS configuration file, for example:
user    Cleartext-Password := "user123"
        Service-Type = Administrative-User,
        Reply-Message = "Hello",
        HP-URI-String = ".*",
        HP-URI-Access = "PUT",
        HP-URI-Exception = 1,
        HP-URI-Json-String = ".*",
        HP-URI-String += ".*",
        HP-URI-Access += "GET",
        HP-URI-Json-String += ".*"
TACACS+
group = admin {
    default service = permit
    service = shell {
        priv-lvl = 15
    }
    deny "/rest/v3/vlans vlan_id name POST"
    permit .*
}
user = user1 {
    member = admin
    login = cleartext testing
    service = exec {
        priv-lvl = 15
    }
}
All the attributes in the TACACS+ string (URI, JSON attributes, and access method) must match for the entry to permit or deny.