Send and run TMSH commands

Overview

A network administrator can use BIG-IQ as a proxy to send a script of TMSH commands to run on a BIG-IP. For example, a BIG-IQ admin might use this to disable shell access for a specified non-admin user on the BIG-IP. The admin user of this BIG-IP is required to have advanced shell access enabled. See the documentation at K12029: Accessing the TMOS Shell for information about how to enable the Advanced Shell for an admin user of the BIG-IP. See the documentation at F5 TMSH Reference for information about TMSH commands.

REST Endpoint: /mgmt/shared/user-scripts

Requests

Send a POST request to the /mgmt/shared/user-scripts endpoint on the BIG-IQ to add a custom user script of TMSH commands.

POST /mgmt/shared/user-scripts

The JSON in the body of the POST request can contain the following parameters.

Request Parameters

The request parameters in a POST request.

Name         Type    Required  Description
description  string  False     Description of the custom user script
name         string  True      Name of the custom user script
script       string  True      Custom user script

Query Parameters

None

Response

HTTP/1.1 200 OK

The JSON in the response to the POST request can contain the following fields.

Name         Type    Description
id           string  The UUID of the user custom script
name         string  Name of the custom user script
description  string  Description of the custom user script
script       string  Custom user script
selfLink     string  URL of custom user script

Permissions

Role Allow
admin Yes

REST Endpoint: /mgmt/shared/user-script-execution

Requests

POST /mgmt/shared/user-script-execution

Send a POST request to the /mgmt/shared/user-script-execution endpoint on the BIG-IQ to run the script of TMSH commands. The JSON in the body of the POST request can contain the following parameters.

Request Parameters

The JSON in the POST request can include the following parameters.

Name              Type    Required  Description
deviceReferences  object  True      The reference to the BIG-IP which can run the custom script. This is the URL which identifies the BIG-IP.
     link         string  Required  URL value of the BIG-IP
name              string  True      Name of the custom user script
scriptReference   object  True      The reference to the custom user script. This is the URL returned as the value of selfLink, which identifies the custom user script.
     link         string  Required  URL value of the custom user script
timeoutInSeconds  number  True      Timeout in seconds

Query Parameters

None

Response

HTTP/1.1 200 OK

On success, the JSON in the response can contain fields which are similar to the body of the request.

Permissions

Role Allow
admin Yes

GET /mgmt/shared/user-script-execution/<script-id>

To check the status of the execution of a specific script, send a GET request to the endpoint and specify the id of the script.

Request Parameters

None

Query Parameters

None

Response

HTTP/1.1 200 OK

On success, the JSON in the response can contain fields which indicate the status of the TMSH commands.

Permissions

Role Allow
admin Yes

Examples

The following example adds and runs a script of TMSH commands that disables a specified user’s access to the shell. The user being disabled must not be an admin user.

1. Add the user script of TMSH commands

Send a POST to the /mgmt/shared/user-scripts endpoint of the BIG-IQ to add a script of TMSH commands named “disableShellAccess”. The body of the POST can contain the TMSH commands as the value of script. In the following example, the placeholder <not admin user name> represents the user name of a non-admin user.

POST https://<BIG-IQ>/mgmt/shared/user-scripts
{
    "name": "disableShellAccess",
    "description": "Disables a non-admin user access to shell",
    "script": "tmsh modify /auth user <not admin user name> shell none"
}

On success, the response to the POST can look similar to the following. The JSON in the body can include the values of id and selfLink, which are the UUID and URL that identifies the user script.

{
    "id": "8c091843-b80e-4f4a-91a7-5aaa12501ed8",
    "name": "disableShellAccess",
    "description": "Disables a non-admin user access to shell",
    "script": "tmsh modify /auth user <not admin user name> shell none",
    "generation": 1,
    "lastUpdateMicros": 1606940723803181,
    "kind": "shared:user-scripts:userscriptstate",
    "selfLink": "https://localhost/mgmt/shared/user-scripts/8c091843-b80e-4f4a-91a7-5aaa12501ed8"
}

2. Run the TMSH commands on the BIG-IP

Send a POST to the /mgmt/shared/user-script-execution endpoint of the BIG-IQ to start the execution of the script on the BIG-IP. In the following, the value of deviceReferences is the URL for the BIG-IP. The value of scriptReference is the URL of the selfLink of the script obtained in the previous step.

POST https://<BIG-IQ>/mgmt/shared/user-script-execution
{
    "name": "disableShellAccess",
    "deviceReferences": [{
            "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices/e0c5d64c-9cba-45af-93ed-6e45da63a6e3"
    }],
    "timeoutInSeconds": 600,
    "scriptReference": {
            "link": "https://localhost/mgmt/shared/user-scripts/8c091843-b80e-4f4a-91a7-5aaa12501ed8"
    }
}

3. Check the status of a specified user script

To check for the status and completion of the script, send a GET request to the /mgmt/shared/user-script-execution endpoint and specify the id of the script.

GET https://<BIG-IQ>/mgmt/shared/user-script-execution/ef16e813-0c62-499e-913c-c11ec757c826
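
The following Python code is an added example, not F5 code. It builds the request bodies for steps 1 and 2, validates the user name before it is placed in the TMSH command, and checks that the returned selfLink matches the returned id before using it as scriptReference. The allow-list pattern, the admin_users list, the post(path, body) transport and fake_post are assumptions made for illustration; a real transport would be an authenticated HTTPS session to the BIG-IQ.

```python
import re
# Assumed allow-list for account names; rejects spaces and shell metacharacters.
SAFE_USER = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,30}")
SCRIPT_PATH = "/mgmt/shared/user-scripts"
EXEC_PATH = "/mgmt/shared/user-script-execution"


def script_body(user, admin_users=("admin",)):
    """Body for POST /mgmt/shared/user-scripts (step 1)."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"unsafe user name: {user!r}")
    if user in admin_users:  # caller-supplied list of admin accounts (assumption)
        raise ValueError("the user being disabled must not be an admin user")
    return {
        "name": "disableShellAccess",
        "description": "Disables a non-admin user access to shell",
        "script": f"tmsh modify /auth user {user} shell none",
    }


def execution_body(script_state, device_link, timeout=600):
    """Body for POST /mgmt/shared/user-script-execution (step 2)."""
    link = script_state["selfLink"]
    # Only chain a selfLink that points at the script id BIG-IQ returned.
    if not link.endswith(f"{SCRIPT_PATH}/{script_state['id']}"):
        raise ValueError("selfLink does not match the returned script id")
    return {
        "name": script_state["name"],
        "deviceReferences": [{"link": device_link}],
        "timeoutInSeconds": timeout,
        "scriptReference": {"link": link},
    }


def disable_shell(post, user, device_link):
    """Steps 1 and 2 via post(path, body) -> dict, a hypothetical transport."""
    sent = script_body(user)
    created = post(SCRIPT_PATH, sent)
    if created.get("script") != sent["script"]:
        raise RuntimeError("BIG-IQ stored a different script than was sent")
    return post(EXEC_PATH, execution_body(created, device_link))


def fake_post(path, body):
    """Constructed stand-in for BIG-IQ, used to run the example offline."""
    if path == SCRIPT_PATH:
        uid = "8c091843-b80e-4f4a-91a7-5aaa12501ed8"  # id from the page's sample
        return {**body, "id": uid, "selfLink": f"https://localhost{SCRIPT_PATH}/{uid}"}
    return dict(body)
```

Calling disable_shell(fake_post, "jdoe", device_link) with the device URL from step 2 returns a body with the same shape as the step 2 request shown above.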