Re-import Device-specific configuration for Access groups
Overview
An Access group helps synchronize Access policies across multiple devices. Devices that need a common set of Access policies must be added to the Access group in order to have a synchronized configuration. After an Access group configuration is deployed to the devices in the group, BIG-IP devices can make additional changes to the deployed configuration. These device-specific changes must be re-imported back into the Access group configuration for the devices.
This document describes the necessary APIs and steps to re-import device-specific configuration back from devices into an Access group.
Prerequisites
To re-import a device-specific configuration for devices in an Access group, the following prerequisites must be met.
- The BIG-IQ system is operational, has completed the setup, and has all the system level configurations in place.
- An Access group is created with zero or more devices.
- Devices from which the configuration must be re-imported already belong to an Access group.
- Users have the necessary RBAC permissions (the “Trust Discovery and Import” role) to re-import device-specific configuration back into an Access group.
Required Information
In addition to the prerequisites, users must provide the following to re-import device-specific configuration for devices in an Access group.
- An Access group Name
- BIG-IP Device Reference for devices in BIG-IQ.
Actions
Using the BIG-IQ API, users can complete the following actions to collect necessary information and re-import a device-specific configuration for one or more devices in an Access group.
- List existing BIG-IP devices.
- Initiate and monitor the “Discovery and Import Controller” task to re-import device-specific configuration for one or more devices in an Access group.
List existing BIG-IP devices
To list existing BIG-IP devices discovered in the BIG-IQ system, users must use the “MachineID Resolver” API. This API lists all the BIG-IP devices discovered in the system. Any device that has "properties/cm-access-allBigIpDevices/cm:access:access-group-name": "<access_group_name>" belongs to the <access_group_name> Access group.
GET https://<management_ip>/mgmt/cm/system/machineid-resolver
Response
{
"items": [
{
"uuid": "77dab84d-4fab-498a-83d2-7c839b095229",
"deviceUri": "https://<device_ip_address>:<device_https_port>",
"machineId": "77dab84d-4fab-498a-83d2-7c839b095229",
"state": "ACTIVE",
"address": "<device_ip_address>",
"httpsPort": <device_https_port>,
"hostname": "<device_host_name>",
"version": "13.1.0",
"product": "BIG-IP",
"edition": "Final",
"build": "0.0.1843",
"restFrameworkVersion": "13.1.0-0.0.1843",
"managementAddress": "<device_ip_address>",
"mcpDeviceName": "/Common/<device_name>",
"trustDomainGuid": "ca44652e-43c4-4f46-8b97005056b0a86c",
"properties": {
"cm:gui:module": [
"BigIPDevice"
],
"modules": [],
"cm-access-allDevices": {
"cm:gui:module": [
"Access"
],
"modules": [
"All Access managed BIG-IP devices"
]
},
"cm-access-allBigIpDevices": {
"discovered": true,
"imported": true,
"clusterName": "cluster_1",
"supportsIncrementalDiscovery": true,
"lastDiscoveredDateTime": "2018-02-08T12:30:21.363Z",
"discoveryStatus": "FINISHED",
"lastUserDiscoveredDateTime": "2018-02-08T12:30:21.363Z",
"cm:access:access-group-name": "<access_group_name>",
"cm:access:swg-provisioned": true,
"cm:access:access-group-device-link": "https://localhost/mgmt/shared/resolver/device-groups/TEST/devices/3b556a3e-0ef8-4805-9c9c-b403e673dff2",
"cm:access:import-version": "13.1.0",
"cm:access:access-group-link": "https://localhost/mgmt/shared/resolver/device-groups/TEST",
"importedDateTime": "2018-02-08T12:31:06.540Z",
"importStatus": "FINISHED",
"cm:gui:module": [
"Access"
],
"modules": [
"All Access managed BIG-IP devices"
]
},
"cm-adccore-allbigipDevices": {
"discovered": true,
"imported": true,
"clusterName": "cluster_1",
"supportsIncrementalDiscovery": true,
"lastDiscoveredDateTime": "2018-02-08T12:29:48.021Z",
"discoveryStatus": "FINISHED",
"lastUserDiscoveredDateTime": "2018-02-08T12:29:48.021Z",
"importedDateTime": "2018-02-08T12:30:38.836Z",
"importStatus": "FINISHED",
"cm:gui:module": [
"adc"
],
"modules": []
},
"cm-bigip-allBigIpDevices": {
"cm:gui:module": [
"BigIPDevice"
],
"shared:resolver:device-groups:discoverer": "30f43266-b545-4ac8-b64e-d524d2e13730",
"modules": []
},
"cm-bigip-allDevices": {
"shared:resolver:device-groups:discoverer": "30f43266-b545-4ac8-b64e-d524d2e13730",
"cm:gui:module": [],
"modules": []
}
},
"isClustered": false,
"isVirtual": true,
"isLicenseExpired": false,
"slots": [],
"kind": "shared:resolver:device-groups:restdeviceresolverdevicestate",
"selfLink": "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
}
],
"selfLink": "http://localhost:8100/cm/system/machineid-resolver"
}
Initiate and Monitor the “Device Discovery and Import Controller” task to add new devices to an Access group
To add one or more new devices to an Access group, users must use the “Device Discovery and Import Controller” task. An Access group name and one or more device selfLink values obtained from “List existing BIG-IP Devices” are used to complete this step.
POST https://<management_ip>/mgmt/cm/global/tasks/device-discovery-import-controller
{
"name" : "reimport_device_specific_config_in_access_group",
"operationalMode": "EXISTING_DEVICE",
"deviceDetails": [{
"deviceReference" : {"link":"https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"}
}],
"conflictPolicy": "USE_BIGIP",
"deviceConflictPolicy": "USE_BIGIP",
"snapshotWorkingConfig": true,
"accessGroupName": "<access_group_name>"
}
Poll for the status of the task until the task status changes to FINISHED or FAILED state. When the task completes, the device import status can be obtained from the deviceStatus field for each device.
GET https://<management_ip>/mgmt/cm/global/tasks/device-discovery-import-controller/<task_id>
Response
{
"accessGroupName": "<access_group_name>",
"conflictPolicy": "USE_BIGIP",
"currentStep": "DISCOVER_DEVICES",
"deviceConflictPolicy": "USE_BIGIP",
"deviceDetails": [
{
"deviceReference": {
"link": "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
},
"moduleList": [
{
"module": "adc_core"
},
{
"module": "access",
"properties": {
"cm:access:conflict-resolution": "accept",
"cm:access:access-group-name": "<access_group_name>",
"cm:access:import-shared": false
}
}
],
"deviceStatus": "DISCOVERY_STAGE"
}
],
"identityReferences": [
{
"link": "https://localhost/mgmt/shared/authz/users/admin"
}
],
"kind": "cm:global:tasks:device-discovery-import-controller:discoveryandimportcontrollertaskitemstate",
"name": "reimport_device_specific_config_in_access_group",
"operationalMode": "EXISTING_DEVICE",
"ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
"selfLink": "https://localhost/mgmt/cm/global/tasks/device-discovery-import-controller/19426d42-2b9b-48ad-aa61-e83460982933",
"snapshotWorkingConfig": true,
"startDateTime": "2018-02-08T05:34:08.952-0800",
"status": "STARTED",
"userReference": {
"link": "https://localhost/mgmt/shared/authz/users/admin"
},
"username": "admin"
}
GET https://<management_ip>/mgmt/cm/global/tasks/device-discovery-import-controller/<task_id>
Response
{
"accessGroupName": "<access_group_name>",
"conflictPolicy": "USE_BIGIP",
"currentStep": "DONE",
"deviceConflictPolicy": "USE_BIGIP",
"deviceDetails": [
{
"deviceReference": {
"link": "https://localhost/mgmt/cm/system/machineid-resolver/77dab84d-4fab-498a-83d2-7c839b095229"
},
"moduleList": [
{
"module": "adc_core"
},
{
"module": "access",
"properties": {
"cm:access:conflict-resolution": "accept",
"cm:access:access-group-name": "<access_group_name>",
"cm:access:import-shared": false
}
}
],
"deviceStatus": "FINISHED",
"superDiscoveryTaskReference": {
"link": "https://localhost/mgmt/cm/global/tasks/device-discovery/549d8858-56e8-4fd6-874b-414543201061"
},
"superImportTaskReference": {
"link": "https://localhost/mgmt/cm/global/tasks/device-import/2835042a-c75a-4ce1-9939-d4bfd365622e"
}
}
],
"endDateTime": "2018-02-08T05:35:07.102-0800",
"identityReferences": [
{
"link": "https://localhost/mgmt/shared/authz/users/admin"
}
],
"kind": "cm:global:tasks:device-discovery-import-controller:discoveryandimportcontrollertaskitemstate",
"name": "reimport_device_specific_config_in_access_group",
"operationalMode": "EXISTING_DEVICE",
"ownerMachineId": "30f43266-b545-4ac8-b64e-d524d2e13730",
"selfLink": "https://localhost/mgmt/cm/global/tasks/device-discovery-import-controller/19426d42-2b9b-48ad-aa61-e83460982933",
"snapshotWorkingConfig": true,
"startDateTime": "2018-02-08T05:34:08.952-0800",
"status": "FINISHED",
"userReference": {
"link": "https://localhost/mgmt/shared/authz/users/admin"
},
"username": "admin"
}
Result
By using the BIG-IQ API to perform the above tasks, users can write a script for re-importing a device-specific configuration for devices in an Access group.
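The steps above as the core of such a script, written in Python as an added example (not F5's code): it selects device selfLinks by Access group from a MachineID Resolver response, builds the task body shown in the POST example, and polls until the task reaches FINISHED or FAILED. The HTTP call is left to a caller-supplied `get_task` function, and the function names, sample UUIDs and group names are constructed for illustration.

```python
import time

GROUP_KEY = "cm:access:access-group-name"
RESOLVER = "https://localhost/mgmt/cm/system/machineid-resolver/"
# Constructed sample of a machineid-resolver response (trimmed to the fields used).
SAMPLE = {"items": [
    {"selfLink": RESOLVER + "00000000-0000-0000-0000-000000000001",
     "properties": {"cm-access-allBigIpDevices": {GROUP_KEY: "group_a"}}},
    {"selfLink": RESOLVER + "00000000-0000-0000-0000-000000000002",
     "properties": {"cm-access-allBigIpDevices": {GROUP_KEY: "group_b"}}},
    {"selfLink": RESOLVER + "00000000-0000-0000-0000-000000000003",
     "properties": {}},  # discovered, but carries no Access properties
]}

def devices_in_group(resolver_response, group):
    """Return selfLinks of devices whose Access properties name `group`."""
    return [item["selfLink"] for item in resolver_response.get("items", [])
            if item.get("properties", {}).get("cm-access-allBigIpDevices", {})
                   .get(GROUP_KEY) == group]

def build_reimport_task(group, links):
    """Request body with the fields and values of the page's POST example."""
    if not links:
        raise ValueError(f"no devices found in Access group {group!r}")
    return {
        "name": "reimport_device_specific_config_in_access_group",
        "operationalMode": "EXISTING_DEVICE",
        "deviceDetails": [{"deviceReference": {"link": link}} for link in links],
        "conflictPolicy": "USE_BIGIP",
        "deviceConflictPolicy": "USE_BIGIP",
        "snapshotWorkingConfig": True,
        "accessGroupName": group,
    }

def wait_for_task(get_task, timeout=600, interval=5, sleep=time.sleep):
    """Poll get_task() until FINISHED or FAILED; return {device link: deviceStatus}."""
    deadline = time.monotonic() + timeout
    task = get_task()
    while task.get("status") not in ("FINISHED", "FAILED"):
        if time.monotonic() >= deadline:
            raise TimeoutError(f"task stuck at step {task.get('currentStep')!r}")
        sleep(interval)
        task = get_task()
    devices = {d["deviceReference"]["link"]: d.get("deviceStatus")
               for d in task.get("deviceDetails", [])}
    # Assumption: only FINISHED, the value the page shows, counts as success.
    if task["status"] != "FINISHED" or set(devices.values()) - {"FINISHED"}:
        raise RuntimeError(f"re-import incomplete: {task['status']} {devices}")
    return devices
```

In a real run, `get_task` would issue the authenticated GET on the task's selfLink returned by the POST and return the parsed JSON.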