Merge pull request #6 from tlkrinke/master

Add perl example for how to create an Enhanced Auditing admin

Author: shreyas-agnihotri

README.md

@@ -23,3 +23,9 @@ Pre-requisites:
 Use the following commands to run the python samples.
 - `python -W ignore get_nb_images.py -nbmaster <masterServer> -username <username> -password <password>`
 - `python -W ignore get_nb_jobs.py -nbmaster <masterServer> -username <username> -password <password>`
+
+#### Executing the snippets in Perl
+Pre-requisites:
+- NetBackup 8.1.1 or higher
+- See script README for perl requirements and usage
+

snippets/perl/README_makeEAadmin.txt

@@ -0,0 +1,71 @@
+Create API user for NetBackup 8.1.1 using Enhanced Auditing
+
+Compatibility
+———————————————————————————————————————————————————
+NetBackup 8.1.1 Linux/Unix master server
+NetBackup REST API version 1.0 
+(content type is application/vnd.netbackup+json;version=1.0)
+
+
+Who is this for?
+---------------------------------------------------
+NetBackup Administrators
+IT Operations Teams
+
+
+What is This?
+---------------------------------------------------
+This script is provided as a demonstration of how to create a non-root admin account to be used for the 
+purpose of invoking the NetBackup REST APIs.
+
+This deomonstration is written as a perl script and uses the perl module “UserAgent” to invoke https 
+requests to the NetBackup REST APIs.
+
+
+Setup:
+---------------------------------------------------
+Perl 5.20.2 or later
+
+PERl modules required
+++ LWP::UserAgent
+++ JSON
+++ HTTP
+
+This utility is written in perl, and is meant to be run directly on the NetBackup master server.  The caller of this utility must have sufficient priveleges to execute a NetBackup command line on the Master.  Although 
+it has been developed and tested on RedHat Linux, it should be compatible with any non-windows NetBackup 
+master server.  
+
+This utility can be easily modified to work with NetBackup master servers running on Windows platforms 
+as well, simply change the path to the necessary command lines and pay attention to the domain types of 
+the user account you are authenticating which will likely be the windows local host or an Active Directory 
+account.
+
+
+Overview:
+---------------------------------------------------
+This script provides an example of how to login to the NetBackup Rest APIs and get a "token" to be used in 
+subsequent REST API calls.  In this demonstration, the utility creates a new "fictional user" in NetBackup
+using the mechanisms described by the "Enhanced Auditing" mechanism in NetBackup. At the time of this writing, 
+NetBackup 8.1.1 will accept root, local/administrator and any Enhanced Auditing user as a fully-priveleged 
+REST API user.
+
+Once an administrator is created, the script demonstrates how to "login" to the REST API services and get 
+a token with 24 hour validity (this is NOT configurable), and then use this token to call other REST APIs. 
+
+
+Outline:
+---------------------------------------------------
+Setup: First a fictional user is added to "vx domain" using standard NetBackup command lines (bpnbat) for
+the purposes of testing.  Next, this new fictional user is added to the list of non-root administrators 
+in the Enhanced Auditing configuration, making this account pseudo root priveleged for the purposes of 
+NetBackup administration.
+
+APIs: The new administrator user is logged into the REST APIs and recieves a session token.  This token is
+captured and included in each subsequent API call as the contents of the standard http "Authorization" 
+header. The Front End Data report is run as an example of this. Finally the user is logged out of 
+NetBackup REST which ends the session associated with that toekn.
+
+Cleanup: Remove our fictional user from the Enhanced Auditing users list and remove the user account 
+from the vx domain.
+
+  

snippets/perl/makeEAadmin.pl

@@ -0,0 +1,158 @@
+#!/usr/bin/env perl
+
+use LWP::UserAgent;
+use LWP::Protocol::https;
+print "LWP::UserAgent: ".LWP::UserAgent->VERSION,"\n";
+print "LWP::Protocol::https: ".LWP::Protocol::https->VERSION,"\n";
+use JSON;
+
+$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
+
+#
+# The token is the key to the NetBackup AuthN/AuthZ scheme.  You must login and get a token
+# and use this token in your Authorization header for all subsequent requests.  Token validity
+# is fixed at 24 hours
+#
+my $token;
+
+#change this as per your host name
+$fqdn_hostname = "localhost";
+
+#
+# This script will use the "Enhanced Auditing" feature in NetBackup to create a non-root admin
+# account in NetBackup.  This admin account can then be used to invoke REST API requests.
+#
+
+print "\n\n Adding the user\n\n";
+system q["/usr/openv/netbackup/bin/bpnbat" -addUser testuser Test1234 vx];
+
+print "Enabling enhanced auditing...\n\n";
+system q[echo y|"/usr/openv/netbackup/bin/admincmd/bpnbaz" -SetupExAudit];
+
+print "Granting VxSS user administrator privileges...\n\n";
+system q["/usr/openv/netbackup/bin/admincmd/bpnbaz" -AddUser vx:vx:testuser];
+
+print "Add the new user to the EA user list...\n\n";
+my $auth_file = '/usr/openv/java/auth.conf';
+open(my $fh, '>>', $auth_file) or die "Could not open auth.conf";
+	say $fh "testuser ADMIN=All JBP=ALL";
+close $fh;
+
+print "Restarting services...";
+system q["/usr/openv/netbackup/bin/bp.kill_all"];
+system q["/usr/openv/netbackup/bin/bp.start_all"];
+
+#
+# for the sake of this test, ignore ssl certificate
+#
+my $ua = LWP::UserAgent->new(
+	timeout => 500,
+	ssl_opts => { verify_hostname => 0, SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE },
+);
+		 
+my $token_url = "https://$fqdn_hostname:1556/netbackup/login";
+
+my $req = HTTP::Request->new(POST => $token_url);
+$req->header('content-type' => 'application/json');
+ 
+my $post_data = '{ "domainType": "vx", "domainName": "vx", "userName": "testuser", "password": "Test1234" }';
+$req->content($post_data);
+ 
+print "**************************************************************";
+print "\n\n Making Post Request to login to get token \n\n";
+my $resp = $ua->request($req);
+if ($resp->is_success) {
+	my $message = decode_json($resp->content);
+	$token = $message->{"token"};
+    	print "Received token: $token\n";
+}
+else {
+    	print "HTTP POST error code: ", $resp->code, "\n";
+    	print "HTTP POST error message: ", $resp->message, "\n";
+	#die;  let this fall through to cleanup code
+}
+
+#
+# Here we use the Front End Data report as an example of how to use the token to invoke a
+# REST API request
+#
+my $url = "https://$fqdn_hostname:1556/netbackup/catalog/frontenddata";
+my $catalog_req = HTTP::Request->new(GET => $url);
+$catalog_req->header('Authorization' => $token);
+
+my $response = $ua->request($catalog_req);
+
+print "**************************************************************";
+print "\n\n Making Get Request to Catalog/FrontendData with token \n\n";
+if ($response->is_success) {
+    	print "/Catalog/frontenddata request was succesful \n\n";
+    
+    	$data = decode_json($response->content);
+    	my $pretty = JSON->new->pretty->encode($data);
+    	print "Received data \n$pretty\n\n\n";
+}
+else {
+    	print "HTTP GET error code: ", $response->code, "\n";
+    	print "HTTP GET error message: ", $response->message, "\n";
+	#die;  let this fall through to cleanup code	
+}
+
+#
+# Another example, list jobs...
+#
+my $url = "https://$fqdn_hostname:1556/netbackup/admin/jobs";
+my $jobs_req = HTTP::Request->new(GET => $url);
+$jobs_req->header('Authorization' => $token);
+
+my $response = $ua->request($jobs_req);
+
+print "**************************************************************";
+print "\n\n Making Get Request to list all jobs \n\n";
+if ($response->is_success) {
+        print "List jobs request was succesful \n\n";
+
+        $data = decode_json($response->content);
+        my $pretty = JSON->new->pretty->encode($data);
+        print "Received data \n$pretty\n\n\n";
+}
+else {
+        print "HTTP GET error code: ", $response->code, "\n";
+        print "HTTP GET error message: ", $response->message, "\n";
+        #die;  let this fall through to cleanup code    
+}
+
+
+
+#
+# Logging out will cleanup the session and invalidate the token immediately.
+# If you do not log out, the session expires after 24 hours.
+#
+print "**************************************************************";
+print "\n\nLogout of the REST APIs and cleanup the session(optional)\n";
+
+my $logout_url = "https://$fqdn_hostname:1556/netbackup/logout";
+my $logout_req = HTTP::Request->new(POST => $logout_url);
+$logout_req->header('content-type' => $content_type);
+$logout_req->header('Authorization' => $token);
+
+my $resp = $ua->request($logout_req);
+if ($resp->is_success) {
+    print "Successfully logged out\n\n";
+} else {
+    print "Failed to logout of the current session\n";
+    print "HTTP POST error code: ", $resp->code, "\n";
+    print "HTTP POST error message: ", $resp->message, "\n";
+    die;
+}
+
+
+print "Revoking the user's administrator privileges...\n\n";
+system q["/usr/openv/netbackup/bin/admincmd/bpnbaz" -DelUser vx:vx:testuser];
+
+print "Disabling enhanced auditing...\n\n";
+system q[echo y|"/usr/openv/netbackup/bin/admincmd/bpnbaz" -DisableExAudit];
+
+print "\n\n Deleting the user\n\n";
+system q["/usr/openv/netbackup/bin/bpnbat" -RemoveUser testuser vx];
+
+