|
| 1 | +Examine permissions of the current login token |
| 2 | + |
| 3 | +Compatibility |
| 4 | +——————————————————————————————————————————————————— |
| 5 | +NetBackup 8.1.1 Linux/Unix master server |
| 6 | + |
| 7 | + |
| 8 | +Who is this for? |
| 9 | +--------------------------------------------------- |
| 10 | +NetBackup Administrators |
| 11 | +IT Operations Teams |
| 12 | + |
| 13 | + |
| 14 | +What is This? |
| 15 | +--------------------------------------------------- |
| 16 | +The NetBackup REST API will authenticate any valid user account provided to the login API. Not every user |
| 17 | +has permissions to do anything in NetBackup, however, and this script simply dumps the payload of the |
| 18 | +token returned by NetBackup. The token is a JSON Web Token (jwt - see RFC7519) and the "payload" here |
| 19 | +refers to the payload section of the jwt. The payload contains some standard JWT "claims" as well as some |
| 20 | +NetBackup-specific claims. Of particular interest is the contents of the claim "authz_context" which |
| 21 | +represents the permissions "granted" to this user. |
| 22 | + |
| 23 | +Setup: |
| 24 | +--------------------------------------------------- |
| 25 | +Perl 5.20.2 or later |
| 26 | + |
| 27 | +PERl modules required |
| 28 | +++ JSON |
| 29 | +++ Compress::Zlib |
| 30 | +++ MIME::Base64 |
| 31 | + |
| 32 | +This utility is written in perl and it has been developed and tested on RedHat Linux. |
| 33 | + |
| 34 | + |
| 35 | +Overview: |
| 36 | +--------------------------------------------------- |
| 37 | +Occasionally users have been stumped by the fact that the NetBackup REST login API successfully authenticates |
| 38 | +a user, but the resulting token results in http 401 Not Authorized responses to any of the other REST apis. |
| 39 | + |
| 40 | +The cause is nearly always that the user is not a known NetBackup administrator. Valid known NetBackup |
| 41 | +administrators are "root" on unix, "administrator" on windows, or any user account configured for Enhanced |
| 42 | +Auditing. For non-root users Enhanced Auditing is generally the answer and a helper script makeEAadmin.pl is |
| 43 | +also provided. |
| 44 | + |
| 45 | + |
| 46 | +Outline: |
| 47 | +--------------------------------------------------- |
| 48 | +A successful call to https://<yourmaster>:1556/netbackup/gateway/login will return a JSON Web Token in its |
| 49 | +response body. Use that token as a (string) argument to this script and the claims are displayed as a JSON |
| 50 | +document. In NetBackup 8.1.1, permission is generally all-or-nothing. Look for the specific API permissions |
| 51 | +in the "authz_context" claim such as |
| 52 | + "LIST_JOBS" : [ |
| 53 | + "*" |
| 54 | + ], |
| 55 | +This tells you that this token is issued with a grant to list jobs, and permission is on ALL jobs - ["*"]. |
| 56 | + |
| 57 | +In addition you may see a claim |
| 58 | + "is_admin" : "true", |
| 59 | +this indicates that your jwt is issued with the intent of granting all access a NetBackup administrator would |
| 60 | +have in previous versions of NetBackup. |
| 61 | + |
| 62 | +If the claims you see do not provide the permission you expected, your user account is not an administrator |
| 63 | +known to NetBackup. |
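Review bot: In the Outline section, "Use that token as a (string) argument to this script" has the user pass a live login token on the command line, where it lands in shell history and is visible in the process list to other accounts on the master server. The token is a bearer credential for the REST API, so consider having the script read it from stdin or a file and documenting that form instead. The README also never names the script or shows an invocation line; a short usage example under Setup would help. The required modules (JSON, Compress::Zlib, MIME::Base64) include nothing for signature verification, so it is worth stating explicitly that the output is the decoded payload and not a validated one, and explaining why Compress::Zlib is needed. Minor: "PERl" should be "Perl", the underline under "Compatibility" uses a different dash character than the other headings, and the HTTP 401 status is named "Unauthorized".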