Merge branch 'master' into feature/sample-api-policy-python

kcvemula · kcvemula · commit acc18e9f971f · 2018-07-10T13:20:59.000-05:00
diff --git a/README.md b/README.md
@@ -39,3 +39,17 @@ Pre-requisites:
 - NetBackup 8.1.1 or higher
 - See script README for perl requirements and usage
 
+#### Executing the snippets using curl
+Pre-requisites:
+- NetBackup 8.1.1 or higher
+- curl 7.51.0 or higher
+- jq command-line parser (https://github.com/stedolan/jq/releases)
+
+Use the following commands to run the curl samples.
+- `./get_nb_jobs.sh -master <master_server> -username <username> -password <password>`
+- `./get_nb_images.sh -master <master_server> -username <username> -password <password>`
+
+#### Tools
+The `tools` folder contains utilities that have proven useful in the development of projects using
+NetBackup REST APIs, but do not provide any API usage examples.  Again, these tools are not for
+production use, but they may be of some use in your work.
diff --git a/snippets/curl/get_nb_images.sh b/snippets/curl/get_nb_images.sh
@@ -0,0 +1,101 @@
+!/bin/sh
+
+#####################n#####################################################
+
+# This script demonstrates the usage of netbackup REST API for listing 
+# the backup images
+
+# This script requires jq command-line JSON parser 
+# if your system does not have jq installed, this will not work
+# jq can be downloaded from here: https://github.com/stedolan/jq/releases
+
+###########################################################################
+
+port=1556
+master_server=""
+username=""
+password=""
+domainname=""
+domaintype=""
+
+showHelp()
+{
+	echo ""
+	echo "Invalid command parameters"
+	echo "Usage:"
+	echo "./get_nb_images.sh -master <master_server> -username <username> -password <password> -domainname <dname> -domaintype <unixpwd/nt>"
+	echo ""
+	exit 1
+}
+
+parseArguments()
+{
+	if [ $# -lt 6 ]; then
+		showHelp
+	fi
+	
+	while [ "$1" != "" ]; do
+		case $1 in
+			-master)
+				master_server=$2
+				;;
+			-username)
+				username=$2
+				;;
+			-password)
+				password=$2
+				;;
+			-domainname)
+				domainname=$2
+				;;
+			-domaintype)
+				domaintype=$2
+				;;
+			*)
+				showHelp
+				;;
+		esac
+		shift 2
+	done
+	
+	if [ -z "$master_server" ] || [ -z "$username" ] || [ -z "$password" ] || [ -z "$domainname" ] || [ -z "$domaintype" ]; then
+		showhelp
+	fi
+
+	if [ "${domaintype^^}" = "WINDOWS" ] || [ "${domaintype^^}" = "NT" ]; then
+		domaintype="nt"
+	fi
+}
+
+###############main############
+
+parseArguments "$@"
+
+basepath="https://$master_server:$port/netbackup"
+content_header='content-type:application/json'
+
+##############login#############
+
+uri="$basepath/login"
+
+data=$(jq --arg name $username --arg pass $password --arg dname $domainname --arg dtype $domaintype \
+		--null-input '{userName: $name, password: $pass, domainName: $dname, domainType: $dtype}')
+
+jwt=$(curl -k -X POST $uri -H $content_header -d "$data" | jq --raw-output '.token')
+
+param1="filter=policyType eq 'Standard'"
+param2="page[limit]=10"
+
+##############jobs##############
+
+auth_header="authorization:$jwt"
+uri="$basepath/catalog/images"
+
+curl --insecure --request  GET --globoff --get $uri  -H $content_header -H $auth_header \
+	--data-urlencode "$param1" \
+	--data-urlencode "$param2" \
+	| \
+	jq '[.data[]|{IMAGE_ID: .id, POLICY: .attributes.policyName, CLIENT: .attributes.clientName, BACKUP_TIME: .attributes.backupTime}]'
+
+exit 0
+
diff --git a/snippets/curl/get_nb_jobs.sh b/snippets/curl/get_nb_jobs.sh
@@ -0,0 +1,100 @@
+!/bin/sh
+
+
+#####################n#####################################################
+
+# This script demonstrates the usage of netbackup REST API for listing the jobs
+
+# This script requires jq command-line JSON parser 
+# if your system does not have jq installed, this will not work
+# jq can be downloaded from here: https://github.com/stedolan/jq/releases
+
+###########################################################################
+
+port=1556
+master_server=""
+username=""
+password=""
+domainname=""
+domaintype=""
+
+showHelp()
+{
+	echo ""
+	echo "Invalid command parameters"
+	echo "Usage:"
+	echo "./get_nb_jobs.sh -master <master_server> -username <username> -password <password> -domainname <dname> -domaintype <unixpwd/nt>"
+	echo ""
+	exit 1
+}
+
+parseArguments()
+{
+	if [ $# -lt 10 ]; then
+		showHelp
+	fi
+	
+	while [ "$1" != "" ]; do
+		case $1 in
+			-master)
+				master_server=$2
+				;;
+			-username)
+				username=$2
+				;;
+			-password)
+				password=$2
+				;;
+			-domainname)
+				domainname=$2
+				;;
+			-domaintype)
+				domaintype=$2
+				;;
+			*)
+				showHelp
+				;;
+		esac
+		shift 2
+	done
+	
+	if [ -z "$master_server" ] || [ -z "$username" ] || [ -z "$password" ] || [ -z "$domainname" ] || [ -z "$domaintype" ]; then
+		showhelp
+	fi
+
+	if [ "${domaintype^^}" = "WINDOWS" ] || [ "${domaintype^^}" = "NT" ]; then
+		domaintype="nt"
+	fi
+}
+
+###############main#############
+
+parseArguments "$@"
+
+basepath="https://$master_server:$port/netbackup"
+content_header='content-type:application/json'
+
+##############login#############
+
+uri="$basepath/login"
+
+data=$(jq --arg name $username --arg pass $password --arg dname $domainname --arg dtype $domaintype \
+		--null-input '{userName: $name, password: $pass, domainName: $dname, domainType: $dtype}')
+
+jwt=$(curl -k -X POST $uri -H $content_header -d "$data" | jq --raw-output '.token')
+
+param1="filter=jobType eq 'BACKUP'"
+param2="page[limit]=10"
+
+##############jobs##############
+
+auth_header="authorization:$jwt"
+uri="$basepath/admin/jobs"
+
+curl --insecure --request GET --globoff --get $uri  -H $content_header -H $auth_header \
+	--data-urlencode "$param1" \
+	--data-urlencode "$param2" \
+	| \
+	jq '[.data[]|{JOBID: .id, TYPE: .attributes.jobType, STATE: .attributes.state, STATUS: .attributes.status}]'
+exit 0
+
diff --git a/snippets/perl/README_makeEAadmin.txt b/snippets/perl/README_makeEAadmin.txt
@@ -18,7 +18,7 @@ What is This?
 This script is provided as a demonstration of how to create a non-root admin account to be used for the 
 purpose of invoking the NetBackup REST APIs.
 
-This deomonstration is written as a perl script and uses the perl module “UserAgent” to invoke https 
+This demonstration is written as a perl script and uses the perl module “UserAgent” to invoke https 
 requests to the NetBackup REST APIs.
 
 
@@ -31,7 +31,7 @@ PERl modules required
 ++ JSON
 ++ HTTP
 
-This utility is written in perl, and is meant to be run directly on the NetBackup master server.  The caller of this utility must have sufficient priveleges to execute a NetBackup command line on the Master.  Although 
+This utility is written in perl, and is meant to be run directly on the NetBackup master server.  The caller of this utility must have sufficient privileges to execute a NetBackup command line on the Master.  Although 
 it has been developed and tested on RedHat Linux, it should be compatible with any non-windows NetBackup 
 master server.  
 
@@ -46,7 +46,7 @@ Overview:
 This script provides an example of how to login to the NetBackup Rest APIs and get a "token" to be used in 
 subsequent REST API calls.  In this demonstration, the utility creates a new "fictional user" in NetBackup
 using the mechanisms described by the "Enhanced Auditing" mechanism in NetBackup. At the time of this writing, 
-NetBackup 8.1.1 will accept root, local/administrator and any Enhanced Auditing user as a fully-priveleged 
+NetBackup 8.1.1 will accept root, local/administrator and any Enhanced Auditing user as a fully-privileged 
 REST API user.
 
 Once an administrator is created, the script demonstrates how to "login" to the REST API services and get 
@@ -57,13 +57,13 @@ Outline:
 ---------------------------------------------------
 Setup: First a fictional user is added to "vx domain" using standard NetBackup command lines (bpnbat) for
 the purposes of testing.  Next, this new fictional user is added to the list of non-root administrators 
-in the Enhanced Auditing configuration, making this account pseudo root priveleged for the purposes of 
+in the Enhanced Auditing configuration, making this account pseudo root privileged for the purposes of 
 NetBackup administration.
 
-APIs: The new administrator user is logged into the REST APIs and recieves a session token.  This token is
+APIs: The new administrator user is logged into the REST APIs and receives a session token.  This token is
 captured and included in each subsequent API call as the contents of the standard http "Authorization" 
 header. The Front End Data report is run as an example of this. Finally the user is logged out of 
-NetBackup REST which ends the session associated with that toekn.
+NetBackup REST which ends the session associated with that token.
 
 Cleanup: Remove our fictional user from the Enhanced Auditing users list and remove the user account 
 from the vx domain.
diff --git a/snippets/perl/makeEAadmin.pl b/snippets/perl/makeEAadmin.pl
@@ -32,12 +32,6 @@
 print "Granting VxSS user administrator privileges...\n\n";
 system q["/usr/openv/netbackup/bin/admincmd/bpnbaz" -AddUser vx:vx:testuser];
 
-print "Add the new user to the EA user list...\n\n";
-my $auth_file = '/usr/openv/java/auth.conf';
-open(my $fh, '>>', $auth_file) or die "Could not open auth.conf";
-	say $fh "testuser ADMIN=All JBP=ALL";
-close $fh;
-
 print "Restarting services...";
 system q["/usr/openv/netbackup/bin/bp.kill_all"];
 system q["/usr/openv/netbackup/bin/bp.start_all"];
@@ -85,7 +79,7 @@
 print "**************************************************************";
 print "\n\n Making Get Request to Catalog/FrontendData with token \n\n";
 if ($response->is_success) {
-    	print "/Catalog/frontenddata request was succesful \n\n";
+    	print "/Catalog/frontenddata request was successful \n\n";
     
     	$data = decode_json($response->content);
     	my $pretty = JSON->new->pretty->encode($data);
@@ -109,7 +103,7 @@
 print "**************************************************************";
 print "\n\n Making Get Request to list all jobs \n\n";
 if ($response->is_success) {
-        print "List jobs request was succesful \n\n";
+        print "List jobs request was successful \n\n";
 
         $data = decode_json($response->content);
         my $pretty = JSON->new->pretty->encode($data);
diff --git a/tools/perl/README_tokendump.txt b/tools/perl/README_tokendump.txt
@@ -0,0 +1,63 @@
+Examine permissions of the current login token
+
+Compatibility
+———————————————————————————————————————————————————
+NetBackup 8.1.1 Linux/Unix master server
+
+
+Who is this for?
+---------------------------------------------------
+NetBackup Administrators
+IT Operations Teams
+
+
+What is This?
+---------------------------------------------------
+The NetBackup REST API will authenticate any valid user account provided to the login API. Not every user
+has permissions to do anything in NetBackup, however, and this script simply dumps the payload of the 
+token returned by NetBackup.  The token is a JSON Web Token (jwt - see RFC7519) and the "payload" here
+refers to the payload section of the jwt. The payload contains some standard JWT "claims" as well as some
+NetBackup-specific claims.  Of particular interest is the contents of the claim "authz_context" which 
+represents the permissions "granted" to this user.
+
+Setup:
+---------------------------------------------------
+Perl 5.20.2 or later
+
+PERl modules required
+++ JSON
+++ Compress::Zlib
+++ MIME::Base64
+
+This utility is written in perl and it has been developed and tested on RedHat Linux.
+
+
+Overview:
+---------------------------------------------------
+Occasionally users have been stumped by the fact that the NetBackup REST login API successfully authenticates
+a user, but the resulting token results in http 401 Not Authorized responses to any of the other REST apis.
+
+The cause is nearly always that the user is not a known NetBackup administrator.  Valid known NetBackup
+administrators are "root" on unix, "administrator" on windows, or any user account configured for Enhanced
+Auditing. For non-root users Enhanced Auditing is generally the answer and a helper script makeEAadmin.pl is
+also provided.
+
+
+Outline:
+---------------------------------------------------
+A successful call to https://<yourmaster>:1556/netbackup/gateway/login will return a JSON Web Token in its
+response body.  Use that token as a (string) argument to this script and the claims are displayed as a JSON
+document.  In NetBackup 8.1.1, permission is generally all-or-nothing.  Look for the specific API permissions
+in the "authz_context" claim such as 
+      "LIST_JOBS" : [
+         "*"
+      ],
+This tells you that this token is issued with a grant to list jobs, and permission is on ALL jobs - ["*"].
+
+In addition you may see a claim 
+	"is_admin" : "true",
+this indicates that your jwt is issued with the intent of granting all access a NetBackup administrator would
+have in previous versions of NetBackup.
+
+If the claims you see do not provide the permission you expected, your user account is not an administrator
+known to NetBackup. 
diff --git a/tools/perl/tokendump.pl b/tools/perl/tokendump.pl
