- Introduction and Ansible playbook download
- Script flow charts
- Introduction of REST API and Cisco FMC API Explorer
- Script prerequisites
- Request Access Token
- Get policy content, modify content and "PUT" in FMC - Part 1
- Get policy content, modify content and "PUT" in FMC - Part 2
- Get deployable devices and deploy policy
In the last post, I described the prerequisites for our main task playbook. Now, we can start writing the main task yml file in "/etc/ansible/roles/FMC-enable-policyrule/tasks/main.yml".
First of all, we need to be authenticated by the FMC server. Different systems use different authentication methods for REST API calls. Some of them require the user to provide a username/password for every call. FMC uses a token-based authentication mechanism for API users. The following shows the message flow for obtaining and using the access token:
In subsequent API calls, the API user can send this "x_auth_access_token" in the header field and does not need to provide the username/password again for the whole token life cycle.
location: /etc/ansible/roles/FMC-enable-policyrule/tasks/main.yml
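---
# Request an access token from FMC using HTTP basic authentication
- name: POST
  uri:
    url: "https://{{FMC_IP}}/api/fmc_platform/v1/auth/generatetoken"
    method: POST
    user: "{{username}}"
    password: "{{password}}"
    # Certificate validation is turned off here, so the FMC server's identity is not verified
    validate_certs: no
    force_basic_auth: yes
    # FMC answers a successful token request with 204, not the default 200
    status_code: 204
  register: token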
In this "POST" call, we specify the url, username and password, and define "force_basic_auth" as "yes". By default, Ansible expects "200" as the return status code if none is specified. In our case, FMC sends "204" as the return code, so we need to specify it here as well.
The following shows the reply from the FMC server. The highlighted line ("x_auth_access_token") is the one we need.
    "token": {
        "accept_ranges": "bytes",
        "cache_control": "no-cache, no-store, must-revalidate, max-age=0",
        "changed": false,
        "connection": "close",
        "content_length": "0",
        "cookies": {},
        "date": "Thu, 21 Jun 2018 12:15:45 GMT",
        "domain_id": "111",
        "domain_uuid": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
        "domains": "[{\"name\":\"Global\",\"uuid\":\"e276abec-e0f2-11e3-8169-6d9ed49b625f\"}, {\"name\":\"Global/Sydney\",\"uuid\":\"dd731f3e-8297-5b05-7ac3-000000000001\"}]",
        "failed": false,
        "global": "e276abec-e0f2-11e3-8169-6d9ed49b625f",
        "msg": "OK (0 bytes)",
        "redirected": false,
        "server": "Apache",
        "status": 204,
        "url": "https://192.168.1.205/api/fmc_platform/v1/auth/generatetoken",
        "user_uuid": "2bd20b46-708d-11e8-bc24-cd319511305b",
        "vary": "Accept-Charset,Accept-Encoding,Accept-Language,Accept",
        "x_auth_access_token": "a7103106-380d-4593-8184-044e8b2ea7fe",
        "x_auth_refresh_token": "042d27db-fa8e-435c-9250-3926f2841445",
        "x_frame_options": "SAMEORIGIN"
    }
}
Next, we need to set a new variable ("acc_token") and assign this access token to it.
location: /etc/ansible/roles/FMC-enable-policyrule/tasks/main.yml
- name: get token
  set_fact:
    acc_token: "{{token.x_auth_access_token}}"
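A hardened variant of the token request, followed by one call that reuses the token in the header, as an added example that is not part of the original playbook. It assumes Ansible 2.11 or later (for `ca_path`), a hypothetical variable `fmc_ca_bundle` pointing at the CA certificate that signed the FMC certificate, and the FMC access policy listing endpoint as the follow-up call.

```yaml
---
# Added example, not from the original playbook.
# Assumptions: fmc_ca_bundle is a hypothetical variable holding the path to the
# CA certificate that signed the FMC server certificate; ca_path needs Ansible 2.11+.

- name: Request access token (TLS verified, credentials kept out of logs)
  uri:
    url: "https://{{ FMC_IP }}/api/fmc_platform/v1/auth/generatetoken"
    method: POST
    user: "{{ username }}"
    password: "{{ password }}"
    force_basic_auth: yes
    validate_certs: yes            # reject a server that cannot prove it is the FMC
    ca_path: "{{ fmc_ca_bundle }}"
    status_code: 204
  register: token
  no_log: true                     # the registered result contains both tokens

- name: Fail early if the reply carries no access token
  assert:
    that:
      - token.x_auth_access_token is defined
      - token.x_auth_access_token | length > 0
    quiet: yes

- name: Store the access token and domain UUID for later tasks
  set_fact:
    acc_token: "{{ token.x_auth_access_token }}"
    domain_uuid: "{{ token.domain_uuid }}"
  no_log: true

- name: Reuse the token in the header instead of sending username/password
  uri:
    url: "https://{{ FMC_IP }}/api/fmc_config/v1/domain/{{ domain_uuid }}/policy/accesspolicies"
    method: GET
    headers:
      X-auth-access-token: "{{ acc_token }}"
    validate_certs: yes
    ca_path: "{{ fmc_ca_bundle }}"
    status_code: 200
    return_content: yes
  register: policies
  no_log: true                     # verbose output would otherwise show the header
```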
In the next post, I will show you the most important part of this playbook - how to modify the policy content of the existing access policy.