Any API examples you can give that show session and payload

Hello again. I’m looking to make some scripts to do some common tasks and am leaning towards doing it with the management API. I see how the web UI gives you a nice JSON API call, I’m looking for an example using curl that includes the session authentication.

Does anyone want to share an example I can use to rinse and repeat? I admit my API Kung Fu is not strong, and I’m looking to save myself a ton of research to get me up to speed.

Hello,

Here is an adapted (untested) example from what I’ve done against the client api. Note, admin.* cert stuff comes from the .id section of your enrolled admin identity. For example, you can extract the ca as follows:

cat admin.json | jq -r '.id.ca'

#!/usr/bin/env bash
set -euo pipefail

# ./certs/admin.ca, admin.cert and admin.key hold the .id.ca, .id.cert and
# .id.key values extracted from the enrolled admin identity JSON (as above).
controller_ip=[controller_ip]
controller_port=[controller_port]

function edge_management_cert_login {
    # Client-certificate login; the session token comes back in .data.token
    curl -sSL \
        --cacert ./certs/admin.ca \
        --cert ./certs/admin.cert \
        --key ./certs/admin.key \
        --request POST \
        --header 'Content-Type: application/json' \
        --url https://"$controller_ip":"$controller_port"/edge/management/v1/authenticate?method=cert
}

function edge_management_list_identities {
    # Later calls authenticate with the zt-session header rather than the cert
    local zt_session="$1"
    curl -sSL \
        --cacert ./certs/admin.ca \
        --request GET \
        --header 'Content-Type: application/json' \
        --header "zt-session: $zt_session" \
        --url https://"$controller_ip":"$controller_port"/edge/management/v1/identities
}

login_json="$(edge_management_cert_login)"
zt_session="$(jq -r '.data.token' <<< "$login_json")"
edge_management_list_identities "$zt_session"

Note, you can likely also generate a bash client library using an OpenAPI generator, which should be self documenting. Hope this gets you started.

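The same cert-login-then-zt-session flow as a stdlib-only Python client, added here as an example and not code from the thread or the OpenZiti project. It assumes the enrolled identity JSON has the .id.ca/.id.cert/.id.key fields the post above reads with jq (with an optional "pem:" prefix, which is an assumption), verifies the controller against that CA, and keeps the private key in 0600 temp files only.

```python
import http.client, json, os, ssl, tempfile  # stdlib only

def pem_from_identity(identity_json: str) -> dict:
    # ca/cert/key from .id of the enrolled identity (the thread's `jq -r '.id.ca'`); an optional "pem:" prefix is stripped (assumption)
    ident = json.loads(identity_json)["id"]
    out = {}
    for field in ("ca", "cert", "key"):
        value = ident.get(field) or ""
        if not value:  # refuse to run without CA pinning or a client cert
            raise ValueError(f"identity file lacks .id.{field}")
        out[field] = value[4:] if value.startswith("pem:") else value
    return out

def session_token(login_json: str) -> str:
    # .data.token from POST /authenticate; raise on an error body rather than send an empty zt-session header later
    body = json.loads(login_json)
    token = (body.get("data") or {}).get("token")
    if not token:
        raise PermissionError(str(body.get("error", "no token in login response")))
    return token

class ManagementClient:
    def __init__(self, host: str, port: int, pem: dict):
        self.host, self.port, self.token = host, port, None
        paths, tmp = {}, tempfile.mkdtemp()  # key material only ever in 0600 files
        for name, text in pem.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "w", opener=lambda p, f: os.open(p, f, 0o600)) as fh:
                fh.write(text)
        self.ctx = ssl.create_default_context(cafile=paths["ca"])  # verify controller
        self.ctx.load_cert_chain(paths["cert"], paths["key"])  # admin client cert (mTLS)

    def _request(self, method: str, path: str) -> tuple:
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["zt-session"] = self.token  # the session rides in this header
        conn = http.client.HTTPSConnection(self.host, self.port, context=self.ctx)
        conn.request(method, "/edge/management/v1" + path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode()

    def login(self) -> None:
        self.token = session_token(self._request("POST", "/authenticate?method=cert")[1])

    def list_identities(self) -> list:
        status, body = self._request("GET", "/identities")
        if status != 200:
            raise RuntimeError(f"GET /identities failed: {status} {body}")
        return json.loads(body)["data"]
```

Usage: `c = ManagementClient("[controller_ip]", [controller_port], pem_from_identity(open("admin.json").read())); c.login(); c.list_identities()`.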

You just need to create a certificate Authenticator before using the cert method.

The default admin user only has updb Authenticator at first, but you can easily create another admin identity with either authentication method

EDIT: it’s not typically necessary to create a cert Authenticator because creating an identity automatically creates the Authenticator


If you really wanted to use the “Default Admin” user (e.g. Identity which has attribute “isDefaultAdmin” == true), then you could certainly do that with the default updb authenticator that is created as follows:

function edge_management_updb_login {
    # Password (updb) login; the session token comes back in .data.token.
    # A password on the curl command line is visible in the process list,
    # so prefer reading it from a file (--data @login.json) in real scripts.
    curl -sSL \
        --request POST \
        --header 'Content-Type: application/json' \
        --url https://"$controller_ip":"$controller_port"/edge/management/v1/authenticate?method=password \
        --data '{"username": "admin", "password": "[password]"}'
}

To be clear, I prefer not to use the default admin user, but instead create a new user with admin privileges (will have attribute "isAdmin": true, but "isDefaultAdmin": false visible in GET /identities). To create these, run:

ziti edge create identity user [my_admin] --admin --jwt-output-file my_admin_enrollment.jwt

By default, these create a cert based authenticator, not a updb based one.

If you wanted to still use updb instead in this fashion, do:

ziti edge create identity user [my_admin] --admin  --updb [my_admin] --jwt-output-file my_admin_enrollment.jwt

# You can use -p to pass the password, but you will be prompted otherwise
ziti edge enroll ./my_admin_enrollment.jwt

Nice tip @sabedevops. Forget what I said about creating a cert Authenticator. That only applies if you’re not enrolling the identity. Enrollment automatically creates the cert Authenticator (client certificate fingerprint authentication method).

EDIT: the automatically-created Authenticator resulting from enrollment can have method: updb or method: cert
