PaloAltoNetworks/ansible-pan

Changing password erases the userid on a PA-220

pchiquit opened this issue · 3 comments

Describe the bug

When executing the following playbook:

- name: Change user password using the password itself
  panos_administrator:
    provider: 
      ip_address: "{{ ansible_host }}"
      username: '{{ credential_username }}'
      password: '{{ credential_password }}'
    admin_username: '{{ credential_username }}'
    admin_password: "{{ credential_stagingPassword }}"
    #superuser: true
    commit: true
  #no_log: true
  delegate_to: localhost

I get the following failure:

TASK [PanOS : Change user password using the password itself] ****************************************
fatal: [rtptest-pa-220b.raleigh.ibm.com -> localhost]: FAILED! => {"changed": false, "msg": "Failed commit: URLError: code: 403 reason: Invalid Credential"}

After that action, the userid doesn't show up on the PanOS interface or on the CLI. If I do a config audit I can see that the entries for the userid now only have the phash field. So it goes from:

test  { permissions { role-based { superuser yes; } } phash ****}

to

test  { phash ********; }

Expected behavior

I would expect the other fields to stay and the password to be changed and the commit to work.

Current behavior

Userid is disabled/vanished, commit does not work.

Possible solution

Steps to reproduce

Described above.

Screenshots

Context

Trying to automate password change of local userids on Palo Alto firewall devices.

Your Environment

ansible 2.9.2
Latest version of Pan-module installed yesterday.

@pchiquit

The problem here is that you're trying to change the password of the user that you're authenticated as, so the fix here is that the module needs to refresh the API key before continuing.

Thanks for the fix. While it seems you resolved the commit problem, the userids are still being wiped as it only writes the phash section of the user definition. The userid is not visible on the UI and can't be logged in anymore. After the password change the userid looks like this:

admin {
  phash $1$vxxxxxxxxxxxxxxxxxxx;
}

@pchiquit

Having state=present means "I don't know what's there, but make sure it looks like this after the module is invoked." This behavior is universal across all panos modules (except panos_mgtconfig). You're asking Ansible to delete everything except the password in your task since you have nothing else configured :)

You need to re-specify the user type (password profile, authentication profile, etc.) in your task and you should be good to go.
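The corrected task, as an added example that is not from the original issue or the ansible-pan project: because state=present replaces the whole administrator object, every attribute the admin currently has must be restated, not just the new password. It assumes the admin is a role-based superuser, as the config audit in the issue shows (`superuser yes`); an admin with a password profile or authentication profile would need those restated as well.

```yaml
# Added example (not the project's own playbook). Shows the task from the
# issue alongside the corrected form.

# BEFORE: only the password is given, so state=present (the default)
# rewrites the admin as "{ phash ...; }" and drops its permissions.
- name: Change user password (loses permissions)
  panos_administrator:
    provider:
      ip_address: "{{ ansible_host }}"
      username: "{{ credential_username }}"
      password: "{{ credential_password }}"
    admin_username: "{{ credential_username }}"
    admin_password: "{{ credential_stagingPassword }}"
    commit: true
  delegate_to: localhost

# AFTER: restate every attribute the admin already has. Here that is the
# role-based superuser permission from the config audit in the issue
# (assumption: the admin has no password or authentication profile; if it
# does, those must be listed too or they are removed).
- name: Change user password using the password itself
  panos_administrator:
    provider:
      ip_address: "{{ ansible_host }}"
      username: "{{ credential_username }}"
      password: "{{ credential_password }}"
    admin_username: "{{ credential_username }}"
    admin_password: "{{ credential_stagingPassword }}"
    superuser: true
    commit: true
  no_log: true
  delegate_to: localhost
```

After the run, a config audit should again show `permissions { role-based { superuser yes; } }` next to the new phash rather than the phash alone.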