Changing password erases the userid on a PA-220
pchiquit opened this issue · 3 comments
Describe the bug
When executing the following playbook:

    - name: Change user password using the password itself
      panos_administrator:
        provider:
          ip_address: "{{ ansible_host }}"
          username: '{{ credential_username }}'
          password: '{{ credential_password }}'
        admin_username: '{{ credential_username }}'
        admin_password: "{{ credential_stagingPassword }}"
        #superuser: true
        commit: true
      #no_log: true
      delegate_to: localhost

I get the following failure:
TASK [PanOS : Change user password using the password itself] *********************************************************************************************************************************************************
fatal: [rtptest-pa-220b.raleigh.ibm.com -> localhost]: FAILED! => {"changed": false, "msg": "Failed commit: URLError: code: 403 reason: Invalid Credential"}
After that action, the userid doesn't show up on the PanOS interface or on the CLI. If I do a config audit I can see that the entries for the userid now only have the phash field. So it goes from:

    test { permissions { role-based { superuser yes; } } phash ****}

to

    test { phash ********; }

Expected behavior
I would expect the other fields to stay and the password to be changed and the commit to work.
Current behavior
Userid is disabled/vanished, commit does not work.
Steps to reproduce
Described above.
Context
Trying to automate password change of local userids on Palo Alto firewall devices.
Your Environment
ansible 2.9.2
Latest version of Pan-module installed yesterday.
The problem here is that you're trying to change the password of the user that you're authenticated as, so the fix here is that the module needs to refresh the API key before continuing.
Thanks for the fix. While it seems you resolved the commit problem, the userids are still being wiped as it only writes the phash section of the user definition. The userid is not visible on the UI and can't be logged in anymore. After the password change the userid looks like this:

    admin {
      phash $1$vxxxxxxxxxxxxxxxxxxx;
    }

Having state=present means "I don't know what's there, but make sure it looks like this after the module is invoked." This behavior is universal across all panos modules (except panos_mgtconfig). You're asking Ansible to delete everything except the password in your task since you have nothing else configured :)
You need to re-specify the user type (password profile, authentication profile, etc) in your task and you should be good to go.
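
The replace-not-merge behavior described in the last comment, modeled as an added example (not code from this issue or from the panos modules), together with a check that flags administrator entries left with only a phash. The XML layout under `mgt-config/users`, the sample config and all function names are assumptions constructed for illustration from the config audit output quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the two states shown in the issue's config audit.
# Assumption: administrators are stored as <entry> elements under mgt-config/users.
SAMPLE_CONFIG = """
<config>
  <mgt-config>
    <users>
      <entry name="test">
        <phash>$1$constructed</phash>
      </entry>
      <entry name="backup-admin">
        <permissions><role-based><superuser>yes</superuser></role-based></permissions>
        <phash>$1$constructed</phash>
      </entry>
    </users>
  </mgt-config>
</config>
"""

def declared_entry(name, phash, superuser=False):
    """Build the entry a declarative task describes: only what was specified."""
    entry = ET.Element("entry", {"name": name})
    if superuser:
        role = ET.SubElement(ET.SubElement(entry, "permissions"), "role-based")
        ET.SubElement(role, "superuser").text = "yes"
    ET.SubElement(entry, "phash").text = phash
    return entry

def apply_present(users, entry):
    """Model of state=present: replace (not merge) any existing entry."""
    for old in users.findall("entry"):
        if old.get("name") == entry.get("name"):
            users.remove(old)
    users.append(entry)

def admins_without_role(root):
    """Return names of administrators that have a phash but no role assigned."""
    users = root.find("./mgt-config/users")
    return [e.get("name") for e in users.findall("entry")
            if e.find("phash") is not None
            and e.find("permissions/role-based/*") is None]
```

Running `admins_without_role` against an exported config before and after a password-rotation play shows whether any account lost its role definition.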