ansible-collections/cisco.nxos

Some builtin roles fail when added to user profiles in nxos_user

thomasbridge74 opened this issue · 0 comments

SUMMARY

A number of NXOS builtin roles are not supported by the nxos_user module.

ISSUE TYPE
  • Bug Report

COMPONENT NAME

nxos_user

ANSIBLE VERSION
$ ansible --version
ansible [core 2.14.6]
  config file = /home/thomas.bridge/compliance_checks/ansible.cfg
  configured module search path = ['/home/thomas.bridge/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/thomas.bridge/compliance_checks/.venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/thomas.bridge/compliance_checks/collections
  executable location = /home/thomas.bridge/compliance_checks/.venv/bin/ansible
  python version = 3.9.16 (main, Dec  7 2022, 01:11:51) [GCC 9.4.0] (/home/thomas.bridge/compliance_checks/.venv/bin/python)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION
$ ansible-galaxy collection list cisco.nxos

# /home/thomas.bridge/PROJECT/collections/ansible_collections
Collection Version
---------- -------
cisco.nxos 0.0.0  

# /home/thomas.bridge/PROJECT/.venv/lib/python3.9/site-packages/ansible_collections
Collection Version
---------- -------
cisco.nxos 4.3.0

CONFIGURATION
(compliance-py3.9) thomas.bridge@vdi-ld6-lnx-161:~/PROJECT_FOLDER$ ansible-config dump --only-changed
COLLECTIONS_PATHS(/home/thomas.bridge/PROJECT_FOLDER/ansible.cfg) = ['/home/thomas.bridge/PROJECT_FOLDER/collections']
CONFIG_FILE() = /home/thomas.bridge/PROJECT_FOLDER/ansible.cfg
DEFAULT_FORKS(/home/thomas.bridge/PROJECT_FOLDER/ansible.cfg) = 5
HOST_KEY_CHECKING(/home/thomas.bridge/PROJECT_FOLDER/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/home/thomas.bridge/PROJECT_FOLDER/ansible.cfg) = 450
RETRY_FILES_ENABLED(/home/thomas.bridge/PROJECT_FOLDER/ansible.cfg) = True

OS / ENVIRONMENT

Host OS: Ubuntu 22.04
Two target NXOS versions: 9.3(10) and 7.0(3)I7(6)

STEPS TO REPRODUCE
---
- name: "Local User management"
  hosts: all
  gather_facts: false

  tasks:
    - name: "Creating accounts on Nexus"
      cisco.nxos.nxos_user:
        aggregate:
          - name: devopsuser
            role:
              - dev-ops
      register: user_report

EXPECTED RESULTS

The user to have the dev-ops role assigned and Ansible to execute correctly.

ACTUAL RESULTS
TASK [Creating accounts on Nexus] *************************************************************************************************************************************************************
task path: /home/thomas.bridge/PROJECT_FOLDER/pb.yml:7
redirecting (type: action) cisco.nxos.nxos_user to cisco.nxos.nxos
redirecting (type: become) ansible.builtin.enable to ansible.netcommon.enable
redirecting (type: become) ansible.builtin.enable to ansible.netcommon.enable
redirecting (type: action) cisco.nxos.nxos_user to cisco.nxos.nxos
redirecting (type: action) cisco.nxos.nxos_user to cisco.nxos.nxos
redirecting (type: action) cisco.nxos.nxos_user to cisco.nxos.nxos
redirecting (type: action) cisco.nxos.nxos_user to cisco.nxos.nxos
[WARNING]: Module did not set no_log for update_password
fatal: [UK1-lab-device-2]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "aggregate": [
                {
                    "configured_password": null,
                    "name": "devopsuser",
                    "role": [
                        "dev-ops"
                    ],
                    "roles": [
                        "dev-ops"
                    ],
                    "sshkey": null,
                    "state": "present",
                    "update_password": null
                }
            ],
            "configured_password": null,
            "name": null,
            "purge": false,
            "roles": null,
            "sshkey": null,
            "state": "present",
            "update_password": "always"
        }
    },
    "msg": "invalid role specified"
}
fatal: [UK1-lab-device-3]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "aggregate": [
                {
                    "configured_password": null,
                    "name": "devopsuser",
                    "role": [
                        "dev-ops"
                    ],
                    "roles": [
                        "dev-ops"
                    ],
                    "sshkey": null,
                    "state": "present",
                    "update_password": null
                }
            ],
            "configured_password": null,
            "name": null,
            "purge": false,
            "roles": null,
            "sshkey": null,
            "state": "present",
            "update_password": "always"
        }
    },
    "msg": "invalid role specified"
}
        to retry, use: --limit @/home/thomas.bridge/PROJECT_FOLDER/pb.retry

PLAY RECAP ************************************************************************************************************************************************************************************
UK1-lab-device-2           : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
UK1-lab-device-3           : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0 

Comment

I believe the issue is the BUILTIN_ROLES list variable at https://github.com/ansible-collections/cisco.nxos/blob/main/plugins/modules/nxos_user.py#L207

I will create a pull request to update this variable with all the system roles I see in our lab environment.
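
The failure mode reported above, as an added example that is not part of the original issue or the collection's code: a pre-flight check that separates roles rejected only because a hard-coded list is incomplete from roles that do not exist on the device at all. `STATIC_ROLES`, the sample `show role` text and all function names are assumptions made for illustration.

```python
import re

# Hypothetical static allowlist standing in for a hard-coded list such as
# BUILTIN_ROLES; these entries are illustrative, not the module's actual values.
STATIC_ROLES = ["network-admin", "network-operator", "vdc-admin", "vdc-operator"]

# Constructed, abbreviated "show role" text (not captured from a real device).
SAMPLE_SHOW_ROLE = """\
Role: network-admin
  Description: Predefined network admin role
Role: network-operator
  Description: Predefined network operator role
Role: dev-ops
  Description: Predefined system role for devops access
"""

ROLE_LINE = re.compile(r"^Role:[ \t]*(\S+)[ \t]*$", re.MULTILINE)


def roles_on_device(show_role_text):
    """Extract the role names the device itself reports."""
    return set(ROLE_LINE.findall(show_role_text))


def classify_roles(aggregate, show_role_text, static_roles=STATIC_ROLES):
    """Label each requested role per user.

    "ok"          -> in the static list
    "device-only" -> exists on the device, missing from the static list
                     (the case reported in this issue)
    "unknown"     -> on neither; likely a typo in the playbook
    """
    device = roles_on_device(show_role_text)
    report = {}
    for user in aggregate:
        labels = {}
        for role in user.get("role") or []:
            if role in static_roles:
                labels[role] = "ok"
            elif role in device:
                labels[role] = "device-only"
            else:
                labels[role] = "unknown"
        report[user["name"]] = labels
    return report


if __name__ == "__main__":
    users = [{"name": "devopsuser", "role": ["dev-ops"]},
             {"name": "typo", "role": ["netwrk-admin"]}]
    print(classify_roles(users, SAMPLE_SHOW_ROLE))
```

A "device-only" result means the role assignment is legitimate and the static list needs updating; an "unknown" result should still fail the run so a mistyped role never silently leaves an account without its intended privileges.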