IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

Which escaping to use when passing special characters in pdadmin cmds #55

Open sygilber opened 6 years ago

sygilber commented 6 years ago

Probably an easy one for you folks.

Submitting a pdadmin cmd which does not contain any special characters works fine:

domain create childDomain sec_master somepassword -desc "somedescription"

but when submitting a pdadmin cmd like the following, that contains a comma for instance, how should we pass it to the role 'execute_pdadmin_domain':

user import _tammon cn=someuser,secAuthority=Default

These are the results I am getting:

[2018-01-28 19:30:32,946] [PID:15157 TID:140127864330048] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_invoke_request():306] Input Data: {"admin_pwd": "passw0rd", "admin_domain": "Default", "commands": ["user import _tammon cn=someuser", "secAuthority=Default"], "admin_id": "sec_master"}

Just above, the ibmsecurity stack receives the cmd already split in 2 parts ...

[2018-01-28 19:12:43,911] [PID:12073 TID:140121321088832] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():46] Request failed:
[2018-01-28 19:12:43,912] [PID:12073 TID:140121321088832] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():47] status code: 500
[2018-01-28 19:12:43,912] [PID:12073 TID:140121321088832] [ERROR] [ibmsecurity.appliance.ibmappliance] [_process_response():49] text: {"result":"cmd> user import _tammon cn=someuser\nCould not perform the administration request\nError: HPDMG0755W The specified Distinguished Name (DN) does not exist. (status 0x14c012f3)\ncmd> secAuthority=Default\nError: Unknown command. Try using 'help' for a list of commands"}

Somewhere before it gets to the python module, the pdadmin cmd gets split in 2 pieces, which makes it invalid for ISAM to process.

sygilber commented 6 years ago

After investigating a while, I figured out that the splitting of the one-liner pdadmin cmd (which contained a comma) has its origin in the 'isam-ansible-roles/start_config/library/isamadmin.py' implementation, where the 'commands' arg is parsed as a List. I am no Python expert yet, but I figured out it used the comma as delimiter, therefore the one-liner splitting is occurring here.

    def main():
        module = AnsibleModule(
            argument_spec=dict(
                log=dict(default='INFO', choices=['DEBUG', 'INFO', 'ERROR', 'CRITICAL']),
                appliance=dict(required=True),
                lmi_port=dict(required=False, default=443, type='int'),
                username=dict(required=False),
                password=dict(required=True),
                isamuser=dict(required=False),
                isampwd=dict(required=True),
                isamdomain=dict(required=False, default='Default'),
                # original line, replaced by the one below:
                # commands=dict(required=True, type='list')
                commands=dict(required=True)
            ),
            supports_check_mode=False
        )

Once I hacked the code not to assume "list", the role 'execute_pdadmin_domain' started to behave as expected, and it even ran a pdadmin cmd file containing multiple lines.

Now the question:

What would be the good way to fix this without breaking something else?

ram-ibm commented 6 years ago

Here is one way to fix it:

---
# PDAdmin - create a file with the commands and pass it via pdadmin_cmds variable

- name: Run PDAdmin command(s) against an appliance
  hosts: all
  connection: local
  pre_tasks:
    - name: Read pdadmin commands into variable
      command: "cat {{pdadmin_cmds}}"
      register: pdadmin_cmds_var
      run_once: True
      changed_when: False
  roles:
    - role: execute_pdadmin
      execute_pdadmin_commands: "{{ pdadmin_cmds_var.stdout_lines }}"
      execute_pdadmin_isamuser: "{{sec_master_id}}"
      execute_pdadmin_isampwd:  "{{sec_master_pwd}}"
      when: pdadmin_cmds is defined and pdadmin_cmds_var is defined

The cat command handles the commas in the file much better.
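
The two comments above describe the same mechanism from both ends: a 'commands' argument declared `type='list'` receives a plain string and Ansible's list coercion splits that string on commas, which is exactly where a DN such as `cn=someuser,secAuthority=Default` breaks; feeding a real list (the `stdout_lines` of the `cat` task) avoids the coercion entirely. The following is an added illustration, not code from isam-ansible-roles or from Ansible: `ansible_list_coercion` mimics Ansible's string-to-list rule, `normalize_commands` is a hypothetical newline-based normalizer of the kind a module could use if the argument were declared `type='raw'`, and the pdadmin command file is constructed here.

```python
"""Why a pdadmin command containing a DN gets split, and how to keep it whole.

Added illustration; not code from isam-ansible-roles or from Ansible itself.
"""
import re

# Constructed sample: a pdadmin command whose DN contains commas.
DN_COMMAND = "user import _tammon cn=someuser,secAuthority=Default"

# Constructed sample: a pdadmin command file with a comment, a blank line
# and two commands, the kind of file the `cat` pre_task above reads.
COMMAND_FILE = """\
# create a child domain, then import a user whose DN contains commas
domain create childDomain sec_master somepassword -desc "some description"

user import _tammon cn=someuser,secAuthority=Default
"""


def ansible_list_coercion(value):
    """Mimic how Ansible coerces a module argument declared type='list'.

    A list is kept as-is, an int/float becomes a one-element list, and a
    string is split on ','. That last rule is what cuts a DN in two.
    """
    if isinstance(value, list):
        return value
    if isinstance(value, str):
        return value.split(",")
    if isinstance(value, (int, float)):
        return [str(value)]
    raise TypeError("cannot convert %r to a list" % (value,))


def normalize_commands(value):
    """Hypothetical normalizer for a 'commands' argument declared type='raw'.

    A list is taken as one pdadmin command per element; a string is split on
    newlines only (never on commas). Blank lines and '#' comments are dropped,
    so a whole command file can be passed as a single string.
    """
    if isinstance(value, str):
        lines = value.splitlines()
    elif isinstance(value, list):
        lines = [str(v) for v in value]
    else:
        raise TypeError("commands must be a string or a list")
    cmds = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmds.append(line)
    return cmds


def dn_commands_intact(commands):
    """Sanity check before sending anything to the appliance: no element may
    be a bare 'attribute=value' fragment, which is what a DN cut at a comma
    produces (and what pdadmin rejects as an unknown command)."""
    return not any(re.match(r"^\w+=", cmd) for cmd in commands)


if __name__ == "__main__":
    broken = ansible_list_coercion(DN_COMMAND)
    print("type='list' coercion of a string:", broken)
    print("DN intact?", dn_commands_intact(broken))
    fixed = normalize_commands(COMMAND_FILE)
    print("newline-based normalization:", fixed)
    print("DN intact?", dn_commands_intact(fixed))
```

Passing `"{{ pdadmin_cmds_var.stdout_lines }}"` works for the same reason `normalize_commands` does: the value that reaches the module is already a list with one command per element, so nothing is ever split on a comma. The `dn_commands_intact` check is a cheap guard a playbook or module could run before invoking pdadmin, so a mangled DN fails locally instead of producing an HPDMG0755W from the appliance.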

sygilber commented 6 years ago

Using this "cat" solution did the magic trick. However, I wonder if this could not be handled transparently in the 'isam-ansible-roles\start_config\library\isamadmin.py' module? It is pretty legitimate to use commas in pdadmin commands whenever a DN is involved. Whoever is going to need to run some of those pdadmin cmds will likely hit this behavior. But I am satisfied with this solution for now. I can continue on my automation journey. Should I leave it open for future consideration?

ram-ibm commented 6 years ago

The issue with commas in the pdadmin commands is with Ansible and the jinja2 templating. The python code can handle it without an issue. Hence this fix is really to make sure Ansible can handle it - the cat command means there is no jinja2 templating messing around with the values.

sygilber commented 6 years ago

I am fine with that.

Then may I suggest that we document this solution in the readme that comes with this role?