search

ansible-collections / cisco.ios

Ansible Network Collection for Cisco IOS
GNU General Public License v3.0
293 stars 171 forks source link

ios_user: update_password key failure with aggregate. + others #559

Open tin-ot opened 2 years ago

tin-ot commented 2 years ago
SUMMARY

I noticed 3 different issues with this module:

1) module breaks when the update_password is used in the aggregate dictionary.

  cisco.ios.ios_user:
    aggregate:
      - name: "{{ username1 }}"
        configured_password: "{{ clear passwd1 }}" 
        update_password: 'always'
      - name: "{{ username2 }}"
        configured_password: "{{ clear passwd2 }}" 
        update_password: 'always'

(this breaks)

works as expected is defined like this : 

  cisco.ios.ios_user:
    aggregate:
      - name: "{{ username1 }}"
        configured_password: "{{ clear passwd1 }}" 
      - name: "{{ username2 }}"
        configured_password: "{{ clear passwd2 }}" 
      update_password: 'always'

(this works)

2) some hashes are not blurred in the output with no log

expected result : "username dummy secret **** ****" actual result: "username dummy secret **** $****$human_readable_hash****",

This behaviour depends on the hash. Some are blurred others are clear.

3) ( more of an enhancement ) There is no choice regarding encryption. The only algorithm available through the module is md5 which considered broken. The only recommanded encryption algorithm, as of today, is scrypt. Even if it is possible to configure the device with a hashed password ... it will set the same hash on all configuration files which is not desirable neither.

Proposition: add a new key word in the module to choose the encryption algorithm with clear password as input. the command to be : username <username> privilege 15 algorithm-type scrypt secret <secret>

Work around:

Use the module "naked" with purge key set to true; Configure desired users and passwords with config module in another task.

ISSUE TYPE
COMPONENT NAME
ANSIBLE VERSION
github latestansible [core 2.12.2]
  config file = /remote/users/mcarrouee/.ansible.cfg
...
  python version = 3.8.8 (default, Aug 11 2021, 06:52:42) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)]
  jinja version = 3.0.3
  libyaml = True
COLLECTION VERSION
github latest
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS

module failure with aggregate

The full traceback is:
Traceback (most recent call last):
  File "~/.ansible/tmp/ansible-local-2972609kf089_dt/ansible-tmp-1649944005.6931295-2972638-226093719612968/AnsiballZ_ios_user.py", line 107, in <module>
    _ansiballz_main()
  File "~/.ansible/tmp/ansible-local-2972609kf089_dt/ansible-tmp-1649944005.6931295-2972638-226093719612968/AnsiballZ_ios_user.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "~/.ansible/tmp/ansible-local-2972609kf089_dt/ansible-tmp-1649944005.6931295-2972638-226093719612968/AnsiballZ_ios_user.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.ios.plugins.modules.ios_user', init_globals=dict(_module_fqn='ansible_collections.cisco.ios.plugins.modules.ios_user', _modlib_path=modlib_path),
  File "/usr/lib64/python3.8/runpy.py", line 207, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.8/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.8/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cisco.ios.ios_user_payload_1zvvkg4k/ansible_cisco.ios.ios_user_payload.zip/ansible_collections/cisco/ios/plugins/modules/ios_user.py", line 621, in <module>
  File "/tmp/ansible_cisco.ios.ios_user_payload_1zvvkg4k/ansible_cisco.ios.ios_user_payload.zip/ansible_collections/cisco/ios/plugins/modules/ios_user.py", line 605, in main
  File "/tmp/ansible_cisco.ios.ios_user_payload_1zvvkg4k/ansible_cisco.ios.ios_user_payload.zip/ansible_collections/cisco/ios/plugins/modules/ios_user.py", line 550, in update_objects
KeyError: 'update_password'
roverflow commented 1 year ago

@tin-ot

  1. This is how the update password attribute should be used according to the documentation.
  2. Could you provide me a playbook that could reproduce the case where the hashes are not blured
noziwatele commented 1 year ago

Hi @roverflow - I am seeing the same issues as described by tin-ot.

  1. ios_user documentation indicates that update_password can be used as part of an aggregate dictionary
  2. Playbook task that fails is as follows:
   - name: "Add user"
      cisco.ios.ios_user:
        aggregate:
          - name: "{{ new_username }}"
            hashed_password: 
              type: 9
              value: "{{ new_user_secret }}"
            privilege: 15
            state: present
            update_password: on_create

Task output:

fatal: [device-hostname]: FAILED! => changed=false
  module_stderr: '''update_password'''
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error

I also see the same issue with hashes not being hidden in output, and agree with tin-ot's enhancement suggestions.

This is with ansible 2.15 and cisco.ios 5.1.0.