ansible-collections / cisco.nxos

Ansible Network Collection for Cisco NXOS
GNU General Public License v3.0

nxos_user: Module is not idempotent when AAA users are "cached" #698

Open thomasbridge74 opened 1 year ago

thomasbridge74 commented 1 year ago
SUMMARY

The nxos_user module will try to delete accounts which are known to the device via AAA "caching". As these accounts aren't in the running configuration, the no username <aaa_user> has no effect. But the next time the module is run against those devices, it attempts to remove them again.

(May be related to #107, which was closed for lack of information.)

ISSUE TYPE
COMPONENT NAME

nxos_user

ANSIBLE VERSION
ansible [core 2.14.1]
  config file = None
  configured module search path = ['/home/thomas.bridge/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/lib/python3.9/site-packages/ansible
  ansible collection location = /home/thomas.bridge/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/bin/ansible
  python version = 3.9.6 (default, Aug 11 2021, 06:39:25) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)] (/home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/lib/python3.9/site-packages/ansible_collections
Collection Version
---------- -------
cisco.nxos 4.0.1
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT

The issue shows up when running the module against switches running versions 7.0 and 9.3.

STEPS TO REPRODUCE
  1. Have a device using AAA for login.
  2. Log in using an account not configured as a local_user.
  3. Run the local_user module against the device twice and check the output of the commands variable.
EXPECTED RESULTS

I would expect the module to ignore/not attempt to delete a cached output.

ACTUAL RESULTS

A no username <aaa_user> command is attempted/executed on every run.

Comments

The issue appears to be that in the map_config_to_obj function the module is getting the configuration from the show user-account command. However, that command will show "cached" users learnt from AAA which aren't part of the device configuration (a sanitized output is shown below). The module will then calculate that a no username <aaa_user> should be executed as part of the change, but that doesn't change the device configuration and means that the next time the module is run it will again attempt to execute a change.

https://github.com/ansible-collections/cisco.nxos/blob/fa98d2be96a45417ef6e4a2e78d55f0125409ec9/plugins/modules/nxos_user.py#L322

user:admin
        this user account has no expiry date
        roles:network-admin 
user:local_user
        this user account has no expiry date
        roles:network-admin 
user:aaa_user1
        roles:network-admin 
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
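To make the failure mode concrete, the following is an added example (not code from cisco.nxos or from the issue author): a small parser for the sanitized show user-account output above that tags accounts carrying the "account created through REMOTE authentication" line as AAA-cached, and a removal diff computed once over all parsed users (the non-idempotent behaviour) and once over local users only. Treating that line as the marker for cached accounts is an assumption drawn from the output quoted in the comment; the sample text and the want list are constructed.

```python
"""Added example: separate AAA-cached users from locally configured ones
before computing ``no username`` removals, so the diff is idempotent.
Not part of cisco.nxos; names and sample data are constructed here."""
from typing import Dict, List

# Constructed sample, modelled on the sanitized output quoted in the issue.
SAMPLE_SHOW_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:local_user
        this user account has no expiry date
        roles:network-admin
user:aaa_user1
        roles:network-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
"""

# Assumption: this line marks an account learnt through AAA rather than one
# present in the running configuration.
REMOTE_MARKER = "account created through REMOTE authentication"


def parse_user_accounts(output: str) -> Dict[str, dict]:
    """Parse ``show user-account`` text into {name: {roles, remote}}."""
    users: Dict[str, dict] = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()  # the remote-auth lines are not indented
        if not line:
            continue
        if line.startswith("user:"):
            current = line[len("user:"):].strip()
            users[current] = {"roles": [], "remote": False}
        elif current is None:
            continue  # text before the first user: block, ignore
        elif line.startswith("roles:"):
            users[current]["roles"] = line[len("roles:"):].split()
        elif line.startswith(REMOTE_MARKER):
            users[current]["remote"] = True
    return users


def removal_commands(have: Dict[str, dict], want: List[str],
                     skip_cached: bool, protect=("admin",)) -> List[str]:
    """Return ``no username X`` for every user on the box that is not wanted.

    With skip_cached=False this mirrors the behaviour described in the issue:
    an AAA-cached user that is not in the running config still produces a
    removal command, which has no effect and is emitted again on every run.
    """
    cmds = []
    for name, info in have.items():
        if name in want or name in protect:
            continue
        if skip_cached and info["remote"]:
            continue  # not in running-config, nothing to remove
        cmds.append(f"no username {name}")
    return cmds


def simulate_runs(output: str, want: List[str], skip_cached: bool,
                  runs: int = 2) -> List[List[str]]:
    """Run the diff repeatedly against unchanged device output.

    The device output is reused on purpose: ``no username`` for a cached
    account does not alter the running configuration, so a second run sees
    exactly the same ``show user-account`` text.
    """
    have = parse_user_accounts(output)
    return [removal_commands(have, want, skip_cached) for _ in range(runs)]


if __name__ == "__main__":
    want = ["admin", "local_user"]
    print("naive :", simulate_runs(SAMPLE_SHOW_USER_ACCOUNT, want, False))
    print("fixed :", simulate_runs(SAMPLE_SHOW_USER_ACCOUNT, want, True))
```

Running the script prints a `no username aaa_user1` on both passes of the naive diff and an empty list on both passes once cached users are skipped, which is the idempotent result the issue asks for. A real fix in the module would more defensibly build `have` from `show running-config | section username` rather than from `show user-account`, since only the former reflects configuration state; the marker-based filter shown here is the minimal change that the quoted output supports.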