ansible-collections / junipernetworks.junos

Ansible Network Collection for Juniper JunOS
GNU General Public License v3.0

junos_snmp_server requires both -password and -key values for SNMP auth/privacy #487

Open WRobertson2 opened 8 months ago

WRobertson2 commented 8 months ago
SUMMARY

When trying to execute a play using junos_snmp_server using SNMPv3, when attempting a configuration with authentication_sha or privacy_aes128, (attempting to configure using the password key instead of the hashed key) I receive an error for a missing "key" value.

When configuring via the command line, I am able to successfully configure the two secrets using authentication-password/privacy-password without the respective -key command. In fact, if specified with both -key and -password values, the -password appears to take precedence.

ISSUE TYPE
COMPONENT NAME

junipernetworks.junos.snmp_server config: snmp_v3: usm: local_engine: users:

ANSIBLE VERSION
$ ansible --version
ansible [core 2.16.2]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/wroberts/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/wroberts/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.1 (main, Dec 18 2023, 00:00:00) [GCC 13.2.1 20231205 (Red Hat 13.2.1-6)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Also tried:

$ ansible --version
ansible [core 2.14.11]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/wroberts/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/wroberts/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.6 (main, Oct  3 2023, 00:00:00) [GCC 13.2.1 20230728 (Red Hat 13.2.1-1)] (/usr/bin/python3)
  jinja version = 3.0.3
  libyaml = True

COLLECTION VERSION
$ ansible-galaxy collection list junipernetworks.junos

# /home/wroberts/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
junipernetworks.junos 6.0.0  

# /usr/lib/python3.12/site-packages/ansible_collections
Collection            Version
--------------------- -------
junipernetworks.junos 5.3.1  

CONFIGURATION
$ ansible-config dump --only-changed
CONFIG_FILE() = /etc/ansible/ansible.cfg
EDITOR(env: EDITOR) = /usr/bin/nano

OS / ENVIRONMENT

Target device JunOS version: JunOS 20.4R3-S5.4

STEPS TO REPRODUCE
- name: Configure SNMP server authentication
  junipernetworks.junos.junos_snmp_server:
    config:
      snmp_v3:
        usm:
          local_engine:
            users:
              - name: "{{ snmp_username }}"
                authentication_sha:
                  password: "{{ snmp_auth_passwd }}"
                privacy_aes128:
                  password: "{{ snmp_auth_passwd }}"

EXPECTED RESULTS

The same as set snmp v3 usm local-engine user $USERNAME authentication-sha authentication-password $PASSWORD and set snmp v3 usm local-engine user $USERNAME privacy-aes128 privacy-password $PASSWORD. Namely, that the configuration file is changed to include the hashed results of the given password values, without prompting for a hashed input.

ACTUAL RESULTS

Error is thrown, and Ansible seems upset that I never specified a key, only a password. In fact, if run again with both a password and a key, the configuration completes successfully.

TASK [snmp-node : Configure SNMP server authentication] ************************
failed: [gra-juniper.mgmt] (item={'username': 'REDACTED', 'authpasswd': 'REDACTED', 'encpasswd': 'REDACTED, 'group': 'REDACTED'}) => {"ansible_loop_var": "item", "changed": false, "item": {"authpasswd": "REDACTED", "encpasswd": "REDACTED", "group": "REDACTED", "username": "REDACTED"}, "module_stderr": "'key'", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"}

WRobertson2 commented 8 months ago

I was able to get what I consider to be the expected behavior by applying this patch. I think it would be better to except a particular type of exception, but it was a quick-and-dirty test.

Gittins commented 4 months ago

I'm hitting the same issue. Adding both the "key" and "password" allows the task to work, but obviously isn't how this module is supposed to function.

The error message I'm seeing is this:

TASK [All-in-one SNMP configuration] ****************************************************************************************************************************************************************************************************
task path: /home/userxyz/ansible/snmp_v3_configure_playbook.yml:134
redirecting (type: action) junipernetworks.junos.junos_snmp_server to junipernetworks.junos.junos
redirecting (type: action) junipernetworks.junos.junos_snmp_server to junipernetworks.junos.junos
redirecting (type: action) junipernetworks.junos.junos_snmp_server to junipernetworks.junos.junos
fatal: [mydevice]: FAILED! => {
    "changed": false,
    "module_stderr": "'key'",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

Any news on getting a fix for this?
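
Added example, not the collection's code and not written by anyone in this thread: the `module_stderr` value `'key'` in both reports is what Python prints for `KeyError('key')`, which is what an unconditional lookup of `key` produces when the task supplies only `password`. The sketch below reproduces that failure in a hypothetical renderer and shows a tolerant variant that emits only the supplied field. The function names and sample values are assumptions; the XML element names follow the CLI statements quoted in the issue (`authentication-password`, `privacy-password`, and their `-key` counterparts).

```python
import xml.etree.ElementTree as ET

# Junos element names per module option, following the CLI statements in the issue.
ALGOS = {
    "authentication_sha": ("authentication-sha", "authentication"),
    "privacy_aes128": ("privacy-aes128", "privacy"),
}
# Constructed sample input mirroring the task in the issue (placeholder values).
SAMPLE_USER = {
    "name": "example-user",
    "authentication_sha": {"password": "example-auth-password"},
    "privacy_aes128": {"password": "example-priv-password"},
}


def render_user_strict(user):
    """Hypothetical renderer: indexes 'key' unconditionally, so password-only input fails."""
    node = ET.Element("user")
    ET.SubElement(node, "name").text = user["name"]
    for option, (tag, prefix) in ALGOS.items():
        if option in user:
            algo = ET.SubElement(node, tag)
            ET.SubElement(algo, prefix + "-key").text = user[option]["key"]
            ET.SubElement(algo, prefix + "-password").text = user[option]["password"]
    return ET.tostring(node, encoding="unicode")


def render_user_tolerant(user):
    """Emit only the fields the task supplied; require at least one of them."""
    node = ET.Element("user")
    ET.SubElement(node, "name").text = user["name"]
    for option, (tag, prefix) in ALGOS.items():
        params = user.get(option)
        if params is None:
            continue
        supplied = {f: params[f] for f in ("key", "password") if params.get(f)}
        if not supplied:
            raise ValueError(f"{option}: one of 'key' or 'password' is required")
        algo = ET.SubElement(node, tag)
        for field, value in supplied.items():
            ET.SubElement(algo, f"{prefix}-{field}").text = value
    return ET.tostring(node, encoding="unicode")


def strict_error(user):
    """Return the message the strict renderer fails with, or None if it succeeds."""
    try:
        render_user_strict(user)
    except KeyError as exc:
        return str(exc)
    return None
```

Rejecting an empty option with an explicit `ValueError` keeps the failure readable instead of surfacing as a bare `'key'` on stderr.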