ansible-collections / netapp.ontap

Ansible collection to support NetApp ONTAP configuration.
https://galaxy.ansible.com/netapp/ontap
GNU General Public License v3.0

netapp.ontap.na_ontap_snapshot module reports "failed" - missing gather_subset parameter #139

Closed fostermi closed 1 year ago

fostermi commented 1 year ago

Summary

The netapp.ontap.na_ontap_rest_info module has a gather_subset parameter that limits the scope of what is requested by API calls to the vserver, which is needed because read/write permissions set for a specific SVM level don't allow higher level info gathering, and otherwise would return a "403 Unauthorized" error.

The netapp.ontap.na_ontap_snapshot uses API calls to check to see if a snapshot of the same name exists, but doesn't use this gather_subset parameter, so the API call returns the not authorized for that command error. However, the module does successfully create a snapshot, but the overall Ansible module returns a failed state with message "Error when creating snapshot: job reported error".

Without a gather_subset parameter, this module (and possibly others) fails similarly as described here: https://docs.ansible.com/ansible/latest/collections/netapp/ontap/na_ontap_rest_info_module.html

Component Name

netapp.ontap.na_ontap_snapshot

Ansible Version

$ ansible --version
ansible [core 2.13.6]
  config file = /Users/me/git/lasp/wi/ansible/ansible.cfg
  configured module search path = ['/Users/me/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/me/venvs/ansible-6.5.0/lib/python3.10/site-packages/ansible
  ansible collection location = /Users/me/.ansible/collections:/usr/share/ansible/collections
  executable location = /Users/meifo4973/venvs/ansible-6.5.0/bin/ansible
  python version = 3.10.8 (main, Oct 13 2022, 10:19:13) [Clang 12.0.0 (clang-1200.0.32.29)]
  jinja version = 3.1.2
  libyaml = True

ONTAP Collection Version

$ ansible-galaxy collection list
# /Users/me/venvs/ansible-6.5.0/lib/python3.10/site-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    3.5.0  
ansible.netcommon             3.1.3  
ansible.posix                 1.4.0  
ansible.utils                 2.6.1  
ansible.windows               1.11.1 
arista.eos                    5.0.1  
awx.awx                       21.7.0 
azure.azcollection            1.13.0 
check_point.mgmt              2.3.0  
chocolatey.chocolatey         1.3.1  
cisco.aci                     2.2.0  
cisco.asa                     3.1.0  
cisco.dnac                    6.6.0  
cisco.intersight              1.0.19 
cisco.ios                     3.3.2  
cisco.iosxr                   3.3.1  
cisco.ise                     2.5.5  
cisco.meraki                  2.11.0 
cisco.mso                     2.0.0  
cisco.nso                     1.0.3  
cisco.nxos                    3.2.0  
cisco.ucs                     1.8.0  
cloud.common                  2.1.2  
cloudscale_ch.cloud           2.2.2  
community.aws                 3.6.0  
community.azure               1.1.0  
community.ciscosmb            1.0.5  
community.crypto              2.7.0  
community.digitalocean        1.22.0 
community.dns                 2.3.3  
community.docker              2.7.1  
community.fortios             1.0.0  
community.general             5.7.0  
community.google              1.0.0  
community.grafana             1.5.3  
community.hashi_vault         3.3.1  
community.hrobot              1.5.2  
community.libvirt             1.2.0  
community.mongodb             1.4.2  
community.mysql               3.5.1  
community.network             4.0.1  
community.okd                 2.2.0  
community.postgresql          2.2.0  
community.proxysql            1.4.0  
community.rabbitmq            1.2.2  
community.routeros            2.3.0  
community.sap                 1.0.0  
community.sap_libs            1.3.0  
community.skydive             1.0.0  
community.sops                1.4.1  
community.vmware              2.10.0 
community.windows             1.11.0 
community.zabbix              1.8.0  
containers.podman             1.9.4  
cyberark.conjur               1.2.0  
cyberark.pas                  1.0.14 
dellemc.enterprise_sonic      1.1.2  
dellemc.openmanage            5.5.0  
dellemc.os10                  1.1.1  
dellemc.os6                   1.0.7  
dellemc.os9                   1.0.4  
f5networks.f5_modules         1.20.0 
fortinet.fortimanager         2.1.5  
fortinet.fortios              2.1.7  
frr.frr                       2.0.0  
gluster.gluster               1.0.2  
google.cloud                  1.0.2  
hetzner.hcloud                1.8.2  
hpe.nimble                    1.1.4  
ibm.qradar                    2.1.0  
ibm.spectrum_virtualize       1.10.0 
infinidat.infinibox           1.3.3  
infoblox.nios_modules         1.4.0  
inspur.ispim                  1.1.0  
inspur.sm                     2.2.0  
junipernetworks.junos         3.1.0  
kubernetes.core               2.3.2  
mellanox.onyx                 1.0.0  
netapp.aws                    21.7.0 
netapp.azure                  21.10.0
netapp.cloudmanager           21.20.1
netapp.elementsw              21.7.0 
netapp.ontap                  21.24.1
netapp.storagegrid            21.11.1
netapp.um_info                21.8.0 
netapp_eseries.santricity     1.3.1  
netbox.netbox                 3.8.0  
ngine_io.cloudstack           2.2.4  
ngine_io.exoscale             1.0.0  
ngine_io.vultr                1.1.2  
openstack.cloud               1.10.0 
openvswitch.openvswitch       2.1.0  
ovirt.ovirt                   2.2.3  
purestorage.flasharray        1.14.0 
purestorage.flashblade        1.10.0 
purestorage.fusion            1.1.1  
sensu.sensu_go                1.13.1 
servicenow.servicenow         1.0.6  
splunk.es                     2.1.0  
t_systems_mms.icinga_director 1.31.0 
theforeman.foreman            3.7.0  
vmware.vmware_rest            2.2.0  
vultr.cloud                   1.1.0  
vyos.vyos                     3.0.1  
wti.remote                    1.0.4  

# /Users/me/.ansible/collections/ansible_collections
Collection            Version   
--------------------- ----------
amazon.aws            5.0.0-dev0
infoblox.nios_modules 1.4.0

ONTAP Version

9.10.1

Playbook

- name: create SnapShot
  netapp.ontap.na_ontap_snapshot:
    state: present
    snapshot: "{{ ansible_date_time.iso8601_basic_short }}"
    volume: "{{ volume_name }}"
    comment: "Created by Ansible"
    vserver: "{{ vserver }}"
    username: "{{ username }}"
    password: "{{ password }}"
    hostname: "{{ mgmt_lif }}"
    https: true
    use_rest: Always
    validate_certs: false
    force_ontap_version: "9.10.1"
  tags:
    - create_snapshot

Steps to Reproduce

Expected Results

I expect the module to return a "Changed" result.

Actual Results

[WARNING]: Forcing ONTAP version to 9.10.1, unable to read current version: error: {'message': 'not authorized for that command', 'code': '6'}, status_code: 403
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "async_bool": null,
            "cert_filepath": null,
            "comment": "Created by Ansible",
            "expiry_time": null,
            "feature_flags": {},
            "force_ontap_version": "9.10.1",
            "from_name": null,
            "hostname": "10.247.0.49",
            "http_port": null,
            "https": true,
            "ignore_owners": null,
            "key_filepath": null,
            "ontapi": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "snapmirror_label": null,
            "snapshot": "20230228T163132",
            "snapshot_instance_uuid": null,
            "state": "present",
            "use_rest": "Always",
            "username": "ansible_user",
            "validate_certs": false,
            "volume": "my_test_volume",
            "vserver": "my_stage_svm"
        }
    },
    "msg": "Error when creating snapshot: job reported error: {'message': 'not authorized for that command', 'code': '6'} - {'message': 'not authorized for that command', 'code': '6'} - {'message': 'not authorized for that command', 'code': '6'} - {'message': 'not authorized for that command', 'code': '6'}, received {'job': {'uuid': '09227d02-b7c0-11ed-a2a5-00a098e242a9', '_links': {'self': {'href': '/api/cluster/jobs/09227d02-b7c0-11ed-a2a5-00a098e242a9'}}}}."
}

fostermi commented 1 year ago

After further investigation, I'm not sure if the title and description are entirely accurate. I get this error, but I'm not sure when the error is being returned. I now believe it happens when the module attempts to check on the status of the request after it is sent by the rest api module, because the task sits and waits for several seconds before completing.

fostermi commented 1 year ago

After some more digging, I think this is because the module attempts to check the status of the job by querying the API endpoint /api/cluster/jobs, which I don't have permissions to do on our vserver. Is there a way around this?

fostermi commented 1 year ago

Closing this as I think it's not relevant now that I know access to the /cluster/jobs endpoint is needed.

carchi8py commented 1 year ago

Ya, access to /cluster/jobs is needed by most APIs. Any REST API that is async or takes some time to complete will return successful (regardless of whether it worked or not) with a Job. We then monitor that Job, which will tell us if it completed or if there was an error.
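
The job-monitoring flow described in this thread, as an added example (not part of the thread and not the collection's code): an accepted async call returns a job link, and a role that cannot read /api/cluster/jobs leaves the real result unknown rather than failed. The `send` transport, both sample roles, the placeholder snapshot path and the `state` field name are assumptions made for illustration.

```python
# Added illustration; not code from the netapp.ontap collection.
# send(method, path) -> (status_code, body) is a hypothetical transport.
JOB_HREF = "/api/cluster/jobs/09227d02-b7c0-11ed-a2a5-00a098e242a9"  # from the issue output
ACCEPTED = (202, {"job": {"_links": {"self": {"href": JOB_HREF}}}})
DENIED = (403, {"error": {"message": "not authorized for that command", "code": "6"}})


def run_async_call(send, method, path, max_polls=4):
    """Issue a REST call and follow the job it returns, if any.

    Outcomes: 'rejected' (request refused), 'success', 'failure' (job
    reported an error), 'unmonitored' (request accepted, but the job record
    could not be read, so the real result is unknown).
    """
    status, body = send(method, path)
    if status >= 400:
        return "rejected", body.get("error")
    job = body.get("job")
    if job is None:
        return "success", body  # synchronous call, nothing to poll
    href = job["_links"]["self"]["href"]
    for _ in range(max_polls):
        status, body = send("GET", href)
        if status >= 400:
            # e.g. 403 on /api/cluster/jobs for an SVM-scoped role
            return "unmonitored", body.get("error")
        state = body.get("state")  # assumed job field: success / failure / running
        if state == "success":
            return "success", body
        if state == "failure":
            return "failure", body.get("message")
    return "unmonitored", {"message": "job did not finish within max_polls"}


def svm_scoped_role(method, path):
    """Constructed transport: may create snapshots, may not read cluster jobs."""
    return DENIED if path.startswith("/api/cluster/jobs") else ACCEPTED


def role_with_job_read(method, path):
    """Constructed transport: same role plus read access to /api/cluster/jobs."""
    if path.startswith("/api/cluster/jobs"):
        return 200, {"state": "success"}
    return ACCEPTED


if __name__ == "__main__":
    snap_path = "/api/storage/volumes/VOLUME_UUID/snapshots"  # placeholder path
    print(run_async_call(svm_scoped_role, "POST", snap_path))
    print(run_async_call(role_with_job_read, "POST", snap_path))
```

Treating a denied job read as "unmonitored" keeps a permissions gap on the automation account from being reported as a failed storage operation; the remedy remains read access to the jobs endpoint for that role.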