ansible-collections / netapp.ontap

Ansible collection to support NetApp ONTAP configuration.
https://galaxy.ansible.com/netapp/ontap
GNU General Public License v3.0

netapp.ontap.na_ontap_user module / role & read-only access #89

Closed orb71 closed 2 years ago

orb71 commented 2 years ago

Summary

Hello,

It looks like it is not directly related to the module, but to ZAPI. The ONTAP command line works fine (just a few warnings).

Component Name

netapp.ontap.na_ontap_user module

Ansible Version

ansible [core 2.12.1]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/xxx/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/xxx/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, Jun 22 2022, 20:18:18) [GCC 9.4.0]
  jinja version = 2.10.1
  libyaml = True

ONTAP Collection Version

Collection                Version
------------------------- -------
brocade.fos               1.3.0
community.vmware          2.7.0
netapp.ontap              21.21.0
netapp_eseries.santricity 1.3.0

# /usr/lib/python3/dist-packages/ansible_collections
Collection                    Version
----------------------------- -------
amazon.aws                    2.3.0
ansible.netcommon             2.6.1
ansible.posix                 1.4.0
ansible.utils                 2.6.1
ansible.windows               1.10.0
arista.eos                    3.1.0
awx.awx                       19.4.0
azure.azcollection            1.13.0
check_point.mgmt              2.3.0
chocolatey.chocolatey         1.2.0
cisco.aci                     2.2.0
cisco.asa                     2.1.0
cisco.dnac                    6.5.0
cisco.intersight              1.0.19
cisco.ios                     2.8.1
cisco.iosxr                   2.9.0
cisco.ise                     1.2.1
cisco.meraki                  2.8.0
cisco.mso                     1.4.0
cisco.nso                     1.0.3
cisco.nxos                    2.9.1
cisco.ucs                     1.8.0
cloud.common                  2.1.2
cloudscale_ch.cloud           2.2.2
community.aws                 2.6.1
community.azure               1.1.0
community.ciscosmb            1.0.5
community.crypto              2.3.4
community.digitalocean        1.20.0
community.dns                 2.2.0
community.docker              2.6.0
community.fortios             1.0.0
community.general             4.8.3
community.google              1.0.0
community.grafana             1.5.0
community.hashi_vault         2.5.0
community.hrobot              1.4.0
community.kubernetes          2.0.1
community.kubevirt            1.0.0
community.libvirt             1.1.0
community.mongodb             1.4.1
community.mysql               2.3.8
community.network             3.3.0
community.okd                 2.2.0
community.postgresql          1.7.4
community.proxysql            1.4.0
community.rabbitmq            1.2.1
community.routeros            2.1.0
community.sap                 1.0.0
community.sap_libs            1.1.0
community.skydive             1.0.0
community.sops                1.2.2
community.vmware              1.18.2
community.windows             1.10.0
community.zabbix              1.7.0
containers.podman             1.9.3
cyberark.conjur               1.1.0
cyberark.pas                  1.0.14
dellemc.enterprise_sonic      1.1.1
dellemc.openmanage            4.4.0
dellemc.os10                  1.1.1
dellemc.os6                   1.0.7
dellemc.os9                   1.0.4
f5networks.f5_modules         1.17.0
fortinet.fortimanager         2.1.5
fortinet.fortios              2.1.6
frr.frr                       1.0.4
gluster.gluster               1.0.2
google.cloud                  1.0.2
hetzner.hcloud                1.6.0
hpe.nimble                    1.1.4
ibm.qradar                    1.0.3
infinidat.infinibox           1.3.3
infoblox.nios_modules         1.2.2
inspur.sm                     1.3.0
junipernetworks.junos         2.10.0
kubernetes.core               2.3.2
mellanox.onyx                 1.0.0
netapp.aws                    21.7.0
netapp.azure                  21.10.0
netapp.cloudmanager           21.18.0
netapp.elementsw              21.7.0
netapp.ontap                  21.20.0
netapp.storagegrid            21.10.0
netapp.um_info                21.8.0
netapp_eseries.santricity     1.3.0
netbox.netbox                 3.7.1
ngine_io.cloudstack           2.2.4
ngine_io.exoscale             1.0.0
ngine_io.vultr                1.1.2
openstack.cloud               1.8.0
openvswitch.openvswitch       2.1.0
ovirt.ovirt                   1.6.6
purestorage.flasharray        1.13.0
purestorage.flashblade        1.9.0
sensu.sensu_go                1.13.1
servicenow.servicenow         1.0.6
splunk.es                     1.0.2
t_systems_mms.icinga_director 1.30.0
theforeman.foreman            2.2.0
vmware.vmware_rest            2.2.0
vyos.vyos                     2.8.0
wti.remote                    1.0.4

ONTAP Version

Data ONTAP Release 9.10.1: Sat Jan 15 15:04:44 UTC 2022

Playbook

```yaml
- name: Harvest2-Role
  na_ontap_user_role:
    state: present
    name: harvest2-nabox
    command_directory_name: "{{ item }}"
    access_level: readonly
    vserver: "{{ xxx_vmw }}"
    use_rest: always
  loop: "{{ harvest2_read }}"
```

```yaml
harvest2_read: [
  "cluster",
  "lun",
  "snapmirror",
  "statistics",
  "storage aggregate",
  "storage disk",
  "storage shelf",
  "system health status show",
  "system health subsystem show",
  "system node",
  "version",
  "volume",
  "network interface",
  "security",
  "storage encryption disk",
  "vserver"
]
```

Steps to Reproduce

Expected Results

```text
NETAPP::> security login role create -role harvest2-role -access readonly -cmddirname "storage disk"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "cluster"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "lun"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "snapmirror"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "statistics"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "storage aggregate"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "storage disk"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "storage shelf"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "system health status show"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "system health subsystem show"

Warning: This operation will also affect the following commands: "system health subsystem modify"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "system node"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "version"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "volume"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "network interface"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "security"

Warning: "security certificate authority show-text" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "security certificate keystore show-text" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "security certificate truststore show-text" will not be accessible. Set the access to "all" if you want to allow it.

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "storage encryption disk"

NETAPP::> security login role create -role harvest2-nabox -access readonly -cmddirname "vserver"

Warning: "vserver services access-check authentication show-creds" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services access-check authentication show-ontap-admin-unix-creds" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services access-check name-mapping show" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services access-check server-discovery show-host" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services access-check server-discovery show-site" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services name-service nis-domain group-database show" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services name-service nis-domain netgroup-database show" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services name-service unix-group file show" will not be accessible. Set the access to "all" if you want to allow it.
Warning: "vserver services name-service unix-user file show" will not be accessible. Set the access to "all" if you want to allow it.
```

Actual Results

```text
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage aggregate" with access level "readonly". Use a different access level.
[WARNING]: Using ZAPI for na_ontap_user_role, ignoring 'use_rest: always'.
failed: [NETAPP] (item=storage aggregate) => {"ansible_loop_var": "item", "changed": false, "item": "storage aggregate", "msg": "Error creating role harvest2-nabox: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage aggregate" with access level "readonly". Use a different access level."}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage disk" with access level "readonly". Use a different access level.
failed: [NETAPP] (item=storage disk) => {"ansible_loop_var": "item", "changed": false, "item": "storage disk", "msg": "Error creating role harvest2-nabox: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage disk" with access level "readonly". Use a different access level."}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage shelf" with access level "readonly". Use a different access level.
failed: [NETAPP] (item=storage shelf) => {"ansible_loop_var": "item", "changed": false, "item": "storage shelf", "msg": "Error creating role harvest2-nabox: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage shelf" with access level "readonly". Use a different access level."}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "system health status show" with access level "readonly". Use a different access level.
failed: [NETAPP] (item=system health status show) => {"ansible_loop_var": "item", "changed": false, "item": "system health status show", "msg": "Error creating role harvest2-nabox: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "system health status show" with access level "readonly". Use a different access level."}
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: netapp_lib.api.zapi.zapi.NaApiError: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage encryption disk" with access level "readonly". Use a different access level.
failed: [NETAPP] (item=storage encryption disk) => {"ansible_loop_var": "item", "changed": false, "item": "storage encryption disk", "msg": "Error creating role harvest2-nabox: NetApp API failed. Reason - 13001:A Vserver admin cannot use command directory "storage encryption disk" with access level "readonly". Use a different access level."}
```

lonico commented 2 years ago

I think that ZAPI is correct. Note that in the CLI, vserver is not present. The vserver defaults to the cluster admin vserver. What value are you using in the playbook?

carchi8py commented 2 years ago

@orb71 can you try what @lonico mentioned above.

orb71 commented 2 years ago

My apologies for the late reply. @lonico is correct, I was not targeting the cluster.

All works as expected.
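The cluster-scoped form of the playbook that lonico's comment points to, as an added example that is not from the issue, the collection's own documentation, or NetApp. It assumes a `cluster_name` variable holding the name of the cluster admin vserver (the SVM the CLI session above defaults to), the standard `netapp_hostname` / `netapp_username` / `netapp_password` connection variables, and a `harvest2_password` variable supplied from a vault. The second task, which binds a monitoring user to the role, uses `na_ontap_user` parameter names (`applications`, `authentication_method`, `role_name`, `set_password`) recalled from the collection's documentation; check them against `ansible-doc netapp.ontap.na_ontap_user` for the installed version before running.

```yaml
# Added example, not from the issue: the same read-only role, but created on
# the cluster admin vserver instead of a data SVM. Error 13001 ("A Vserver
# admin cannot use command directory ... with access level readonly") is what
# ONTAP returns when cluster-scoped directories such as "storage aggregate"
# are added to a role owned by a data SVM.
- name: Create a read-only Harvest role on the cluster
  hosts: localhost
  gather_facts: false
  vars:
    cluster_name: "CLUSTER01"            # assumed: the cluster (admin vserver) name
    harvest2_read:
      - cluster
      - lun
      - snapmirror
      - statistics
      - storage aggregate
      - storage disk
      - storage shelf
      - system health status show
      - system health subsystem show
      - system node
      - version
      - volume
      - network interface
      - security
      - storage encryption disk
      - vserver
    login: &login
      hostname: "{{ netapp_hostname }}"
      username: "{{ netapp_username }}"
      password: "{{ netapp_password }}"
      https: true
      validate_certs: true               # keep TLS verification on for an automation account
  tasks:
    - name: Harvest2-Role (cluster scope)
      netapp.ontap.na_ontap_user_role:
        <<: *login
        state: present
        name: harvest2-nabox
        command_directory_name: "{{ item }}"
        access_level: readonly
        vserver: "{{ cluster_name }}"    # cluster admin vserver, not a data SVM
        use_rest: always
      loop: "{{ harvest2_read }}"

    - name: Harvest2 user bound to the read-only role
      netapp.ontap.na_ontap_user:
        <<: *login
        state: present
        name: harvest2
        vserver: "{{ cluster_name }}"
        role_name: harvest2-nabox
        applications: [http, ontapi]     # REST and ZAPI only; no ssh or console login
        authentication_method: password
        set_password: "{{ harvest2_password }}"   # assumed: supplied from a vault, not in the playbook
        use_rest: always
```

After the run, `security login role show -role harvest2-nabox` on the cluster lists every directory with its access level, which is the quickest way to confirm the role landed where it should. The CLI warnings in the Expected Results above also deserve a second look: `readonly` on `security` and `vserver` leaves out commands that print key material or credentials (`security certificate ... show-text`, `vserver services access-check authentication show-creds`), which is exactly what a monitoring account should not have, so the warning's suggestion to set those directories to `all` should not be followed for this role.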