ansible / galaxy_collection

Collection of modules and roles to configure Automation Hub
GNU General Public License v3.0

Weird issue with user module #311

Open nodje opened 1 year ago

nodje commented 1 year ago

Using 2.0.2:

This config fails:

---
ah_users:
  - username: service
    is_superuser: true
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30643930336231306161343931396539396530646631623966646638643963333832353065333632
      3166386438303265336566336330663933313366363530310a643335653364643462313166333539
      30313266363834633037366639623365356634613562613038396661303961336332386435643832
      3231623761363332610a663431313531656235373837636138366135313130653237346537626533
      6166
  - username: DBA
    groups:
      - DBA
    append: false
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32626137336230373934633263623830666334376434336637363138353732323537313366643231
      3232353365633264373036326465303036373866326162310a353336363432313137343937643765
      30613463666133663830643562333430623363393438376433366430386331373464363764613339
      3566653562333835380a646433393333623865653165646362333663636138303663653233636236
      3533
...

with log:

TASK [infra.ah_configuration.user : Create User | Wait for finish the user creation] *********************************************************************************************************************************************************************
FAILED - RETRYING: [localhost]: Create User | Wait for finish the user creation (50 retries left).
changed: [localhost] => (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': '985190343965.294533', 'results_file': '/root/.ansible_async/985190343965.294533', 'changed': False, '__user': {'username': 'service', 'is_superuser': True, 'password': 'stagingbis'}, 'ansible_loop_var': '__user'}) => {"__users_job_async_result_item": {"__user": {"is_superuser": true, "password": "stagingbis", "username": "service"}, "ansible_job_id": "985190343965.294533", "ansible_loop_var": "__user", "changed": false, "failed": 0, "finished": 0, "results_file": "/root/.ansible_async/985190343965.294533", "started": 1}, "ansible_job_id": "985190343965.294533", "ansible_loop_var": "__users_job_async_result_item", "attempts": 2, "changed": true, "finished": 1, "id": 3, "name": "service", "results_file": "/root/.ansible_async/985190343965.294533", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": [], "type": "user", "warnings": ["The field password of user service has encrypted data and may inaccurately report task is changed."]}
failed: [localhost] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': '102807972648.294552', 'results_file': '/root/.ansible_async/102807972648.294552', 'changed': False, '__user': {'username': 'DBA', 'groups': ['DBA'], 'append': False, 'password': 'DBA123&123&'}, 'ansible_loop_var': '__user'}) => {"__users_job_async_result_item": {"__user": {"append": false, "groups": ["DBA"], "password": "DBA123&123&", "username": "DBA"}, "ansible_job_id": "102807972648.294552", "ansible_loop_var": "__user", "changed": false, "failed": 0, "finished": 0, "results_file": "/root/.ansible_async/102807972648.294552", "started": 1}, "ansible_job_id": "102807972648.294552", "ansible_loop_var": "__users_job_async_result_item", "attempts": 1, "changed": false, "finished": 1, "msg": "Error while getting server version: You do not have permission to GET /api/galaxy/ (HTTP 403).", "results_file": "/root/.ansible_async/102807972648.294552", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

but when I put user DBA first in the list it works, as in:

---
ah_users:
  - username: DBA
    groups:
      - DBA
    append: false
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32626137336230373934633263623830666334376434336637363138353732323537313366643231
      3232353365633264373036326465303036373866326162310a353336363432313137343937643765
      30613463666133663830643562333430623363393438376433366430386331373464363764613339
      3566653562333835380a646433393333623865653165646362333663636138303663653233636236
      3533
  - username: service
    is_superuser: true
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30643930336231306161343931396539396530646631623966646638643963333832353065333632
      3166386438303265336566336330663933313366363530310a643335653364643462313166333539
      30313266363834633037366639623365356634613562613038396661303961336332386435643832
      3231623761363332610a663431313531656235373837636138366135313130653237346537626533
      6166
...

NB: I'm using this user service to run the playbook

sean-m-sullivan commented 1 year ago

This is strange. I've seen it before on project sync and controller with 90-some projects, or if it took over 10 seconds due to the ansible requests function default timeout. Did you set anything for async?

nodje commented 1 year ago

Hum, nope, I haven't set anything for async

sean-m-sullivan commented 11 months ago

Relooked at this, and it was not an issue. However, it may have to do with SSO? Was it enabled? I know it can cause screwy things with auth, and it may have to do with how it was looking up the group.

Here was my test playbook

---
- name: Hub Stuff
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    ah_hostname: hub.nas
    ah_username: admin
    ah_password: secret123
    ah_validate_certs: false
    ah_groups:
      - name: DBA
        state: present
    ah_users:
      - username: service
        is_superuser: true
        password: 2834ASDF23!
      - username: DBA
        groups:
          - DBA
        append: false
        password: 2834ASDF23!

  roles:
    - galaxy.galaxy.group
    - galaxy.galaxy.user
...

Let me know if Keycloak/SSO was connected to the hub, and if the group was created from SSO. I've only seen this error really on SSO related hubs trying to use tokens instead of user/pass on some endpoints.

nodje commented 11 months ago

We are not using SSO on this instance.

Relooking at the issue myself, it strikes me that the user causing the issue is the one that is used to authenticate against the AH instance by the playbook.

Since reordering the list of users worked, I haven't looked at it anymore. But testing again, I confirm the issue is still there.

Also, if only the service user is created, there's no issue. It's ONLY if the DBA user is created AFTER service ...
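
The pattern reported in this thread (the account the playbook authenticates as is itself in `ah_users`, and only the users listed after it fail with HTTP 403) lends itself to a pre-flight check. The block below is an added illustration, not code from the infra.ah_configuration or galaxy.galaxy collection. It rests on a hypothesis the thread does not confirm: the role re-sends the password of every listed user because it cannot compare against the stored hash (that is what the "may inaccurately report task is changed" warning in the log above says), so the authenticating account is rewritten mid-run and whatever is processed after it runs with credentials the hub no longer honours. The `ah_users` sample, `AH_USERNAME`, and the log line are constructed from the configs and output posted above; the function names are my own.

```python
"""Pre-flight checks for an ah_users list (added illustration, not collection code).

Hypothesis, not confirmed in the thread: the role rewrites the password of
every listed user, so when the list contains the account the playbook itself
authenticates as, users handled after it fail with HTTP 403.
"""
import re
from typing import Any, Dict, List

# Constructed sample modelled on the first failing config in the thread.
AH_USERNAME = "service"
AH_USERS: List[Dict[str, Any]] = [
    {"username": "service", "is_superuser": True, "password": "stagingbis"},
    {"username": "DBA", "groups": ["DBA"], "append": False, "password": "DBA123&123&"},
    {"username": "readregistry", "password": "readregistry"},
]

# Constructed log line shaped like the loop output above (secure logging off).
SAMPLE_LOG_LINE = (
    "failed: [localhost] (item={'__user': {'username': 'DBA', 'groups': ['DBA'], "
    "'append': False, 'password': 'DBA123&123&'}}) => "
    '{"__user": {"password": "DBA123&123&", "username": "DBA"}, "msg": "HTTP 403"}'
)


def users_at_risk(users: List[Dict[str, Any]], auth_user: str) -> List[str]:
    """Usernames the role would handle after touching the authenticating account.

    Empty when that account is not managed at all, or is already last.
    """
    names = [u["username"] for u in users]
    if auth_user not in names:
        return []
    return names[names.index(auth_user) + 1:]


def move_auth_user_last(users: List[Dict[str, Any]], auth_user: str) -> List[Dict[str, Any]]:
    """Copy of the list with the authenticating account moved to the end.

    This is the reordering workaround the reporters found; the relative order
    of the other users is preserved.
    """
    others = [u for u in users if u["username"] != auth_user]
    own = [u for u in users if u["username"] == auth_user]
    return others + own


# Matches  'password': 'value'  and  "password": "value"  as Ansible prints them.
_PASSWORD_FIELD = re.compile(r"""(['"]password['"]\s*:\s*)(['"])(?:(?!\2).)*\2""")


def redact_passwords(line: str) -> str:
    """Mask password values in an already-captured log line; other fields stay.

    A stop-gap for logs that were written with secure logging disabled. Values
    containing their own delimiting quote are not handled; in the playbook the
    right tool is no_log / secure logging, so the value is never printed.
    """
    return _PASSWORD_FIELD.sub(lambda m: f"{m.group(1)}{m.group(2)}********{m.group(2)}", line)


if __name__ == "__main__":
    for name in users_at_risk(AH_USERS, AH_USERNAME):
        print(f"warning: {name} is processed after the authenticating account {AH_USERNAME}")
    print([u["username"] for u in move_auth_user_last(AH_USERS, AH_USERNAME)])
    print(redact_passwords(SAMPLE_LOG_LINE))
```

Two caveats on the reordering: the role starts its jobs asynchronously, so "last" only means last to start, and if the vaulted password for the authenticating account really differs from `ah_password`, moving it last only delays the failure to the next run. Managing that account's credential outside the run that uses it avoids both problems.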

yazmatazz commented 5 months ago

I am running into a similar issue as this one, currently using 2.0.6. When I configure a user without the password parameter set, then everything works fine, but as soon as I include the password parameter for the user, then I receive the following error message:

Traceback (most recent call last):
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_api_module.py", line 295, in make_request
AttributeError: 'dict' object has no attribute 'read'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/runner/.ansible/tmp/ansible-tmp-1712761112.0405471-245-239305278471077/AnsiballZ_ah_user.py", line 107, in <module>
    _ansiballz_main()
  File "/runner/.ansible/tmp/ansible-tmp-1712761112.0405471-245-239305278471077/AnsiballZ_ah_user.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/runner/.ansible/tmp/ansible-tmp-1712761112.0405471-245-239305278471077/AnsiballZ_ah_user.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.galaxy.galaxy.plugins.modules.ah_user', init_globals=dict(_module_fqn='ansible_collections.galaxy.galaxy.plugins.modules.ah_user', _modlib_path=modlib_path),
  File "/usr/lib64/python3.9/runpy.py", line 225, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/modules/ah_user.py", line 240, in <module>
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/modules/ah_user.py", line 236, in main
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_ui_object.py", line 437, in create_or_update
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_ui_object.py", line 391, in update
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_api_module.py", line 297, in make_request
KeyError: 'non_field_errors'

Could this be due to the same issue, or is this caused by something else?

Tompage1994 commented 5 months ago

@yazmatazz I'm unsure if this is the same issue, but I've just done some diagnostics and found that the issue is almost certainly because the API is rejecting your password for being too simple. I'll push a fix to surface this error. We shall see if that also fixes the main error in this bug, though.
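
The traceback above ends in `KeyError: 'non_field_errors'` inside `make_request`: the error handler expected that one key in the response body, while a password rejected by the hub's validators is reported under the field name instead, so the real cause was hidden. The block below is an added illustration of how to surface any Django REST Framework style error body, whichever shape it takes; it is not the collection's code, and the validator messages in the constructed samples are assumed, since the thread does not show the hub's actual response text.

```python
"""Flatten a DRF-style error body into messages a module can report.

Added illustration, not code from the galaxy.galaxy collection. The sample
bodies are constructed; the exact validator wording is assumed.
"""
import json
from typing import Any, List, Union

# Constructed sample bodies in the three shapes DRF commonly returns.
FIELD_ERROR = {
    "password": [
        "This password is too common.",
        "This password is too short. It must contain at least 9 characters.",
    ]
}
NON_FIELD_ERROR = {"non_field_errors": ["Unable to log in with provided credentials."]}
DETAIL_ERROR = {"detail": "You do not have permission to perform this action."}


def flatten_api_errors(body: Union[bytes, str, dict, list, None]) -> List[str]:
    """Return 'field: message' strings for any DRF error shape.

    Handles raw bytes/str (parsed as JSON, or returned verbatim if not JSON),
    per-field lists, non_field_errors, a bare 'detail', and nested dicts.
    Never raises on an unexpected shape, so the caller can always fail loudly
    with whatever the server said.
    """
    if body is None:
        return []
    if isinstance(body, (bytes, str)):
        try:
            body = json.loads(body)
        except ValueError:
            text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body
            return [text.strip()] if text.strip() else []
    messages: List[str] = []
    if isinstance(body, dict):
        for field, value in body.items():
            label = "" if field == "non_field_errors" else f"{field}: "
            if isinstance(value, (list, tuple)):
                messages.extend(f"{label}{v}" for v in value)
            elif isinstance(value, dict):
                messages.extend(f"{label}{m}" for m in flatten_api_errors(value))
            else:
                messages.append(f"{label}{value}")
    elif isinstance(body, (list, tuple)):
        messages.extend(str(v) for v in body)
    else:
        messages.append(str(body))
    return messages


def describe_failure(status: int, body: Any) -> str:
    """One-line summary suitable for fail_json(msg=...)."""
    details = flatten_api_errors(body)
    return f"HTTP {status}: " + ("; ".join(details) if details else "no error detail in response")


if __name__ == "__main__":
    print(describe_failure(400, FIELD_ERROR))
    print(describe_failure(400, NON_FIELD_ERROR))
    print(describe_failure(403, DETAIL_ERROR))
```

The point is that the failure message now names the offending field and the validator text, so a weak password is diagnosed from the task output instead of from a Python traceback.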

yazmatazz commented 5 months ago

Thank you, the issue was indeed due to a weak password.

sean-m-sullivan commented 5 months ago

Closing, as the issue was found!

nodje commented 5 months ago

I'm not in a position to test my issue with a stronger password before next week. But can this explain why in my case the ordering of the user creation played a role in the failure of the task?

Tompage1994 commented 4 months ago

Yes, I believe that would have been the issue. I eventually managed to recreate the same or a similar issue, and it is now resolved.

mondherGL commented 4 months ago

We still have the ordering issue. I just tested this:

---
ah_configuration_user_secure_logging: false
ah_users:
  - username: DBA
    groups:
      - DBA
    append: false
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32626137336230373934633263623830666334376434336637363138353732323537313366643231
      3232353365633264373036326465303036373866326162310a353336363432313137343937643765
      30613463666133663830643562333430623363393438376433366430386331373464363764613339
      3566653562333835380a646433393333623865653165646362333663636138303663653233636236
      3533
  - username: service
    is_superuser: true
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30643930336231306161343931396539396530646631623966646638643963333832353065333632
      3166386438303265336566336330663933313366363530310a643335653364643462313166333539
      30313266363834633037366639623365356634613562613038396661303961336332386435643832
      3231623761363332610a663431313531656235373837636138366135313130653237346537626533
      6166
  - username: readregistry
    password: readregistry

It fails with the following error:

TASK [infra.ah_configuration.user : Create User | Wait for finish the user creation] ***
Wednesday 15 May 2024  10:25:50 +0200 (0:00:01.971)       0:00:06.223 ********* 
Wednesday 15 May 2024  10:25:50 +0200 (0:00:01.971)       0:00:06.222 ********* 
FAILED - RETRYING: [localhost]: Create User | Wait for finish the user creation (50 retries left).
changed: [localhost] => (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j321129434228.84', 'results_file': '/root/.ansible_async/j321129434228.84', 'changed': False, '__user': {'username': 'DBA', 'groups': ['DBA'], 'append': False, 'password': 'DBA123&123&'}, 'ansible_loop_var': '__user'})
changed: [localhost] => (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j944304046596.102', 'results_file': '/root/.ansible_async/j944304046596.102', 'changed': False, '__user': {'username': 'service', 'is_superuser': True, 'password': 'stagingbis'}, 'ansible_loop_var': '__user'})
failed: [localhost] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j231521529837.119', 'results_file': '/root/.ansible_async/j231521529837.119', 'changed': False, '__user': {'username': 'readregistry', 'password': 'readregistry'}, 'ansible_loop_var': '__user'}) => {"__users_job_async_result_item": {"__user": {"password": "readregistry", "username": "readregistry"}, "ansible_job_id": "j231521529837.119", "ansible_loop_var": "__user", "changed": false, "failed": 0, "finished": 0, "results_file": "/root/.ansible_async/j231521529837.119", "started": 1}, "ansible_job_id": "j231521529837.119", "ansible_loop_var": "__users_job_async_result_item", "attempts": 1, "changed": false, "finished": 1, "msg": "GET error: You do not have permission to GET /api/galaxy/_ui/v1/users/ (HTTP 403).", "results_file": "/root/.ansible_async/j231521529837.119", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

If I move the new readregistry user to the top, it works, same as my original issue.

This works:

---
ah_configuration_user_secure_logging: false
ah_users:
  - username: readregistry
    password: readregistry
  - username: DBA
    groups:
      - DBA
    append: false
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32626137336230373934633263623830666334376434336637363138353732323537313366643231
      3232353365633264373036326465303036373866326162310a353336363432313137343937643765
      30613463666133663830643562333430623363393438376433366430386331373464363764613339
      3566653562333835380a646433393333623865653165646362333663636138303663653233636236
      3533
  - username: service
    is_superuser: true
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30643930336231306161343931396539396530646631623966646638643963333832353065333632
      3166386438303265336566336330663933313366363530310a643335653364643462313166333539
      30313266363834633037366639623365356634613562613038396661303961336332386435643832
      3231623761363332610a663431313531656235373837636138366135313130653237346537626533
      6166