Open nodje opened 1 year ago
This is strange, I've seen it before on project sync and controller with 90 some projects, or if it took over 10 seconds due to the ansible requests function default timeout. Did you set anything for async?
Hum, nope, I haven't set anything for async
Relooked at this, was not an issue, however it may have to do with SSO? Was it enabled? I know it can cause screwy things with auth, and may have to do with how it was looking up the group?
Here was my test playbook
```yaml
---
- name: Hub Stuff
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    ah_hostname: hub.nas
    ah_username: admin
    ah_password: secret123
    ah_validate_certs: false
    ah_groups:
      - name: DBA
        state: present
    ah_users:
      - username: service
        is_superuser: true
        password: 2834ASDF23!
      - username: DBA
        groups:
          - DBA
        append: false
        password: 2834ASDF23!
  roles:
    - galaxy.galaxy.group
    - galaxy.galaxy.user
...
```
Let me know if Keycloak/SSO was connected to the hub, and if the group was created from SSO. I've only seen this error really on SSO related hubs trying to use tokens instead of user/pass on some endpoints.
We are not using SSO on this instance.
Relooking at the issue myself, it strikes me that the user causing the issue is the one that is used to authenticate against the AH instance by the playbook.
Since reordering the list of users worked I haven't looked at it anymore. But testing again, I confirm the issue is still there.
Also, if only the `service` user is created, there's no issue.
It's ONLY if `DBA` user created AFTER `service`
...
I am running into a similar issue as this one, currently using 2.0.6, and when I configure a user without the password parameter set, then everything works fine, but as soon as I include the password parameter for the user then I receive the following error message:
```
Traceback (most recent call last):
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_api_module.py", line 295, in make_request
AttributeError: 'dict' object has no attribute 'read'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/runner/.ansible/tmp/ansible-tmp-1712761112.0405471-245-239305278471077/AnsiballZ_ah_user.py", line 107, in <module>
    _ansiballz_main()
  File "/runner/.ansible/tmp/ansible-tmp-1712761112.0405471-245-239305278471077/AnsiballZ_ah_user.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/runner/.ansible/tmp/ansible-tmp-1712761112.0405471-245-239305278471077/AnsiballZ_ah_user.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.galaxy.galaxy.plugins.modules.ah_user', init_globals=dict(_module_fqn='ansible_collections.galaxy.galaxy.plugins.modules.ah_user', _modlib_path=modlib_path),
  File "/usr/lib64/python3.9/runpy.py", line 225, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/modules/ah_user.py", line 240, in <module>
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/modules/ah_user.py", line 236, in main
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_ui_object.py", line 437, in create_or_update
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_ui_object.py", line 391, in update
  File "/tmp/ansible_ah_user_payload_07s5f4ab/ansible_ah_user_payload.zip/ansible_collections/galaxy/galaxy/plugins/module_utils/ah_api_module.py", line 297, in make_request
KeyError: 'non_field_errors'
```
Could this be due to the same issue, or is this caused by something else?
@yazmatazz I'm unsure if this is the same issue but I've just done some diagnostics and found that the issue is almost certainly because the API is rejecting your password for being too simple. I'll push a fix to surface this error. We shall see if that also fixes the main error in this bug though.
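The traceback above shows the error path calling `.read()` on an already-parsed dict and then indexing `non_field_errors`, which hid the hub's password rejection behind a `KeyError`. The sketch below is an added example, not the collection's code or the fix that was pushed: it pulls messages out of several response shapes without assuming any key exists. The `errors` / `source.parameter` layout and the sample bodies are assumptions constructed for illustration.

```python
import io
import json


def load_body(response):
    """Decode a JSON error body from a file-like object, bytes/str, or parsed data."""
    if isinstance(response, (dict, list)):
        return response                      # already parsed: has no .read()
    raw = response.read() if hasattr(response, "read") else response
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    try:
        return json.loads(raw)
    except (TypeError, ValueError):
        return {"detail": str(raw)}          # non-JSON body, e.g. a proxy error page


def extract_api_errors(response):
    """Return human-readable messages without assuming any one key exists."""
    body = load_body(response)
    if not isinstance(body, dict):
        body = {"non_field_errors": body}
    messages = []
    errors = body.get("errors") or []
    for err in errors if isinstance(errors, list) else [errors]:
        if isinstance(err, dict):
            source = err.get("source")
            field = source.get("parameter") if isinstance(source, dict) else None
            text = err.get("detail") or err.get("title") or json.dumps(err)
            messages.append(f"{field}: {text}" if field else str(text))
        else:
            messages.append(str(err))
    for key, value in body.items():
        if key == "errors":
            continue
        prefix = "" if key in ("non_field_errors", "detail") else f"{key}: "
        for item in value if isinstance(value, list) else [value]:
            messages.append(prefix + str(item))
    return messages or ["unknown error (empty response body)"]


# Constructed sample bodies (assumed shapes, not captured from a real hub).
WEAK_PASSWORD = {"errors": [{"code": "invalid", "detail": "This password is too common.",
                             "source": {"parameter": "password"}}]}
FORBIDDEN = b'{"detail": "You do not have permission to GET /api/galaxy/_ui/v1/users/"}'

if __name__ == "__main__":
    for sample in (WEAK_PASSWORD, io.BytesIO(FORBIDDEN), {}, b"<html>502</html>"):
        print(extract_api_errors(sample))
```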
Thank you, the issue was indeed due to a weak password.
Closing, as issue was found!
I'm not in a position to test my issue with a stronger password before next week. But can this explain why in my case the ordering of the user creation played a role in the failure of the task?
Yes I believe that would have been the issue. I eventually managed to recreate the same or a similar issue and it was now resolved.
We still have the ordering issue. I just tested this:
```yaml
---
ah_configuration_user_secure_logging: false
ah_users:
  - username: DBA
    groups:
      - DBA
    append: false
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32626137336230373934633263623830666334376434336637363138353732323537313366643231
      3232353365633264373036326465303036373866326162310a353336363432313137343937643765
      30613463666133663830643562333430623363393438376433366430386331373464363764613339
      3566653562333835380a646433393333623865653165646362333663636138303663653233636236
      3533
  - username: service
    is_superuser: true
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30643930336231306161343931396539396530646631623966646638643963333832353065333632
      3166386438303265336566336330663933313366363530310a643335653364643462313166333539
      30313266363834633037366639623365356634613562613038396661303961336332386435643832
      3231623761363332610a663431313531656235373837636138366135313130653237346537626533
      6166
  - username: readregistry
    password: readregistry
```
It fails with the following error:
```
TASK [infra.ah_configuration.user : Create User | Wait for finish the user creation] ***
Wednesday 15 May 2024 10:25:50 +0200 (0:00:01.971) 0:00:06.223 *********
Wednesday 15 May 2024 10:25:50 +0200 (0:00:01.971) 0:00:06.222 *********
FAILED - RETRYING: [localhost]: Create User | Wait for finish the user creation (50 retries left).
changed: [localhost] => (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j321129434228.84', 'results_file': '/root/.ansible_async/j321129434228.84', 'changed': False, '__user': {'username': 'DBA', 'groups': ['DBA'], 'append': False, 'password': 'DBA123&123&'}, 'ansible_loop_var': '__user'})
changed: [localhost] => (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j944304046596.102', 'results_file': '/root/.ansible_async/j944304046596.102', 'changed': False, '__user': {'username': 'service', 'is_superuser': True, 'password': 'stagingbis'}, 'ansible_loop_var': '__user'})
failed: [localhost] (item={'failed': 0, 'started': 1, 'finished': 0, 'ansible_job_id': 'j231521529837.119', 'results_file': '/root/.ansible_async/j231521529837.119', 'changed': False, '__user': {'username': 'readregistry', 'password': 'readregistry'}, 'ansible_loop_var': '__user'}) => {"__users_job_async_result_item": {"__user": {"password": "readregistry", "username": "readregistry"}, "ansible_job_id": "j231521529837.119", "ansible_loop_var": "__user", "changed": false, "failed": 0, "finished": 0, "results_file": "/root/.ansible_async/j231521529837.119", "started": 1}, "ansible_job_id": "j231521529837.119", "ansible_loop_var": "__users_job_async_result_item", "attempts": 1, "changed": false, "finished": 1, "msg": "GET error: You do not have permission to GET /api/galaxy/_ui/v1/users/ (HTTP 403).", "results_file": "/root/.ansible_async/j231521529837.119", "started": 1, "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
```
If I move the new `readregistry` user to the top, it works, same as my original issue.
This works:
```yaml
---
ah_configuration_user_secure_logging: false
ah_users:
  - username: readregistry
    password: readregistry
  - username: DBA
    groups:
      - DBA
    append: false
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      32626137336230373934633263623830666334376434336637363138353732323537313366643231
      3232353365633264373036326465303036373866326162310a353336363432313137343937643765
      30613463666133663830643562333430623363393438376433366430386331373464363764613339
      3566653562333835380a646433393333623865653165646362333663636138303663653233636236
      3533
  - username: service
    is_superuser: true
    password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      30643930336231306161343931396539396530646631623966646638643963333832353065333632
      3166386438303265336566336330663933313366363530310a643335653364643462313166333539
      30313266363834633037366639623365356634613562613038396661303961336332386435643832
      3231623761363332610a663431313531656235373837636138366135313130653237346537626533
      6166
```
Using 2.0.2:
This config fails:
with log:
but when I put user DBA first in the list it works, as in:
NB: I'm using this user `service` to run the playbook