brocade / ansible


Issue with enabling root account #67

Closed sri4kanne closed 4 years ago

sri4kanne commented 4 years ago

Hello, while setting up a new switch using a playbook, I came across an issue where I'm getting the error below when enabling the "root" account on the switch. Can you please take a look and let me know if there is a way to include this as part of the playbook?

Below is the relevant part of the playbook

  - name: Enable root & user, and add new api accounts
    brocade_list_obj:
      credential: "{{credential}}"
      vfid: -1
      module_name: "brocade-security"
      list_name: "user-config"
      all_entries: False
      entries:
        - name: "apiro"
          password: "{{ password_apiro }}"
          virtual_fabric_role_id_list:
            role_id:
              - "admin=1-128"
          chassis_access_role: "user"
        - name: "apirw"
          password: "{{password_apirw}}"
          virtual_fabric_role_id_list:
            role_id:
              - "admin=1-128"
          chassis_access_role: "admin"
        - name: "user"
          account_enabled: True
        - name: "root"
          account_enabled: True 
    tags: useraccount

fatal: [switch]: FAILED! => {"add_entries": [], "add_retcode": 0, "changed": true, "current_entries": [{"access_end_time": null, "access_start_time": null, "account_description": "root", "account_enabled": false, "account_locked": false, "chassis_access_role": "root", "home_virtual_fabric": "128", "name": "root", "password_change_enforced": false, "virtual_fabric_role_id_list": {"role_id": ["root=1-128"]}}, {"access_end_time": null, "access_start_time": null, "account_description": "Administrator", "account_enabled": true, "account_locked": false, "chassis_access_role": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "home_virtual_fabric": "128", "name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "password_change_enforced": false, "virtual_fabric_role_id_list": {"role_id": ["********=1-128"]}}

Below are the commands used in the CLI which will enable the root account and allow ssh access using the mgmt/console ports. userconfig --change root -e yes and rootaccess --set all are the 2 commands used on the CLI to enable root access on the switch and allow access. Please let me know if you need any more details and thank you for your help!

daniel-chung-broadcom commented 4 years ago

let me take a look. I'll keep you posted.

daniel-chung-broadcom commented 4 years ago

I think the issue is password not being base64 encoded. I added code to convert clear text password to base64 string for user_config as other password fields. Can you please try out user_config_password branch and see if that addresses the issue?

sri4kanne commented 4 years ago

It works fine with 64bit encoded password as it was without any changes for additional accounts. The issue I'm facing is only with enabling the "root" account. (It works fine for the "user" account.)

  - name: Enable root & user, and add new api accounts
    brocade_list_obj:
      credential: "{{credential}}"
      vfid: -1
      module_name: "brocade-security"
      list_name: "user-config"
      all_entries: False
      entries:
        - name: "user"
          account_enabled: True
        - name: "root"
          account_enabled: True 
    tags: useraccount

I did try with the branch too and it's still failing with the same error as above, plus the error msg below when using verbose while running the play above. "msg": "Failed to enable account. skiiping due to errorServer '********' not found in known_hosts",

daniel-chung-broadcom commented 4 years ago

Ok. I believe the issue is this attribute is covered using ssh instead of rest because pre 9.0 doesn't cover this particular attribute (it does in 9.0 and up) and ssh connection to the switch is not able to find the host in the known_hosts lists. One way that I usually fix this is to just initiate connection from the ansible host to the switch and input "yes" to adding the switch in the known_hosts list. Another way to fix this is add "ssh_hostkeymust" in the "credential" to the task and set it to false. But then, it will not verify if the switch is known to the ansible host.

daniel-chung-broadcom commented 4 years ago

I also found an example of adding to known_hosts as part of a playbook. I tried one of the examples below and that seems to work for me.

https://stackoverflow.com/questions/30226113/ansible-ssh-prompt-known-hosts-issue
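
Added example, not part of the thread or of the brocade/ansible code: one way to add the switch to known_hosts from a playbook while still verifying its key, rather than accepting a scanned key unchecked or setting "ssh_hostkeymust" to false. The variables switch_addr, hostkey_type and expected_hostkey_fp are assumptions; the fingerprint is meant to be recorded from the switch over a trusted channel such as the console.

```yaml
# Added example; not from the thread or the brocade/ansible repository.
# Assumptions: switch_addr, hostkey_type and expected_hostkey_fp are
# hypothetical variables. switch_addr must be the same address the SSH
# connection to the switch uses, or the known_hosts lookup will not match.
- hosts: localhost
  gather_facts: false
  vars:
    switch_addr: "switch.example.net"        # constructed value
    hostkey_type: "rsa"                      # assumed key type
    expected_hostkey_fp: "SHA256:REPLACE_WITH_RECORDED_FINGERPRINT"  # placeholder
  tasks:
    - name: Fetch the host key the switch presents over the network
      ansible.builtin.command:
        argv: ["ssh-keyscan", "-t", "{{ hostkey_type }}", "{{ switch_addr }}"]
      register: scanned
      changed_when: false

    - name: Compute the fingerprint of the scanned key
      ansible.builtin.command:
        cmd: ssh-keygen -l -f -
        stdin: "{{ scanned.stdout }}"
      register: scanned_fp
      changed_when: false

    # ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)"
    - name: Stop unless the fingerprint matches the recorded one
      ansible.builtin.assert:
        that:
          - scanned_fp.stdout.split()[1] == expected_hostkey_fp
        fail_msg: "Host key of {{ switch_addr }} does not match the recorded fingerprint"

    - name: Pin the verified key in known_hosts
      ansible.builtin.known_hosts:
        name: "{{ switch_addr }}"
        key: "{{ scanned.stdout }}"
        state: present
```

With the key pinned this way there is no need to set "ssh_hostkeymust" to false, and a changed host key on the switch makes the play stop at the assert instead of being accepted.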

sri4kanne commented 4 years ago

Thanks for providing details, and yeah, that helped to enable the root account. But we still will not be able to access the switch via ssh until "ssh" access is allowed, and the CLI command used for that is "rootaccess --set all". Is there an equivalent that I can use in a playbook?

daniel-chung-broadcom commented 4 years ago

Unfortunately, rootaccess isn't supported through rest and creating a playbook to use ssh for that would not be useful. I'll go ahead and forward the request to the appropriate folks.

sri4kanne commented 4 years ago

Ok, thanks, will stick to manually enabling it for now from the switch. Will look into this once we upgrade to FOS 9.x and these features are available.

daniel-chung-broadcom commented 4 years ago

Ok. Are you ok with closing the issue for the moment then? I think the original issue of ssh connectivity is resolved and the rootaccess api support request has been forwarded to the appropriate folks. I don't have any information on the feasibility or timeline at the moment on the rest coverage. Please let me know. Thanks.

sri4kanne commented 4 years ago

sounds good, thanks!