brocade_interface_fibrechannel returns OK when fos_user_name has insufficient privileges

[mgoetze5]

I tried to change some port configuration as "user" rather than as "admin" and got ok: [fcsw-gts-a1.srv.tgos.de] => {"GET_url": "https://********/rest/running/brocade-interface/fibrechannel", "POST_resp_code": 405, "POST_resp_data": {"errors": {"@xmlns": "urn:ietf:params:xml:ns:yang:ietf-restconf", "error": {"error-app-tag": "Error", "error-info": {"error-code": "25", "error-module": "rest"}, "error-message": "Method not supported", "error-path": "/rest/running/brocade-interface/fibrechannel", "error-tag": "operation-not-supported", "error-type": "application"}}}, "POST_resp_reason": "Method Not Allowed", "POST_url": "https://********/rest/logout", "add_entries": .... IMHO the task should fail when it gets a 4xx response.

[daniel-chung-broadcom]

REST API requires admin level permission. As far as I could tell, the original failure is 405 against the /rest/running/brocade-inteface/fibrechannel as expected. Do you mind clarifying what you would like to see differently? Thanks.

[mgoetze5]

Yes, the REST level correctly returned an error, my problem is the Ansible level translated this to a green "OK" task and continued executing the rest of the playbook, expected behaviour would be for Ansible to mark this as a red "failed" task and abort execution of the playbook.

[daniel-chung-broadcom]

got it. I'll take a look. Thanks

[daniel-chung-broadcom]

Will you be able to share the playbook for repro? I have some questions as to why post operation is being used. Thanks.

[mgoetze5]

Hi Daniel, I won't be able to provide full context as I'm using a custom inventory plugin that reads from our CMDB, but basically:

tasks:

• name: Build port config set_fact: ports: "{{ ports | default([]) + [{ 'name': '0/' + item.name, 'user_friendly_name': item.description, 'persistent_disable': not item.enabled }] }}" when: not item.mgmt_only loop: "{{ netbox_host.interfaces }}"

• name: Write port config brocade_interface_fibrechannel: credential: "{{ credential }}" vfid: -1 ports: "{{ ports }}"

Presumably POST is used because I'm configuring all 48 ports at once which would be too much data for a GET.

[daniel-chung-broadcom]

Thanks. I"ll keep you posted on the investigation.

[prasad-valmeti-broadcom]

Do you see this issue if the number of ports is not 48? Is it specific to more data? This will help to test and figure out the issue. Also please clarify ansible version and fos version used.

[prasad-valmeti-broadcom]

No response to the questions asked. Could you please clarify the questions to work on this issue?

[prasad-valmeti-broadcom]

Please respond to the questions. If there are no issues, please suggest if we close the issue.

[mgoetze5]

@prasad-valmeti-broadcom I feel like I provided more than enough information at the time. Asking me to do testing for you with code and an environment I no longer have access to two years later seems somewhat optimistic.

[prasad-valmeti-broadcom]

Thank you for the details. Issue is addressed in the latest ansible and FOS versions. Please let us know if we can close the issue.

[mgoetze5]

Which patch addressed the issue?

[prasad-valmeti-broadcom]

We tried Ansible 1.3.3 with FOS 9.1, issue was not reproduced.

[prasad-valmeti-broadcom]

Please let us know if you see issues if you use the same or above Ansible and FOS releases.