fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Change system admin password forbidden #126

Open kaon1 opened 3 years ago

kaon1 commented 3 years ago

Can I change the system admin password via ansible? I am seeing this error.

[httpsd 27871 - 1626985220 error] _api_cmdb_v2_config[1189] -- Modification of the 'password' field of system.admin is forbidden.

JieX19 commented 3 years ago

Hi @kaon1

I can reproduce the error and will open a ticket in the internal system.

kaon1 commented 3 years ago

For others with the same issue, as a workaround I created a playbook which deletes the user and then re-adds it with the new desired password. Some gotchas:

  1. You have to authenticate as a different user to make the change
  2. It's not idempotent; it will always make the change whether the password is the same or not

```yaml
---
- name: "Playbook: Update password by deleting and re-adding user"
  hosts: lab
  gather_facts: false
  vars:
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    vdom: "root"
    ansible_user: "{{ lookup('env','FG_UN') }}"
    ansible_password: "{{ lookup('env','FG_PW') }}"
    desired_new_password: "{{ lookup('env','FG_NEW_PW') }}"
    username: xxx
  tasks:
    - name: "Task1: Delete User"
      fortinet.fortios.fortios_system_admin:
        vdom: "{{ vdom }}"
        state: absent
        system_admin:
          name: "{{ username }}"

    - name: "Task2: Re-add user with new password"
      fortinet.fortios.fortios_system_admin:
        vdom: "{{ vdom }}"
        state: present
        system_admin:
          name: "{{ username }}"
          accprofile: "super_admin"
          trusthost1: "xxx"
          password: "{{ desired_new_password }}"

- name: "Test New Password"
  hosts: lab
  gather_facts: false
  vars:
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    vdom: "root"
    ansible_user: xxx
    ansible_password: "{{ lookup('env','FG_NEW_PW') }}"
  tasks:
    - name: "Task3: Test new password"
      fortinet.fortios.fortios_configuration_fact:
        vdom: "{{ vdom }}"
        selector: "system_admin"
```

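
An added example, not code from this issue or from the fortinet.fortios collection, that addresses both gotchas of the delete-and-re-add workaround: it first probes whether the desired password already works (so a re-run changes nothing), and it refuses to run when the admin performing the change is the account being rotated (which would lock you out). It assumes an inventory group `lab`, environment variables `FG_UN`/`FG_PW` for the admin making the change and `FG_TARGET_USER`/`FG_NEW_PW` for the account being rotated, and that the FortiGate presents a certificate the controller trusts (certificate validation is enabled here, unlike the playbook above); the trusthost value is a constructed placeholder.

```yaml
---
# Added example (not from the issue or the collection): an idempotent,
# lockout-guarded version of the delete-and-re-add workaround.
# Assumptions (constructed): inventory group "lab"; FG_UN / FG_PW hold the
# admin performing the change, FG_TARGET_USER / FG_NEW_PW the account being
# rotated; the device certificate is trusted by the Ansible controller.
- name: "Play 1: probe whether the desired password already works"
  hosts: lab
  gather_facts: false
  vars:
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true   # hardened: do not skip TLS checks
    ansible_httpapi_port: 443
    vdom: "root"
    ansible_user: "{{ lookup('env', 'FG_TARGET_USER') }}"
    ansible_password: "{{ lookup('env', 'FG_NEW_PW') }}"
  tasks:
    - name: "Read-only call as the target user with the new password"
      fortinet.fortios.fortios_configuration_fact:
        vdom: "{{ vdom }}"
        selector: "system_admin"
      register: probe
      ignore_errors: true        # a wrong password surfaces as a failed task ...
      ignore_unreachable: true   # ... or as a connection error; keep the host
      no_log: true               # never echo credential-bearing task results

    - name: "Record the outcome; set_fact values persist into later plays"
      ansible.builtin.set_fact:
        password_already_set: "{{ not (probe.failed | default(false)) and not (probe.unreachable | default(false)) }}"

- name: "Play 2: rotate the password only when the probe failed"
  hosts: lab
  gather_facts: false
  vars:
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
    vdom: "root"
    ansible_user: "{{ lookup('env', 'FG_UN') }}"
    ansible_password: "{{ lookup('env', 'FG_PW') }}"
    username: "{{ lookup('env', 'FG_TARGET_USER') }}"
    desired_new_password: "{{ lookup('env', 'FG_NEW_PW') }}"
  tasks:
    - name: "Guard: refuse to delete the account this play is logged in as"
      ansible.builtin.assert:
        that:
          - ansible_user != username
        fail_msg: "Authenticate as a different admin than the one being rotated"

    - name: "Delete the user (skipped when the new password already works)"
      fortinet.fortios.fortios_system_admin:
        vdom: "{{ vdom }}"
        state: absent
        system_admin:
          name: "{{ username }}"
      when: not (password_already_set | bool)

    - name: "Re-add the user with the new password"
      fortinet.fortios.fortios_system_admin:
        vdom: "{{ vdom }}"
        state: present
        system_admin:
          name: "{{ username }}"
          accprofile: "super_admin"
          trusthost1: "192.0.2.0 255.255.255.0"   # constructed placeholder
          password: "{{ desired_new_password }}"
      when: not (password_already_set | bool)
      no_log: true   # keep the new password out of logs and callback output
```

The probe runs as the target user rather than the admin, so it uses a separate httpapi session and does not disturb the admin's persistent connection in the second play. Both failure shapes of a bad login (a failed task or a connection-level unreachable result) are tolerated and folded into one boolean, and the two mutating tasks are gated on that boolean so the account is only ever deleted while it is about to be recreated.
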
JieX19 commented 3 years ago

Thanks! @kaon1

Yep, the workaround works fine. We expect the password to be changed directly, like we do on the GUI. I've submitted a ticket to the API team and will update you once it's fixed.

JieX19 commented 3 years ago

Hi @kaon1, I just noticed that you were using the module fortios_system_admin, which is used for admin management. There's a module system_change-password that is used for changing passwords. BUT the API is not working as expected; it also got rejected when changing the password.