fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Creating new admin user fails on v7.2.1 #197

Closed wagonza closed 2 years ago

wagonza commented 2 years ago

Trying to create a new admin user fails with the below error on v7.2.1.

"cli_error": "entry not found in datasource\n\nvalue parse error before 'super_admin'\nCommand fail. Return code -3\n",

Example playbook as follows:

- name: "Playbook: Update password by deleting and re-adding user"
  hosts: fortinet
  gather_facts: false
  vars:
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
  tasks:
    - name: "Add new admin user"
      fortinet.fortios.fortios_system_admin:
        vdom:  'root'
        state: present
        access_token: 'xxx'
        system_admin:
          name: "newuser"
          accprofile: "super_admin"
          password: "myNewPassword"
          trusthost1: 'x.x.x.x/x'

Enabling debugging with:

# diagnose debug enable
# diagnose debug application httpsd -1
# diagnose debug cli 8

Output:

[httpsd 5682 - 1661966327     info] fweb_debug_init[408] -- New POST request for "/api/v2/cmdb/system/admin" from "z.z.z.z:53464"
[httpsd 5682 - 1661966327     info] fweb_debug_init[410] -- User-Agent: "Python-urllib/3.10"
[httpsd 5682 - 1661966327     info] fweb_debug_init[412] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 5682 - 1661966327  warning] api_access_check_for_api_key[688] -- API Key request authorized for xxx from z.z.z.z.
[httpsd 5682 - 1661966327     info] api_store_parameter[320] -- add API parameter 'vdom' (type=string)
[httpsd 5682 - 1661966327     info] api_store_parameter[320] -- add API parameter 'access_token' (type=string)
[httpsd 5682 - 1661966327     info] api_store_parameter[320] -- add API parameter 'accprofile' (type=string)
[httpsd 5682 - 1661966327     info] api_store_parameter[320] -- add API parameter 'name' (type=string)
[httpsd 5682 - 1661966327     info] api_store_parameter[320] -- add API parameter 'trusthost1' (type=string)
[httpsd 5682 - 1661966327     info] api_cmdb_request_init_by_path[1671] -- new CMDB query (path='system',name='admin')
[httpsd 5682 - 1661966327     info] handle_cli_req_v2[3120] -- new CMDB API request (vdom='root',user='xxx')
[httpsd 5682 - 1661966327     info] _api_cmdb_v2_config[1342] -- editing CLI object (append=1, auto_key=0, path=system, name=admin, mkey=(null), flags=0)
[httpsd 5682 - 1661966327     info] api_set_cmdb_attr[1980] -- 'name'
[httpsd 5682 - 1661966327     info] api_set_cmdb_attr[1980] -- 'trusthost1'
[httpsd 5682 - 1661966327     info] api_set_cmdb_attr[1980] -- 'accprofile'
0: config system admin
0: edit "newuser"
0: set trusthost1 x.x.x.x y.y.y.y
-3: set accprofile "super_admin"
(skipped) unset vdom

(skipped) unset gui-global-menu-favorites

(skipped) unset gui-vdom-menu-favorites

[httpsd 5682 - 1661966327     info] cmdb_save_with_children[280] -- appended main node (nret=-3, is_new=1)
[httpsd 5682 - 1661966327    error] cmdb_save_with_children[285] -- saving failed for main node: 'admin' (err=-3)

[httpsd 5682 - 1661966327    error] cmdb_commit_from_json[1749] -- error saving request object to CLI (-3)
[httpsd 5682 - 1661966327    error] _api_cmdb_v2_config[1378] -- error editing object (nret=-3)
[httpsd 5682 - 1661966327  warning] api_return_http_result[1272] -- API error -3 raised

lix-fortinet commented 2 years ago

Hi @wagonza,

Thank you for raising this issue. Please check whether the login user has the super_admin accprofile. Lower level accprofiles do not have the right to create users with a higher level accprofile. If it still does not work, please let me know the Ansible FortiOS galaxy collection version that you are using.

Thanks, Xing
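
As an added example (not code from the collection or from anyone in this thread), the script below triages the kind of httpsd / CLI debug trace posted above: it pulls out the request path, the API user and the first CLI command the device returned a non-zero code for, and maps a -3 on `set accprofile` to the cause Xing describes. The sample log is a constructed excerpt of the posted output; the explanation text is a heuristic written for this example, not a documented FortiOS error mapping.

```python
import re

# Constructed excerpt of the httpsd / CLI debug output posted in the issue (anonymised as in the report).
SAMPLE_LOG = """\
[httpsd 5682 - 1661966327     info] fweb_debug_init[408] -- New POST request for "/api/v2/cmdb/system/admin" from "z.z.z.z:53464"
[httpsd 5682 - 1661966327     info] handle_cli_req_v2[3120] -- new CMDB API request (vdom='root',user='xxx')
0: config system admin
0: edit "newuser"
0: set trusthost1 x.x.x.x y.y.y.y
-3: set accprofile "super_admin"
[httpsd 5682 - 1661966327    error] cmdb_save_with_children[285] -- saving failed for main node: 'admin' (err=-3)
[httpsd 5682 - 1661966327  warning] api_return_http_result[1272] -- API error -3 raised
"""

HTTPSD_RE = re.compile(r"^\[httpsd (\d+) - (\d+)\s+(\w+)\] (\w+)\[(\d+)\] -- (.*)$")
CLI_RE = re.compile(r"^(-?\d+): (.*)$")  # "<rc>: <command>" lines from 'diagnose debug cli 8'
PATH_RE = re.compile(r'New (\w+) request for "([^"]+)"')
REQ_RE = re.compile(r"new CMDB API request \(vdom='([^']*)',user='([^']*)'\)")

def triage(log: str) -> dict:
    """Extract the request, the API user and the first CLI command FortiOS rejected."""
    result = {"method": None, "path": None, "vdom": None, "user": None,
              "failed_command": None, "return_code": 0}
    for line in log.splitlines():
        m = HTTPSD_RE.match(line)
        if m:
            msg = m.group(6)
            p, r = PATH_RE.search(msg), REQ_RE.search(msg)
            if p:
                result["method"], result["path"] = p.group(1), p.group(2)
            elif r:
                result["vdom"], result["user"] = r.group(1), r.group(2)
            continue
        c = CLI_RE.match(line)
        # The first CLI line with a non-zero return code is the command the device refused.
        if c and int(c.group(1)) != 0 and result["failed_command"] is None:
            result["return_code"] = int(c.group(1))
            result["failed_command"] = c.group(2)
    return result

def explain(result: dict) -> str:
    """Heuristic mapping of the rejected command to the cause identified in this thread."""
    cmd = result["failed_command"]
    if cmd is None:
        return "no rejected CLI command in trace"
    if result["return_code"] == -3 and cmd.startswith("set accprofile"):
        return (cmd + " rejected (-3): the API user's own accprofile cannot grant this "
                "profile; use a login admin whose accprofile is at least as privileged.")
    return "%s rejected (rc=%d)" % (cmd, result["return_code"])
```

Run it against a saved `diagnose debug` capture to get the offending command without reading the whole trace by hand.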

wagonza commented 2 years ago

Thanks @lix-fortinet - that worked. Interesting, I figured that since the API user had System set to read+write it would be able to create a user and specify any profile. One assumes the API user can do anything as deemed by what is configured in Access Control. Another area where it failed was that the API user could update Administrator Settings, NTP, DNS, timezone etc., but it could not update the Email Service section.

wagonza commented 2 years ago

Oh, by the way, the version I am using is 2.1.6.

lix-fortinet commented 2 years ago

Hi @wagonza,

Thank you for your update. Access Control may not contain all read/write rights. I am not so clear about the other failed area: do you mean the issue of not being able to update the Email service occurs under the super_admin accprofile?

Thanks, Xing