fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

fortios_system_admin unable to create admin user #349

Closed CledersonE closed 1 month ago

CledersonE commented 1 month ago

I'm trying to create a simple admin user in a lab environment using the fortios_system_admin module and I'm facing issues. I've already looked at examples from other issues such as #126 and #20, but I'm still not able to create the user. Here is the playbook and the logs from the FortiGate:

Playbook:

- name: "Playbook: Create simple admin user"
  hosts: fgt_instance_active
  gather_facts: false
  vars:
    fortios_access_token: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/fortigate_ansible_token:value')}}"
    ansible_connection: httpapi
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443
    vdom: "root"
    desired_password: "new_password_test"
  tasks:
    - name: "Create new admin user"
      fortinet.fortios.fortios_system_admin:
        vdom:  "{{ vdom }}"
        access_token: "{{ fortios_access_token }}"
        state: present
        system_admin:
          name: "new_admin_test"
          accprofile: "super_admin"
          password: "{{ desired_password }}"

FortiGate logs:

lab-fortigate-active~nce # diagnose debug enable

lab-fortigate-active~nce # diagnose debug cli 8
Debug messages will be on for 30 minutes.

lab-fortigate-active~nce # diagnose debug application httpsd -1
Debug messages will be on for 30 minutes.

[httpsd 2615 - 1725979337     info] fweb_debug_final[355] -- Completed GET request for "/api/v2/monitor/system/status" (HTTP 200)
[httpsd 2612 - 1725979337     info] fweb_debug_init[513] -- New PUT request for "/api/v2/cmdb/system/admin/new_admin_test" from "<redacted_public_ip>"
[httpsd 2612 - 1725979337     info] fweb_debug_init[515] -- User-Agent: "Python-urllib/3.10"
[httpsd 2612 - 1725979337     info] fweb_debug_init[517] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 2612 - 1725979337     info] api_access_check_for_api_key[682] -- API Key request authorized for ansible_test_user from<redacted_public_ip>
[httpsd 2612 - 1725979337     info] api_store_parameter[327] -- add API parameter 'vdom' (type=string)
[httpsd 2612 - 1725979337     info] api_store_parameter[327] -- add API parameter 'access_token' (type=string)
[httpsd 2612 - 1725979337     info] api_store_parameter[327] -- add API parameter 'accprofile' (type=string)
[httpsd 2612 - 1725979337     info] api_store_parameter[327] -- add API parameter 'name' (type=string)
[httpsd 2612 - 1725979337     info] api_store_parameter[327] -- add API parameter 'password' (type=string)
[httpsd 2612 - 1725979337     info] api_cmdb_request_init_by_path[2693] -- new CMDB query (path='system',name='admin')
[httpsd 2612 - 1725979337     info] api_cmdb_request_init_by_path[2725] -- querying CMDB entry (mkey='new_admin_test')
[httpsd 2612 - 1725979337  warning] api_cmdb_request_init_by_path[2728] -- unable to find 'new_admin_test' in table 'system.admin'
[httpsd 2612 - 1725979337     info] handle_cli_req_v2[4419] -- new CMDB API request (vdom='root',user='ansible_test_user')
[httpsd 2612 - 1725979337    error] _api_cmdb_v2_config[2268] -- Object with mkey new_admin_test not found and allow_append flag not set
[httpsd 2612 - 1725979337  warning] api_return_http_result[1292] -- API error 404 raised
[httpsd 2612 - 1725979337     info] handle_cli_req_v2[4449] -- returning to original vdom "root"
[httpsd 2612 - 1725979337     info] fweb_debug_final[355] -- Completed PUT request for "/api/v2/cmdb/system/admin/new_admin_test" (HTTP 404)
[httpsd 2615 - 1725979338     info] fweb_debug_init[513] -- New POST request for "/api/v2/cmdb/system/admin" from <redacted_public_ip>
[httpsd 2615 - 1725979338     info] fweb_debug_init[515] -- User-Agent: "Python-urllib/3.10"
[httpsd 2615 - 1725979338     info] fweb_debug_init[517] -- Handler "api_cmdb_v2-handler" assigned to request
[httpsd 2615 - 1725979338     info] api_access_check_for_api_key[682] -- API Key request authorized for ansible_test_user from <redacted_public_ip>
[httpsd 2615 - 1725979338     info] api_store_parameter[327] -- add API parameter 'vdom' (type=string)
[httpsd 2615 - 1725979338     info] api_store_parameter[327] -- add API parameter 'access_token' (type=string)
[httpsd 2615 - 1725979338     info] api_store_parameter[327] -- add API parameter 'accprofile' (type=string)
[httpsd 2615 - 1725979338     info] api_store_parameter[327] -- add API parameter 'name' (type=string)
[httpsd 2615 - 1725979338     info] api_store_parameter[327] -- add API parameter 'password' (type=string)
[httpsd 2615 - 1725979338     info] api_cmdb_request_init_by_path[2693] -- new CMDB query (path='system',name='admin')
[httpsd 2615 - 1725979338     info] handle_cli_req_v2[4419] -- new CMDB API request (vdom='root',user='ansible_test_user')
[httpsd 2615 - 1725979338     info] _api_cmdb_v2_config[2306] -- editing CLI object (append=1, auto_key=0, path=system, name=admin, mkey=(null), flags=0)
[httpsd 2615 - 1725979338     info] api_set_cmdb_attr[2535] -- 'name'
[httpsd 2615 - 1725979338     info] api_set_cmdb_attr[2535] -- 'password'
[httpsd 2615 - 1725979338     info] api_set_cmdb_attr[2535] -- 'accprofile'
0: config system admin
0: edit "new_admin_test"
-3: set accprofile "super_admin"
(skipped) set password <redacted>

cmd=config system admin
edit new_admin_test
abort

[httpsd 2615 - 1725979338     info] cmdb_save_with_children[273] -- appended main node (nret=-3, is_new=1)
[httpsd 2615 - 1725979338    error] cmdb_save_with_children[278] -- saving failed for main node: 'admin' (err=-3)

[httpsd 2615 - 1725979338    error] cmdb_commit_from_json[2295] -- error saving request object to CLI (-3)
[httpsd 2615 - 1725979338    error] _api_cmdb_v2_config[2342] -- error editing object (nret=-3)
[httpsd 2615 - 1725979338  warning] api_return_http_result[1292] -- API error -3 raised
[httpsd 2615 - 1725979338     info] handle_cli_req_v2[4449] -- returning to original vdom "root"
[httpsd 2615 - 1725979338     info] fweb_debug_final[355] -- Completed POST request for "/api/v2/cmdb/system/admin" (HTTP 500)
[cmdb_find_root_entity_by_node:90] vdom='vsys_hamgmt' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_ha' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_fgfm' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_hamgmt' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_ha' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_fgfm' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_hamgmt' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_ha' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_fgfm' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_hamgmt' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_ha' is not a cmdb vdom
[cmdb_find_root_entity_by_node:90] vdom='vsys_fgfm' is not a cmdb vdom
[httpsd 2612 - 1725979338     info] fweb_debug_init[513] -- New POST request for "/logout" from "<redacted_public_ip>"
[httpsd 2612 - 1725979338     info] fweb_debug_init[515] -- User-Agent: "Python-urllib/3.10"
[httpsd 2612 - 1725979338     info] fweb_debug_init[517] -- Handler "logout-handler" assigned to request
[httpsd 2612 - 1725979338     info] fweb_debug_final[355] -- Completed POST request for "/logout" (HTTP 200)

lab-fortigate-active~nce # diagnose debug disable

In addition, I tried to create the same user using the FortiGate CLI, and it works without any problem:

lab-fortigate-active~nce (admin) # edit "new_admin_test"
new entry 'new_admin_test' added

lab-fortigate-active~nce (new_admin_test) # set accprofile "super_admin"
path=system, objname=admin, size=1312, sz_attr=1

lab-fortigate-active~nce (new_admin_test) # set password "new_password_test"
path=system, objname=admin, size=1312, sz_attr=1

lab-fortigate-active~nce (new_admin_test) # end
cmd_clean_context 0, abort=0

lab-fortigate-active~nce # config system admin

lab-fortigate-active~nce (admin) # show
path=system, objname=admin, tablename=(null), size=1312
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password <redacted>
    next
    edit "new_admin_test"
        set accprofile "super_admin"
        set vdom "root"
        set password <redacted>
    next
end

Am I doing something wrong or missing anything on the creation? The collection that I'm using is fortinet.fortios 2.3.7.
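The httpsd debug capture above interleaves several worker processes, and the CLI trace lines (`0: config system admin`, `-3: set accprofile "super_admin"`) carry no process id at all, so the failing command is easy to miss among the 404/500 noise. The following script is an added example for reading such captures; it is not part of the issue, the collection, or FortiOS tooling. It groups lines by the httpsd worker pid, attributes pid-less CLI trace lines to the worker whose request is currently open, and reports per request the HTTP status, the warnings/errors logged, and the first CLI command that returned a non-zero code. The regular expressions are assumptions about the log layout shown in this issue, and the sample log embedded below is a constructed, trimmed copy of it with a made-up source address.

```python
"""Summarise a FortiOS `diagnose debug application httpsd -1` capture per request.

Added example (not from the issue or the fortinet.fortios collection). The
regexes are assumptions about the log layout seen in this issue, not a
documented FortiOS log format.
"""
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the pattern in the issue (one PUT that
# misses, then the POST that fails inside the CLI). Source address is made up.
SAMPLE_LOG = """\
[httpsd 2612 - 1725979337     info] fweb_debug_init[513] -- New PUT request for "/api/v2/cmdb/system/admin/new_admin_test" from "10.0.0.5"
[httpsd 2612 - 1725979337  warning] api_cmdb_request_init_by_path[2728] -- unable to find 'new_admin_test' in table 'system.admin'
[httpsd 2612 - 1725979337    error] _api_cmdb_v2_config[2268] -- Object with mkey new_admin_test not found and allow_append flag not set
[httpsd 2612 - 1725979337     info] fweb_debug_final[355] -- Completed PUT request for "/api/v2/cmdb/system/admin/new_admin_test" (HTTP 404)
[httpsd 2615 - 1725979338     info] fweb_debug_init[513] -- New POST request for "/api/v2/cmdb/system/admin" from 10.0.0.5
[httpsd 2615 - 1725979338     info] _api_cmdb_v2_config[2306] -- editing CLI object (append=1, auto_key=0, path=system, name=admin, mkey=(null), flags=0)
0: config system admin
0: edit "new_admin_test"
-3: set accprofile "super_admin"
(skipped) set password <redacted>
[httpsd 2615 - 1725979338    error] cmdb_save_with_children[278] -- saving failed for main node: 'admin' (err=-3)
[httpsd 2615 - 1725979338     info] fweb_debug_final[355] -- Completed POST request for "/api/v2/cmdb/system/admin" (HTTP 500)
"""

# "[httpsd <pid> - <epoch>   <level>] <function>[<line>] -- <message>"
HTTPSD_LINE = re.compile(
    r'^\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\] '
    r'(?P<func>\w+)\[\d+\] -- (?P<msg>.*)$'
)
NEW_REQ = re.compile(r'^New (?P<method>[A-Z]+) request for "(?P<path>[^"]+)"')
DONE_REQ = re.compile(
    r'^Completed (?P<method>[A-Z]+) request for "(?P<path>[^"]+)" \(HTTP (?P<status>\d+)\)'
)
# CLI trace lines emitted by `diagnose debug cli 8`: "<rc>: <command>"
CLI_TRACE = re.compile(r'^(?P<rc>-?\d+): (?P<cmd>.+)$')


def summarize_httpsd_debug(text):
    """Return one record per request, in order of first appearance.

    A record holds the worker pid, method, path, final HTTP status, the
    warning/error messages that worker logged, and the first CLI trace
    command that returned a non-zero code (with that code). CLI trace lines
    carry no pid, so they are attributed to the worker that logged the most
    recent httpsd line, provided its request is still open.
    """
    records = []
    open_by_pid = OrderedDict()   # pid -> record for a request not yet completed
    last_pid = None
    for line in text.splitlines():
        m = HTTPSD_LINE.match(line)
        if m:
            pid, level, msg = m.group('pid'), m.group('level'), m.group('msg')
            last_pid = pid
            start = NEW_REQ.match(msg)
            if start:
                rec = {'pid': pid, 'method': start['method'], 'path': start['path'],
                       'status': None, 'errors': [], 'failed_cmd': None, 'cli_rc': None}
                open_by_pid[pid] = rec
                records.append(rec)
                continue
            rec = open_by_pid.get(pid)
            if rec is None:          # request began before the capture started
                continue
            done = DONE_REQ.match(msg)
            if done:
                rec['status'] = int(done['status'])
                del open_by_pid[pid]
            elif level in ('error', 'warning'):
                rec['errors'].append(msg)
            continue
        t = CLI_TRACE.match(line)
        if t and last_pid in open_by_pid:
            rec = open_by_pid[last_pid]
            rc = int(t['rc'])
            if rc != 0 and rec['failed_cmd'] is None:
                rec['failed_cmd'] = t['cmd']
                rec['cli_rc'] = rc
    return records


def failed_requests(records):
    """Only the requests that ended with an HTTP error (4xx/5xx)."""
    return [r for r in records if r['status'] is not None and r['status'] >= 400]


if __name__ == '__main__':
    for r in failed_requests(summarize_httpsd_debug(SAMPLE_LOG)):
        print(f"{r['method']} {r['path']} -> HTTP {r['status']}")
        if r['failed_cmd']:
            print(f"  CLI failure (rc={r['cli_rc']}): {r['failed_cmd']}")
        for e in r['errors']:
            print(f"  {e}")
```

Run against the full capture in the issue, the PUT is reported as an expected 404 (the module probes for the object before creating it), and the POST is the one that matters: HTTP 500 with the first non-zero CLI return code on `set accprofile "super_admin"`, which is exactly the line the maintainer points to below.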

MaxxLiu22 commented 1 month ago

Hi @CledersonE ,

Thank you for raising this question. I’ve tested your script on my end, and everything seems to be functioning correctly. From the debug messages, it appears that the issue arises at the set accprofile "super_admin" line. One possible explanation could be that the API user credentials you’re using might not have sufficient permissions to create an admin user with the "super_admin" accprofile. The "super_admin" profile has the highest level of permissions, and even if you create an accprofile with full read/write permissions, some operations might still be restricted.

Could you kindly review your API user settings? If the issue continues, please let me know your FOS version, and I’ll be happy to test it with that information.

config system api-user
    edit "api"
        set api-key ENC SH209Bx5uJzXLrfT4O+9ZB62KW1rG5BXaCCtjUoMC6z6eRxehE3PqiuIsbexHc=
        set accprofile "super_admin" 
    next
end

Thanks, Maxx
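The point Maxx makes is that the API user's own accprofile bounds what it can create: a custom profile with every group set to read/write is not equivalent to super_admin, so creating a super_admin administrator through it fails inside the CLI (the -3 / HTTP 500 above). The following script is an added example, not code from the issue or the collection, that turns that rule into a pre-flight check run before the playbook: it parses `show`-style FortiOS CLI output for `config system api-user` into a dictionary and reports whether the chosen API user should be able to create an admin with the requested accprofile. The rule it encodes is taken from this issue, not from a documented FortiOS permission table; the embedded config is constructed, with a placeholder in place of a real API key, and the api-user names `api_full_rw` and `api_super` are made up.

```python
"""Pre-flight check: can this FortiOS api-user create an admin with the given accprofile?

Added example (not from the issue or the fortinet.fortios collection). The
permission rule is the one explained in this issue; it is a heuristic, not a
documented FortiOS rule set.
"""
import shlex

# Constructed `show` output: a custom full read/write profile, one api-user on
# that profile, and one api-user on super_admin. The key is a placeholder.
SAMPLE_CONFIG = """\
config system accprofile
    edit "full_rw_custom"
        set sysgrp read-write
        set fwgrp read-write
    next
end
config system api-user
    edit "api_full_rw"
        set api-key ENC <placeholder-not-a-real-key>
        set accprofile "full_rw_custom"
    next
    edit "api_super"
        set api-key ENC <placeholder-not-a-real-key>
        set accprofile "super_admin"
    next
end
"""


def parse_fortios_config(text):
    """Parse config/edit/set/next/end CLI output into nested dicts.

    `config system api-user` becomes config['system api-user'], each
    `edit "name"` a dict under it, and `set key value...` a key/value pair
    (multi-token values are joined with spaces). Assumes well-formed output
    as printed by `show`; nested config blocks inside an edit are supported.
    """
    root = {}
    stack = [root]                      # the container currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tokens = shlex.split(line)      # handles the quoted names and values
        kw = tokens[0]
        if kw == 'config':
            stack.append(stack[-1].setdefault(' '.join(tokens[1:]), {}))
        elif kw == 'edit':
            stack.append(stack[-1].setdefault(tokens[1], {}))
        elif kw == 'set':
            stack[-1][tokens[1]] = ' '.join(tokens[2:])
        elif kw == 'unset':
            stack[-1].pop(tokens[1], None)
        elif kw in ('next', 'end'):
            stack.pop()
    return root


def preflight_admin_creation(config, api_user, target_accprofile):
    """Return (ok, reason) for creating an admin with target_accprofile via api_user.

    Rule from this issue: only an api-user whose own accprofile is super_admin
    can create a super_admin administrator; a custom profile with all groups
    set to read-write does not qualify.
    """
    users = config.get('system api-user', {})
    if api_user not in users:
        return False, f"api-user '{api_user}' is not defined"
    profile = users[api_user].get('accprofile')
    if not profile:
        return False, f"api-user '{api_user}' has no accprofile"
    if target_accprofile == 'super_admin' and profile != 'super_admin':
        return False, (f"api-user '{api_user}' uses accprofile '{profile}'; creating a "
                       f"super_admin admin requires super_admin (expect CLI error -3 / HTTP 500)")
    return True, (f"api-user '{api_user}' ({profile}) should be able to create an admin "
                  f"with accprofile '{target_accprofile}'")


if __name__ == '__main__':
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for user in ('api_full_rw', 'api_super'):
        ok, reason = preflight_admin_creation(cfg, user, 'super_admin')
        print(('OK   ' if ok else 'FAIL ') + reason)
```

In practice you would feed the script the output of `show system api-user` from the target device and run it before the playbook; the same parser also reads the `show` output of `config system admin` quoted earlier in the issue, which lets the check confirm afterwards that the new administrator landed with the intended accprofile.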

CledersonE commented 1 month ago

Hi @MaxxLiu22, thank you very much for the quick response. You nailed it. Indeed, I was creating a separate accprofile for my API users, since from the GUI you can't create a rest_api user and assign it the super_admin profile. As a result, I had created a new accprofile, granted all the permissions, and thought that would work the same as super_admin (I didn't know that even if you add all the permissions, super_admin would still have more). Once I changed my API user to super_admin, I was able to create the new admin user with the Ansible playbook.

Once again, thank you very much for your support!