openshift / community.okd

OKD/Openshift collection for Ansible
http://galaxy.ansible.com/community/okd
GNU General Public License v3.0

'OpenshiftGroupsSync' object has no attribute '_OpenshiftGroupsSync__ldap_connection' #155

Closed sigbjornaib closed 2 years ago

sigbjornaib commented 2 years ago

When using community.okd.openshift_adm_groups_sync, the following error is logged: AttributeError: 'OpenshiftGroupsSync' object has no attribute '_OpenshiftGroupsSync__ldap_connection'

This is the task that fails:

- name: oc adm groups sync
  community.okd.openshift_adm_groups_sync:
    #api_key: "{{ openshift_auth_results.openshift_auth.api_key }}"
    username: "{{ openshift_admin_username }}"
    password: "{{ openshift_admin_password }}"
    host: "{{ openshift_admin_url }}"
    validate_certs: "{{ openshift_validate_certs }}"
    type: ldap
    sync_config:
      kind: LDAPSyncConfig
      apiVersion: v1
      url: 'ldaps://{{ ipa_ldap_server }}'
      insecure: true
      validate_certs: true
      #ca: ca.crt
      bindDN: '{{ oauth_company_ipa_ldap_binddn }}'
      bindPassword: '{{ oauth_company_ipa_ldap_bindpassword }}'
      augmentedActiveDirectory:
          groupsQuery:
              derefAliases: 'never'
              pageSize: '0'
          groupUIDAttribute: 'dn'
          groupNameAttributes: '[ cn ]'
          usersQuery:
              baseDN: "{{ ipa_ldap_basedn_users }}"
              scope: 'sub'
              derefAliases: 'never'
              filter: '(objectclass=inetOrgPerson)'
              pageSize: 0
          userNameAttributes: '[ uid ]'
          groupMembershipAttributes: '[ memberOf ]'
    allow_groups:
      - cn=openshift-cluster-admin,cn=groups,cn=accounts,dc=company,dc=net
  ignore_errors: true

Any idea what is going on here?

Thanks.

gravesm commented 2 years ago

@sigbjornaib Could you provide the output from running the playbook with -vvv?

sigbjornaib commented 2 years ago

Sure. Please see below.

TASK [oc adm groups sync] ***************************************************************************************************************************************************************************************************************************************************
task path: /Users/myuser/git/aib/ansp/openshift-ansible/playbooks/tasks/oauth/company_ipa.yml:150
Thursday 05 May 2022  20:32:21 +0200 (0:00:00.051)       0:00:21.366 **********
redirecting (type: action) community.okd.openshift_adm_groups_sync to kubernetes.core.k8s_info
redirecting (type: action) community.okd.openshift_adm_groups_sync to kubernetes.core.k8s_info
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: myuser
<127.0.0.1> EXEC /bin/sh -c 'echo ~myuser && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /Users/myuser/.ansible/tmp `"&& mkdir "` echo /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074 `" && echo ansible-tmp-1651775541.572033-60686-44338772543074="` echo /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074 `" ) && sleep 0'
Using module file /Users/myuser/.ansible/collections/ansible_collections/community/okd/plugins/modules/openshift_adm_groups_sync.py
<127.0.0.1> PUT /Users/myuser/.ansible/tmp/ansible-local-603766obew59k/tmpme13br0_ TO /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074/AnsiballZ_openshift_adm_groups_sync.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074/ /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074/AnsiballZ_openshift_adm_groups_sync.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/local/Cellar/ansible/5.6.0/libexec/bin/python3.10 /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074/AnsiballZ_openshift_adm_groups_sync.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /Users/myuser/.ansible/tmp/ansible-tmp-1651775541.572033-60686-44338772543074/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/var/folders/03/dw4sbvp93hdbz5tslqjsfcvr0000gn/T/ansible_community.okd.openshift_adm_groups_sync_payload_a3q4ui4i/ansible_community.okd.openshift_adm_groups_sync_payload.zip/ansible_collections/community/okd/plugins/modules/openshift_adm_groups_sync.py", line 221, in main
  File "/var/folders/03/dw4sbvp93hdbz5tslqjsfcvr0000gn/T/ansible_community.okd.openshift_adm_groups_sync_payload_a3q4ui4i/ansible_community.okd.openshift_adm_groups_sync_payload.zip/ansible_collections/community/okd/plugins/module_utils/openshift_groups.py", line 279, in __init__
    self.fail_json(
  File "/var/folders/03/dw4sbvp93hdbz5tslqjsfcvr0000gn/T/ansible_community.okd.openshift_adm_groups_sync_payload_a3q4ui4i/ansible_community.okd.openshift_adm_groups_sync_payload.zip/ansible_collections/community/okd/plugins/module_utils/openshift_groups.py", line 337, in fail_json
    self.close_connection()
  File "/var/folders/03/dw4sbvp93hdbz5tslqjsfcvr0000gn/T/ansible_community.okd.openshift_adm_groups_sync_payload_a3q4ui4i/ansible_community.okd.openshift_adm_groups_sync_payload.zip/ansible_collections/community/okd/plugins/module_utils/openshift_groups.py", line 328, in close_connection
    if self.__ldap_connection:
AttributeError: 'OpenshiftGroupsSync' object has no attribute '_OpenshiftGroupsSync__ldap_connection'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "allow_groups": [
                "cn=openshift-admins,cn=groups,cn=accounts,dc=company,dc=net"
            ],
            "api_key": null,
            "ca_cert": null,
            "client_cert": null,
            "client_key": null,
            "context": null,
            "deny_groups": [],
            "host": "https://api.ocp1.company.net:6443",
            "impersonate_groups": null,
            "impersonate_user": null,
            "kubeconfig": null,
            "no_proxy": null,
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "persist_config": null,
            "proxy": null,
            "proxy_headers": null,
            "state": "present",
            "sync_config": {
                "apiVersion": "v1",
                "augmentedActiveDirectory": {
                    "groupMembershipAttributes": [
                        "memberOf"
                    ],
                    "groupNameAttributes": [
                        "cn"
                    ],
                    "groupUIDAttribute": "dn",
                    "groupsQuery": {
                        "derefAliases": "never",
                        "pageSize": 0
                    },
                    "userNameAttributes": [
                        "uid"
                    ],
                    "usersQuery": {
                        "baseDN": "cn=users,cn=accounts,dc=company,dc=net",
                        "derefAliases": "never",
                        "filter": "(objectclass=inetOrgPerson)",
                        "pageSize": 0,
                        "scope": "sub"
                    }
                },
                "bindDN": "uid=ocp,cn=users,cn=accounts,dc=company,dc=net",
                "bindPassword": "REDACTED",
                "ca": "/tmp/ca.crt",
                "insecure": false,
                "kind": "LDAPSyncConfig",
                "url": "ldaps://ipaserver.company.net"
            },
            "type": "ldap",
            "username": "kubeadmin",
            "validate_certs": false
        }
    },
    "msg": "'OpenshiftGroupsSync' object has no attribute '_OpenshiftGroupsSync__ldap_connection'"
}

gravesm commented 2 years ago

Thanks, there's a bug here that should be addressed by #165. I may be wrong, but it looks like in your case you do not have python-ldap installed. Can you confirm?

sigbjornaib commented 2 years ago

I did not have python-ldap installed; however, I did not see any change in the output from Ansible after installing python-ldap.
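
The traceback in this thread shows `fail_json` calling `close_connection`, which reads `self.__ldap_connection` before `__init__` has assigned it, so the AttributeError replaces the message the module meant to report. The following is an added example, not the collection's code: the class names, the `ModuleFailure` exception, the `outcome` helper and the missing-library trigger are assumptions used to reproduce that pattern next to a form that assigns the attribute first.

```python
# Added illustration; every name here is hypothetical, modelled on the traceback.
class ModuleFailure(Exception):
    """Stands in for the module exit that fail_json performs (assumption)."""


class BrokenSync:
    def __init__(self, ldap_available):
        if not ldap_available:
            # Failure path runs before __ldap_connection is ever assigned.
            self.fail_json("python-ldap is required")
        self.__ldap_connection = object()  # placeholder for a real connection

    def close_connection(self):
        # Name mangling rewrites this to self._BrokenSync__ldap_connection.
        if self.__ldap_connection:
            self.__ldap_connection = None

    def fail_json(self, msg):
        self.close_connection()  # raises AttributeError, hiding msg
        raise ModuleFailure(msg)


class FixedSync:
    def __init__(self, ldap_available):
        # Assign everything the cleanup path reads before anything can fail.
        self.__ldap_connection = None
        if not ldap_available:
            self.fail_json("python-ldap is required")
        self.__ldap_connection = object()

    def close_connection(self):
        if self.__ldap_connection:
            self.__ldap_connection = None

    def fail_json(self, msg):
        self.close_connection()
        raise ModuleFailure(msg)


def outcome(cls, ldap_available=False):
    """Return (exception type name, message) seen by the caller."""
    try:
        cls(ldap_available)
    except Exception as exc:
        return type(exc).__name__, str(exc)
    return None, ""

if __name__ == "__main__":
    print(outcome(BrokenSync), outcome(FixedSync))
```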