redhat-cop / infra.aap_configuration

A collection of roles to manage Ansible Controller and previously Ansible Tower
https://galaxy.ansible.com/infra/controller_configuration
GNU General Public License v3.0

Object_diff PERMISSION ERROR on DELETE using admin/1 user token #619

Closed nodje closed 1 year ago

nodje commented 1 year ago

I'm using v2.3.1 on AAP2.3.x

Here's the error detail:

```json
{
  "started": 1,
  "finished": 1,
  "stdout": "",
  "stderr": "",
  "stdout_lines": [],
  "stderr_lines": [],
  "ansible_job_id": "750243350744.902",
  "results_file": "/tmp/.ansible_async/750243350744.902",
  "msg": "You don't have permission to DELETE to /api/v2/credential_types/20/ (HTTP 403).",
  "invocation": {
    "module_args": {
      "name": "Conjur_dynamic_credential",
      "kind": "cloud",
      "state": "absent",
      "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "controller_host": "https://aap2.staging.net",
      "validate_certs": false,
      "controller_username": "",
      "controller_password": "",
      "controller_config_file": null,
      "new_name": null,
      "description": null,
      "inputs": null,
      "injectors": null
    }
  },
  "_ansible_no_log": false,
  "attempts": 1,
  "changed": false,
  "__credentialtypes_job_async_result_item": {
    "failed": 0,
    "started": 1,
    "finished": 0,
    "ansible_job_id": "750243350744.902",
    "results_file": "/tmp/.ansible_async/750243350744.902",
    "changed": false,
    "__controller_credential_type_item": {
      "name": "Conjur_dynamic_credential",
      "state": "absent"
    },
    "ansible_loop_var": "__controller_credential_type_item"
  },
  "ansible_loop_var": "__credentialtypes_job_async_result_item",
  "_ansible_item_label": {
    "failed": 0,
    "started": 1,
    "finished": 0,
    "ansible_job_id": "750243350744.902",
    "results_file": "/tmp/.ansible_async/750243350744.902",
    "changed": false,
    "__controller_credential_type_item": {
      "name": "Conjur_dynamic_credential",
      "state": "absent"
    },
    "ansible_loop_var": "__controller_credential_type_item"
  }
}
```

I use the same oauthtoken for dispatch and object_diff, and dispatch works flawlessly. Indeed, a token from User 1/default local admin has the System Admin role and should be able to perform any action.

The way I call the roles: I provide the env vars TOWER_HOST, TOWER_VERIFY_SSL, TOWER_OAUTH_TOKEN for the playbook run, but this isn't taken into account by object_diff.

I had to provide the following vars in the playbook for object_diff to be able to authenticate against an AAP instance:

```yaml
vars:
    controller_hostname: "{{ lookup('ansible.builtin.env', 'TOWER_HOST') }}"
    controller_oauthtoken: "{{ lookup('ansible.builtin.env', 'TOWER_OAUTH_TOKEN') }}"
    controller_validate_certs: "{{ lookup('ansible.builtin.env', 'TOWER_VERIFY_SSL') }}"
```

It works indeed, as one can see in the error log, but apparently the oauthtoken doesn't give the proper authorization even though it's a SysAdmin token.

I'm out of ideas at this stage; I have to disable object_diff usage.

sean-m-sullivan commented 1 year ago

Right now it does not pick up the env variables; I will have to look to see if I can fix that. Can you tell me if you have the same error on the controller API plugin here? https://github.com/ansible/awx/blob/devel/awx_collection/plugins/lookup/controller_api.py

Either awx.awx or ansible.controller; if that works, this will help me figure out how to fix it.

nodje commented 1 year ago

Wait Sean, I think there are 2 issues that shouldn't be mixed up here. Or this is me being mixed up, but I think that:

```json
"invocation": {
    "module_args": {
      "name": "Conjur_dynamic_credential",
      "kind": "cloud",
      "state": "absent",
      "controller_oauthtoken": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "controller_host": "https://aap2.staging.net",
      "validate_certs": false,
      "controller_username": "",
      "controller_password": "",
      "controller_config_file": null,
      "new_name": null,
      "description": null,
      "inputs": null,
      "injectors": null
    }
  }
```

So even though controller_hostname, controller_oauthtoken, controller_validate_certs have values, object_diff fails to perform a delete action anyway.

If not, how do you suggest I use the controller_api lookup? What for specifically?

adonisgarciac commented 1 year ago

Hi, the object_diff role doesn't remove anything. The error `"msg": "You don't have permission to DELETE to /api/v2/credential_types/20/ (HTTP 403)."` comes from another role/module.

The object_diff role will only set the list of objects to remove, but they have to be removed by launching the dispatch role. It seems that you are using the tower authentication correctly for the object_diff role but not for the dispatch role.

nodje commented 1 year ago

I'm using filetree_read then dispatch, and it works perfectly using ENV vars. When I add object_diff in between, it fails with this DELETE error.

adonisgarciac commented 1 year ago

Are there credentials assigned to this credential type? I think it's not allowed to remove credential_types that have credentials assigned.

nodje commented 1 year ago

Right, that's it, sorry about that; I've never deleted a cred type before. Manual deletion is also refused.

I guess there is no way to automate deleting the creds of a type identified by object_diff, then deleting the cred type in question.

I'm closing the issue.

Do you want a separate issue for the object_diff authentication not reading env vars?

adonisgarciac commented 1 year ago

Yes, there is a way to remove it. You have to invert the order for the dispatch role. Here you have an example:

https://github.com/redhat-cop/controller_configuration/blob/devel/roles/object_diff/tests/drop_diff.yml#L38-L52

Notice that the controller_configuration_dispatcher_roles variable is overwritten because of the problem that you are facing. For instance, credentials are before credential_types, while when you launch the dispatch role directly without overwriting the controller_configuration_dispatcher_roles variable, it is the opposite (credential_types before credentials): https://github.com/redhat-cop/controller_configuration/blob/devel/roles/dispatch/defaults/main.yml
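A playbook sketch of the ordering fix described in this comment, added here as an example; it is not code from the thread, from the linked drop_diff.yml, or from the project. It assumes the collection is `infra.controller_configuration` (the Galaxy name at the top of this page), that the dispatch role is driven by `controller_configuration_dispatcher_roles` entries of the form `{role, var, tags}` as in the linked dispatch defaults, and that object_diff leaves the objects to drop in `controller_credentials` / `controller_credential_types`; those variable names and the play layout are assumptions to check against the linked files.

```yaml
# Added example, not the project's own playbook. Assumed: the three roles
# are used as in the thread; dispatcher entries are {role, var, tags};
# object_diff fills controller_credentials / controller_credential_types
# with the objects to drop (state: absent).
- name: Drop stale credentials first, then the credential types that held them
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # The explicit env-based authentication the reporter needed for object_diff.
    controller_hostname: "{{ lookup('ansible.builtin.env', 'TOWER_HOST') }}"
    controller_oauthtoken: "{{ lookup('ansible.builtin.env', 'TOWER_OAUTH_TOKEN') }}"
    controller_validate_certs: "{{ lookup('ansible.builtin.env', 'TOWER_VERIFY_SSL') }}"
  tasks:
    - name: Load the desired state from the file tree
      ansible.builtin.include_role:
        name: infra.controller_configuration.filetree_read

    - name: Compute what exists on the controller but not in the file tree
      ansible.builtin.include_role:
        name: infra.controller_configuration.object_diff

    - name: Dispatch the deletions in dependency order
      ansible.builtin.include_role:
        name: infra.controller_configuration.dispatch
      vars:
        # Overridden on purpose: the default dispatch order runs credential_types
        # before credentials, which is right for creating objects but wrong for
        # deleting them, because the API refuses to DELETE a credential type that
        # still has credentials assigned (the HTTP 403 seen in this thread).
        controller_configuration_dispatcher_roles:
          - {role: credentials, var: controller_credentials, tags: credentials}
          - {role: credential_types, var: controller_credential_types, tags: credential_types}
```

Only the two role entries relevant to the thread are listed in the override; when other object types are also diffed, the same rule applies: any object that references another must be dropped before the object it references, so the override should list dependents first, the reverse of the creation order in the dispatch defaults.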

adonisgarciac commented 1 year ago

> Do you want a separate issue for the object_diff authentication not reading env vars?

object_diff is reading the env var properly, I don't see any error with that.

nodje commented 1 year ago

> object_diff is reading the env var properly, I don't see any error with that.

Well, it fails if controller_hostname, controller_oauthtoken, controller_validate_certs are not provided, whereas dispatch works fine with the env vars TOWER_HOST, TOWER_OAUTH_TOKEN, TOWER_VERIFY_SSL.

nodje commented 1 year ago

> Yes, there is a way to remove it. You have to invert the order for the dispatch role.

The issue here is that I cannot activate object_diff on Credentials; there are too many existing on the instance I work with.

For cred types, I can confidently delete the ones I'm not configuring with filetree_read.

Even if I had a way to limit object_diff on Credentials to a specific Cred type, I guess I could not dynamically provide the Cred type from object_diff.