When using the `ansible.netcommon.httpapi` connection plugin for RESTCONF, authentication against the remote device fails. It's suspected that the logged-in Linux username is not used by default as stated in the `ansible.netcommon.httpapi` documentation.
Debian Linux 11 (Ansible control node)
Cisco IOS-XE 17.9 (Catalyst 8000V)
STEPS TO REPRODUCE
Inventory
c8k_student01-1 ansible_host=10.21.128.202
Playbook:
```yaml
- name: "RESTCONF test playbook"
  hosts: "all"
  gather_facts: false
  tasks:
    - name: get list of resource modules for given network_os
      vars:
        ansible_connection: ansible.netcommon.httpapi
        ansible_network_os: ansible.netcommon.restconf
        ansible_httpapi_use_ssl: true
        ansible_httpapi_validate_certs: false
        ansible_httpapi_port: 443
        ansible_httpapi_restconf_root: /restconf/data/
      ansible.netcommon.restconf_get:
        path: /ietf-interfaces:interfaces
      register: "test_var"
```
remote_user: The username used to authenticate to the remote device when the API connection is first established. If the remote_user is not specified, the connection will use the username of the logged in user.
However, the task fails with an HTTP 401 error.
If setting the `ansible_user` variable or setting the user via the `--user` CLI variable, the task runs successfully.
Example working task vars (added the `ansible_user` variable):
ACTUAL RESULTS
```
$ ansible-playbook -i inventory.ini play_restconf_test.yml -k -vvvv
ansible-playbook [core 2.14.1]
  config file = /home/student01/module03-3/ansible/ansible.cfg
  configured module search path = ['/home/student01/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/student01/module03-3/venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/student01/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/student01/module03-3/venv/bin/ansible-playbook
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/home/student01/module03-3/venv/bin/python3)
  jinja version = 3.1.2
  libyaml = True
Using /home/student01/module03-3/ansible/ansible.cfg as config file
SSH password: 
setting up inventory plugins
host_list declined parsing /home/student01/module03-3/ansible/inventory.ini as it did not pass its verify_file() method
script declined parsing /home/student01/module03-3/ansible/inventory.ini as it did not pass its verify_file() method
auto declined parsing /home/student01/module03-3/ansible/inventory.ini as it did not pass its verify_file() method
yaml declined parsing /home/student01/module03-3/ansible/inventory.ini as it did not pass its verify_file() method
Parsed /home/student01/module03-3/ansible/inventory.ini inventory source with ini plugin
Loading collection ansible.netcommon from /home/student01/module03-3/venv/lib/python3.9/site-packages/ansible_collections/ansible/netcommon
Loading callback plugin default of type stdout, v2.0 from /home/student01/module03-3/venv/lib/python3.9/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: play_restconf_test.yml ***************************************************************************************************************************************************************************************************************************************************
Positional arguments: play_restconf_test.yml
verbosity: 4
connection: smart
timeout: 10
ask_pass: True
become_method: sudo
tags: ('all',)
inventory: ('/home/student01/module03-3/ansible/inventory.ini',)
forks: 5
1 plays in play_restconf_test.yml

PLAY [RESTCONF test playbook] ******************************************************************************************************************************************************************************************************************************************************

TASK [get list of resource modules for given network_os] ***************************************************************************************************************************************************************************************************************************
task path: /home/student01/module03-3/ansible/play_restconf_test.yml:7
<10.21.128.202> attempting to start connection
<10.21.128.202> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /home/student01/module03-3/venv/bin/ansible-connection
<10.21.128.202> local domain socket does not exist, starting it
<10.21.128.202> control socket path is /home/student01/.ansible/pc/1c3550ebe3
<10.21.128.202> Loading collection ansible.netcommon from /home/student01/module03-3/venv/lib/python3.9/site-packages/ansible_collections/ansible/netcommon
<10.21.128.202> local domain socket listeners started successfully
<10.21.128.202> loaded API plugin ansible_collections.ansible.netcommon.plugins.httpapi.restconf from path /home/student01/module03-3/venv/lib/python3.9/site-packages/ansible_collections/ansible/netcommon/plugins/httpapi/restconf.py for platform type ansible.netcommon.restconf
<10.21.128.202> 
<10.21.128.202> local domain socket path is /home/student01/.ansible/pc/1c3550ebe3
<10.21.128.202> ESTABLISH LOCAL CONNECTION FOR USER: student01
<10.21.128.202> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/student01/.ansible/tmp/ansible-local-1929783zoorheb `"&& mkdir "` echo /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898 `" && echo ansible-tmp-1673249353.6277976-192997-49736109577898="` echo /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898 `" ) && sleep 0'
Using module file /home/student01/module03-3/venv/lib/python3.9/site-packages/ansible_collections/ansible/netcommon/plugins/modules/restconf_get.py
<10.21.128.202> PUT /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/tmpkkmvuf5e TO /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898/AnsiballZ_restconf_get.py
<10.21.128.202> EXEC /bin/sh -c 'chmod u+x /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898/ /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898/AnsiballZ_restconf_get.py && sleep 0'
<10.21.128.202> EXEC /bin/sh -c '/home/student01/module03-3/venv/bin/python3 /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898/AnsiballZ_restconf_get.py && sleep 0'
<10.21.128.202> EXEC /bin/sh -c 'rm -f -r /home/student01/.ansible/tmp/ansible-local-1929783zoorheb/ansible-tmp-1673249353.6277976-192997-49736109577898/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_ansible.netcommon.restconf_get_payload_8greruxe/ansible_ansible.netcommon.restconf_get_payload.zip/ansible_collections/ansible/netcommon/plugins/modules/restconf_get.py", line 111, in main
  File "/tmp/ansible_ansible.netcommon.restconf_get_payload_8greruxe/ansible_ansible.netcommon.restconf_get_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/restconf/restconf.py", line 32, in get
    return connection.send_request(
  File "/tmp/ansible_ansible.netcommon.restconf_get_payload_8greruxe/ansible_ansible.netcommon.restconf_get_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [c8k_student01-1]: FAILED! => {
    "changed": false,
    "code": -32603,
    "invocation": {
        "module_args": {
            "content": null,
            "output": "json",
            "path": "/ietf-interfaces:interfaces"
        }
    },
    "msg": "HTTP Error 401: Unauthorized"
}

PLAY RECAP *************************************************************************************************************************************************************************************************************************************************************************
c8k_student01-1 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
```
EXPECTED RESULTS
It's expected that when the playbook is started, the user is prompted for the password because of the `-k` CLI parameter. Because no `remote_user` (variable `ansible_user`) is set explicitly, the logged-in username should be used, as stated in the documentation (https://docs.ansible.com/ansible/latest/collections/ansible/netcommon/httpapi_connection.html).