Bug 1893679

Summary: [ansible-freeipa] Required error message while adding non-existing members in role handling
Product: Red Hat Enterprise Linux 8
Reporter: Varun Mylaraiah <mvarun>
Component: ansible-freeipa
Assignee: Rafael Jeffman <rjeffman>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 8.4
CC: rjeffman, twoerner
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: x86_64
OS: Unspecified
Last Closed: 2021-05-18 15:51:22 UTC
Type: Bug

Description Varun Mylaraiah 2020-11-02 10:54:47 UTC
Cloned: https://github.com/freeipa/ansible-freeipa/issues/411



There is no error message when adding non-existing members (user/group/host/host group/service) to the role, and it also removed an existing member.

[root@master ~]# ipa role-show newrole
  Role name: newrole
  Member users: vuser01
  Member groups: vgroup01
  Member hosts: teshoat.ipadomain.test
  Member host-groups: hostgroup01
  Privileges: User Administrators, Group Administrators, Host Administrators, DNS Administrators, DNS Servers
  Member services: newhost1/master.ipadomain.test
[root@ansible ~]# cat newrole2.yaml
---
- name: "nonexisting user as a member"
  hosts: ipaserver

  tasks:
  - iparole:
      ipaadmin_password: <password>
      name: newrole
      user: nouser
      action: member

[root@ansible ~]# ansible-playbook -vv -i inventory/server.hosts newrole2.yaml 
ansible-playbook 2.9.11
  config file = /root/ansible.cfg
  configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.8/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.8.5 (default, Aug 12 2020, 00:00:00) [GCC 10.2.1 20200723 (Red Hat 10.2.1-1)]
Using /root/ansible.cfg as config file

PLAYBOOK: newrole2.yaml **********************************************************************************************
1 plays in newrole2.yaml

PLAY [nonexisting user as a member] **********************************************************************************

TASK [Gathering Facts] ***********************************************************************************************
task path: /root/newrole2.yaml:2
[DEPRECATION WARNING]: Distribution fedora 32 on host master.ipadomain.test should use /usr/bin/python3, but is using
 /usr/bin/python for backward compatibility with prior Ansible releases. A future Ansible release will default to 
using the discovered platform python for this host. See 
https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information. This 
feature will be removed in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False 
in ansible.cfg.
ok: [master.ipadomain.test]
META: ran handlers

TASK [iparole] *******************************************************************************************************
task path: /root/newrole2.yaml:6
changed: [master.ipadomain.test] => {"changed": true}
META: ran handlers
META: ran handlers

PLAY RECAP ***********************************************************************************************************
master.ipadomain.test      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

[root@master ~]# ipa role-show newrole
  Role name: newrole
  Member groups: vgroup01
  Member hosts: teshoat.ipadomain.test
  Member host-groups: hostgroup01
  Privileges: User Administrators, Group Administrators, Host Administrators, DNS Administrators, DNS Servers

Expected:
Should not remove existing members and should display an error if the entry does not exist.

CLI Console output:

[root@master ~]# ipa role-add-member newrole --users=nouser 
  Role name: newrole
  Member groups: vgroup01
  Member hosts: teshoat.ipadomain.test
  Member host-groups: hostgroup01
  Privileges: User Administrators, Group Administrators, Host Administrators, DNS Administrators, DNS Servers
  Failed members: 
    member user: nouser: no such entry
    member group: 
    member host: 
    member host group: 
    member service: 
    member User ID override: 
-------------------------
Number of members added 0
-------------------------
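
The check below is an added example, not part of the original report or of ansible-freeipa: it diffs the two `ipa role-show newrole` outputs quoted above and flags a member-add run that dropped existing members or never added the requested one. The sample text is copied from the report; the function names are hypothetical.

```python
# Sample text copied from the two `ipa role-show newrole` outputs in this report.
BEFORE = """\
  Role name: newrole
  Member users: vuser01
  Member groups: vgroup01
  Member hosts: teshoat.ipadomain.test
  Member host-groups: hostgroup01
  Privileges: User Administrators, Group Administrators, Host Administrators, DNS Administrators, DNS Servers
  Member services: newhost1/master.ipadomain.test
"""
AFTER = """\
  Role name: newrole
  Member groups: vgroup01
  Member hosts: teshoat.ipadomain.test
  Member host-groups: hostgroup01
  Privileges: User Administrators, Group Administrators, Host Administrators, DNS Administrators, DNS Servers
"""

def parse_role_show(text):
    """Map each 'Label: a, b' line of role-show output to a set of values."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.strip().partition(": ")
        if sep and value:
            fields[label] = {v.strip() for v in value.split(",") if v.strip()}
    return fields

def membership_diff(before, after):
    """Return ({label: removed}, {label: added}) for the 'Member ...' fields only."""
    b, a = parse_role_show(before), parse_role_show(after)
    removed, added = {}, {}
    for label in sorted(l for l in set(b) | set(a) if l.startswith("Member ")):
        gone = b.get(label, set()) - a.get(label, set())
        new = a.get(label, set()) - b.get(label, set())
        if gone:
            removed[label] = gone
        if new:
            added[label] = new
    return removed, added

def check_member_add(before, after, requested):
    """A member-add is sound only if nothing was removed and the requested member landed."""
    removed, added = membership_diff(before, after)
    landed = any(requested in values for values in added.values())
    return {"removed": removed, "requested_added": landed, "ok": not removed and landed}

if __name__ == "__main__":
    print(check_member_add(BEFORE, AFTER, "nouser"))
```

Run around a playbook that uses `action: member`, this kind of before/after comparison catches a task that reports `changed` while the role's membership has shrunk.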

Comment 1 Varun Mylaraiah 2020-11-10 13:06:26 UTC
*** Bug 1893683 has been marked as a duplicate of this bug. ***

Comment 3 Rafael Jeffman 2020-12-15 17:46:30 UTC
There is an upstream patch for this issue: https://github.com/freeipa/ansible-freeipa/pull/469

Comment 5 Rafael Jeffman 2021-01-07 14:16:32 UTC
Upstream PR was merged.

Comment 9 Varun Mylaraiah 2021-01-21 11:13:42 UTC
Verified

Version:
ansible-freeipa-0.3.2-1.el8.noarch
ipa-server-4.9.0-1.module+el8.4.0+9274+259c83ee.x86_64

Passed	ansible_freeipa_tests/rbac_module.py::TestRole::()::test_role_negative_scenarios[add_nonexisting_user_as_a_member-no such entry]
------------------------------ Captured log call -------------------------------
transport.py               293 INFO     WRITE inventory/rbac.hosts
sftp.py                    158 DEBUG    [chan 0] open(b'inventory/rbac.hosts', 'wb')
sftp.py                    158 DEBUG    [chan 0] open(b'inventory/rbac.hosts', 'wb') -> 00000000
sftp.py                    158 DEBUG    [chan 0] close(00000000)
transport.py               329 INFO     PUT rbac_module.yml
sftp.py                    158 DEBUG    [chan 0] open(b'rbac_module.yml', 'wb')
sftp.py                    158 DEBUG    [chan 0] open(b'rbac_module.yml', 'wb') -> 00000000
sftp.py                    158 DEBUG    [chan 0] close(00000000)
sftp.py                    158 DEBUG    [chan 0] stat(b'rbac_module.yml')
channel.py                1212 DEBUG    [chan 82] Max packet in: 32768 bytes
channel.py                1212 DEBUG    [chan 82] Max packet out: 32768 bytes
transport.py              1819 DEBUG    Secsh channel 82 opened.
transport.py               318 INFO     RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/rbac.hosts', 'rbac_module.yml']
transport.py               519 DEBUG    RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/rbac.hosts', 'rbac_module.yml']
channel.py                1212 DEBUG    [chan 82] Sesch channel 82 request ok
transport.py               563 DEBUG    -bash: line 1: cd: /root/multihost_tests: No such file or directory
transport.py               563 DEBUG    -bash: line 2: /root/multihost_tests/env.sh: No such file or directory
transport.py               563 DEBUG    ansible-playbook 2.9.17
transport.py               563 DEBUG      config file = /root/ansible.cfg
transport.py               563 DEBUG      configured module search path = ['/root/ansible-freeipa/plugins/modules', '/usr/share/ansible/plugins/modules']
transport.py               563 DEBUG      ansible python module location = /usr/lib/python3.6/site-packages/ansible
transport.py               563 DEBUG      executable location = /usr/bin/ansible-playbook
transport.py               563 DEBUG      python version = 3.6.8 (default, Dec  7 2020, 09:56:35) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]
transport.py               563 DEBUG    Using /root/ansible.cfg as config file
transport.py               563 DEBUG    Skipping callback 'actionable', as we already have a stdout callback.
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAYBOOK: rbac_module.yml ******************************************************
transport.py               563 DEBUG    1 plays in rbac_module.yml
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAY [Playbook to ensure not able to add nonexisting user members in role] *****
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [Gathering Facts] *********************************************************
transport.py               563 DEBUG    task path: /root/rbac_module.yml:2
transport.py               563 DEBUG    ok: [master.ipadomain.test]
transport.py               563 DEBUG    META: ran handlers
transport.py               563 DEBUG    
transport.py               563 DEBUG    TASK [iparole] *****************************************************************
transport.py               563 DEBUG    task path: /root/rbac_module.yml:6
transport.py               563 DEBUG    fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "role_add_member: user nouser: no such entry"}
transport.py               563 DEBUG    
transport.py               563 DEBUG    PLAY RECAP *********************************************************************
transport.py               563 DEBUG    master.ipadomain.test      : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
transport.py               563 DEBUG    
channel.py                1212 DEBUG    [chan 82] EOF received (82)
channel.py                1212 DEBUG    [chan 82] EOF sent (82)
transport.py               217 DEBUG    Exit code: 2

Comment 11 errata-xmlrpc 2021-05-18 15:51:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ansible-freeipa bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2021:1860