1784514 – [ansible-freeipa] Not able to modify "requires_pre_auth", "ok_to_auth_as_delegate" and "ok_as_delegate" variable in the host module

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1784514 - [ansible-freeipa] Not able to modify "requires_pre_auth", "ok_to_auth_as_delegate" and "ok_as_delegate" variable in the host module

Summary: [ansible-freeipa] Not able to modify "requires_pre_auth", "ok_to_auth_as_dele...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	ansible-freeipa
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Thomas Woerner
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-12-17 15:56 UTC by Varun Mylaraiah
Modified:	2023-05-14 08:13 UTC (History)
CC List:	0 users
Fixed In Version:	ansible-freeipa-0.1.8-2.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-28 16:01:56 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-9874	None	None	None	2023-05-14 08:13:39 UTC
Red Hat Issue Tracker	RHELPLAN-36617	None	None	None	2023-05-14 08:11:42 UTC
Red Hat Product Errata	RHBA-2020:1705	None	None	None	2020-04-28 16:02:07 UTC

Description Varun Mylaraiah 2019-12-17 15:56:19 UTC

Description of problem:
"requires_pre_auth", "ok_as_delegate", and "ok_to_auth_as_delegate" variable are not working on existing host in the host module

Version-Release number of selected component (if applicable):
ansible-freeipa-0.1.7-1.el8.noarch



Steps to Reproduce:
Observe this error with the below playbook.

fatal: [master.ipadomain.test]: FAILED! => {"changed": false, "msg": "'bool' object is not iterable"}

Playbook-1
###########
# cat addhost2.yaml
---
- name: Playbook to handle hosts
  hosts: ipaserver
  become: true

  tasks:
  - ipahost:
      ipaadmin_password: <xxxxxxxxx>
      name: host14.ipadomain.test
      description: Example host
      ok_to_auth_as_delegate: False

Playbook-2
###########
# cat addhost2.yaml
---
- name: Playbook to handle hosts
  hosts: ipaserver
  become: true

  tasks:
  - ipahost:
      ipaadmin_password: <xxxxxxxxx>
      name: host14.ipadomain.test
      description: Example host
      ok_as_delegate: False

Playbook-3
###########
# cat addhost2.yaml
---
- name: Playbook to handle hosts
  hosts: ipaserver
  become: true

  tasks:
  - ipahost:
      ipaadmin_password: <xxxxxxxxx>
      name: host14.ipadomain.test
      description: Example host
      requires_pre_auth: False

Playbook-4
###########
# cat addhost2.yaml
---
- name: Playbook to handle hosts
  hosts: ipaserver
  become: true

  tasks:
  - ipahost:
      ipaadmin_password: <xxxxxxxxx>
      name: host14.ipadomain.test
      description: Example host
      requires_pre_auth: False
      ok_as_delegate: False
      ok_to_auth_as_delegate: False


Expected results:
should accept changes

Additional info:
Command-line output
===================
[root@master ~]# ipa host-mod hosta1.ipadomain.test --ok-as-delegate=True --ok-to-auth-as-delegate=True --requires-pre-auth=True
-------------------------------------
Modified host "hosta1.ipadomain.test"
-------------------------------------
  Host name: hosta1.ipadomain.test
  Principal name: host/hosta1.ipadomain.test
  Principal alias: host/hosta1.ipadomain.test
  Requires pre-authentication: True
  Trusted for delegation: True
  Trusted to authenticate as user: True
  Password: False
  Keytab: False
  Managed by: hosta1.ipadomain.test


[root@master ~]# ipa host-mod hosta1.ipadomain.test --ok-as-delegate=False --ok-to-auth-as-delegate=False --requires-pre-auth=False
-------------------------------------
Modified host "hosta1.ipadomain.test"
-------------------------------------
  Host name: hosta1.ipadomain.test
  Principal name: host/hosta1.ipadomain.test
  Principal alias: host/hosta1.ipadomain.test
  Requires pre-authentication: False
  Trusted for delegation: False
  Trusted to authenticate as user: False
  Password: False
  Keytab: False
  Managed by: hosta1.ipadomain.test

Comment 1 Thomas Woerner 2020-02-11 09:42:38 UTC

Here is the upstream PR: https://github.com/freeipa/ansible-freeipa/pull/201

Comment 4 Varun Mylaraiah 2020-03-03 10:12:27 UTC

Verified

Manual execution console output:
================================
# rpm -q ansible-freeipa
ansible-freeipa-0.1.8-3.el8.noarch

############
Test case-1 Test to verify that the bool parameters can be modified(requires-pre-auth, ok-as-delegate, and ok-to-auth-as-delegate is False) 
############
[root@master ~]# ipa host-show host514a.ipadomain.test --all
ipa: ERROR: host514a.ipadomain.test: host not found

[root@ansible ~]# cat bz514_01.yaml
---
- name: Playbook to handle hosts
  hosts: ipaserver
  become: true

  tasks:
  - ipahost:
      ipaadmin_password: <xxxxxxxxx>
      name: host514a.ipadomain.test
      description: Example host
      force: yes
      ok_to_auth_as_delegate: False
      ok_as_delegate: False
      requires_pre_auth: False

[root@ansible ~]# ansible-playbook -vv -i inventory/server.hosts bz514_01.yaml
ansible-playbook 2.9.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file

PLAYBOOK: bz514_01.yaml **********************************************************************************************
1 plays in bz514_01.yaml

PLAY [Playbook to handle hosts] **************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************
task path: /root/bz514_01.yaml:2
ok: [master.ipadomain.test]
META: ran handlers

TASK [ipahost] *******************************************************************************************************
task path: /root/bz514_01.yaml:7
changed: [master.ipadomain.test] => {"changed": true, "host": {}}
META: ran handlers
META: ran handlers

PLAY RECAP ***********************************************************************************************************
master.ipadomain.test      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


[root@master ~]# ipa host-show host514a.ipadomain.test --all
  dn: fqdn=host514a.ipadomain.test,cn=computers,cn=accounts,dc=ipadomain,dc=test
  Host name: host514a.ipadomain.test
  Description: Example host
  Principal name: host/host514a.ipadomain.test
  Principal alias: host/host514a.ipadomain.test
  Requires pre-authentication: False
  Trusted for delegation: False
  Trusted to authenticate as user: False
  Password: False
  Keytab: False
  Managed by: host514a.ipadomain.test
  Managing: host514a.ipadomain.test
  cn: host514a.ipadomain.test
  ipauniqueid: fd468c4c-5c5e-11ea-97d0-fa163e2d47e1
  krbpwdpolicyreference: cn=Default Host Password Policy,cn=computers,cn=accounts,dc=ipadomain,dc=test
  krbticketflags: 0
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, ieee802device,
               ipasshhost, krbticketpolicyaux, top, ipaSshGroupOfPubKeys
  serverhostname: host514a

############
Test case-2 Test to verify that the bool parameters can be modified(requires-pre-auth, ok-as-delegate, and ok-to-auth-as-delegate is True)
############
[root@ansible ~]# cat bz514_02.yaml
---
- name: Playbook to handle hosts
  hosts: ipaserver
  become: true

  tasks:
  - ipahost:
      ipaadmin_password: <xxxxxxxxx>
      name: host514a.ipadomain.test
      ok_to_auth_as_delegate: True
      ok_as_delegate: True
      requires_pre_auth: True

[root@ansible ~]# ansible-playbook -vv -i inventory/server.hosts bz514_02.yaml 
ansible-playbook 2.9.5
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file

PLAYBOOK: bz514_02.yaml **********************************************************************************************
1 plays in bz514_02.yaml

PLAY [Playbook to handle hosts] **************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************
task path: /root/bz514_02.yaml:2
ok: [master.ipadomain.test]
META: ran handlers

TASK [ipahost] *******************************************************************************************************
task path: /root/bz514_02.yaml:7
changed: [master.ipadomain.test] => {"changed": true, "host": {}}
META: ran handlers
META: ran handlers

PLAY RECAP ***********************************************************************************************************
master.ipadomain.test      : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   


[root@master ~]# ipa host-show host514a.ipadomain.test --all
  dn: fqdn=host514a.ipadomain.test,cn=computers,cn=accounts,dc=ipadomain,dc=test
  Host name: host514a.ipadomain.test
  Description: Example host
  Principal name: host/host514a.ipadomain.test
  Principal alias: host/host514a.ipadomain.test
  Requires pre-authentication: True
  Trusted for delegation: True
  Trusted to authenticate as user: True
  Password: False
  Keytab: False
  Managed by: host514a.ipadomain.test
  Managing: host514a.ipadomain.test
  cn: host514a.ipadomain.test
  ipauniqueid: fd468c4c-5c5e-11ea-97d0-fa163e2d47e1
  krbpwdpolicyreference: cn=Default Host Password Policy,cn=computers,cn=accounts,dc=ipadomain,dc=test
  krbticketflags: 3145856
  objectclass: ipaobject, nshost, ipahost, pkiuser, ipaservice, krbprincipalaux, krbprincipal, ieee802device,
               ipasshhost, krbticketpolicyaux, top, ipaSshGroupOfPubKeys
  serverhostname: host514a

Comment 5 Varun Mylaraiah 2020-03-03 12:08:42 UTC

Automated test console output:
===============================

2020-03-03T10:21:23 ansible_freeipa_tests/host_module.py::Testhost33_34::test_add_host_with_preauth_delegate_authdelegate_no 
2020-03-03T10:21:23 [1m-------------------------------- live log call ---------------------------------[0m
2020-03-03T10:21:23 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['ipactl', 'status']
2020-03-03T10:21:26 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['kinit', 'admin']
2020-03-03T10:21:26 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['ipa', 'host-find']
2020-03-03T10:21:27 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['kdestroy', '-A']
2020-03-03T10:21:27 [pytest_multihost.host.Host.ansible.ParamikoTransport] [32mINFO[0m WRITE inventory/host.hosts
2020-03-03T10:21:27 [pytest_multihost.host.Host.ansible.ParamikoTransport] [32mINFO[0m PUT host_module.yml
2020-03-03T10:21:27 [pytest_multihost.host.Host.ansible.ParamikoTransport] [32mINFO[0m RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/host.hosts', 'host_module.yml']
2020-03-03T10:21:32 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['kinit', 'admin']
2020-03-03T10:21:32 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['ipa', 'host-show', 'myhost1784514.ipadomain.test', '--all']
2020-03-03T10:21:33 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['kdestroy', '-A']
2020-03-03T10:21:33 [32mPASSED[0m[36m [ 83%][0m
2020-03-03T10:21:33 ansible_freeipa_tests/host_module.py::Testhost33_34::test_add_host_with_preauth_delegate_authdelegate_yes 
2020-03-03T10:21:33 [1m-------------------------------- live log call ---------------------------------[0m
2020-03-03T10:21:33 [pytest_multihost.host.Host.ansible.ParamikoTransport] [32mINFO[0m WRITE inventory/host.hosts
2020-03-03T10:21:33 [pytest_multihost.host.Host.ansible.ParamikoTransport] [32mINFO[0m PUT host_module.yml
2020-03-03T10:21:33 [pytest_multihost.host.Host.ansible.ParamikoTransport] [32mINFO[0m RUN ['ansible-playbook', '--ssh-extra-args="-o StrictHostKeyChecking=no"', '-vv', '-i', 'inventory/host.hosts', 'host_module.yml']
2020-03-03T10:21:39 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['kinit', 'admin']
2020-03-03T10:21:39 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['ipa', 'host-show', 'myhost1784514.ipadomain.test', '--all']
2020-03-03T10:21:40 [pytest_multihost.host.Host.master.ParamikoTransport] [32mINFO[0m RUN ['kdestroy', '-A']
2020-03-03T10:21:40 [32mPASSED[0m[36m [100%][0m

Comment 7 errata-xmlrpc 2020-04-28 16:01:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1705

Note You need to log in before you can comment on or make changes to this bug.