fix nxos_aaa_server issues (#38117)
This commit is contained in:
saichint
Trishna Guha
parent
b4debfad9a
commit
697c301f04
3 changed files with 49 additions and 29 deletions
|
|
@ -39,7 +39,6 @@ notes:
|
||||||
stored as encrypted (type 7).
|
stored as encrypted (type 7).
|
||||||
- Changes to the global AAA server key with encrypt_type=0
|
- Changes to the global AAA server key with encrypt_type=0
|
||||||
are not idempotent.
|
are not idempotent.
|
||||||
- If global AAA server key is not found, it's shown as "unknown"
|
|
||||||
- state=default will set the supplied parameters to their default values.
|
- state=default will set the supplied parameters to their default values.
|
||||||
The parameters that you want to default must also be set to default.
|
The parameters that you want to default must also be set to default.
|
||||||
If global_key=default, the global key will be removed.
|
If global_key=default, the global key will be removed.
|
||||||
|
|
@ -51,7 +50,7 @@ options:
|
||||||
choices: ['radius', 'tacacs']
|
choices: ['radius', 'tacacs']
|
||||||
global_key:
|
global_key:
|
||||||
description:
|
description:
|
||||||
- Global AAA shared secret.
|
- Global AAA shared secret or keyword 'default'.
|
||||||
encrypt_type:
|
encrypt_type:
|
||||||
description:
|
description:
|
||||||
- The state of encryption applied to the entered global key.
|
- The state of encryption applied to the entered global key.
|
||||||
|
|
@ -60,14 +59,15 @@ options:
|
||||||
deadtime:
|
deadtime:
|
||||||
description:
|
description:
|
||||||
- Duration for which a non-reachable AAA server is skipped,
|
- Duration for which a non-reachable AAA server is skipped,
|
||||||
in minutes. Range is 1-1440. Device default is 0.
|
in minutes or keyword 'default.
|
||||||
|
Range is 1-1440. Device default is 0.
|
||||||
server_timeout:
|
server_timeout:
|
||||||
description:
|
description:
|
||||||
- Global AAA server timeout period, in seconds. Range is 1-60.
|
- Global AAA server timeout period, in seconds or keyword 'default.
|
||||||
Device default is 5.
|
Range is 1-60. Device default is 5.
|
||||||
directed_request:
|
directed_request:
|
||||||
description:
|
description:
|
||||||
- Enables direct authentication requests to AAA server.
|
- Enables direct authentication requests to AAA server or keyword 'default'
|
||||||
Device default is disabled.
|
Device default is disabled.
|
||||||
choices: ['enabled', 'disabled']
|
choices: ['enabled', 'disabled']
|
||||||
state:
|
state:
|
||||||
|
|
@ -116,7 +116,14 @@ from ansible.module_utils.network.nxos.nxos import nxos_argument_spec, check_arg
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
|
|
||||||
|
|
||||||
def execute_show_command(command, module, command_type='cli_show'):
|
PARAM_TO_DEFAULT_KEYMAP = {
|
||||||
|
'server_timeout': '5',
|
||||||
|
'deadtime': '0',
|
||||||
|
'directed_request': 'disabled',
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
def execute_show_command(command, module):
|
||||||
command = {
|
command = {
|
||||||
'command': command,
|
'command': command,
|
||||||
'output': 'text',
|
'output': 'text',
|
||||||
|
|
@ -142,8 +149,7 @@ def get_aaa_server_info(server_type, module):
|
||||||
global_key_command = 'show run | sec {0}'.format(server_type)
|
global_key_command = 'show run | sec {0}'.format(server_type)
|
||||||
aaa_regex = r'.*{0}-server\skey\s\d\s+(?P<key>\S+).*'.format(server_type)
|
aaa_regex = r'.*{0}-server\skey\s\d\s+(?P<key>\S+).*'.format(server_type)
|
||||||
|
|
||||||
server_body = execute_show_command(
|
server_body = execute_show_command(server_command, module)[0]
|
||||||
server_command, module, command_type='cli_show_ascii')[0]
|
|
||||||
|
|
||||||
split_server = server_body.splitlines()
|
split_server = server_body.splitlines()
|
||||||
|
|
||||||
|
|
@ -154,30 +160,25 @@ def get_aaa_server_info(server_type, module):
|
||||||
elif line.startswith('deadtime'):
|
elif line.startswith('deadtime'):
|
||||||
aaa_server_info['deadtime'] = line.split(':')[1]
|
aaa_server_info['deadtime'] = line.split(':')[1]
|
||||||
|
|
||||||
request_body = execute_show_command(
|
request_body = execute_show_command(request_command, module)[0]
|
||||||
request_command, module, command_type='cli_show_ascii')[0]
|
|
||||||
aaa_server_info['directed_request'] = request_body.replace('\n', '')
|
|
||||||
|
|
||||||
key_body = execute_show_command(
|
if bool(request_body):
|
||||||
global_key_command, module, command_type='cli_show_ascii')[0]
|
aaa_server_info['directed_request'] = request_body.replace('\n', '')
|
||||||
|
else:
|
||||||
|
aaa_server_info['directed_request'] = 'disabled'
|
||||||
|
|
||||||
|
key_body = execute_show_command(global_key_command, module)[0]
|
||||||
|
|
||||||
try:
|
try:
|
||||||
match_global_key = re.match(aaa_regex, key_body, re.DOTALL)
|
match_global_key = re.match(aaa_regex, key_body, re.DOTALL)
|
||||||
group_key = match_global_key.groupdict()
|
group_key = match_global_key.groupdict()
|
||||||
aaa_server_info['global_key'] = group_key["key"].replace('\"', '')
|
aaa_server_info['global_key'] = group_key["key"].replace('\"', '')
|
||||||
except (AttributeError, TypeError):
|
except (AttributeError, TypeError):
|
||||||
aaa_server_info['global_key'] = 'unknown'
|
aaa_server_info['global_key'] = None
|
||||||
|
|
||||||
return aaa_server_info
|
return aaa_server_info
|
||||||
|
|
||||||
|
|
||||||
def set_aaa_server_global_key(encrypt_type, key, server_type):
|
|
||||||
if not encrypt_type:
|
|
||||||
encrypt_type = ''
|
|
||||||
return '{0}-server key {1} {2}'.format(
|
|
||||||
server_type, encrypt_type, key)
|
|
||||||
|
|
||||||
|
|
||||||
def config_aaa_server(params, server_type):
|
def config_aaa_server(params, server_type):
|
||||||
cmds = []
|
cmds = []
|
||||||
|
|
||||||
|
|
@ -215,13 +216,13 @@ def default_aaa_server(existing, params, server_type):
|
||||||
global_key = params.get('global_key')
|
global_key = params.get('global_key')
|
||||||
existing_key = existing.get('global_key')
|
existing_key = existing.get('global_key')
|
||||||
|
|
||||||
if deadtime is not None:
|
if deadtime is not None and existing.get('deadtime') != PARAM_TO_DEFAULT_KEYMAP['deadtime']:
|
||||||
cmds.append('no {0}-server deadtime 1'.format(server_type))
|
cmds.append('no {0}-server deadtime 1'.format(server_type))
|
||||||
|
|
||||||
if server_timeout is not None:
|
if server_timeout is not None and existing.get('server_timeout') != PARAM_TO_DEFAULT_KEYMAP['server_timeout']:
|
||||||
cmds.append('no {0}-server timeout 1'.format(server_type))
|
cmds.append('no {0}-server timeout 1'.format(server_type))
|
||||||
|
|
||||||
if directed_request is not None:
|
if directed_request is not None and existing.get('directed_request') != PARAM_TO_DEFAULT_KEYMAP['directed_request']:
|
||||||
cmds.append('no {0}-server directed-request'.format(server_type))
|
cmds.append('no {0}-server directed-request'.format(server_type))
|
||||||
|
|
||||||
if global_key is not None and existing_key is not None:
|
if global_key is not None and existing_key is not None:
|
||||||
|
|
|
||||||
|
|
@ -73,7 +73,7 @@
|
||||||
- assert: *false
|
- assert: *false
|
||||||
|
|
||||||
- name: "Remove radius server configuration"
|
- name: "Remove radius server configuration"
|
||||||
nxos_aaa_server:
|
nxos_aaa_server: &rad_def
|
||||||
server_type: radius
|
server_type: radius
|
||||||
deadtime: default
|
deadtime: default
|
||||||
server_timeout: default
|
server_timeout: default
|
||||||
|
|
@ -85,6 +85,12 @@
|
||||||
|
|
||||||
- assert: *true
|
- assert: *true
|
||||||
|
|
||||||
|
- name: "Check Idempotence"
|
||||||
|
nxos_aaa_server: *rad_def
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert: *false
|
||||||
|
|
||||||
rescue:
|
rescue:
|
||||||
|
|
||||||
- debug: msg="connection={{ ansible_connection }} nxos_aaa_server failure detected"
|
- debug: msg="connection={{ ansible_connection }} nxos_aaa_server failure detected"
|
||||||
|
|
@ -94,4 +100,4 @@
|
||||||
nxos_aaa_server: *remove
|
nxos_aaa_server: *remove
|
||||||
register: result
|
register: result
|
||||||
|
|
||||||
- debug: msg="END connection={{ ansible_connection }} nxos_aaa_server radius.yaml sanity test"
|
- debug: msg="END connection={{ ansible_connection }} nxos_aaa_server radius.yaml sanity test"
|
||||||
|
|
|
||||||
|
|
@ -79,11 +79,24 @@
|
||||||
- assert: *false
|
- assert: *false
|
||||||
|
|
||||||
- name: "Remove tacacs server configuration"
|
- name: "Remove tacacs server configuration"
|
||||||
nxos_aaa_server: *remove
|
nxos_aaa_server: &tac_def
|
||||||
|
server_type: tacacs
|
||||||
|
deadtime: default
|
||||||
|
server_timeout: default
|
||||||
|
global_key: default
|
||||||
|
directed_request: default
|
||||||
|
state: default
|
||||||
|
provider: "{{ connection }}"
|
||||||
register: result
|
register: result
|
||||||
|
|
||||||
- assert: *true
|
- assert: *true
|
||||||
|
|
||||||
|
- name: "Check Idempotence"
|
||||||
|
nxos_aaa_server: *tac_def
|
||||||
|
register: result
|
||||||
|
|
||||||
|
- assert: *false
|
||||||
|
|
||||||
rescue:
|
rescue:
|
||||||
|
|
||||||
- debug: msg="connection={{ ansible_connection }} nxos_aaa_server failure detected"
|
- debug: msg="connection={{ ansible_connection }} nxos_aaa_server failure detected"
|
||||||
|
|
@ -100,4 +113,4 @@
|
||||||
state: disabled
|
state: disabled
|
||||||
provider: "{{ connection }}"
|
provider: "{{ connection }}"
|
||||||
|
|
||||||
- debug: msg="END connection={{ ansible_connection }} nxos_aaa_server tacacs.yaml sanity test"
|
- debug: msg="END connection={{ ansible_connection }} nxos_aaa_server tacacs.yaml sanity test"
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue