# na_ontap_file_security_permissions - Failing


unreal badger
#

Hi Team

I'm trying to set DACLs using the file security permissions module and got the error below.
I noticed that this module is trying to put 'access_control', 'ignore_paths' and 'propagation_mode' into the 'acls' list.
But as per the REST API document these are global params and don't belong in the 'acls' list. I'm thinking this is causing the failure, because I was able to test this successfully in Postman without any issues.

Could you please let me know on this?

jolly quiver
#

The issue is that ONTAP reinterprets the ACLs and formats them very differently from what is input. The warning indicates it, and the error message shows the differences between what you requested and what ONTAP did.

```
patch-acls still required for
[{'access': 'access_allow', 'apply_to': {'files': True, 'sub_folders': True, 'this_folder': True},
'rights': 'full_control', 'user': 'BUILTIN\\Administrators', 'access_control': 'file_directory', 'propagation_mode': 'propagate'}] -
post-acls still required for
[{'access': 'access_allow', 'apply_to': {'files': True, 'sub_folders': True, 'this_folder': True}, 'rights': 'modify', 'user': 'LG_blore_axa_DATA_axa_share_01_W',
'access_control': 'file_directory', 'propagation_mode': 'propagate'}, {'access': 'access_allow', 'apply_to': {'files': True, 'sub_folders': True, 'this_folder': True},
'rights': 'read_and_execute', 'user': 'LG_blore_axa_DATA_axa_share_01_R', 'access_control': 'file_directory', 'propagation_mode': 'propagate'},
{'access': 'access_allow', 'apply_to': {'files': True, 'sub_folders': True, 'this_folder': True}, 'rights': 'full_control', 'user': 'LG_blore_axa_DATA_axa_share_01_A',
'access_control': 'file_directory', 'propagation_mode': 'propagate'}] -
delete-acls still required for
[{'access': 'access_allow', 'access_control': 'file_directory', 'inherited': None, 'propagation_mode': None, 'rights': None,
```

#

If you're confident with what you're sending, and not interested in idempotency, you can ignore the error using the validate_changes option.

#

But I think it's better to use advanced_rights and try to match ONTAP expectations.

unreal badger
#

Okay. But the same payload works as a REST API call from Postman?

jolly quiver
#

It works also for us. There was no error from ONTAP. It's our module that reports a discrepancy.

unreal badger
#

Okay, so what should be done now? Will 'validate_changes' be enough?

jolly quiver
#

It's enough, but I think it's much better to change the playbook to match ONTAP expectations by using advanced_rights.

unreal badger
#

Sure thing! Let me work on using the advanced_rights options.

#

Thanks Laurent! I will get back if any issues

#

It worked with the validate_change: ignore option. I will work with advanced rights.

unreal badger
#

@jolly quiver , I was able to use advanced rights and test it today. But this is also failing without the validate_change option. I had to force validate_changes: ignore to make it work.

I think the validation has something that needs to be fixed. Using validate_changes: ignore forces a POST call every time, but it's good that the REST API accepts it.

Attaching latest logs. Could you please check this issue?

ONTAP: 9.11.1
Collections: 22.2.0

wicked zenith
#

Yes, the error is an expected one.
This is a little complex.

A desired ACL sometimes gets configured as 2 ACLs in ONTAP.

#

After the initial POST/PATCH, the module will validate whether desired and current are the same and report if there is a difference.

unreal badger
#

Okay. When I do this directly in the REST API, I don't see any difference between the GET and POST calls. What is the best way to use Ansible with this error? Always use validate_changes with ignore?

#

I noticed the PATCH call can't take acls as a list. It needs it as a dictionary. So if the Ansible module is switching to PATCH then it should be doing separate calls for each ACL.

unreal badger
#

@jolly quiver , let me know how to resolve this issue when you get a chance to check this. Thanks in advance!

jolly quiver
#

If you compare the "post-acls still required for" with the "delete-acls still required for", you can see that you are sending LG_blore_axa_DATA_axa_share_01_A but ONTAP is configuring GSDC\\\\LG_blore_axa_DATA_axa_share_01_A. This creates a discrepancy for 3 entries.

#

For BUILTIN\\\\Administrators there is a difference in attributes, though I don't see what's wrong. We should handle access_control and propagation_mode correctly.

unreal badger
#

@jolly quiver , I tried adding the domain and tested it. I also limited the config to what is needed. But still no luck.

I notice that 'propagation_mode' and 'access_control' are being added in the payload inside the 'acls' child element.
As per the REST API document (https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html#/NAS/file_directory_security_create & https://library.netapp.com/ecmdocs/ECMLP2882307/html/index.html#/NAS/file_directory_security_modify), in both cases of POST and PATCH, 'propagation_mode' and 'access_control' should be in the parent dictionary payload and not inside acls. 'acls' only needs 'rights', 'advanced_rights', 'apply_to', 'access' and 'user'.

I checked our na module code and I see these params are being added into the acls payload explicitly if they are not present. I think this should be removed. This could be causing the dictionaries to not match when validation is enabled.

#

For the time being I'm setting validate_changes to ignore.
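An added example, not the netapp.ontap module's own code, of the desired-versus-current comparison this thread describes: it strips the keys the REST doc puts at the top level (access_control, propagation_mode, ignore_paths) from each entry, drops the None padding ONTAP returns, and qualifies bare user names with a domain before diffing, so only a real difference such as rights versus advanced_rights on BUILTIN\Administrators remains. The GSDC domain default and the sample ACLs are constructed from the values quoted in the thread.

```python
from copy import deepcopy

# Keys the ONTAP REST doc places at the top level of the payload, not per ACL.
TOP_LEVEL_KEYS = ("access_control", "propagation_mode", "ignore_paths")
DEFAULT_DOMAIN = "GSDC"  # constructed: the domain ONTAP prefixed in this thread


def normalize_acl(acl, domain=DEFAULT_DOMAIN):
    """Return a canonical, hashable view of one ACL entry for comparison."""
    acl = deepcopy(acl)
    for key in TOP_LEVEL_KEYS:  # global settings do not identify an ACE
        acl.pop(key, None)
    acl = {k: v for k, v in acl.items() if v is not None}  # GET pads with None
    user = acl.get("user", "")
    if "\\" not in user:  # unqualified name: ONTAP stores it domain-qualified
        user = f"{domain}\\{user}"
    apply_to = tuple(sorted(acl.get("apply_to", {}).items()))
    advanced = tuple(sorted(acl.get("advanced_rights", {}).items()))
    return (acl.get("access"), user, acl.get("rights"), advanced, apply_to)


def acl_diff(desired, current):
    """Entries that would still need a POST (missing) or a delete (unexpected)."""
    want = {normalize_acl(a) for a in desired}
    have = {normalize_acl(a) for a in current}
    return {"post": sorted(want - have, key=repr),
            "delete": sorted(have - want, key=repr)}


# Constructed sample modelled on the thread: the first pair differs only by the
# domain prefix and global keys (benign); the BUILTIN pair differs in rights form.
APPLY_ALL = {"files": True, "sub_folders": True, "this_folder": True}
DESIRED = [
    {"access": "access_allow", "apply_to": APPLY_ALL, "rights": "full_control",
     "user": "LG_blore_axa_DATA_axa_share_01_A"},
    {"access": "access_allow", "apply_to": APPLY_ALL, "rights": "full_control",
     "user": "BUILTIN\\Administrators"},
]
CURRENT = [
    {"access": "access_allow", "apply_to": APPLY_ALL, "rights": "full_control",
     "user": "GSDC\\LG_blore_axa_DATA_axa_share_01_A",
     "access_control": "file_directory", "propagation_mode": "propagate"},
    {"access": "access_allow", "apply_to": APPLY_ALL, "rights": None,
     "advanced_rights": {"full_control": True, "read_data": True},
     "user": "BUILTIN\\Administrators", "access_control": None,
     "propagation_mode": None, "ignore_paths": None},
]

if __name__ == "__main__":
    print(acl_diff(DESIRED, CURRENT))  # only the BUILTIN entry is reported
```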

wicked zenith
#

We are removing 'propagation_mode' and 'access_control' if present in the acls key.

unreal badger
#

From the code snippet I see it's getting added and set empty. Not sure if there is any other block where you are removing it. But I see this in the Ansible failure payload.

wicked zenith
#

REST will report an error if we try to set unsupported keys; the snippet function is actually removing the propagation_mode and access_control from each ACL.

But when testing we could find other issues in the module.

#

Thanks

unreal badger
#

Thanks Mohan!

wicked zenith
unreal badger
#

Yes. Please look at the screenshot I have attached.

wicked zenith
#

The message.txt file is good; it's not giving the unexpected argument error.

unreal badger
#

```python
# Module snippet: group each acl by its access_control, then by propagation_mode
if access_control not in acls_groups:
    acls_groups[access_control] = {}
if propagation_mode not in acls_groups[access_control]:
    acls_groups[access_control][propagation_mode] = []
acls_groups[access_control][propagation_mode].append(acl)
```

#

```json
"acls": [
{
"access": "access_allow",
"access_control": null,
"advanced_rights": {
"append_data": true,
"delete": true,
"delete_child": true,
"execute_file": true,
"full_control": true,
"read_attr": true,
"read_data": true,
"read_ea": true,
"read_perm": true,
"write_attr": true,
"write_data": true,
"write_ea": true,
"write_owner": true,
"write_perm": true
},
"apply_to": {
"files": true,
"sub_folders": true,
"this_folder": true
},
"ignore_paths": null,
"propagation_mode": null,
"rights": null,
"user": "BUILTIN\Administrators"
},
```

#

The above output is from the file, showing that acls has 'access_control' and 'propagation_mode'.

#

In the above module, lines 642 to 646 are adding these params.

jolly quiver
#

There is some inconsistency in the APIs, so we are working around them by adding/deleting elements.
You can see this is working for the 3 other users (GSDC...).

But it's possible we missed one case and it causes a mismatch when comparing the results. Not sure why this happens only with BUILTIN. Mohan is looking into it. ONTAP may not be returning some info we are expecting.

jolly quiver
#

Tracking this as DEVOPS-5859

craggy bough
#

Is it possible to get a good example of this module in Ansible? The examples are barebones in the doc. I am confused as to how to use the acls portion and where things go.