# How to use Ansible to verify onboard key-manager backup


gilded flicker

After I enabled onboard key-manager on a cmode cluster, I store the passphrase and backup key in a vault. But to make sure the passphrase and backup key are correct, I need to verify them. How do I use Ansible to do that?

Similar to the command below, but it requires entering the passphrase and backup key.

security key-manager onboard verify-backup
gilded flicker

@strange bronze can you shed some light on this?

strange bronze

I'll have to spend some time looking into this, as I haven't played around with key-manager, to see if there is a REST API that does something similar.

I know that things like passwords and keys are only ever returned when they are created, so checking to see whether something was modified or is the same can't be done with Ansible either. The reason for that is that, for security reasons, you don't want an API that confirms or returns a user password or key.

For security/accounts we have a little hack around that. Every time we run the module we attempt to change your password. If you've given us a new password it gets set. If you give the same password that is on the system (or one of the old ones), ONTAP will return an error indicating the password is the same (or an old one) https://github.com/ansible-collections/netapp.ontap/blob/main/plugins/modules/na_ontap_user.py#L644 and so we assume you've given the same password. We hide the error and return OK, nothing has changed.


gilded flicker

Could the key-manager module have a validate function similar to the na_ontap_user module? We pass the passphrase and backup-key to it (probably from some vault, so it's secure), and the API just returns "ok" if they match (verified), or "fail" if not verified. It's very important for us to know the passphrase & backup-key we store in a vault are good, in case we need to add nodes or do a disaster recovery.

strange bronze

Let me have the team look at it.

I think it should be possible. The REST API on modify has the following error code:
65536150 The new passphrase is same as old passphrase.

That looks like it would work the same way we have the user version set up. (I don't see a similar code for the backup-key, so that one might not be possible.)

gilded flicker

OK, so for the passphrase only, it might work for now. As for the backup-key, we can get it from rest_info and compare it to what's stored in the vault.


Would like to have this feature ASAP 🙂 😀
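The check the thread converges on, as an added example that is not code from the thread or from the netapp.ontap collection: reuse the na_ontap_user trick for the passphrase (attempt a modify, treat ONTAP's "same as old" error 65536150 as "verified") and do a constant-time comparison of the backup key read back from the cluster against the vault copy. The point worth noticing is that the stored passphrase is sent as both the existing and the new passphrase, so the call can never actually rotate the key: a wrong value is rejected as the existing passphrase, a right one triggers 65536150. The cluster is a constructed stand-in; the request field names (onboard.existing_passphrase, onboard.passphrase) and the error code for a wrong existing passphrase are assumptions of the example, only 65536150 comes from the thread.

```python
import hmac

# Error code quoted in the thread for the onboard key-manager modify call.
ONTAP_ERR_SAME_PASSPHRASE = 65536150

# Constructed code for "existing passphrase is wrong"; the real ONTAP code is
# not shown in the thread, so this value is an assumption of the example.
FAKE_ERR_BAD_EXISTING_PASSPHRASE = 1


class OntapError(Exception):
    """Error the way an ONTAP REST call reports it: numeric code plus text."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code


class FakeOnboardKeyManager:
    """Constructed stand-in for the cluster. It mimics what the thread says the
    modify does: correct existing passphrase + different new one rotates,
    identical new one fails with 65536150. The field names are an assumption,
    not a documented ONTAP REST schema."""

    def __init__(self, passphrase, backup_key):
        self._passphrase = passphrase
        self._backup_key = backup_key

    def patch(self, body):
        onboard = body["onboard"]
        if not hmac.compare_digest(onboard["existing_passphrase"].encode(),
                                   self._passphrase.encode()):
            raise OntapError(FAKE_ERR_BAD_EXISTING_PASSPHRASE,
                             "Invalid existing passphrase (constructed error)")
        if onboard["passphrase"] == self._passphrase:
            raise OntapError(ONTAP_ERR_SAME_PASSPHRASE,
                             "The new passphrase is same as old passphrase.")
        self._passphrase = onboard["passphrase"]
        return {"changed": True}

    def get_backup_key(self):
        """Stands in for reading the backup key back (rest_info in the thread)."""
        return self._backup_key

    def current_passphrase_is(self, candidate):
        """Test hook only: confirms that a verification did not rotate the key."""
        return hmac.compare_digest(candidate.encode(), self._passphrase.encode())


def verify_passphrase(km, stored_passphrase):
    """Return True if stored_passphrase is the current onboard passphrase,
    without ever changing it.

    The stored value is sent as BOTH existing and new passphrase. A wrong
    value is rejected as the existing passphrase; a correct one makes ONTAP
    answer 65536150 ("same as old"), which is the verification signal. Any
    other error counts as "not verified"."""
    try:
        km.patch({"onboard": {"existing_passphrase": stored_passphrase,
                              "passphrase": stored_passphrase}})
    except OntapError as err:
        return err.code == ONTAP_ERR_SAME_PASSPHRASE
    # A successful "rotation" to the same value gives no answer; surface it
    # instead of guessing.
    raise RuntimeError("modify succeeded unexpectedly; passphrase not verified")


def verify_backup_key(km, stored_backup_key):
    """Compare the backup key read back from the cluster with the vault copy
    in constant time, so the comparison itself leaks nothing about the key."""
    return hmac.compare_digest(km.get_backup_key().encode(),
                               stored_backup_key.encode())


def verify_vault_copy(km, vault):
    """What a verify-only Ansible task would report: one result per item."""
    return {
        "passphrase_verified": verify_passphrase(km, vault["passphrase"]),
        "backup_key_verified": verify_backup_key(km, vault["backup_key"]),
    }


if __name__ == "__main__":
    # Constructed sample values, not real cluster material.
    cluster = FakeOnboardKeyManager("correct-horse-battery-staple",
                                    "BACKUPKEY-EXAMPLE-0001")
    print(verify_vault_copy(cluster, {"passphrase": "correct-horse-battery-staple",
                                      "backup_key": "BACKUPKEY-EXAMPLE-0001"}))
    print(verify_vault_copy(cluster, {"passphrase": "stale-passphrase",
                                      "backup_key": "BACKUPKEY-EXAMPLE-0001"}))
```

Against a real cluster the same logic would sit behind a module option (the "validate" flag asked for above) or a small custom module: the vault values are passed in as no_log parameters, the task reports only the two booleans, and a False on either one is the signal to re-export the backup before it is needed for a node add or a disaster recovery.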

gilded flicker

@strange bronze do you have an enhancement ticket created for this? Which version can it be released in? Thank you! John

compact parcel

@gilded flicker We have DEVOPS-6939 open for this change. It should be included in the next release.