na_ontap_user_role warning and idempotence issue when using "path: DEFAULT" #180
Comments
@mamoep I'll look at this again but there's not an easy way around this. By default if you don't give a path ONTAP will set the Path. On your second run your playbook has no path, but ONTAP has it set to DEFAULT so we will remove it, resulting in the playbook showing as changed again (after removing it, ONTAP adds it back). So to fix this we add that bit of code. So if you want Default just leave path blank. |
Sorry I don't understand your explanation. No matter how many times I run the example playbook again, it doesn't change anything in ONTAP after the first run. I still consider this a code bug. |
I think after some more testing (without the questioned code) I understand the idea behind that part of the code but I still believe it is a bad idea. If I omit the DEFAULT specification I end up with automatically added "DEFAULT: none" (and a useful warning about it).
On the next run that "DEFAULT: none" gets removed by the module, because it wasn't part of the privileges.
You can't handle the DEFAULT permissions like this. It is an important part of the role specification and should be treated as such. You already have the warning for exactly this problem category (flipping unspecified but needed paths). Please consider removing this special "DEFAULT" handling for technically correct results. |
Still waiting for your feedback on this. |
Sorry for the delay on this. So the problem we are trying to solve
If you ran this today, the rest of the API will auto-create a Default. So the next run of this would try to auto delete that default. Let me talk to the entire team and see if there is another way we can get around this. The big problem here is even if the user doesn't add DEFAULT to their playbook, ONTAP will add it, resulting in the second run having an issue. |
There are also other entries added automatically, depending on the path and access that is requested. That is only handled with a warning currently. In my opinion DEFAULT has to be treated in the same manner. Example new role:
Results in:
The special handling of DEFAULT produces all kinds of undesired results in my tests. Another example is a role that is almost admin, but restricts some commands. There is no way to get this done with the module currently.
|
Any update on this issue? Is there a workaround? |
This is really annoying, every run of my playbook I get a change:
The task itself is pretty simple:
```yaml
- name: Create security roles
  netapp.ontap.na_ontap_user_role: # noqa args[module]
    name: "{{ na_role.name }}"
    privileges: "{{ na_role.privileges }}"
    vserver: "{{ na_admin_vserver }}"
  delegate_to: localhost
  loop: "{{ na_roles }}"
  loop_control:
    loop_var: na_role
    label: "{{ na_role.name }} / {{ na_role.privileges }}"
  tags: roles
```
|
Summary
Using "path: DEFAULT" in na_ontap_user_role creates a warning and breaks idempotence of the module.
I could identify the line of code that is responsible, but I don't know why it is done:
https://github.com/ansible-collections/netapp.ontap/blob/11d8b50293be61d3aeddacabf0d3c185644a3c13/plugins/modules/na_ontap_user_role.py#L360C50-L360C50
Component Name
na_ontap_user_role
Ansible Version
ONTAP Collection Version
ONTAP Version
NetApp Release 9.11.1P8: Fri Apr 07 00:02:50 UTC 2023
Playbook
Steps to Reproduce
run playbook
Expected Results
No warning and "ok" output on second run.
Actual Results
First run
Second run:
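The two reconciliation policies debated in this thread, as an added toy model that is not part of the issue and not the module's code: deleting every entry the playbook does not list flips on each run once the backend re-adds `DEFAULT: none`, while warn-only handling with DEFAULT compared like any other path converges. `FakeBackend`, `reconcile`, `run_twice` and the sample paths are hypothetical, and the backend's re-add behaviour is an assumption taken from the comments above.

```python
# Toy model (constructed): a role is a dict {path: access}. Not the module's code.
AUTO_DEFAULT = ("DEFAULT", "none")  # entry the thread says ONTAP adds by itself


class FakeBackend:
    """Stand-in for ONTAP: re-adds DEFAULT whenever a role lacks it (assumption)."""

    def __init__(self):
        self.role = {}

    def apply(self, adds, removes):
        for path in removes:
            self.role.pop(path, None)
        self.role.update(adds)
        self.role.setdefault(*AUTO_DEFAULT)


def reconcile(backend, desired, delete_unlisted):
    """One playbook run against the fake backend. Returns (changed, warnings)."""
    current = dict(backend.role)
    adds = {p: a for p, a in desired.items() if current.get(p) != a}
    extra = [p for p in current if p not in desired]
    warnings = []
    if delete_unlisted:
        removes = extra  # strict: delete everything the playbook does not list
    else:
        removes = []     # warn-only: report the unlisted entry, leave it in place
        warnings = [f"{p}: {current[p]} exists but is not in privileges" for p in extra]
    changed = bool(adds or removes)
    if changed:
        backend.apply(adds, removes)
    return changed, warnings


def run_twice(desired, delete_unlisted):
    """Two consecutive runs of the same playbook; the second shows idempotence."""
    backend = FakeBackend()
    first = reconcile(backend, desired, delete_unlisted)
    second = reconcile(backend, desired, delete_unlisted)
    return first, second, backend.role


if __name__ == "__main__":
    print(run_twice({"volume": "readonly"}, delete_unlisted=True))
    print(run_twice({"volume": "readonly"}, delete_unlisted=False))
    print(run_twice({"DEFAULT": "all", "security": "none"}, delete_unlisted=True))
```

The third call is the "almost admin" shape mentioned in the thread: with DEFAULT treated as an ordinary, explicitly listed entry, the second run reports no change and the role keeps the access level that was requested.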