topic Re: Cannot change GAiA admin password via ansible/API in Ansible

Cannot change GAiA admin password via ansible/API

cm — Wed, 11 Dec 2024 14:17:00 GMT

Hi,

I'm trying to automate initial configuration of GAiA gateways and I have an issue when trying to change the password for "admin", like this:

- name: set admin user password hash check_point.gaia.cp_gaia_user: name: admin password_hash: $6$xxxxx must_change_password: False

When I try this, I get an error:

Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}

This also happens when I use "password" instead of "password_hash", and it is limited to the "admin" user. I am accessing the API as a separate user "apiuser" because I thought maybe the password of the accessing user cannot be changed, but that's not the issue.

This is on R81.20 JHF89/API level 1.7

So, how do I change that password via the API and ansible?

Re: Cannot change GAiA admin password via ansible/API

the_rock — Wed, 11 Dec 2024 15:46:53 GMT

Is this management or gateway?

Andy

Re: Cannot change GAiA admin password via ansible/API

the_rock — Wed, 11 Dec 2024 15:51:52 GMT

https://sc1.checkpoint.com/documents/latest/APIs/?#clish/set-user~v2%20

Re: Cannot change GAiA admin password via ansible/API

cm — Wed, 11 Dec 2024 15:59:12 GMT

That's on the gateway, so using the GAiA API, not the mgmt API...

Re: Cannot change GAiA admin password via ansible/API

the_rock — Wed, 11 Dec 2024 16:02:33 GMT

Hm, that link I sent is gaia cli.

Andy

https://sc1.checkpoint.com/documents/latest/APIs/?#clish/set-user~v1.7%20

Re: Cannot change GAiA admin password via ansible/API

cm — Wed, 11 Dec 2024 17:03:55 GMT

I don't think so. That's just the management API as called from clish, not the GAiA API which is a different beast. The link you posted affects the user objects in the SMC, not the GAiA users...

Re: Cannot change GAiA admin password via ansible/API

the_rock — Wed, 11 Dec 2024 17:55:24 GMT

Maybe below?

Andy

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#web/set-user~v1.8%20

Re: Cannot change GAiA admin password via ansible/API

PhoneBoy — Wed, 11 Dec 2024 21:03:55 GMT

Just to confirm, you can change other users passwords using this playbook, but not the admin user?

Re: Cannot change GAiA admin password via ansible/API

Jim_Oqvist — Wed, 11 Dec 2024 21:07:49 GMT

Hi,

it seems to be a bug in the ansible collection.

it is possible to change the admin password using the set-user api call directly (https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#cli/set-user~v1.7%20).

It also seems like this is only triggered when trying to change the password of the user "admin" if you crate a new user for example called test it works as expected.

This is reproducible with this playbook https://github.com/checkpointsw-devsec/chkp-api-examples/blob/master/Ansible/Gaia/cp_gaia_user.yml

I suggest you open a issue here: https://github.com/CheckPointSW/CheckPointAnsibleGAIACollection or if you open a service request with TAC to get it solved.

Kind Regards

Jim

Re: Cannot change GAiA admin password via ansible/API

Jim_Oqvist — Thu, 12 Dec 2024 08:00:54 GMT

Hi PhoneBoy,

Yes that is correct, the error message is only presented when you try to change the user "admin" se below result using this playbook: https://github.com/checkpointsw-devsec/chkp-api-examples/blob/master/Ansible/Gaia/cp_gaia_user.yml

TASK [Set password for the test user] *************************************************************************************************************************************************************************************************************************************** changed: [192.168.233.51] => { "changed": true, "invocation": { "module_args": { "allow_access_using": [ "CLI", "Web-UI" ], "homedir": null, "must_change_password": null, "name": "test", "password": null, "password_hash": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "primary_system_group_id": 100, "real_name": "test user", "roles": null, "secondary_system_groups": null, "shell": "cli", "state": "present", "uid": null, "unlock": null } }, "user": { "allow_access_using": [], "homedir": "/home/test", "locked": "", "must_change_password": "", "name": "test", "primary_system_group_id": 100, "real_name": "test user", "requires_two_factor_authentication": false, "roles": [], "secondary_system_groups": [], "shell": "cli", "uid": 0 } } TASK [print test user settings] ********************************************************************************************************************************************************************************************************************************************* ok: [192.168.233.51] => { "msg": { "changed": true, "failed": false, "user": { "allow_access_using": [], "homedir": "/home/test", "locked": "", "must_change_password": "", "name": "test", "primary_system_group_id": 100, "real_name": "test user", "requires_two_factor_authentication": false, "roles": [], "secondary_system_groups": [], "shell": "cli", "uid": 0 }, "warnings": [ "Module did not set no_log for must_change_password" ] } } TASK [Set password for the admin user] ************************************************************************************************************************************************************************************************************************************** fatal: [192.168.233.51]: FAILED! => { "changed": false, "invocation": { "module_args": { "allow_access_using": [ "CLI", "Web-UI" ], "homedir": null, "must_change_password": null, "name": "admin", "password": null, "password_hash": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "primary_system_group_id": 100, "real_name": null, "roles": null, "secondary_system_groups": null, "shell": "cli", "state": "present", "uid": null, "unlock": null } }, "msg": "Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}" } PLAY RECAP ****************************************************************************************************************************************************************************************************************************************************************** 192.168.233.51 : ok=5 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

Re: Cannot change GAiA admin password via ansible/API

cm — Thu, 12 Dec 2024 09:14:09 GMT

Thanks for confirming that the problem is not on my side. I'll proceed with a TAC case...

Re: Cannot change GAiA admin password via ansible/API

Jim_Oqvist — Thu, 12 Dec 2024 09:30:31 GMT

Hi,

I have informed the relevant R&D owner and have also reported this as an issue on Github here:

There is a bug in the ansible module: cp_gaia_user - Failing to change password-hash of user with name "admin"