topic Re: WebAPI "add-access-role": invalid parameter for [users] in API / CLI Discussion

WebAPI "add-access-role": invalid parameter for [users]

Rene_Dreher — Tue, 10 Nov 2020 09:30:36 GMT

I'm trying to create an acces role. with the parameter "users" : "any" it works without problems. but if i want to add an AD Group i always run into an error. does anyone have an idea

https://sc1.checkpoint.com/documents/latest/APIs/?#web/add-access-role~v1.5%20

R80.30 T217

Postman:

{

"name" : "MyRole1112",

"networks" : "any",

"users": [

{

"source": "qa.mydom.com__AD",

"selection": "my-ad-group",

"base_dn": "qa.mydom.com/my/Base/DN/"

}

"machines" : "all identified",

"remote-access-clients" : "any"

Status 400 Bad Request

{

"code": "generic_err_invalid_parameter",

"message": "Invalid parameter for [users]. Invalid value"

}

Ansible Error (WebAPI] :

- name: ADD-Access-Role

uri:

url: "https://1.2.3.4/web_api/add-access-role"

validate_certs: false

method: POST

body_format: json

headers:

X-chkp-sid: "{{ loginoutput.json.sid }}"

body:

name: "MyRole1112"

networks: "any"

users:

source: "qa.mydom.com__AD"

selection: "my-ad-group"

base_dn: "qa.mydom.com/my/Base/DN/"

machines: "all identified"

remote-access-clients: "any"

TASK [ADD-Access-Role] ***************************************************************************************************************************
fatal: [1.2.3.4]: FAILED! => {"changed": false, "connection": "close", "content": "{\n \"code\" : \"generic_err_invalid_parameter\",\n \"message\" : \"Invalid parameter for [users]. The invalid value [source=\\\"qa.mydom.com__AD\\\" selection=\\\"my-ad-group\\\" base_dn=\\\"my/Base/DN/\\\"] should be replaced by one of the following values: [any, all identified]\"\n}", "content_type": "application/json",

Re: WebAPI "add-access-role": invalid parameter for [users]

Jim_Oqvist — Tue, 10 Nov 2020 15:19:13 GMT

Hi Rene,

Your postman example is missing a closing bracket in the end "}"

Why not use the official module from the Check Point collection for Ansible for this?
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_role_module.html#ansible-collections-check-point-mgmt-cp-mgmt-access-role-module
Latest collection is available here: https://galaxy.ansible.com/check_point/mgmt

Your base_dn is not correct.
Please note that base_dn is only required if selection is not a unique name in active directory
Also note that base_dn is a unique identifier, the API is not really looking for the base DN it is looking for the CN of the object in LDAP, that parameter is a bit misleading

Here is a working example where the domain is darkness.local

--- - name: playbook name hosts: localhost gather_facts: false connection: local tasks: - name: ADD-Access-Role uri: url: "https://192.168.233.70/web_api/add-access-role" validate_certs: false method: POST body_format: json headers: X-chkp-sid: "{{ loginoutput.json.sid }}" body: name: "Ansible_Role2" networks: "any" users: source: "darkness.local__AD" selection: "Domain Admins" base-dn: "CN=Domain Admins,DC=darkness,DC=local" machines: "all identified" remote-access-clients: "any" register: role_response

I think your example should look something like this.

--- - name: playbook name hosts: localhost gather_facts: false connection: local tasks: - name: ADD-Access-Role uri: url: "https://1.2.3.4/web_api/add-access-role" validate_certs: false method: POST body_format: json headers: X-chkp-sid: "{{ loginoutput.json.sid }}" body: name: "MyRole1112" networks: "any" users: source: "qa.mydom.com__AD" selection: "Domain Admins" base-dn: "CN=Domain Admins,CN=Users,DC=qa,DC=mydom,DC=com" machines: "all identified" remote-access-clients: "any" register: role_response

Re: WebAPI "add-access-role": invalid parameter for [users]

Rene_Dreher — Wed, 11 Nov 2020 07:51:03 GMT

Hi Jim,

thank you very much for your support. You are absolutely right, the Base DN is faulty. I have commented this one out and it works. Unfortunately the correct format is not described in the API documentation.

I copied the Base DN from an old script which uses the old Ansible module. https://github.com/CheckPointSW/cpAnsible with the old module the BaseDN worked in this format.

I have looked at the Ansible Galaxy ChekPoint module in version 2 and started with it. But I had two problems for my use case:
- set-group: I cannot add a single host to a group. I have to read the group, save the result and then add all hosts again.
-add-access-rule -> position: Can I add the rule to a specific rule number or to the top or bottom of the rule set. Unfortunately I cannot assign it to a section like this example:
{
"layer" : "network",
"position" : {
"bottom" : "My Access Section"
},
"name" : "Last rule in the section"
}
This also still worked in the "old" Ansible module.

So I'm testing everything to decide later if I want to do everything in Ansible or via the WebAPI.

Best greetings from Hamburg Germany

Rene

Re: WebAPI "add-access-role": invalid parameter for [users]

Jim_Oqvist — Wed, 11 Nov 2020 10:09:26 GMT

Hi Rene, thanks for your feedback.

With the current cp_mgmt_access_rule, you are indeed correct. It is not possible to place it in top or bottom of a specific section identified by uid or name or before and after specific section/rule identified by uid or name.
As you say you can only place it in the top, bottom or at a specific rule number.
For the cp_mgmt_group you are actually able to remove and add objects in a group. The only thing that does not work is when you try to remove all objects from the group, since the module will at that moment not take the "members" information of the group object into account when comparing your code in the playbook with the reality.

I do recommend you to open two issues at https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/issues for 1 and 2 in order to get the modules improved.

Here is a working example where you can try to add and remove host objects from an existing group. just uncomment the re comment the different members between your playbook runs.

cp_mgmt_group.yml

--- # To Run # ansible-playbook cp_mgmt_group.yml -e "target=192.168.233.70" -i 192.168.233.70, # - name: Build Ansible demo policy automation_policy on Check Point management server {{ target }} hosts: "{{ target }}" connection: httpapi vars: # Credentials for cp_mgmt* modules and Settings for the Check Point httpapi plugin that provides methods to connect to Checkpoint devices over a HTTP(S)-based api. ansible_httpapi_use_ssl: True ansible_httpapi_validate_certs: False ansible_network_os: check_point.mgmt.checkpoint #Using Galaxy https://galaxy.ansible.com/check_point collection # ansible_checkpoint_domain: SMC User # Default domain for a SMS (SmartCenter), you only need to set the domain variable when connecting to a MDS ansible_user: api_user # Change to your Check Point management admin user ansible_ssh_pass: vpn123 # Change to your Check Point management admin password #ansible_api_key: xxxxxxxxxx # Optionally you can use API key instead of username and password gather_facts: no tasks: - name: add-group, set or delete Check Point group object check_point.mgmt.cp_mgmt_group: members: # - Mail server # - Web server # - DB server state: present name: Ansible Group color: forest green - name: Add, set or delete Check Point host object check_point.mgmt.cp_mgmt_host: state: present name: Mail server ip_address: 192.168.1.1 color: red comments: my mail server host objects - name: Add, set or delete Check Point host object check_point.mgmt.cp_mgmt_host: state: present name: Web server ip_address: 10.1.1.55 color: yellow comments: my blue jump host object - name: Add, set or delete Check Point host object check_point.mgmt.cp_mgmt_host: state: present name: DB server ip_address: 10.1.2.55 color: red comments: my ubuntu host object - name: present cp_mgmt_publish:

Re: WebAPI "add-access-role": invalid parameter for [users]

Rene_Dreher — Wed, 11 Nov 2020 14:24:16 GMT

Yes, but you must specify each "member" individually in the group.

- name: add-group
cp_mgmt_group:
members:
- host1
- host2
- ..........
- host150
- NewHost1
- NewHost2
name: MyGroup
state: present

If you have an existing group with e.g. 150 objects and want to assign an existing host to this group. There is no "add" only the new member to group. i have a workaround for this but i don't know if this is a nice way to do it in production. here the groups are also much bigger.

- name: Playbook Add Host to Group
  hosts: check_point
  #connection: httpapi
  vars_files:
    - my_vars.yml

  tasks:
    - name: add host
      cp_mgmt_host:
        ipv4_address: "{{ ip_addr }}"
        name: "host_{{ ip_addr }}"
        state: present
        color: black

    - name: Read greoup content
      cp_mgmt_group_facts:
        name: "{{ group }}"
        details_level: standard
      register: groupcontent

    - name: create group list
      set_fact:
        memberlist: "{{ memberlist|default([]) + [ item ] }}"
      with_items: "{{ groupcontent.ansible_facts.group.members | json_query(jmesquery) }}"   #var: jmesquery: "[*].name"

    - name: add new host to list
      set_fact:
        memberlist: "{{ memberlist|default([]) + [ hostname ] }}"

    - name: add list 2 the group
      cp_mgmt_group:
        members: "{{ memberlist }}"
        name: "{{ group }}"
        state: present

- name: Publish
cp_mgmt_publish:

another way is to use the "cp_mgmt_host" here you can create a host and assign it to a group. this works fine even if the host did not exist before. if the host exists before the script runs but ignores the "groups" and does not assign the host to the group. is it also a bug of the ansible module ?

  tasks:
    - name: create a host and add to group
      cp_mgmt_host:
        ipv4_address: "{{ ip_addr }}"
        name: "host_{{ ip_addr }}"
        groups: "{{ group }}"
        state: present
        color: black

Re: WebAPI "add-access-role": invalid parameter for [users]

Jim_Oqvist — Wed, 11 Nov 2020 15:09:22 GMT

Hi Rene,

yes it seems to be a issue in the equals API endpoint used by the Check Point collection for Ansible to verify if there is any diff between the reality and the code. where the equals API endpoint is not checking the value of the group membership on the object.

Thanks for reporting this. I will notify our developers.

You can work around this issue by changing for example the comment of the object at the same time as you change the group. this will force the equals process to understand that there is a diff and execute the set-host API endpoint, in order to update the host object with the new comment including the updated group membership.

Please note, in order to remove a a host from all groups you need to send a empty (and update the comment section) list like this.

- name: Add, set or delete Check Point host object check_point.mgmt.cp_mgmt_host: state: present name: DB server groups: [] ip_address: 10.1.2.55 color: red comments: 2 my ubuntu host object

Re: WebAPI "add-access-role": invalid parameter for [users]

Jim_Oqvist — Wed, 11 Nov 2020 17:48:58 GMT

Just to update. The issue with the equals API is in plans of being fixed in next jumbo HF for R80.20 - R80.40 and R81. Once the fix is in place there should not be any need for the suggested W/A of updating the comment.

Re: WebAPI "add-access-role": invalid parameter for [users]

Rene_Dreher — Thu, 12 Nov 2020 07:58:22 GMT

thx mate

i will wait for the hf and watch the changelog. for the topic "policy position" i will create a issue on github

Re: WebAPI "add-access-role": invalid parameter for [users]

Rene_Dreher — Thu, 12 Nov 2020 08:36:22 GMT

update: GitHub issue #33: https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/issues/33

Re: WebAPI "add-access-role": invalid parameter for [users]

Rene_Dreher — Mon, 23 Nov 2020 09:46:50 GMT

chkp-orso commented 7 days ago

Hi, Thanks for reaching us. We intentionally removed the first three options because it damages one of Ansible requirements for idempotency. Thanks, Or

CHKP-orso chkp-orso closed this 7 days ago