topic Re: Ansible with api-key in API / CLI Discussion

Ansible with api-key

marcyn — Wed, 02 Nov 2022 09:07:46 GMT

Hello CheckMates,

Because I haven't found an answer in google, and here using search .. I decided to ask you about this.
I was wondering if it's possible to use api-key authorization with ansible ?

As we all know configuration in file /etc/ansible/hosts looks like this:

[check_point] 10.0.0.1 [check_point:vars] ansible_httpapi_use_ssl=True ansible_httpapi_validate_certs=False ansible_user=apiuser ansible_password=s3cr3tp4$$word ansible_network_os=check_point.mgmt.checkpoint

But....
How much prettier it would be if we could use instead of ansible_user + ansible_password ... something like ansible_api_key.

I haven't found that it is possible ... but maybe someone else thought about this aswell and ... just maybe there is a way ?

--
Best
Marcin

Re: Ansible with api-key

Omer_Kleinstern — Wed, 02 Nov 2022 15:15:31 GMT

Hi @marcyn ,

Yes, it's possible to use api-key authorization with ansible.

Replace ansible_user + ansible_password with ansible_api_key.

Thanks,

Omer

Re: Ansible with api-key

marcyn — Wed, 02 Nov 2022 15:35:12 GMT

Hi Omer,

Ah ... if that would be so easy... I already tried that, of course 🙂

[check_point] 10.0.0.1 [check_point:vars] ansible_httpapi_use_ssl=True ansible_httpapi_validate_certs=False #ansible_user=apiuser #ansible_password=qwerty123 ansible_api_key=yfD6ETO+ywCRwaoDxIUkTQ== ansible_network_os=check_point.mgmt.checkpoint

And the result:

# ansible-playbook playbook_add.yaml PLAY [playbook] ************************************************************************************************************************************ TASK [Gathering Facts] *****************************************************************************************************************************ok: [10.0.0.1] TASK [add host] ************************************************************************************************************************************An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid' (...) PLAY RECAP *****************************************************************************************************************************************10.0.0.1 : ok=1 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

If you are wondering if this api-key is valid ... here, take a look:

mgmt_cli --api-key "yfD6ETO+ywCRwaoDxIUkTQ==" -m 10.0.0.1 login uid: "96259ea1-d710-422f-ba2f-b02bbe196489" sid: "nF4D-VqA1h7J4vUIeM1gwSAARt7lQI52kdnvr6whesg" url: "https://10.0.0.1:443/web_api" session-timeout: 600 last-login-was-at: posix: 1666349488319 iso-8601: "2022-10-21T12:51+0200" api-server-version: "1.8" user-name: "api" user-uid: "dc0b1c70-5b38-4443-9e8c-0c42850c468d"

So yes ... it's valid 🙂

So again .. if it would be so easy ... I wouldn't probably ask.
But maybe I'm doing something wrong ?

--
Best
Marcin

Re: Ansible with api-key

StuartGreen — Wed, 02 Nov 2022 15:48:36 GMT

It's definitely supported and works fine. Which module version are you using? You can see it mentioned in the plugin here:

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/a05cb3f66ca703234db64ff1898e0422b9f4297f/plugins/httpapi/checkpoint.py#L24

Make sure you're not sending a username and password somewhere else in your play as an additional variable as that will cause the plugin to ignore the API key.

Re: Ansible with api-key

marcyn — Wed, 02 Nov 2022 16:09:17 GMT

Hi Stuart,

Yes, I've already seen this site that you just mentioned... and it looks as if it should be supported ... but it doesn't work for me.
I have the newest ansible and the newest checkpoint module:

# ansible --version ansible [core 2.12.9] config file = /etc/ansible/ansible.cfg configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python3/dist-packages/ansible ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections executable location = /usr/bin/ansible python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] jinja version = 2.11.3 libyaml = True # head .ansible/collections/ansible_collections/check_point/mgmt/CHANGELOG.rst ============================== Check_Point.Mgmt Release Notes ============================== .. contents:: Topics v4.0.0 ======

And of course when I change /etc/ansible/hosts to use ansible_api_key ... I also comment out/remove ansible_user + ansible_password

What's funny is that when I have this ansible_api_key in /etc/ansible/hosts it works "strange" because ansible starts with "logout" command 🙂

# tail -f $FWDIR/log/api.elg 2022-11-02 17:00:58,049 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-90] - Inbound Message ---------------------------- ID: 12199 Address: http://127.0.0.1:65456/web_api/logout Encoding: UTF-8 Http-Method: POST Content-Type: application/json Headers: {accept-encoding=[identity], connection=[keep-alive], Content-Length=[2], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]} Payload: {} -------------------------------------- 2022-11-02 17:00:58,049 ERROR com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorSessionValidator.handleMessage:31 [qtp1587849480-90] - Session validation has failed (...) ID: 12199 Response-Code: 400 Content-Type: application/json Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:00:58 GMT]} Payload: { "code" : "generic_err_missing_required_header", "message" : "Missing header: [X-chkp-sid]" }

no login ... first ... so it's not strange that logout doesn't have session_id 🙂
And no entry at all into $FWDIR/log/api.csv...
But with ansible_user + ansible_password:

2022-11-02 17:04:59,426 DEBUG com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorLoginValidator.handleMessage:32 [qtp1587849480-88] - Validating 'login' command of the version: [1.8] 2022-11-02 17:04:59,426 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-88] - Inbound Message ---------------------------- ID: 12203 Address: http://127.0.0.1:65456/web_api/login Encoding: UTF-8 Http-Method: POST Content-Type: application/json Headers: {accept-encoding=[identity], Authorization=[Basic YWRtaW46MXFhekBXU1g=], connection=[keep-alive], Content-Length=[41], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]} (...) ID: 12203 Response-Code: 200 Content-Type: application/json Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:05:00 GMT]} Payload: { "uid" : "2d35b5f9-2b61-4b75-9e6d-8ac8656d195f", "sid" : "ad05d22ae40bc55426980e0a93b82433", "url" : "https://172.19.99.253:443/web_api", "session-timeout" : 600, "last-login-was-at" : { "posix" : 1667378605905, "iso-8601" : "2022-11-02T09:43+0100" }, "api-server-version" : "1.8", "user-name" : "admin", "user-uid" : "33efce7f-77bb-4874-859b-793b83190f48" }

No issues at all 😉

And of course in $FWDIR/log/api.csv I see:
2022-11-02,17:07:06 +0100,"Ansible","172.19.99.100","172.19.99.253:443",login,PASSED,855

--
Best
Marcin

Re: Ansible with api-key

StuartGreen — Thu, 03 Nov 2022 15:40:13 GMT

this feels a little like a weird problem I encountered recently where ansible wasn't sending the domain parameter in the login request. The 'solution' (which I'm not 100% convinced is actually addressing the root of the problem) was to roll back to the previous version of ansible-core (2.13.3 worked for me, 2.13.4 did not - but with a completely different user on the same Ubuntu host both versions worked).

Re: Ansible with api-key

PhoneBoy — Thu, 03 Nov 2022 18:13:16 GMT

What version/JHF is the management?

Re: Ansible with api-key

marcyn — Fri, 04 Nov 2022 08:05:02 GMT

Hi Stuart and PhoneBoy,

I will try older version of ansible .... it would be strange if that will fix the issue ... but I will give it a try.

Regarding SMS - it's R81.10 Take66 but I can update it (it's lab env.) to Take78 and take a look.

--
Best
m.

Re: Ansible with api-key

marcyn — Fri, 04 Nov 2022 10:04:45 GMT

Ok, it looks like mistery is solved !

Below I will write how to solve this issue.

Because I have debian 11 I used repository that is mentioned here:
https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansible-on-debian
And from that repository I installed ansible.

It was as you already saw on one of my previous posts version 2.12.9 (core), later I upgraded it to 2.12.10.

Because @StuartGreen mentioned version 2.13.3 and 2.13.4 ... which are no present in this repository I decided to uninstall completely ansible and to reinstall it via pip3.

So I ended up with this:
pip3 install ansible

And it gave me:
# ansible --version
ansible [core 2.13.5]

And with this version I have no issue at all with ansible_api_key:

# ansible-playbook playbook_add.yaml PLAY [playbook] ******************************************************************************************************** TASK [Gathering Facts] ************************************************************************************************* ok: [172.19.99.253] TASK [add host] ******************************************************************************************************** changed: [172.19.99.253] TASK [add host to group] *********************************************************************************************** changed: [172.19.99.253] TASK [publish] ********************************************************************************************************* changed: [172.19.99.253] TASK [install policy] ************************************************************************************************** changed: [172.19.99.253] PLAY RECAP ************************************************************************************************************* 172.19.99.253 : ok=5 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 # tail -n 10 /etc/ansible/hosts [check_point] 172.19.99.253 [check_point:vars] ansible_httpapi_use_ssl=True ansible_httpapi_validate_certs=False ansible_api_key=xj56ETO+ywCRwaoDgrFTQ== ansible_network_os=check_point.mgmt.checkpoint

So case closed ... solution was extremely easy ... if you know that you have to use correct version 🙂
In Check Point's collection documentation it was only mentioned that ansible verstion have to be greater then 2.9.

So in case someone else has the same issue and is wondering how to solve it => use different version of ansible, in my case 2.13.5 did the trick.

Thanks @StuartGreen, @Omer_Kleinstern and @PhoneBoy for your feedback.

--
Best
Marcin