Solved: Ansible with api-key

marcyn · ‎2022-11-02

Hello CheckMates,

Because I haven't found an answer in google, and here using search .. I decided to ask you about this.
I was wondering if it's possible to use api-key authorization with ansible ?

As we all know configuration in file /etc/ansible/hosts looks like this:

[check_point]
10.0.0.1
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=apiuser
ansible_password=s3cr3tp4$$word
ansible_network_os=check_point.mgmt.checkpoint

But....
How much prettier it would be if we could use instead of ansible_user + ansible_password ... something like ansible_api_key.

I haven't found that it is possible ... but maybe someone else thought about this aswell and ... just maybe there is a way ?

--
Best
Marcin

marcyn · ‎2022-11-04

Ok, it looks like mistery is solved !

Below I will write how to solve this issue.

Because I have debian 11 I used repository that is mentioned here:
https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansi...
And from that repository I installed ansible.

It was as you already saw on one of my previous posts version 2.12.9 (core), later I upgraded it to 2.12.10.

Because @StuartGreen mentioned version 2.13.3 and 2.13.4 ... which are no present in this repository I decided to uninstall completely ansible and to reinstall it via pip3.

So I ended up with this:
pip3 install ansible

And it gave me:
# ansible --version
ansible [core 2.13.5]

And with this version I have no issue at all with ansible_api_key:

# ansible-playbook playbook_add.yaml

PLAY [playbook] ********************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [172.19.99.253]

TASK [add host] ********************************************************************************************************
changed: [172.19.99.253]

TASK [add host to group] ***********************************************************************************************
changed: [172.19.99.253]

TASK [publish] *********************************************************************************************************
changed: [172.19.99.253]

TASK [install policy] **************************************************************************************************
changed: [172.19.99.253]

PLAY RECAP *************************************************************************************************************
172.19.99.253              : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

# tail -n 10 /etc/ansible/hosts
[check_point]
172.19.99.253
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_api_key=xj56ETO+ywCRwaoDgrFTQ==
ansible_network_os=check_point.mgmt.checkpoint

So case closed ... solution was extremely easy ... if you know that you have to use correct version 🙂
In Check Point's collection documentation it was only mentioned that ansible verstion have to be greater then 2.9.

So in case someone else has the same issue and is wondering how to solve it => use different version of ansible, in my case 2.13.5 did the trick.

Thanks @StuartGreen, @Omer_Kleinstern and @PhoneBoy for your feedback.

--
Best
Marcin

View solution in original post

Omer_Kleinstern · ‎2022-11-02

Hi @marcyn ,

Yes, it's possible to use api-key authorization with ansible.

Replace ansible_user + ansible_password with ansible_api_key.

Thanks,

Omer

marcyn · ‎2022-11-02

Hi Omer,

Ah ... if that would be so easy... I already tried that, of course 🙂

[check_point]
10.0.0.1
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
#ansible_user=apiuser
#ansible_password=qwerty123
ansible_api_key=yfD6ETO+ywCRwaoDxIUkTQ==
ansible_network_os=check_point.mgmt.checkpoint

And the result:

# ansible-playbook playbook_add.yaml
PLAY [playbook] ************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************ok: [10.0.0.1]

TASK [add host] ************************************************************************************************************************************An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid'
(...)
PLAY RECAP *****************************************************************************************************************************************10.0.0.1
: ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

If you are wondering if this api-key is valid ... here, take a look:

mgmt_cli --api-key "yfD6ETO+ywCRwaoDxIUkTQ==" -m 10.0.0.1 login
uid: "96259ea1-d710-422f-ba2f-b02bbe196489"
sid: "nF4D-VqA1h7J4vUIeM1gwSAARt7lQI52kdnvr6whesg"
url: "https://10.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1666349488319
  iso-8601: "2022-10-21T12:51+0200"
api-server-version: "1.8"
user-name: "api"
user-uid: "dc0b1c70-5b38-4443-9e8c-0c42850c468d"

So yes ... it's valid 🙂

So again .. if it would be so easy ... I wouldn't probably ask.
But maybe I'm doing something wrong ?

--
Best
Marcin

StuartGreen · ‎2022-11-02

It's definitely supported and works fine. Which module version are you using? You can see it mentioned in the plugin here:

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/a05cb3f66ca703234db64ff1898e042...

Make sure you're not sending a username and password somewhere else in your play as an additional variable as that will cause the plugin to ignore the API key.

marcyn · ‎2022-11-02

Hi Stuart,

Yes, I've already seen this site that you just mentioned... and it looks as if it should be supported ... but it doesn't work for me.
I have the newest ansible and the newest checkpoint module:

# ansible --version
ansible [core 2.12.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 2.11.3
  libyaml = True

# head .ansible/collections/ansible_collections/check_point/mgmt/CHANGELOG.rst
==============================
Check_Point.Mgmt Release Notes
==============================
.. contents:: Topics

v4.0.0
======

And of course when I change /etc/ansible/hosts to use ansible_api_key ... I also comment out/remove ansible_user + ansible_password

What's funny is that when I have this ansible_api_key in /etc/ansible/hosts it works "strange" because ansible starts with "logout" command 🙂

# tail -f $FWDIR/log/api.elg
2022-11-02 17:00:58,049  INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-90] - Inbound Message
----------------------------
ID: 12199
Address: http://127.0.0.1:65456/web_api/logout
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], connection=[keep-alive], Content-Length=[2], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]}
Payload: {}
--------------------------------------
2022-11-02 17:00:58,049 ERROR com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorSessionValidator.handleMessage:31 [qtp1587849480-90] - Session validation has failed
(...)
ID: 12199
Response-Code: 400
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:00:58 GMT]}
Payload: {
  "code" : "generic_err_missing_required_header",
  "message" : "Missing header: [X-chkp-sid]"
}

no login ... first ... so it's not strange that logout doesn't have session_id 🙂
And no entry at all into $FWDIR/log/api.csv...
But with ansible_user + ansible_password:

2022-11-02 17:04:59,426 DEBUG com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorLoginValidator.handleMessage:32 [qtp1587849480-88] - Validating 'login' command of the version: [1.8]
2022-11-02 17:04:59,426  INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-88] - Inbound Message
----------------------------
ID: 12203
Address: http://127.0.0.1:65456/web_api/login
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], Authorization=[Basic YWRtaW46MXFhekBXU1g=], connection=[keep-alive], Content-Length=[41], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]}
(...)
ID: 12203
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:05:00 GMT]}
Payload: {
  "uid" : "2d35b5f9-2b61-4b75-9e6d-8ac8656d195f",
  "sid" : "ad05d22ae40bc55426980e0a93b82433",
  "url" : "https://172.19.99.253:443/web_api",
  "session-timeout" : 600,
  "last-login-was-at" : {
    "posix" : 1667378605905,
    "iso-8601" : "2022-11-02T09:43+0100"
  },
  "api-server-version" : "1.8",
  "user-name" : "admin",
  "user-uid" : "33efce7f-77bb-4874-859b-793b83190f48"
}

No issues at all 😉

And of course in $FWDIR/log/api.csv I see:
2022-11-02,17:07:06 +0100,"Ansible","172.19.99.100","172.19.99.253:443",login,PASSED,855

--
Best
Marcin

StuartGreen · ‎2022-11-03

this feels a little like a weird problem I encountered recently where ansible wasn't sending the domain parameter in the login request. The 'solution' (which I'm not 100% convinced is actually addressing the root of the problem) was to roll back to the previous version of ansible-core (2.13.3 worked for me, 2.13.4 did not - but with a completely different user on the same Ubuntu host both versions worked).

PhoneBoy · ‎2022-11-03

What version/JHF is the management?

marcyn · ‎2022-11-04

Hi Stuart and PhoneBoy,

I will try older version of ansible .... it would be strange if that will fix the issue ... but I will give it a try.

Regarding SMS - it's R81.10 Take66 but I can update it (it's lab env.) to Take78 and take a look.

--
Best
m.

marcyn · ‎2022-11-04

Ok, it looks like mistery is solved !

Below I will write how to solve this issue.

Because I have debian 11 I used repository that is mentioned here:
https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansi...
And from that repository I installed ansible.

It was as you already saw on one of my previous posts version 2.12.9 (core), later I upgraded it to 2.12.10.

Because @StuartGreen mentioned version 2.13.3 and 2.13.4 ... which are no present in this repository I decided to uninstall completely ansible and to reinstall it via pip3.

So I ended up with this:
pip3 install ansible

And it gave me:
# ansible --version
ansible [core 2.13.5]

And with this version I have no issue at all with ansible_api_key:

# ansible-playbook playbook_add.yaml

PLAY [playbook] ********************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [172.19.99.253]

TASK [add host] ********************************************************************************************************
changed: [172.19.99.253]

TASK [add host to group] ***********************************************************************************************
changed: [172.19.99.253]

TASK [publish] *********************************************************************************************************
changed: [172.19.99.253]

TASK [install policy] **************************************************************************************************
changed: [172.19.99.253]

PLAY RECAP *************************************************************************************************************
172.19.99.253              : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

# tail -n 10 /etc/ansible/hosts
[check_point]
172.19.99.253
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_api_key=xj56ETO+ywCRwaoDgrFTQ==
ansible_network_os=check_point.mgmt.checkpoint

So case closed ... solution was extremely easy ... if you know that you have to use correct version 🙂
In Check Point's collection documentation it was only mentioned that ansible verstion have to be greater then 2.9.

So in case someone else has the same issue and is wondering how to solve it => use different version of ansible, in my case 2.13.5 did the trick.

Thanks @StuartGreen, @Omer_Kleinstern and @PhoneBoy for your feedback.

--
Best
Marcin

Are you a member of CheckMates?

Ansible with api-key