Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
marcyn
Collaborator
Collaborator
Jump to solution

Ansible with api-key

Hello CheckMates,

Because I haven't found an answer in google, and here using search .. I decided to ask you about this.
I was wondering if it's possible to use api-key authorization with ansible ?

As we all know configuration in file /etc/ansible/hosts looks like this:

[check_point]
10.0.0.1
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=apiuser
ansible_password=s3cr3tp4$$word
ansible_network_os=check_point.mgmt.checkpoint

But....
How much prettier it would be if we could use instead of ansible_user + ansible_password ... something like ansible_api_key.

I haven't found that it is possible ... but maybe someone else thought about this aswell and ... just maybe there is a way ?

 

--
Best
Marcin

0 Kudos
1 Solution

Accepted Solutions
marcyn
Collaborator
Collaborator

Ok, it looks like mistery is solved !

Below I will write how to solve this issue.

Because I have debian 11 I used repository that is mentioned here:
https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansi...
And from that repository I installed ansible.

It was as you already saw on one of my previous posts version 2.12.9 (core), later I upgraded it to 2.12.10.

Because @StuartGreen mentioned version 2.13.3 and 2.13.4 ... which are no present in this repository I decided to uninstall completely ansible and to reinstall it via pip3.

So I ended up with this:
pip3 install ansible

And it gave me:
# ansible --version
ansible [core 2.13.5]

And with this version I have no issue at all with ansible_api_key:

# ansible-playbook playbook_add.yaml

PLAY [playbook] ********************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [172.19.99.253]

TASK [add host] ********************************************************************************************************
changed: [172.19.99.253]

TASK [add host to group] ***********************************************************************************************
changed: [172.19.99.253]

TASK [publish] *********************************************************************************************************
changed: [172.19.99.253]

TASK [install policy] **************************************************************************************************
changed: [172.19.99.253]

PLAY RECAP *************************************************************************************************************
172.19.99.253              : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

# tail -n 10 /etc/ansible/hosts
[check_point]
172.19.99.253
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_api_key=xj56ETO+ywCRwaoDgrFTQ==
ansible_network_os=check_point.mgmt.checkpoint

 

So case closed ... solution was extremely easy ... if you know that you have to use correct version 🙂
In Check Point's collection documentation it was only mentioned that ansible verstion have to be greater then 2.9.

So in case someone else has the same issue and is wondering how to solve it => use different version of ansible, in my case 2.13.5 did the trick.

Thanks @StuartGreen@Omer_Kleinstern and @PhoneBoy for your feedback.

--
Best
Marcin

View solution in original post

0 Kudos
8 Replies
Omer_Kleinstern
Employee
Employee

Hi @marcyn ,

 

Yes, it's possible to use api-key authorization with ansible.

Replace ansible_user + ansible_password with ansible_api_key.

 

Thanks,

Omer

0 Kudos
marcyn
Collaborator
Collaborator

Hi Omer,

Ah ... if that would be so easy... I already tried that, of course 🙂

[check_point]
10.0.0.1
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
#ansible_user=apiuser
#ansible_password=qwerty123
ansible_api_key=yfD6ETO+ywCRwaoDxIUkTQ==
ansible_network_os=check_point.mgmt.checkpoint

And the result:

# ansible-playbook playbook_add.yaml
PLAY [playbook] ************************************************************************************************************************************
TASK [Gathering Facts] *****************************************************************************************************************************ok: [10.0.0.1]

TASK [add host] ************************************************************************************************************************************An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid'
(...)
PLAY RECAP *****************************************************************************************************************************************10.0.0.1
: ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

 

If you are wondering if this api-key is valid ... here, take a look:

mgmt_cli --api-key "yfD6ETO+ywCRwaoDxIUkTQ==" -m 10.0.0.1 login
uid: "96259ea1-d710-422f-ba2f-b02bbe196489"
sid: "nF4D-VqA1h7J4vUIeM1gwSAARt7lQI52kdnvr6whesg"
url: "https://10.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
  posix: 1666349488319
  iso-8601: "2022-10-21T12:51+0200"
api-server-version: "1.8"
user-name: "api"
user-uid: "dc0b1c70-5b38-4443-9e8c-0c42850c468d"

So yes ... it's valid 🙂

 

So again .. if it would be so easy ... I wouldn't probably ask.
But maybe I'm doing something wrong ?

--
Best
Marcin

0 Kudos
StuartGreen
Employee
Employee

It's definitely supported and works fine. Which module version are you using? You can see it mentioned in the plugin here:

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/a05cb3f66ca703234db64ff1898e042...

 

Make sure you're not sending a username and password somewhere else in your play as an additional variable as that will cause the plugin to ignore the API key.

0 Kudos
marcyn
Collaborator
Collaborator

Hi Stuart,

Yes, I've already seen this site that you just mentioned... and it looks as if it should be supported ... but it doesn't work for me.
I have the newest ansible and the newest checkpoint module:

 

# ansible --version
ansible [core 2.12.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 2.11.3
  libyaml = True

# head .ansible/collections/ansible_collections/check_point/mgmt/CHANGELOG.rst
==============================
Check_Point.Mgmt Release Notes
==============================
.. contents:: Topics

v4.0.0
======

 

 

And of course when I change /etc/ansible/hosts to use ansible_api_key ... I also comment out/remove ansible_user + ansible_password

What's funny is that when I have this ansible_api_key in /etc/ansible/hosts it works "strange" because ansible starts with "logout" command 🙂

 

# tail -f $FWDIR/log/api.elg
2022-11-02 17:00:58,049  INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-90] - Inbound Message
----------------------------
ID: 12199
Address: http://127.0.0.1:65456/web_api/logout
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], connection=[keep-alive], Content-Length=[2], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]}
Payload: {}
--------------------------------------
2022-11-02 17:00:58,049 ERROR com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorSessionValidator.handleMessage:31 [qtp1587849480-90] - Session validation has failed
(...)
ID: 12199
Response-Code: 400
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:00:58 GMT]}
Payload: {
  "code" : "generic_err_missing_required_header",
  "message" : "Missing header: [X-chkp-sid]"
}

 

no login ... first ... so it's not strange that logout doesn't have session_id 🙂
And no entry at all into $FWDIR/log/api.csv...
But with ansible_user + ansible_password:

 

2022-11-02 17:04:59,426 DEBUG com.checkpoint.management.web_api.core.cxf.interceptor.WebApiInInterceptorLoginValidator.handleMessage:32 [qtp1587849480-88] - Validating 'login' command of the version: [1.8]
2022-11-02 17:04:59,426  INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1587849480-88] - Inbound Message
----------------------------
ID: 12203
Address: http://127.0.0.1:65456/web_api/login
Encoding: UTF-8
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], Authorization=[Basic YWRtaW46MXFhekBXU1g=], connection=[keep-alive], Content-Length=[41], content-type=[application/json], Host=[127.0.0.1:65456], User-Agent=[Ansible], X-Forwarded-For=[172.19.99.100], X-Forwarded-Host=[172.19.99.253:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[172.19.99.253]}
(...)
ID: 12203
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Wed, 02 Nov 2022 16:05:00 GMT]}
Payload: {
  "uid" : "2d35b5f9-2b61-4b75-9e6d-8ac8656d195f",
  "sid" : "ad05d22ae40bc55426980e0a93b82433",
  "url" : "https://172.19.99.253:443/web_api",
  "session-timeout" : 600,
  "last-login-was-at" : {
    "posix" : 1667378605905,
    "iso-8601" : "2022-11-02T09:43+0100"
  },
  "api-server-version" : "1.8",
  "user-name" : "admin",
  "user-uid" : "33efce7f-77bb-4874-859b-793b83190f48"
}

 

No issues at all 😉

And of course in $FWDIR/log/api.csv I see:
2022-11-02,17:07:06 +0100,"Ansible","172.19.99.100","172.19.99.253:443",login,PASSED,855

--
Best
Marcin

0 Kudos
StuartGreen
Employee
Employee

this feels a little like a weird problem I encountered recently where ansible wasn't sending the domain parameter in the login request. The 'solution' (which I'm not 100% convinced is actually addressing the root of the problem) was to roll back to the previous version of ansible-core (2.13.3 worked for me, 2.13.4 did not - but with a completely different user on the same Ubuntu host both versions worked).

PhoneBoy
Admin
Admin

What version/JHF is the management?

0 Kudos
marcyn
Collaborator
Collaborator

Hi Stuart and PhoneBoy,

I will try older version of ansible .... it would be strange if that will fix the issue ... but I will give it a try.

Regarding SMS - it's R81.10 Take66 but I can update it (it's lab env.) to Take78 and take a look.

--
Best
m.

0 Kudos
marcyn
Collaborator
Collaborator

Ok, it looks like mistery is solved !

Below I will write how to solve this issue.

Because I have debian 11 I used repository that is mentioned here:
https://docs.ansible.com/ansible/latest/installation_guide/installation_distros.html#installing-ansi...
And from that repository I installed ansible.

It was as you already saw on one of my previous posts version 2.12.9 (core), later I upgraded it to 2.12.10.

Because @StuartGreen mentioned version 2.13.3 and 2.13.4 ... which are no present in this repository I decided to uninstall completely ansible and to reinstall it via pip3.

So I ended up with this:
pip3 install ansible

And it gave me:
# ansible --version
ansible [core 2.13.5]

And with this version I have no issue at all with ansible_api_key:

# ansible-playbook playbook_add.yaml

PLAY [playbook] ********************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [172.19.99.253]

TASK [add host] ********************************************************************************************************
changed: [172.19.99.253]

TASK [add host to group] ***********************************************************************************************
changed: [172.19.99.253]

TASK [publish] *********************************************************************************************************
changed: [172.19.99.253]

TASK [install policy] **************************************************************************************************
changed: [172.19.99.253]

PLAY RECAP *************************************************************************************************************
172.19.99.253              : ok=5    changed=4    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

# tail -n 10 /etc/ansible/hosts
[check_point]
172.19.99.253
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_api_key=xj56ETO+ywCRwaoDgrFTQ==
ansible_network_os=check_point.mgmt.checkpoint

 

So case closed ... solution was extremely easy ... if you know that you have to use correct version 🙂
In Check Point's collection documentation it was only mentioned that ansible verstion have to be greater then 2.9.

So in case someone else has the same issue and is wondering how to solve it => use different version of ansible, in my case 2.13.5 did the trick.

Thanks @StuartGreen@Omer_Kleinstern and @PhoneBoy for your feedback.

--
Best
Marcin

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events