Rene_Dreher
Contributor

WebAPI "add-access-role": invalid parameter for [users]


I'm trying to create an access role. With the parameter "users": "any" it works without problems, but if I want to add an AD group I always run into an error. Does anyone have an idea?

https://sc1.checkpoint.com/documents/latest/APIs/?#web/add-access-role~v1.5%20


R80.30 T217


Postman:

{
  "name" : "MyRole1112",
  "networks" : "any",
  "users": [
        {
            "source": "qa.mydom.com__AD",
            "selection": "my-ad-group",
            "base_dn": "qa.mydom.com/my/Base/DN/"
        }
    ],
  "machines" : "all identified",
  "remote-access-clients" : "any"

Status 400 Bad Request

{
    "code": "generic_err_invalid_parameter",
    "message": "Invalid parameter for [users]. Invalid value"
}

Ansible error (Web API):

    - name: ADD-Access-Role
      uri:
         url: "https://1.2.3.4/web_api/add-access-role"
         validate_certs: false
         method: POST
         body_format: json
         headers:
          X-chkp-sid: "{{ loginoutput.json.sid }}"
         body:
          name: "MyRole1112"
          networks: "any"
          users:
            source: "qa.mydom.com__AD"
            selection: "my-ad-group"
            base_dn: "qa.mydom.com/my/Base/DN/"
          machines: "all identified"
          remote-access-clients: "any"
      register: role_response

TASK [ADD-Access-Role] ***************************************************************************************************************************
fatal: [1.2.3.4]: FAILED! => {"changed": false, "connection": "close", "content": "{\n \"code\" : \"generic_err_invalid_parameter\",\n \"message\" : \"Invalid parameter for [users]. The invalid value [source=\\\"qa.mydom.com__AD\\\" selection=\\\"my-ad-group\\\" base_dn=\\\"my/Base/DN/\\\"] should be replaced by one of the following values: [any, all identified]\"\n}", "content_type": "application/json",

0 Kudos
1 Solution

Accepted Solutions
Jim_Oqvist
Employee

Hi Rene,

Your Postman example is missing a closing bracket "}" at the end.

Why not use the official module from the Check Point collection for Ansible for this?
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_role_module.html...
The latest collection is available here: https://galaxy.ansible.com/check_point/mgmt

Your base_dn is not correct.
Please note that base_dn is only required if the selection is not a unique name in Active Directory.
Also note that base_dn is a unique identifier: the API is not really looking for the base DN, it is looking for the CN of the object in LDAP. That parameter is a bit misleading.

Here is a working example where the domain is darkness.local:

---
- name: playbook name
  hosts: localhost
  gather_facts: false
  connection: local
  tasks:
    - name: ADD-Access-Role
      uri:
         url: "https://192.168.233.70/web_api/add-access-role"
         validate_certs: false
         method: POST
         body_format: json
         headers:
          X-chkp-sid: "{{ loginoutput.json.sid }}"
         body: 
          name: "Ansible_Role2"
          networks: "any"
          users: 
            source: "darkness.local__AD"     
            selection: "Domain Admins"
            base-dn: "CN=Domain Admins,DC=darkness,DC=local"
          machines: "all identified"
          remote-access-clients: "any"
      register: role_response

I think your example should look something like this:

---
- name: playbook name
  hosts: localhost
  gather_facts: false
  connection: local
  tasks:
    - name: ADD-Access-Role
      uri:
         url: "https://1.2.3.4/web_api/add-access-role"
         validate_certs: false
         method: POST
         body_format: json
         headers:
          X-chkp-sid: "{{ loginoutput.json.sid }}"
         body: 
          name: "MyRole1112"
          networks: "any"
          users: 
            source: "qa.mydom.com__AD"     
            selection: "Domain Admins"
            base-dn: "CN=Domain Admins,CN=Users,DC=qa,DC=mydom,DC=com"
          machines: "all identified"
          remote-access-clients: "any"
      register: role_response

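The request the accepted answer describes, as an added example in Python that is not code from the post or from Check Point. It builds the add-access-role body with an AD group in "users", constructs "base-dn" as the group object's own DN from the domain and its container, rejects the two mistakes in the original request (the underscore key and a slash path instead of an LDAP DN) before anything is sent, and wraps login, add-access-role, publish and logout over the Web API. The Account Unit naming "<domain>__AD", the CN=Users container, the server address and the credentials are assumptions taken from the examples in this thread; the network calls are not executed by default.

```python
"""add-access-role for an AD group over the Check Point Management Web API.

Added example, not code from the original post or from Check Point.
Assumptions: the LDAP Account Unit is named "<domain>__AD", the group sits
in the domain's CN=Users container unless another container is given, and
server address and credentials are placeholders.
"""
import json
import ssl
import urllib.request

# Keyword values the API accepts for "users" instead of a list
# (taken from the error message quoted in the thread).
USERS_KEYWORDS = ("any", "all identified")


def domain_to_dn(domain):
    """'qa.mydom.com' -> 'DC=qa,DC=mydom,DC=com'."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    if not labels:
        raise ValueError("empty domain")
    return ",".join(f"DC={p}" for p in labels)


def ad_group_entry(domain, group_cn, container="CN=Users"):
    """One element of the "users" list for an AD group.

    "base-dn" is the object's own DN (CN=<group>,<container>,<domain DCs>),
    not a search base, which is what the accepted answer points out.
    Pass container="" for an object directly under the domain root.
    """
    rdns = [f"CN={group_cn}"]
    if container:
        rdns.append(container)
    rdns.append(domain_to_dn(domain))
    return {
        "source": f"{domain}__AD",    # Account Unit name: assumed convention
        "selection": group_cn,
        "base-dn": ",".join(rdns),    # hyphenated key, as in the working example
    }


def validate_users(users):
    """Catch the mistakes from the original post before the request is sent."""
    if isinstance(users, str):
        if users not in USERS_KEYWORDS:
            raise ValueError(f"users must be a list or one of {USERS_KEYWORDS}")
        return users
    if not isinstance(users, list) or not users:
        raise ValueError("users must be a keyword or a non-empty list of objects")
    for entry in users:
        if "base_dn" in entry:
            raise ValueError("key is 'base-dn', not 'base_dn'")
        missing = {"source", "selection"} - set(entry)
        if missing:
            raise ValueError(f"user entry missing {sorted(missing)}")
        dn = entry.get("base-dn", "")
        # Every comma-separated component of an LDAP DN is attr=value;
        # a slash path such as 'qa.mydom.com/my/Base/DN/' fails this check.
        if dn and not all("=" in part for part in dn.split(",")):
            raise ValueError(f"base-dn is not an LDAP DN: {dn!r}")
    return users


def build_access_role_body(name, users, networks="any",
                           machines="all identified", remote_access_clients="any"):
    return {
        "name": name,
        "networks": networks,
        "users": validate_users(users),
        "machines": machines,
        "remote-access-clients": remote_access_clients,
    }


def api_call(server, command, payload, sid=None, cafile=None):
    """POST one Web API command. With cafile the server certificate is
    verified (preferred); without it this behaves like validate_certs: false."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid
    req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                 data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def create_access_role(server, user, password, body, cafile=None):
    """login -> add-access-role -> publish -> logout. Changes stay in the
    session until publish; logout releases the session. Not run here."""
    sid = api_call(server, "login", {"user": user, "password": password}, cafile=cafile)["sid"]
    try:
        result = api_call(server, "add-access-role", body, sid, cafile)
        api_call(server, "publish", {}, sid, cafile)
        return result
    finally:
        api_call(server, "logout", {}, sid, cafile)


if __name__ == "__main__":
    body = build_access_role_body("MyRole1112",
                                  [ad_group_entry("qa.mydom.com", "my-ad-group")])
    print(json.dumps(body, indent=2))
    # create_access_role("1.2.3.4", "api_user", "<password>", body, cafile="mgmt-ca.pem")
```

Pass the management server's CA file so TLS is actually verified; the unverified branch mirrors validate_certs: false from the playbook and should not reach production. If the group's DN is not under CN=Users, pass the real container (for example "OU=Groups,OU=Corp") or leave base-dn out entirely when the selection is unique, as the accepted answer notes.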

9 Replies
Rene_Dreher
Contributor

Hi Jim,

thank you very much for your support. You are absolutely right, the base DN is faulty. I have commented it out and it works. Unfortunately the correct format is not described in the API documentation.

I copied the base DN from an old script which uses the old Ansible module (https://github.com/CheckPointSW/cpAnsible); with the old module the base DN worked in this format.

I have looked at the Ansible Galaxy Check Point module in version 2 and started with it, but I had two problems for my use case:
- set-group: I cannot add a single host to a group. I have to read the group, save the result and then add all hosts again.
- add-access-rule -> position: I can add the rule at a specific rule number or at the top or bottom of the rule set. Unfortunately I cannot assign it to a section like in this example:
{
  "layer" : "network",
  "position" : {
    "bottom" : "My Access Section"
  },
  "name" : "Last rule in the section"
}
This also still worked in the "old" Ansible module.

So I'm testing everything to decide later whether I want to do everything in Ansible or via the Web API.

Best greetings from Hamburg, Germany

Rene

0 Kudos
Jim_Oqvist
Employee

Hi Rene, thanks for your feedback.

  1. With the current cp_mgmt_access_rule you are indeed correct. It is not possible to place a rule at the top or bottom of a specific section identified by UID or name, or before/after a specific section or rule identified by UID or name. As you say, you can only place it at the top, at the bottom or at a specific rule number.
  2. For cp_mgmt_group you are actually able to remove and add objects in a group. The only thing that does not work is when you try to remove all objects from the group, since the module will at that moment not take the "members" information of the group object into account when comparing your code in the playbook with reality.

I recommend that you open two issues at https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/issues for 1 and 2 in order to get the modules improved.

Here is a working example where you can try to add and remove host objects from an existing group. Just uncomment or re-comment the different members between your playbook runs.

cp_mgmt_group.yml

---
# To run:
# ansible-playbook cp_mgmt_group.yml -e "target=192.168.233.70" -i 192.168.233.70,
#
- name: Build Ansible demo policy automation_policy on Check Point management server {{ target }}
  hosts: "{{ target }}"
  connection: httpapi
  vars:
      # Credentials for the cp_mgmt* modules and settings for the Check Point httpapi plugin,
      # which connects to Check Point devices over the HTTP(S)-based API.
      ansible_httpapi_use_ssl: True
      ansible_httpapi_validate_certs: False
      ansible_network_os: check_point.mgmt.checkpoint # Using the Galaxy collection https://galaxy.ansible.com/check_point
      # ansible_checkpoint_domain: SMC User # Default domain for an SMS (SmartCenter); you only need to set the domain variable when connecting to an MDS
      ansible_user: api_user # Change to your Check Point management admin user
      ansible_ssh_pass: vpn123 # Change to your Check Point management admin password (keep it in Ansible Vault rather than in the playbook)
      #ansible_api_key: xxxxxxxxxx # Optionally you can use an API key instead of username and password
  gather_facts: no
  tasks:

    - name: add-group, set or delete Check Point group object
      check_point.mgmt.cp_mgmt_group:
        members:
#        - Mail server
#        - Web server
#        - DB server
        state: present
        name: Ansible Group
        color: forest green

    - name: Add, set or delete Check Point host object
      check_point.mgmt.cp_mgmt_host:
        state: present
        name: Mail server
        ip_address: 192.168.1.1
        color: red
        comments: my mail server host object

    - name: Add, set or delete Check Point host object
      check_point.mgmt.cp_mgmt_host:
        state: present
        name: Web server
        ip_address: 10.1.1.55
        color: yellow
        comments: my blue jump host object

    - name: Add, set or delete Check Point host object
      check_point.mgmt.cp_mgmt_host:
        state: present
        name: DB server
        ip_address: 10.1.2.55
        color: red
        comments: my ubuntu host object

    - name: publish the session
      cp_mgmt_publish:

Rene_Dreher
Contributor

Yes, but you must specify each "member" individually in the group.

- name: add-group
  cp_mgmt_group:
    members:
      - host1
      - host2
      - ..........
      - host150
      - NewHost1
      - NewHost2
    name: MyGroup
    state: present

If you have an existing group with e.g. 150 objects and want to assign an existing host to this group, there is no "add only the new member to the group". I have a workaround for this, but I don't know if this is a nice way to do it in production; here the groups are also much bigger.

- name: Playbook Add Host to Group
  hosts: check_point
  #connection: httpapi
  vars_files:
    - my_vars.yml    # defines ip_addr, group and jmesquery ("[*].name")

  tasks:
    - name: add host
      cp_mgmt_host:
        ipv4_address: "{{ ip_addr }}"
        name: "host_{{ ip_addr }}"
        state: present
        color: black

    - name: Read group content
      cp_mgmt_group_facts:
        name: "{{ group }}"
        details_level: standard
      register: groupcontent

    - name: create group list
      set_fact:
        memberlist: "{{ memberlist|default([]) + [ item ] }}"
      with_items: "{{ groupcontent.ansible_facts.group.members | json_query(jmesquery) }}"   # jmesquery: "[*].name"

    - name: add new host to list
      set_fact:
        memberlist: "{{ memberlist|default([]) + [ 'host_' ~ ip_addr ] }}"

    - name: add list 2 the group
      cp_mgmt_group:
        members: "{{ memberlist }}"
        name: "{{ group }}"
        state: present

    - name: Publish
      cp_mgmt_publish:

Another way is to use cp_mgmt_host: here you can create a host and assign it to a group. This works fine if the host did not exist before. If the host exists before the script runs, though, it ignores "groups" and does not assign the host to the group. Is this also a bug in the Ansible module?

  tasks:
    - name: create a host and add to group
      cp_mgmt_host:
        ipv4_address: "{{ ip_addr }}"
        name: "host_{{ ip_addr }}"
        groups: "{{ group }}"
        state: present
        color: black

0 Kudos
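The read-merge-set workaround in this post, as an added example in Python that is not code from the post or from Check Point. It takes a constructed show-group response (the Web API counterpart of cp_mgmt_group_facts with details-level standard), computes which members actually need adding or removing, and produces both the complete list that the cp_mgmt_group module expects and the smaller set-group body the Web API itself accepts, where "members" can be {"add": [...], "remove": [...]} so only the change travels. Group name, host names and uids are made up.

```python
"""Add or remove members of an existing Check Point group without re-listing
every member by hand.

Added example, not code from the original post or from Check Point. The
show-group response below is constructed; a real one comes from the Web API
command show-group with "details-level": "standard", whose "members" are
objects carrying "name" and "uid".
"""

# Constructed sample shaped like show-group output (uids are made up).
SAMPLE_SHOW_GROUP = {
    "name": "MyGroup",
    "type": "group",
    "members": [
        {"name": "host1", "type": "host", "uid": "00000000-0000-4000-8000-000000000001"},
        {"name": "host2", "type": "host", "uid": "00000000-0000-4000-8000-000000000002"},
        {"name": "host3", "type": "host", "uid": "00000000-0000-4000-8000-000000000003"},
    ],
}


def current_members(show_group_response):
    """Member names in server order; this is what the playbook's jmespath
    '[*].name' extracts, done here without the extra dependency."""
    return [m["name"] for m in show_group_response.get("members", [])]


def member_delta(existing, to_add=(), to_remove=()):
    """Return (add, remove) with no-ops dropped: members already present are
    not re-added and names not in the group are not 'removed'. Duplicates in
    the requested lists collapse, order is preserved."""
    have = set(existing)
    add = [m for m in dict.fromkeys(to_add) if m not in have]
    remove = [m for m in dict.fromkeys(to_remove) if m in have]
    return add, remove


def set_group_body(name, add, remove):
    """Body for the Web API set-group command. 'members' may be an object
    with 'add' and/or 'remove' lists, so only the change is sent.
    Returns None when there is nothing to change, so a caller can skip the
    call and keep the run idempotent."""
    members = {}
    if add:
        members["add"] = add
    if remove:
        members["remove"] = remove
    return {"name": name, "members": members} if members else None


def full_member_list(existing, add, remove):
    """The complete desired list, which is what the cp_mgmt_group Ansible
    module needs in 'members' (the workaround described in the thread)."""
    gone = set(remove)
    kept = [m for m in existing if m not in gone]
    return kept + [m for m in add if m not in kept]


if __name__ == "__main__":
    existing = current_members(SAMPLE_SHOW_GROUP)
    add, remove = member_delta(existing, to_add=["NewHost1"], to_remove=["host3"])
    print("set-group body:", set_group_body("MyGroup", add, remove))
    print("cp_mgmt_group members:", full_member_list(existing, add, remove))
```

With the raw API the whole 150-member list never leaves the client, and a second run with the same input yields None and no set-group call at all. With the Ansible module you still have to send full_member_list, which is the read-then-write approach above; either way, publish afterwards.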
Jim_Oqvist
Employee

Hi Rene,

Yes, it seems to be an issue in the equals API endpoint used by the Check Point collection for Ansible to verify whether there is any diff between reality and the code: the equals API endpoint is not checking the value of the group membership on the object.

Thanks for reporting this. I will notify our developers.

You can work around this issue by changing, for example, the comment of the object at the same time as you change the group. This will force the equals process to understand that there is a diff and execute the set-host API endpoint, in order to update the host object with the new comment, including the updated group membership.

Please note, in order to remove a host from all groups you need to send an empty list (and update the comment section) like this:

- name: Add, set or delete Check Point host object
  check_point.mgmt.cp_mgmt_host:
    state: present
    name: DB server
    groups: []
    ip_address: 10.1.2.55
    color: red
    comments: 2 my ubuntu host object

0 Kudos
Jim_Oqvist
Employee

Just to update: the issue with the equals API is planned to be fixed in the next Jumbo HF for R80.20 - R80.40 and R81. Once the fix is in place there should not be any need for the suggested workaround of updating the comment.

0 Kudos
Rene_Dreher
Contributor

Thx mate.

I will wait for the HF and watch the changelog. For the topic "policy position" I will create an issue on GitHub.

0 Kudos
Rene_Dreher
Contributor

chkp-orso commented 7 days ago:

Hi, thanks for reaching out to us. We intentionally removed the first three options because they damage one of Ansible's requirements, idempotency. Thanks, Or

chkp-orso closed this 7 days ago

0 Kudos