topic Re: User role elevation with ansible in Automation/API Discussions

User role elevation with ansible

Matthew_Gee — Tue, 04 Jan 2022 18:29:09 GMT

I am looking for a playbook to change a users role to a different group and make them a super user on Panorama. Has anyone accomplished this before?

Re: User role elevation with ansible

JimmyHolland — Wed, 05 Jan 2022 12:39:36 GMT

@Matthew_Gee Hope this helps. The user needs to exist already per your original ask.

--- # # Ansible playbook to make an existing administrator in Panorama a superuser # # Example usage: ansible-playbook -i inventory make-admin-superuser.yml -e "admin_user=alice" # - hosts: '{{ target | default("panorama") }}' connection: local vars: device: ip_address: "{{ ip_address }}" username: "{{ username | default(omit) }}" password: "{{ password | default(omit) }}" api_key: "{{ api_key | default(omit) }}" tasks: - name: Change administrator to superuser paloaltonetworks.panos.panos_administrator: provider: '{{ device }}' admin_username: '{{ admin_user }}' superuser: true - name: Commit paloaltonetworks.panos.panos_commit_panorama: provider: "{{ device }}" register: results - debug: msg: "Commit with Job ID: {{ results.jobid }} had output: {{ results.details }}"

Re: User role elevation with ansible

Matthew_Gee — Wed, 05 Jan 2022 13:52:59 GMT

It definitely helps, is there a way to see what custom role and profile the user is before making the change and store it as a variable?

Re: User role elevation with ansible

JimmyHolland — Wed, 05 Jan 2022 16:27:15 GMT

@Matthew_Gee You could do something like that with these tasks at the start of the playbook, before changing the administrator to a superuser:

- name: Get admin user role details, and register the response paloaltonetworks.panos.panos_op: provider: "{{ device }}" cmd: '<show><config><running><xpath>mgt-config/users/entry[@name="{{ admin_user }}"]/permissions/role-based</xpath></running></config></show>' cmd_is_xml: true register: adminresult - name: Parse out role from XML response community.general.xml: xmlstring: "{{ adminresult.stdout_xml }}" xpath: /response[@status='success']/result/role-based/custom/profile content: text register: therole - debug: msg: "{{ therole.matches[0].profile }}"

Re: User role elevation with ansible

Matthew_Gee — Wed, 05 Jan 2022 19:08:53 GMT

That is 100% what I needed! Thank you sooooo much for saving me a TON of time. I would like to know more about the generating and parsing of the XML so if you have any guides or know of any good training on this please let me know.

Re: User role elevation with ansible

JimmyHolland — Thu, 06 Jan 2022 16:36:13 GMT

@Matthew_Gee For panos_op, I find it is easiest to debug the CLI. Find the CLI command for the thing you're trying to do then "debug cli on" and copy the XML syntax there. The CLI uses the same API which Ansible does (via pan-os-python under the hood). More details on this approach here: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/explore-the-api/use-the-cli-to-find-xml-api-syntax.html

To parse the XML, check the output from the CLI command you executed and then work out the xpath down the XML which you need for your variable. Then I used the XML module here to parse it: https://docs.ansible.com/ansible/latest/collections/community/general/xml_module.html

Hope that helps!