User role elevation with ansible

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

User role elevation with ansible

L1 Bithead

I am looking for a playbook to change a users role to a different group and make them a super user on Panorama. Has anyone accomplished this before? 

2 accepted solutions

Accepted Solutions

@Matthew_Gee You could do something like that with these tasks at the start of the playbook, before changing the administrator to a superuser:

 

    - name: Get admin user role details, and register the response
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: '<show><config><running><xpath>mgt-config/users/entry[@name="{{ admin_user }}"]/permissions/role-based</xpath></running></config></show>'
        cmd_is_xml: true
      register: adminresult

    - name: Parse out role from XML response
      community.general.xml:
        xmlstring: "{{ adminresult.stdout_xml }}"
        xpath: /response[@status='success']/result/role-based/custom/profile
        content: text
      register: therole

    - debug:
        msg: "{{ therole.matches[0].profile }}"

 

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

@Matthew_Gee For panos_op, I find it is easiest to debug the CLI. Find the CLI command for the thing you're trying to do then "debug cli on" and copy the XML syntax there. The CLI uses the same API which Ansible does (via pan-os-python under the hood). More details on this approach here: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...

 

To parse the XML, check the output from the CLI command you executed and then work out the xpath down the XML which you need for your variable. Then I used the XML module here to parse it: https://docs.ansible.com/ansible/latest/collections/community/general/xml_module.html

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

5 REPLIES 5

L5 Sessionator

@Matthew_Gee Hope this helps. The user needs to exist already per your original ask.

 

---
#
# Ansible playbook to make an existing administrator in Panorama a superuser
#
# Example usage: ansible-playbook -i inventory make-admin-superuser.yml -e "admin_user=alice"
#


- hosts: '{{ target | default("panorama") }}'
  connection: local

  vars:
    device:
      ip_address: "{{ ip_address }}"
      username: "{{ username | default(omit) }}"
      password: "{{ password | default(omit) }}"
      api_key: "{{ api_key | default(omit) }}"

  tasks:
    - name: Change administrator to superuser
      paloaltonetworks.panos.panos_administrator:
        provider: '{{ device }}'
        admin_username: '{{ admin_user }}'
        superuser: true

    - name: Commit
      paloaltonetworks.panos.panos_commit_panorama:
        provider: "{{ device }}"
      register: results

    - debug:
        msg: "Commit with Job ID: {{ results.jobid }} had output: {{ results.details }}"

 

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

It definitely helps, is there a way to see what custom role and profile the user is before making the change and store it as a variable? 

@Matthew_Gee You could do something like that with these tasks at the start of the playbook, before changing the administrator to a superuser:

 

    - name: Get admin user role details, and register the response
      paloaltonetworks.panos.panos_op:
        provider: "{{ device }}"
        cmd: '<show><config><running><xpath>mgt-config/users/entry[@name="{{ admin_user }}"]/permissions/role-based</xpath></running></config></show>'
        cmd_is_xml: true
      register: adminresult

    - name: Parse out role from XML response
      community.general.xml:
        xmlstring: "{{ adminresult.stdout_xml }}"
        xpath: /response[@status='success']/result/role-based/custom/profile
        content: text
      register: therole

    - debug:
        msg: "{{ therole.matches[0].profile }}"

 

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

That is 100% what I needed! Thank you sooooo much for saving me a TON of time. I would like to know more about the generating and parsing of the XML so if you have any guides or know of any good training on this please let me know. 

@Matthew_Gee For panos_op, I find it is easiest to debug the CLI. Find the CLI command for the thing you're trying to do then "debug cli on" and copy the XML syntax there. The CLI uses the same API which Ansible does (via pan-os-python under the hood). More details on this approach here: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-panorama-api/get-started-with-the-pan-os-xml-ap...

 

To parse the XML, check the output from the CLI command you executed and then work out the xpath down the XML which you need for your variable. Then I used the XML module here to parse it: https://docs.ansible.com/ansible/latest/collections/community/general/xml_module.html

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂
  • 2 accepted solutions
  • 4168 Views
  • 5 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!