unable to change admin user password with cp_gaia_user module
It's not possible to change the admin user's password with the cp_gaia_user module; it works for other users.
The playbook fails with the error: "msg": "Checkpoint device returned error 400 with message {'code': 'err_validation_failed', 'errors': 'Cannot change this attribute of user admin', 'msg': 'Validation Error'}"
The playbook:
- name: gaia_test
  hosts: cmgtl
  gather_facts: false
  connection: httpapi
  tasks:
    - name: set test user password
      check_point.gaia.cp_gaia_user:
        name: test
        password: Test123456
    - name: set admin password
      check_point.gaia.cp_gaia_user:
        name: admin
        password: Test123456
Logs for test user from /var/log/gaia_api_server.log:
13/10/25 16:45:35: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.29.8.37
13/10/25 16:45:35: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.ShowUser_V18'>
13/10/25 16:45:35: MainThread: infra.urlGeneratorIS: INFO: Execute validators
13/10/25 16:45:35: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
13/10/25 16:45:35: MainThread: infra.pipeline: INFO: Handling output
13/10/25 16:45:36: MainThread: objects.users: INFO: Collecting users data from the system
13/10/25 16:45:36: MainThread: objects.users: INFO: Processing users data from the system
13/10/25 16:45:36: MainThread: objects.users: INFO: Information collected and processed successfully
13/10/25 16:45:37: MainThread: objects.users: INFO: Collecting users data from the system
13/10/25 16:45:37: MainThread: objects.users: INFO: Processing users data from the system
13/10/25 16:45:37: MainThread: objects.users: INFO: Information collected and processed successfully
13/10/25 16:45:37: MainThread: server_util.udsListener: INFO: Request for endpoint /show-user [method: POST], for source 172.29.8.37, SUCCEEDED [duration 1760ms]
Logs for admin user:
13/10/25 16:45:37: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.29.8.37
13/10/25 16:45:37: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.SetUserV18'>
13/10/25 16:45:37: MainThread: infra.urlGeneratorIS: INFO: Execute validators
13/10/25 16:45:37: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
13/10/25 16:45:37: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.users.SetUserV18'>
13/10/25 16:45:37: MainThread: requests.users: ERROR: Cannot change this attribute of user admin
13/10/25 16:45:37: MainThread: infra.pipeline: ERROR: Failed to handle request, reason: 'Cannot change this attribute of user admin'
13/10/25 16:45:37: MainThread: infra.pipeline: ERROR: Cannot change this attribute of user admin
Traceback (most recent call last):
  File "/rest_api/ckp/infra/urlGeneratorIS.py", line 67, in actor
    res = execute(inst, requestData)
  File "/rest_api/ckp/infra/pipeline.py", line 214, in execute
    res = doCommit(inst, inst.CommitHandler, requestData)
  File "/rest_api/ckp/infra/pipeline.py", line 175, in doCommit
    res, buf = method(requestData)
  File "/rest_api/ckp/requests/users.py", line 829, in commit
    SetUser.commit(self, data)
  File "/rest_api/ckp/requests/users.py", line 672, in commit
    raise ValidationException("Cannot change this attribute of user admin")
genericException.ValidationException: Cannot change this attribute of user admin
It's possible to change the password with api request:
PS C:\Program Files (x86)\CheckPoint\SmartConsole\R81.20\PROGRAM> .\mgmt_cli.exe -m 172.27.129.198 set user name 'admin' password 'Test123456' --context gaia_api
Username: admin
Password:
PS C:\Program Files (x86)\CheckPoint\SmartConsole\R81.20\PROGRAM>
For Gaia API 1.7 and lower:
I believe this to be correct behavior. 'admin' can't change its own password because that will break the Gaia API session. Gaia API has no 'publish' option like the management API, nor does it have the option to login with an API key, so changes are immediate. For this reason, 'password' is one of the forbidden fields for the 'admin' user.
You will need a second user with RBA role adminRole (and allowed access to Gaia API) to change the 'admin' user. In this case, your secondary admin user cannot change its own password either, for the same reasons. You will need to apply some conditional in your playbook such as when: not user_name == ansible_user, assuming user_name is a variable that contains the name of the CLISH user you are modifying.
You'll then need to re-run the task in a separate play (or playbook run), authenticated as the other admin, to change the opposite admin user's password. This is what I do for my deployment playbooks when working with my customer systems. It's annoying, but it's necessary.
For Gaia API 1.8: (and at least R81.20 Jumbo HFA 118 and R82 Jumbo HFA 39; don't know about lower)
However, in Gaia API 1.8, this now seems to be supported. I re-tested this just now and it worked; this is indeed changed behavior. Have you been able to re-test this recently?
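The two-pass procedure described in the reply above, written out as an added example playbook. This is not code from the thread or from the check_point.gaia collection documentation; it only uses the name and password parameters of cp_gaia_user that the original playbook already uses. Assumptions: the inventory group gaia_hosts carries the same httpapi connection settings the thread's playbook relies on; ansible_user is defined as an inventory or extra variable (not only via -u) so it can be compared in a when: clause; the variable names gaia_users, rotation_users, session_user, secondary_admin_user, secondary_admin_password and the vault_* password variables are hypothetical and would normally be supplied from an Ansible Vault file.

```yaml
# Added example (not from the thread): rotate local Gaia user passwords on
# Gaia API 1.7 and lower, where the account that owns the API session cannot
# change its own password. Play 1 authenticates as the operator account and
# skips that account; play 2 authenticates as a second administrator and
# changes only the account play 1 had to skip.
- name: Rotate every local Gaia user except the one owning the API session
  hosts: gaia_hosts                    # assumed inventory group with httpapi settings
  gather_facts: false
  connection: httpapi
  vars:
    # Hypothetical list; vault_* values are assumed to come from Ansible Vault
    gaia_users:
      - { name: admin, password: "{{ vault_admin_password }}" }
      - { name: test,  password: "{{ vault_test_password }}" }
  tasks:
    - name: Remember the session user and user list; set_fact values persist into the next play
      ansible.builtin.set_fact:
        session_user: "{{ ansible_user }}"   # assumes ansible_user is set as a variable
        rotation_users: "{{ gaia_users }}"

    - name: Set passwords for all users other than the session user
      check_point.gaia.cp_gaia_user:
        name: "{{ item.name }}"
        password: "{{ item.password }}"
      loop: "{{ rotation_users }}"
      loop_control:
        label: "{{ item.name }}"   # show the user name, never the password, in task output
      when: item.name != session_user
      no_log: true                 # keep the password argument out of logs and callbacks

- name: Rotate the session user from play 1 using a second administrator
  hosts: gaia_hosts
  gather_facts: false
  connection: httpapi
  vars:
    # Hypothetical second local user with the adminRole RBA role and Gaia API access;
    # play vars take precedence over inventory and -u, so this replaces the login
    ansible_user: "{{ secondary_admin_user }}"
    ansible_password: "{{ secondary_admin_password }}"
  tasks:
    - name: Fail early if both plays would authenticate as the same account
      ansible.builtin.assert:
        that: ansible_user != session_user
        fail_msg: "play 2 must log in as a different admin than play 1 ({{ session_user }})"

    - name: Set the password of the user play 1 skipped
      check_point.gaia.cp_gaia_user:
        name: "{{ item.name }}"
        password: "{{ item.password }}"
      loop: "{{ rotation_users }}"
      loop_control:
        label: "{{ item.name }}"
      when: item.name == session_user
      no_log: true
```

The assert task in play 2 is the check that matters: if both plays end up authenticating as the same account, the second play would hit the same "Cannot change this attribute of user admin" validation error seen in the original post, and failing early makes that obvious instead of leaving one account unrotated.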
I'm using radius account with admin role to change the local admin password.
The API says it's version 1.9.1:
[[email protected]:0]# mgmt_cli show api-versions -f json
Username:
Password:
{
"current-version" : "1.9.1",
"supported-versions" : [ "1", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.6.1", "1.7", "1.7.1", "1.8", "1.8.1", "1.9", "1.9.1" ]
}
I just checked it again and nothing changed. I'm running the playbook with -u and --ask-pass options to define ssh user, the local user is defined in playbook. It works for 'test' user but not for 'admin' user.
This output is from the management API, not Gaia API. If you are asking to change the Gaia admin user, then you need to add --context gaia_api to your command and re-run it. Be sure to authenticate with the Gaia admin user and not a management administrator (as you would for SmartConsole). Of course, I assume your management administrator authentication method is not set to "OS Password".
I'm not trying to change password with mgmt API, I'm trying to change password for gaia admin with playbook. I just wanted to confirm what api version is running on the server, I wasn't aware there are separate APIs for mgmt and gaia.
Yep, they're distinct and separate APIs. Management API is only for changes to the management server policy and objects (aka: SmartConsole-equivalent changes). Gaia API is for OS and host changes (aka: Gaia web portal or CLISH). The management servers run both Gaia API and the Management API. The gateways only run the Gaia API.
Be sure to check out the API reference guide for both. Make sure you select the correct API version for your host at the top of each page:
- Gaia API: https://sc1.checkpoint.com/documents/latest/GaiaAPIs/#introduction~v1.8
- Management API: https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v2.0.1
You'll also need the Ansible module documentation for each, because the Ansible modules don't yet have all of the parameters and capabilities of the raw APIs:
- Gaia API Ansible modules: https://galaxy.ansible.com/ui/repo/published/check_point/gaia/docs/
- Management API Ansible modules: https://galaxy.ansible.com/ui/repo/published/check_point/mgmt/docs/