f5-ansible
bigip_snmp_community does not allow v3 usernames that begin with a number
COMPONENT NAME
bigip_snmp_community
Environment
ANSIBLE VERSION
ansible [core 2.14.9]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/xxxxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /home/xxxxx/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.9.18 (main, Jan 4 2024, 00:00:00) [GCC 11.4.1 20230605 (Red Hat 11.4.1-2)] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 17.1.0.1
Build 0.0.4
Edition Point Release 1
Date Fri Apr 7 07:24:51 PDT 2023
CONFIGURATION
OS / ENVIRONMENT
SUMMARY
bigip_snmp_community does not work with usernames that begin with a number.
STEPS TO REPRODUCE
- name: Set SNMPv3 Settings
  bigip_snmp_community:
    provider: "{{ provider }}"
    name: zabbix
    version: v3
    snmp_username: 123456
    snmp_auth_protocol: sha
    snmp_auth_password: authpa$$
    snmp_privacy_protocol: aes
    snmp_privacy_password: privpa$$
    oid: .1
EXPECTED RESULTS
I expected that the module would decouple the object name from the SNMPv3 username, allowing me to enter a valid object name (beginning with a letter). This module sets the object name to the username you define, so this becomes invalid when your username begins with a number.
When creating a v3 user via TMSH, you explicitly define the object name separately from the username, e.g.:
modify /sys snmp users add { zabbix { auth-protocol sha auth-password authpa$$ privacy-protocol aes privacy-password privpa$$ security-level auth-privacy username 123456 oid-subset .1 } }.
When creating a v3 user via ConfigUtil, the object name created is based on the username but it is prefixed with an 'i' and appended with a '_1', so the tmsh output looks like this:
users {
    i123456_1 {
        auth-password $M$7hzoavbeLDN4drSXVGHTEA==
        auth-password-encrypted "DQ1T284Q=BmKFj2P=4Q1\?@_]Op[Exl9nr`;PQYIHCaZ`Q0"
        auth-protocol sha
        oid-subset 0.1
        privacy-password $M$MXBM1H3rjS23I8232Ox3GQ2w==
        privacy-password-encrypted `9JRDDIse#l2357mcLKi3@398007H`P:]R@4P`Ugd8\?V>
        privacy-protocol aes
        username 123456
The same challenge would normally exist for the bigip_snmp_trap module since SNMP trap servers are IP addresses, but that module allows you to define a name parameter separately from the destination parameter.
ACTUAL RESULTS
FAILED! => {"changed": false, "msg": "01070088:3: The requested object name (/Common/123456) is invalid."}