pan-os-python
Changes from multiple administrator accounts are combined
Describe the bug
Changes from multiple administrator accounts are getting combined together, resulting in unwanted behavior when trying to perform partial commits.
Sample code:
#!/usr/bin/env python3
from panos.base import PanDevice
from panos.objects import AddressObject


def create_object(fw, name, value):
    # Build an address object and push it with create().
    addr = AddressObject(name=name, value=value, type="ip-netmask")
    fw.add(addr)
    addr.create()


if __name__ == "__main__":
    # Two separate sessions to the same firewall, one per administrator.
    admin_1 = PanDevice.create_from_device("fw", "admin", "P4loalto!")
    admin_2 = PanDevice.create_from_device("fw", "admin2", "P4loalto!")

    create_object(admin_1, "Test-1", "1.1.1.1")
    create_object(admin_2, "Test-2", "2.2.2.2")

    # Dump the pending change journal.
    changes = admin_1.op("show config list changes", xml=True, cmd_xml=True)
    print(changes)
Expected behavior
Making this change should result in two different address objects being created by two different administrator accounts. Performing a partial commit for either admin should not contain the other's change.
This should be equivalent to the following XML-API commands (with appropriate authentication):
https://{{host}}/api/?type=config&action=edit&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry[@name='Test-1']&element=<entry name='Test-1'><ip-netmask>1.1.1.1</ip-netmask></entry>
https://{{host}}/api/?type=config&action=edit&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry[@name='Test-2']&element=<entry name='Test-2'><ip-netmask>2.2.2.2</ip-netmask></entry>
These should result in the following changes (output of show config changes list):
<response status="success">
  <result>
    <journal>
      <entry>
        <xpath>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry[@name='Test-2']</xpath>
        <owner>admin2</owner>
        <action> EDIT</action>
        <admin-history>admin2</admin-history>
        <component-type>vsys</component-type>
      </entry>
      <entry>
        <xpath>/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/address/entry[@name='Test-1']</xpath>
        <owner>admin</owner>
        <action> EDIT</action>
        <admin-history>admin</admin-history>
        <component-type>vsys</component-type>
      </entry>
    </journal>
  </result>
</response>
Two separate address objects created by two separate admins. Sending these two calls to PAN-OS works as expected.
Current behavior
Executing the sample code above results in the following single change:
<response status="success">
  <result>
    <journal>
      <entry>
        <xpath>/config/devices/entry[@name=\'localhost.localdomain\']/vsys/entry[@name=\'vsys1\']/address</xpath>
        <owner>admin2</owner>
        <action> EDIT</action>
        <admin-history>admin, admin2</admin-history>
        <component-type>vsys</component-type>
      </entry>
    </journal>
  </result>
</response>
Steps to reproduce
Run provided sample code.
Context
Bug filed against Ansible collection: https://github.com/PaloAltoNetworks/pan-os-ansible/issues/212
Your Environment
- Version used: pan-os-python 1.0.2, PAN-OS 10.0.4
- Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3): Python 3.9.4
This seems to be a PAN-OS bug... If I change from set (create()) to edit (apply()) then it works as expected.
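A check that could be run before a partial commit, as an added example that is not part of the original issue or of pan-os-python: it parses the change journal XML in the shape shown above and flags entries whose admin-history names more than one administrator. The function names are hypothetical, and the two inline journals are constructed to mirror the expected and current outputs in the issue.

```python
import xml.etree.ElementTree as ET

ADDR = ("/config/devices/entry[@name='localhost.localdomain']"
        "/vsys/entry[@name='vsys1']/address")

def _entry(xpath, owner, history):
    # Helper that builds one constructed journal entry.
    return (f"<entry><xpath>{xpath}</xpath><owner>{owner}</owner>"
            f"<action> EDIT</action><admin-history>{history}</admin-history>"
            "<component-type>vsys</component-type></entry>")

def _journal(*entries):
    return ('<response status="success"><result><journal>'
            + "".join(entries) + "</journal></result></response>")

# Constructed samples mirroring the two journals shown in the issue.
EXPECTED = _journal(
    _entry(ADDR + "/entry[@name='Test-2']", "admin2", "admin2"),
    _entry(ADDR + "/entry[@name='Test-1']", "admin", "admin"))
CURRENT = _journal(_entry(ADDR, "admin2", "admin, admin2"))

def shared_entries(journal_xml):
    """Return journal entries whose admin-history names more than one admin."""
    root = ET.fromstring(journal_xml)
    if root.get("status") != "success":
        raise ValueError("journal query did not succeed")
    shared = []
    for entry in root.iterfind("./result/journal/entry"):
        history = entry.findtext("admin-history", "")
        admins = [a.strip() for a in history.split(",") if a.strip()]
        if len(admins) > 1:
            shared.append({"xpath": entry.findtext("xpath"),
                           "owner": entry.findtext("owner"),
                           "admins": admins})
    return shared

def safe_for_partial_commit(journal_xml, admin):
    """True only if no pending entry touched by `admin` is shared."""
    return not any(admin in e["admins"] for e in shared_entries(journal_xml))

if __name__ == "__main__":
    for label, journal in (("expected", EXPECTED), ("current", CURRENT)):
        print(label, shared_entries(journal))
```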