netapp.ontap
netapp.ontap copied to clipboard
na_ontap_export_policy_rule module always returns changed "true"
Summary
Re-running creation of an export rule with the same parameters always results into a change
Component Name
na_ontap_export_policy_rule
Ansible Version
$ ansible --version
ansible [core 2.11.10]
python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
jinja version = 3.0.3
libyaml = True
ONTAP Collection Version
$ ansible-galaxy collection list
netapp.ontap 21.23.0
ONTAP Version
sridharc-vsim34::> version
NetApp Release 9.9.1P11: Tue Aug 02 19:12:28 UTC 2022
Playbook
- name: Apply export policy rules
netapp.ontap.na_ontap_export_policy_rule:
<<: *login
state: present
vserver: <svm_name>
name: <export_policy_name>
client_match: "172.30.0.0/24"
protocol: "nfs"
ro_rule: "sys"
rule_index: 6543211
rw_rule: "never"
super_user_security: "never"
use_rest: never # same problem for REST and ZAPI
Steps to Reproduce
- name: Apply export policy rules
netapp.ontap.na_ontap_export_policy_rule:
<<: *login
state: present
vserver: <svm_name>
name: <export_policy_name>
client_match: "172.30.0.0/24"
protocol: "nfs"
ro_rule: "sys"
rule_index: 6543211
rw_rule: "never"
super_user_security: "never"
use_rest: never # same problem for REST and ZAPI
Expected Results
change on first execution (yellow): localhost | CHANGED => { "changed": true }
no change on second execution (green): localhost | CHANGED => { "changed": false }
Actual Results
Always:
localhost | CHANGED => {
"changed": true
}
Please check "super_user_security". Seems like "never" is changed to "none" automatically, resulting into an always "changed". Maybe something worth mentioning in the documentation rather than changing in the code
never and none should be different:
none - Special authentication flavor for anonymization
never - Special authentication flavor to represent access denial
we'll check on this.
Yeah, that's also what the ONTAP REST documentation states. However, when you are executing it with "never" on the CLI in ONTAP, it throws a notification, that "never" is not allowed on superuser and if you'd like to switch to "none" instead.
Probably also an issue with the ONTAP REST documentation.
So never is flipped to none automatically?
If true, we could
- update the documentation in the module.
- issue a warning when never is used.
Alternatively, we could reject never and report an error.
I wonder if it would be better to not accept never.
DEVOPS-6833