netapp.ontap icon indicating copy to clipboard operation
netapp.ontap copied to clipboard

Published 20 hours ago verified publisher icon ansible-collections

na_ontap_export_policy_rule module always returns changed "true"

Open AdrianBronder opened this issue 1 year ago • 5 comments

Summary

Re-running creation of an export rule with the same parameters always results into a change

Component Name

na_ontap_export_policy_rule

Ansible Version

$ ansible --version
ansible [core 2.11.10]
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True

ONTAP Collection Version

$ ansible-galaxy collection list
netapp.ontap 21.23.0

ONTAP Version

sridharc-vsim34::> version
NetApp Release 9.9.1P11: Tue Aug 02 19:12:28 UTC 2022

Playbook

- name: Apply export policy rules
    netapp.ontap.na_ontap_export_policy_rule:
      <<: *login
      state: present
      vserver: <svm_name>
      name: <export_policy_name>
      client_match: "172.30.0.0/24"
      protocol: "nfs"
      ro_rule: "sys"
      rule_index: 6543211
      rw_rule: "never"
      super_user_security: "never"
      use_rest: never # same problem for REST and ZAPI

Steps to Reproduce

  - name: Apply export policy rules
    netapp.ontap.na_ontap_export_policy_rule:
      <<: *login
      state: present
      vserver: <svm_name>
      name: <export_policy_name>
      client_match: "172.30.0.0/24"
      protocol: "nfs"
      ro_rule: "sys"
      rule_index: 6543211
      rw_rule: "never"
      super_user_security: "never"
      use_rest: never # same problem for REST and ZAPI

Expected Results

change on first execution (yellow): localhost | CHANGED => { "changed": true }

no change on second execution (green): localhost | CHANGED => { "changed": false }

Actual Results

Always:

localhost | CHANGED => {
    "changed": true
}

AdrianBronder avatar Sep 22 '22 11:09 AdrianBronder

Please check "super_user_security". Seems like "never" is changed to "none" automatically, resulting into an always "changed". Maybe something worth mentioning in the documentation rather than changing in the code

AdrianBronder avatar Sep 22 '22 11:09 AdrianBronder

never and none should be different:

none - Special authentication flavor for anonymization
never - Special authentication flavor to represent access denial

we'll check on this.

lonico avatar Sep 22 '22 16:09 lonico

Yeah, that's also what the ONTAP REST documentation states. However, when you are executing it with "never" on the CLI in ONTAP, it throws a notification, that "never" is not allowed on superuser and if you'd like to switch to "none" instead.

Probably also an issue with the ONTAP REST documentation.

AdrianBronder avatar Sep 22 '22 17:09 AdrianBronder

So never is flipped to none automatically?

If true, we could

  1. update the documentation in the module.
  2. issue a warning when never is used.

Alternatively, we could reject never and report an error.

I wonder if it would be better to not accept never.

lonico avatar Sep 22 '22 17:09 lonico

DEVOPS-6833

suhasbshekar avatar Apr 03 '24 19:04 suhasbshekar