Vh=kddlmZmZmZeZdZdZdZddl Z ddl Z ddl Z ddl m Z ddlmZddlmZdd lmZdd lmZdd lmZmZd Zd ZddZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'dZ(e)dk(re(yy))absolute_importdivisionprint_functiona module: ios_user author: Trishna Guha (@trishnaguha) short_description: Module to manage the aggregates of local users. description: - This module provides declarative management of the local usernames configured on network devices. It allows playbooks to manage either individual usernames or the aggregate of usernames in the current running config. It also supports purging usernames from the configuration that are not explicitly defined. version_added: 1.0.0 notes: - Tested against Cisco IOSXE Version 17.3 on CML. - This module works with connection C(network_cli). See U(https://docs.ansible.com/ansible/latest/network/user_guide/platform_ios.html) options: aggregate: description: - The set of username objects to be configured on the remote Cisco IOS device. The list entries can either be the username or a hash of username and properties. This argument is mutually exclusive with the C(name) argument. aliases: - users - collection type: list elements: dict suboptions: name: description: - The username to be configured on the Cisco IOS device. This argument accepts a string value and is mutually exclusive with the C(aggregate) argument. Please note that this option is not same as C(provider username). type: str required: true configured_password: description: - The password to be configured on the Cisco IOS device. The password needs to be provided in clear and it will be encrypted on the device. Please note that this option is not same as C(provider password). type: str update_password: description: - Since passwords are encrypted in the device running config, this argument will instruct the module when to change the password. When set to C(always), the password will always be updated in the device and when set to C(on_create) the password will be updated only if the username is created. choices: - on_create - always type: str password_type: description: - This argument determines whether a 'password' or 'secret' will be configured. choices: - secret - password type: str hashed_password: description: - This option allows configuring hashed passwords on Cisco IOS devices. type: dict suboptions: type: description: - Specifies the type of hash (e.g., 5 for MD5, 8 for PBKDF2, etc.) - For this to work, the device needs to support the desired hash type type: int required: true value: description: - The actual hashed password to be configured on the device required: true type: str privilege: description: - The C(privilege) argument configures the privilege level of the user when logged into the system. This argument accepts integer values in the range of 1 to 15. type: int view: description: - Configures the view for the username in the device running configuration. The argument accepts a string value defining the view name. This argument does not check if the view has been configured on the device. aliases: - role type: str sshkey: description: - Specifies one or more SSH public key(s) to configure for the given username. - This argument accepts a valid SSH key value. type: list elements: str nopassword: description: - Defines the username without assigning a password. This will allow the user to login to the system without being authenticated by a password. type: bool state: description: - Configures the state of the username definition as it relates to the device operational configuration. When set to I(present), the username(s) should be configured in the device active configuration and when set to I(absent) the username(s) should not be in the device active configuration choices: - present - absent type: str name: description: - The username to be configured on the Cisco IOS device. This argument accepts a string value and is mutually exclusive with the C(aggregate) argument. Please note that this option is not same as C(provider username). type: str configured_password: description: - The password to be configured on the Cisco IOS device. The password needs to be provided in clear and it will be encrypted on the device. Please note that this option is not same as C(provider password). type: str update_password: description: - Since passwords are encrypted in the device running config, this argument will instruct the module when to change the password. When set to C(always), the password will always be updated in the device and when set to C(on_create) the password will be updated only if the username is created. default: always choices: - on_create - always type: str password_type: description: - This argument determines whether a 'password' or 'secret' will be configured. default: secret choices: - secret - password type: str hashed_password: description: - This option allows configuring hashed passwords on Cisco IOS devices. type: dict suboptions: type: description: - Specifies the type of hash (e.g., 5 for MD5, 8 for PBKDF2, etc.) - For this to work, the device needs to support the desired hash type type: int required: true value: description: - The actual hashed password to be configured on the device required: true type: str privilege: description: - The C(privilege) argument configures the privilege level of the user when logged into the system. This argument accepts integer values in the range of 1 to 15. type: int view: description: - Configures the view for the username in the device running configuration. The argument accepts a string value defining the view name. This argument does not check if the view has been configured on the device. aliases: - role type: str sshkey: description: - Specifies one or more SSH public key(s) to configure for the given username. - This argument accepts a valid SSH key value. type: list elements: str nopassword: description: - Defines the username without assigning a password. This will allow the user to login to the system without being authenticated by a password. type: bool purge: description: - Instructs the module to consider the resource definition absolute. It will remove any previously configured usernames on the device with the exception of the `admin` user (the current defined set of users). type: bool default: false state: description: - Configures the state of the username definition as it relates to the device operational configuration. When set to I(present), the username(s) should be configured in the device active configuration and when set to I(absent) the username(s) should not be in the device active configuration default: present choices: - present - absent type: str extends_documentation_fragment: - cisco.ios.ios aq # Using state: present # Before state: # ------------- # router-ios#show running-config | section ^username # username testuser privilege 15 password 0 password # Present state create a new user play: # ------------------------------------- - name: Create a new user cisco.ios.ios_user: name: ansible nopassword: true sshkey: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" state: present # Task Output # ----------- # commands: # - ip ssh pubkey-chain # - username ansible # - key-hash ssh-rsa 2ABB27BBC33ED53EF7D55037952ABB27 test@fedora # - exit # - exit # - username ansible nopassword # After state: # ------------ # router-ios#show running-config | section username # username testuser privilege 15 password 0 password # username ansible nopassword # username ansible # key-hash ssh-rsa 2ABB27BBC33ED53EF7D55037952ABB27 test@fedora # Using state: present # Before state: # ------------- # router-ios#show running-config | section ^username # username testuser privilege 15 password 0 password # Present state create a new user with multiple keys play: # -------------------------------------------------------- - name: Create a new user with multiple keys cisco.ios.ios_user: name: ansible sshkey: - "{{ lookup('file', '~/.ssh/id_rsa.pub') }}" - "{{ lookup('file', '~/path/to/public_key') }}" state: present # Task Output # ----------- # commands: # - ip ssh pubkey-chain # - username ansible # - key-hash ssh-rsa 2ABB27BBC33ED53EF7D55037952ABB27 test@fedora # - key-hash ssh-rsa 1985673DCF7FA9A0F374BB97DC2ABB27 test@fedora # - exit # - exit # After state: # ------------ # router-ios#show running-config | section username # username testuser privilege 15 password 0 password # username ansible # key-hash ssh-rsa 2ABB27BBC33ED53EF7D55037952ABB27 test@fedora # key-hash ssh-rsa 1985673DCF7FA9A0F374BB97DC2ABB27 test@fedora # Using Purge: true # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # username testuser privilege 15 password 0 password # username ansible nopassword # username ansible # key-hash ssh-rsa 2ABB27BBC33ED53EF7D55037952ABB27 test@fedora # Purge all users except admin play: # ---------------------------------- - name: Remove all users except admin cisco.ios.ios_user: purge: true # Task Output # ----------- # commands: # - no username testuser # - no username ansible # - ip ssh pubkey-chain # - no username ansible # - exit # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password # Using Purge: true # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # username testuser privilege 15 password 0 password1 # username testuser1 privilege 15 password 0 password2 # username ansible nopassword # Purge all users except admin and these listed users play: # --------------------------------------------------------- - name: Remove all users except admin and these listed users cisco.ios.ios_user: aggregate: - name: testuser - name: testuser1 purge: true # Task Output # ----------- # commands: # - no username ansible # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password # username testuser privilege 15 password 0 password1 # username testuser1 privilege 15 password 0 password2 # Using state: present # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # username netop password 0 password1 # username netend password 0 password2 # Present state set multiple users to privilege level 15 play: # ------------------------------------------------------------ - name: Set multiple users to privilege level 15 cisco.ios.ios_user: aggregate: - name: netop - name: netend privilege: 15 state: present # Task Output # ----------- # commands: # - username netop privilege 15 # - username netend privilege 15 # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password # username netop privilege 15 password 0 password1 # username netend privilege 15 password 0 password2 # Using state: present # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # username netop privilege 15 password 0 oldpassword # Present state Change Password for User netop play: # -------------------------------------------- - name: Change Password for User netop cisco.ios.ios_user: name: netop configured_password: "newpassword" password_type: password update_password: always state: present # Task Output # ----------- # commands: # - username netop password newpassword # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password # username netop privilege 15 password 0 newpassword # Using state: present # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # username netop privilege 15 password 0 password # username netend privilege 15 password 0 password # Present state set user view/role for users play: # -------------------------------------------- - name: Set user view/role for users cisco.ios.ios_user: aggregate: - name: netop - name: netend view: network-admin state: present # Task Output # ----------- # commands: # - username netop view network-admin # - username netend view network-admin # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password # username netop privilege 15 view network-admin password 0 password # username netend privilege 15 view network-admin password 0 password # Using state: present # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # Present state create a new user with hashed password play: # -------------------------------------------------------------- - name: Create a new user with hashed password cisco.ios.ios_user: name: ansibletest5 hashed_password: type: 9 value: "thiswillbereplacedwithhashedpassword" state: present # Task Output # ----------- # commands: # - username ansibletest5 secret 9 thiswillbereplacedwithhashedpassword # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password # username ansibletest5 secret 9 thiswillbereplacedwithhashedpassword # Using state: absent # Before state: # ------------- # router-ios#show running-config | section ^username # username admin privilege 15 password 0 password # username ansibletest1 password 0 password # username ansibletest2 secret 9 thiswillbereplacedwithhashedpassword # username ansibletest3 password 5 thistoowillbereplacedwithhashedpassword # Absent state remove multiple users play: # ---------------------------------------- - name: Delete users with aggregate cisco.ios.ios_user: aggregate: - name: ansibletest1 - name: ansibletest2 - name: ansibletest3 state: absent # Task Output # ----------- # commands: # - no username ansibletest1 # - no username ansibletest2 # - no username ansibletest3 # After state: # ------------ # router-ios#show running-config | section username # username admin privilege 15 password 0 password z commands: description: The list of configuration mode commands to send to the device returned: always type: list sample: - username ansible secret password - username admin secret admin N)deepcopy)partial) AnsibleModule) iteritems)remove_default_spec) get_config load_configcP|r$d|cxkrdksn|jd|zyyy)Nz*privilege must be between 1 and 15, got %smsg) fail_json)valuemodules f/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/cisco/ios/plugins/modules/ios_user.pyvalidate_privileger<s/ Q%%2%IEQR&ucd|zddddS)Nno username %szMThis operation will remove all username related configurations with same nameyF)commandpromptanswernewline)usernames r user_del_cmdr!As#h.a  rc|jd|rD|jd|dz|D]}|jd|z|jdn|jd|dz|jdy)Nzip ssh pubkey-chainz username %snamez key-hash %sexitrappend)rwantxitems radd_sshr*Jsu NN()}tF|34 1D NN=4/ 0 1v'$v,67 NN6rcv|syd|vrl|jd}tjtj|dj j |d<dj|Sdtjtj|j j zS)N rz ssh-rsa %s)splithashlibmd5base64 b64decode hexdigestupperjoin)sshkeykeypartss rsshkey_fingerprintr7Vs  f}<<$kk&"2"28A;"?@JJLRRT xx!!gkk&*:*:6*BCMMOUUWWWrc t}|jd}|jd}d}d}d}|D]}|\} } | ddk(r/| dr t|| n|jt | d || | d r||| d | d z|| | d r||| d | d z|| | drt|| | d|| | dr:|dk(s| s3| r| dr|| dk7r|j d||| |d| d|| | dr||| | d||| | ds| dr ||| d||| t | d |S)Nupdate_password password_typecn|j|xr#|j||j|k7SN)get)r'haver(s r needs_updatez)map_obj_to_commands..needs_updateks*xx{9txx{dhhqk99rc8|jd|dd|y)N username r#r,r%)rr'r(s raddz map_obj_to_commands..addns4<;.add_hashed_passwordqs3&*6lM155=RSRWRWX_R` a rstateabsentr5r#viewzview %s privilegez privilege %sconfigured_passwordalwayszTCan not have both a user password and a user secret. Please choose one or the other.rr,hashed_password nopassword)listparamsr*r&r!r) updatesrcommandsr9r:r?rBrEupdater'r>s rmap_obj_to_commandsrSfsvHmm$56OMM/2M:= @ d =H $H~$' T&\ :; dF + $ DL 8 9 dK 0 $k1B B C dH - HdDN 3 d$9 :(*$D1mtOG\6\$$=%Hd}dCX>Y$Z[ d$5 6 $5F0G W dL 1L!HdL1HdLf$>?7@8 Orcttjd|tj}|r|jdSy)Nz view (\S+)r)researchMgroupdatamatchs r parse_viewr\s. IImT244 0E {{1~ rcd|z}tj||tj}g}|r7tjd|j tj}|r|}|S)Nzusername %s(\n\s+key-hash .+$)+zkey-hash (\S+ \S+(?: .+)?)$)rUrVrWfindallrX)rZusersshregexsshcfgkey_listr[s r parse_sshkeyrcsT2T9H YYxrtt ,FH  :FLLNBDDQ H Orctjd|tj}|rt|j dSy)Nzprivilege (\S+)r)rUrVrWintrXrYs rparse_privilegerfs4 II($ 5E 5;;q>"" rc^d}|r(|jddvr|jd}|S)N)passwordsecret)r-)rZrDs rparse_password_typerks2 D  R $::zz|B Krct|dg}tjd|tj}|s t St }t |D]}d|z}tj||tj}dj |}t||}|dd|vddt|||jr|rdnd |jr|gk(rd ndt|t|d }|j||S) Nz| section username)flagsz(?:^(?:u|\s{2}u))sername (\S+)zusername %s .+$ presentrMFT) r#rFrMrJrLr:r5is_only_ssh_useris_only_normal_userrIrH) r rUr^rWrNsetr4rcrkstriprfr\r&) rrZr[ instancesr_regexcfg ssh_key_listobjs rmap_config_to_objrys f%9$: ;D JJ94 FE v IE !D(jjbdd+iin#D$/ &#-#'#05"),4+.99;<2;M4SX(-sO   %& rc(|j|s|j|}n>|j|jdd}|j|}|||||}t jd|z}t ||fr ||||S)NrDstrz validate_%s)r=rO argument_spec _CHECK_ARGUMENT_TYPES_DISPATCHERglobalsall)keyr)rr value_type type_checker validators rget_param_valuers 88C= c"))#.2265A >>zJ T#YS  mc12I E9 % Lrc|jd}|s]|jds|jdr tS|jds|jdnpd|jdig}n]t}|D]N}t|ts|j d|i'd|vr|jd>|j |Pt}D]{}t t||}|d|d<|d |d <|d |d <|d |d <|d |d <t|d |d <|d|d<|j |}|S)N aggregater#purgezusername is requiredrzname is required)r)rrJrLrMrIrHr5rF) rOrNr isinstancedictr&rrrender_key_list)rusersrr)objects get_values rmap_params_to_objrsg MM+ &E }}V$w)?6Mv&   !7  8 &--"789IF  'DdD)  &$0t#  %7 8  &  'fG O$vF &/0E&F "#"+,="> &|4\%k2[ (V (8)<=X!'*W t  NrcPg}|r!|D]}|jt||Sr<)r&r7)ssh_keysrbr)s rrrs0H 6D OO.t4 5 6 Orct}|D]utfd|Dd}t|duddk(fr|jifA|sDt D]$\}}|s |||k7s|j|f&w|S)Nc3:K|]}|ddk(s|yw)r#Nr).0ientrys r z!update_objects.. s C1& U6](BQCsrFro)rNnextrr&r )r'r>rPr)rrrs @rupdate_objectsrsfG2CCTJ  eGn 9: ; NNE2; ' '. 2 UUd3i/NNE4=1 2 2 Nrc|Dcgc]}|| }}|Dcgc]}|| }}t|j|}|Dcgc] }|||vs |}}|Scc}wcc}wcc}wr<)rr difference) list1list2rr( want_users have_users setdifferencer)results rfind_set_differencersr"'(Q!C&(J("'(Q!C&(J( O..z:M$ CtS ](Bd CF C M )( Cs A A A"A"cDttddtdd}tttdtdd|td td d d g tdddg td tdgtdddtdddg  }t|}td|d<t|ttdd|ddgtd d}|j|d d!g}t ||d"}t }d|d#}t |}t|} tt|| |} |jd$rt|| d} | D]w} | dd%k7s | d&r t| | | d'r| jt| d| d'dusG| d&dusOt| | | jt| dy| |d(<| r|js t!|| d|d)<|j"d+i|y*),z%main entry point for module executionreT)rDrequired)no_logr)rDr)rr)rrDoptionsbool)rDrK on_create)defaultchoicesrjrirole)aliasesrNr{F)rDelementsrrorG) r#rJrLrMr9r:rIrHr5rF)rr#r collection)rDrrr)rDr)rr)r#r)rMrLrJ)r|mutually_exclusivesupports_check_mode)changedwarningsradminrprqrQrNr)rrr rRrrNrryrSrrOrr*r&r! check_moder exit_json) hashed_password_spec element_specaggregate_specr|rrrrr'r>rQrr)s rmainrs; ut ,$. V -Dv?STV$X X7NO8h 5KLE" 6( #%>9y(.CD Ll+N!40N6'"l+  .M&@#- F vHH 5F V $D V $D">$#=vFH }}W+D$? ! @DF|w&*+Hd+-.OOLf$>?-.%7DAS? @"F:   ) yFvr__main__r<)* __future__rrrrD __metaclass__ DOCUMENTATIONEXAMPLESRETURNr0r.rUcopyr functoolsransible.module_utils.basicransible.module_utils.sixr Oansible_collections.ansible.netcommon.plugins.module_utils.network.common.utilsr Bansible_collections.cisco.ios.plugins.module_utils.network.ios.iosr r rr!r*r7rSr\rcrfrkryrrrrrr__name__rrrrs$A@ E N@ D   4. S   X ,^ # 8"@ ?D zFr