panos_administrator – Manage PAN-OS administrator user accounts

New in version 2.8.

Synopsis

  • Manages PAN-OS administrator user accounts.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter Choices/Defaults Comments
admin_password
-
New plain text password for the admin_username user.
If this is not specified, then the password is left as-is.
Takes priority over admin_phash
admin_phash
-
New password hash for the admin_username user
If this is not specified, then the phash is left as-is.
admin_username
-
Default:
admin
Admin name.
api_key
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The API key to use instead of generating it using username / password.
authentication_profile
-
The authentication profile.
commit
boolean
    Choices:
  • no
  • yes ←
Commit configuration if changed.
device_admin
boolean
    Choices:
  • no
  • yes
Admin type - device admin
device_admin_read_only
boolean
    Choices:
  • no
  • yes
Admin type - device admin, read only
ip_address
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The IP address or hostname of the PAN-OS device being configured.
panorama_admin
boolean
    Choices:
  • no
  • yes
This is for Panorama only.
Make the user a Panorama admin only
password
string
Deprecated
Use provider to specify PAN-OS connectivity instead.

The password to use for authentication. This is ignored if api_key is specified.
password_profile
-
The password profile for this user.
port
integer
Default:
443
Deprecated
Use provider to specify PAN-OS connectivity instead.

The port number to connect to the PAN-OS device on.
provider
-
added in 2.8
A dict object containing connection details.
api_key
string
The API key to use instead of generating it using username / password.
ip_address
string
The IP address or hostname of the PAN-OS device being configured.
password
string
The password to use for authentication. This is ignored if api_key is specified.
port
integer
Default:
443
The port number to connect to the PAN-OS device on.
serial_number
string
The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.
username
string
Default:
admin
The username to use for authentication. This is ignored if api_key is specified.
role_profile
-
The role based profile.
ssh_public_key
-
Use public key authentication (ssh)
state
string
    Choices:
  • present ←
  • absent
The state.
superuser
boolean
    Choices:
  • no
  • yes
Admin type - superuser
superuser_read_only
boolean
    Choices:
  • no
  • yes
Admin type - superuser, read only
template
string
(Panorama only) The template this operation should target. Mutually exclusive with template_stack.
template_stack
string
(Panorama only) The template stack this operation should target. Mutually exclusive with template.
username
string
Default:
admin
Deprecated
Use provider to specify PAN-OS connectivity instead.

The username to use for authentication. This is ignored if api_key is specified.
vsys
list
This is for multi-vsys physical firewalls only.
The list of vsys this admin should manage.
vsys_read_only
list
This is for multi-vsys physical firewalls only.
The list of vsys this read only admin should manage.
web_client_cert_only
boolean
    Choices:
  • no
  • yes
Use only client certificate authenciation (Web)

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • Because “request password-hash” does not always generate the same hash with the same password every time, it isn’t possible to tell if the admin’s password is correct or not. Specifying check mode or state=present with admin_password specified will always report changed=True in the return value.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

# Configure user "foo"
# Doesn't commit the candidate config
  - name: configure foo administrator
    panos_administrator:
      provider: '{{ provider }}'
      admin_username: 'foo'
      admin_password: 'secret'
      superuser: true
      commit: false

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
status
string
success
success status

Sample:
done


Status

Authors

  • Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)