panos_administrator – Manage PAN-OS administrator user accounts
New in version 2.8.
Requirements
The below requirements are needed on the host that executes this module.
pan-python can be obtained from PyPI https://pypi.python.org/pypi/pan-python
pandevice can be obtained from PyPI https://pypi.python.org/pypi/pandevice
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
admin_password (-) | | New plain text password for the admin_username user. If this is not specified, then the password is left as-is. Takes priority over admin_phash. |
admin_phash (-) | | New password hash for the admin_username user. If this is not specified, then the phash is left as-is. |
admin_username (-) | Default: admin | Admin name. |
api_key (string) | | Deprecated. Use provider to specify PAN-OS connectivity instead. The API key to use instead of generating it using username / password. |
authentication_profile (-) | | The authentication profile. |
commit (boolean) | | Commit configuration if changed. |
device_admin (boolean) | | Admin type - device admin |
device_admin_read_only (boolean) | | Admin type - device admin, read only |
ip_address (string) | | Deprecated. Use provider to specify PAN-OS connectivity instead. The IP address or hostname of the PAN-OS device being configured. |
panorama_admin (boolean) | | This is for Panorama only. Make the user a Panorama admin only. |
password (string) | | Deprecated. Use provider to specify PAN-OS connectivity instead. The password to use for authentication. This is ignored if api_key is specified. |
password_profile (-) | | The password profile for this user. |
port (integer) | Default: 443 | Deprecated. Use provider to specify PAN-OS connectivity instead. The port number to connect to the PAN-OS device on. |
provider (-), added in 2.8 | | A dict object containing connection details. |
provider.api_key (string) | | The API key to use instead of generating it using username / password. |
provider.ip_address (string) | | The IP address or hostname of the PAN-OS device being configured. |
provider.password (string) | | The password to use for authentication. This is ignored if api_key is specified. |
provider.port (integer) | Default: 443 | The port number to connect to the PAN-OS device on. |
provider.serial_number (string) | | The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored. |
provider.username (string) | Default: admin | The username to use for authentication. This is ignored if api_key is specified. |
role_profile (-) | | The role based profile. |
ssh_public_key (-) | | Use public key authentication (ssh) |
state (string) | | The state. |
superuser (boolean) | | Admin type - superuser |
superuser_read_only (boolean) | | Admin type - superuser, read only |
template (string) | | (Panorama only) The template this operation should target. Mutually exclusive with template_stack. |
template_stack (string) | | (Panorama only) The template stack this operation should target. Mutually exclusive with template. |
username (string) | Default: admin | Deprecated. Use provider to specify PAN-OS connectivity instead. The username to use for authentication. This is ignored if api_key is specified. |
vsys (list) | | This is for multi-vsys physical firewalls only. The list of vsys this admin should manage. |
vsys_read_only (list) | | This is for multi-vsys physical firewalls only. The list of vsys this read only admin should manage. |
web_client_cert_only (boolean) | | Use only client certificate authentication (Web) |
Notes
Note
Checkmode is supported.
Panorama is supported.
Because “request password-hash” does not always generate the same hash with the same password every time, it isn’t possible to tell if the admin’s password is correct or not. Specifying check mode or state=present with admin_password specified will always report changed=True in the return value.
PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.
If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.
Examples
# Configure user "foo"
# Doesn't commit the candidate config
- name: configure foo administrator
  panos_administrator:
    provider: '{{ provider }}'
    admin_username: 'foo'
    admin_password: 'secret'
    superuser: true
    commit: false
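A variant of the task above that keeps secrets out of the playbook and separates role management from password changes, so the always-changed result described in the Notes only appears when a password is deliberately set. This is an added example, not part of the module documentation; the vault_* variables (assumed to come from an Ansible Vault-encrypted vars file), the auditor account name and the rotate tag are assumptions.

```yaml
# Added example. The vault_* variables, the "auditor" account and the
# "rotate" tag are assumptions, not names from the module documentation.
- name: Manage a PAN-OS administrator without inline secrets
  hosts: localhost
  connection: local
  gather_facts: false

  vars:
    provider:
      ip_address: '{{ vault_panos_host }}'
      # username / password are ignored when api_key is specified
      api_key: '{{ vault_panos_api_key }}'

  tasks:
    # Neither admin_password nor admin_phash is given, so the password is
    # left as-is and the Notes' always-changed case (admin_password
    # specified) does not apply to this task.
    - name: Ensure auditor is a read-only superuser
      panos_administrator:
        provider: '{{ provider }}'
        admin_username: 'auditor'
        superuser_read_only: true
        commit: false

    # Setting admin_password always reports changed=True, so this task is
    # tagged "never" and runs only when the "rotate" tag is requested.
    - name: Set auditor password
      panos_administrator:
        provider: '{{ provider }}'
        admin_username: 'auditor'
        admin_password: '{{ vault_auditor_password }}'
        superuser_read_only: true
        commit: false
      no_log: true          # keep the task's arguments and result out of logs
      tags: [never, rotate]
```

Run the play as-is (optionally with --check) to verify the account's admin type, and with --tags rotate to set a new password; in the latter case only the tagged task runs.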
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
status (string) | success | success status. Sample: done |
Status
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community.
Authors
Luigi Mori (@jtschichold), Ivan Bojer (@ivanbojer)