Cannot Authenticate Using Username and Password in Ansible 10 + core 2.17 #316

Closed
andrewlass opened this issue Jun 10, 2024 · 9 comments

andrewlass commented Jun 10, 2024

Hello,
It seems that in the newest releases of Ansible (10.x) and ansible-core (2.17.x), token authentication is being enforced. We are using username and password for our authentication. Is this enforcement behavior expected? Still working on figuring out which specific version of ansible-core introduced this. It appears to be 2.17.0 based on this Google groups page -- https://groups.google.com/g/ansible-project/c/y7esQZvQUCc?pli=1

See attached file for auth example since formatting is gross inline. Notice that I'm storing the username into built-in "ansible_user" and password into built-in "ansible_password".
auth-example.yaml.txt

See below for versioning output:

Pip freeze

ansible==10.0.1
ansible-core==2.17.0
argcomplete==3.3.0
cffi==1.16.0
cryptography==42.0.8
Jinja2==3.1.4
MarkupSafe==2.1.5
packaging==24.0
pycparser==2.22
PyYAML==6.0.1
resolvelib==1.0.1

ansible --version

ansible [core 2.17.0]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /root/.local/lib/python3.10/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /root/.local/bin/ansible
python version = 3.10.13 (main, Jun 7 2024, 17:37:25) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/root/.pyenv/versions/3.10.13/bin/python3)
jinja version = 3.1.4
libyaml = True

@andrewlass andrewlass changed the title Cannot Authenticate Using Username and Password Cannot Authenticate Using Username and Password in 2.17.0 Jun 10, 2024
@andrewlass
Author

Error example:

TASK [Configure IPv4/IPv6 policies -- General ingress blocks.] ****************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ansible.module_utils.connection.ConnectionError: Requested entry (plugin_type: connection plugin: ansible_collections.ansible.netcommon.plugins.connection.httpapi setting: access_token ) was not defined in configuration.
fatal: [primary]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-local-110128n0j7ag06/ansible-tmp-1718047868.2388742-110331-27790019923505/AnsiballZ_fortios_firewall_policy.py\", line 107, in <module>\n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-local-110128n0j7ag06/ansible-tmp-1718047868.2388742-110331-27790019923505/AnsiballZ_fortios_firewall_policy.py\", line 99, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-local-110128n0j7ag06/ansible-tmp-1718047868.2388742-110331-27790019923505/AnsiballZ_fortios_firewall_policy.py\", line 47, in invoke_module\n runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_firewall_policy', init_globals=dict(_module_fqn='ansible_collections.fortinet.fortios.plugins.modules.fortios_firewall_policy', _modlib_path=modlib_path),\n File \"/root/.pyenv/versions/3.10.13/lib/python3.10/runpy.py\", line 224, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/root/.pyenv/versions/3.10.13/lib/python3.10/runpy.py\", line 96, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/root/.pyenv/versions/3.10.13/lib/python3.10/runpy.py\", line 86, in _run_code\n exec(code, run_globals)\n File \"/root/writable-tmp/ansible_fortios_firewall_policy_payload_ag4sm_l3/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py\", line 3469, in <module>\n File \"/root/writable-tmp/ansible_fortios_firewall_policy_payload_ag4sm_l3/ansible_fortios_firewall_policy_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_policy.py\", line 3424, in main\n File \"/root/writable-tmp/ansible_fortios_firewall_policy_payload_ag4sm_l3/ansible_fortios_firewall_policy_payload.zip/ansible/module_utils/connection.py\", line 199, in __rpc__\nansible.module_utils.connection.ConnectionError: Requested entry (plugin_type: connection plugin: ansible_collections.ansible.netcommon.plugins.connection.httpapi setting: access_token ) was not defined in configuration.\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

@andrewlass
Author

I was able to get username and password auth to work by reverting back to the latest and greatest of ansible 9 and ansible-core 2.16. See below for versioning:

pip freeze

ansible==9.6.1
ansible-core==2.16.7
argcomplete==3.3.0
cffi==1.16.0
cryptography==42.0.8
Jinja2==3.1.4
MarkupSafe==2.1.5
packaging==24.1
pycparser==2.22
PyYAML==6.0.1
resolvelib==1.0.1

ansible --version

ansible [core 2.16.7]
config file = None
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /root/.local/lib/python3.10/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /root/.local/bin/ansible
python version = 3.10.14 (main, Jun 10 2024, 20:01:29) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/root/.pyenv/versions/3.10.14/bin/python3)
jinja version = 3.1.4
libyaml = True

@andrewlass andrewlass changed the title Cannot Authenticate Using Username and Password in 2.17.0 Cannot Authenticate Using Username and Password in Ansible 10 + core 2.17 Jun 10, 2024
@MaxxLiu22

Hi @andrewlass ,

Thank you for raising this issue. I have been able to reproduce it and noticed that it has also been reproduced in our other Fortinet Ansible collection. I have notified the development team for further investigation. In the meantime, please consider using an older version of Ansible Core as a temporary solution.

Thanks,
Maxx

@fanttazio

@andrewlass I'm facing the same issue even though I'm running an old version of Ansible.
So API token auth works, user/pass auth fails. However, the firewall is running on fortios 7.2.8.
Do you mind telling what's the fortios version you're running? I have a suspicion that new fortios versions enforce only token auth for API.

@andrewlass
Author

@fanttazio we're running 7.2.8 everywhere. Did you downgrade both Ansible and ansible-core? Maybe post a pip freeze so we can compare environments.

@fanttazio

@andrewlass hmm, I don't know what I'm missing. My Ansible and Python versions are ancient:

❯ pip freeze
ansible==2.10.7
ansible-base==2.10.10
cffi==1.14.5
cryptography==3.4.7
Jinja2==3.0.1
jmespath==1.0.1
MarkupSafe==2.0.1
netaddr==0.8.0
packaging==20.9
pycparser==2.20
pyparsing==2.4.7
PyYAML==5.4.1

❯ python --version
Python 3.8.10

and I get this err for :
"module_stderr": "Traceback (most recent call last):\n File \"/home/fanttazio/.ansible/tmp/ansible-local-2845005vd0lstox/ansible-tmp-1719419405.3563452-2845156-52512648879061/AnsiballZ_fortios_system_interface.py\", line 102, in <module>\n _ansiballz_main()\n File \"/home/fanttazio/.ansible/tmp/ansible-local-2845005vd0lstox/ansible-tmp-1719419405.3563452-2845156-52512648879061/AnsiballZ_fortios_system_interface.py\", line 94, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/home/fanttazio/.ansible/tmp/ansible-local-2845005vd0lstox/ansible-tmp-1719419405.3563452-2845156-52512648879061/AnsiballZ_fortios_system_interface.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_system_interface', init_globals=None, run_name='__main__', alter_sys=True)\n File \"/usr/lib/python2.7/runpy.py\", line 188, in run_module\n fname, loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 82, in _run_module_code\n mod_name, mod_fname, mod_loader, pkg_name)\n File \"/usr/lib/python2.7/runpy.py\", line 72, in _run_code\n exec code in run_globals\n File \"/tmp/ansible_fortios_system_interface_payload_satpil/ansible_fortios_system_interface_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_interface.py\", line 12242, in <module>\n File \"/tmp/ansible_fortios_system_interface_payload_satpil/ansible_fortios_system_interface_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_interface.py\", line 12219, in main\n File \"/tmp/ansible_fortios_system_interface_payload_satpil/ansible_fortios_system_interface_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py\", line 248, in check_schema_versioning\n File \"/tmp/ansible_fortios_system_interface_payload_satpil/ansible_fortios_system_interface_payload.zip/ansible/module_utils/connection.py\", line 195, in __rpc__\nansible.module_utils.connection.ConnectionError: Method not found\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1 }

but if I use access token, it just works fine.

@andrewlass
Author

Ah, this particular error you're getting is unrelated to the topic of this issue. Perhaps you can open a new issue and post a scrubbed version of your inventory and playbook?

@MaxxLiu22

Hi @andrewlass

We just released Ansible FOS 2.3.7. This issue should be fixed, so you could upgrade to it and give it a try at your convenience.

ansible-galaxy collection install fortinet.fortios:2.3.7

Thanks,
Maxx

@andrewlass
Author

Woohoo! Thanks @MaxxLiu22 , I appreciate the follow up. We can all use some good news now and again.

I'll get this tested and report back.

@JieX19 JieX19 closed this as completed Aug 20, 2024
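
Added example, not part of the original thread or of the fortinet.fortios project: a Python triage helper that separates the `access_token ... was not defined in configuration` failure reported in this issue from the unrelated `Method not found` error, using the message text quoted in the tracebacks above. The sample lines, the host name `fw01` and the collection version passed to `triage` are constructed.

```python
import json
import re

# Message format copied from the traceback quoted in this issue.
UNDEFINED_OPTION = re.compile(
    r"Requested entry \(plugin_type: (?P<plugin_type>\S+) plugin: (?P<plugin>\S+) "
    r"setting: (?P<setting>\S+)\s*\)\s*was not defined in configuration"
)
FIXED_COLLECTION = (2, 3, 7)  # fortinet.fortios release named as the fix in this thread


def connection_error(fatal_line):
    """Return the ConnectionError text from a 'fatal: ... => {json}' line, else None."""
    _, sep, payload = fatal_line.partition("=> ")
    try:
        result = json.loads(payload) if sep else None
    except ValueError:  # truncated or non-JSON result
        return None
    if not isinstance(result, dict):
        return None
    for line in reversed(result.get("module_stderr", "").splitlines()):
        if "ConnectionError: " in line:
            return line.split("ConnectionError: ", 1)[1].strip()
    return None


def triage(fatal_line, collection_version):
    """Separate this issue's undefined-access_token failure from other httpapi errors."""
    message = connection_error(fatal_line)
    if message is None:
        return {"kind": "no-connection-error"}
    m = UNDEFINED_OPTION.search(message)
    if m and m["setting"] == "access_token" and m["plugin"].endswith(".httpapi"):
        installed = tuple(int(part) for part in collection_version.split("."))
        advice = ("collection already at the fixed release; look elsewhere"
                  if installed >= FIXED_COLLECTION
                  else "upgrade fortinet.fortios to 2.3.7, or pin ansible-core to 2.16 meanwhile")
        return {"kind": "access-token-undefined", "plugin": m["plugin"], "advice": advice}
    return {"kind": "other-connection-error", "message": message}


def _fatal(host, stderr):  # builds a constructed 'fatal:' line for the samples below
    return f"fatal: [{host}]: FAILED! => " + json.dumps({"changed": False, "module_stderr": stderr, "rc": 1})


# Constructed samples, shortened from the two tracebacks posted in this thread.
TOKEN_UNDEFINED = _fatal("primary", "Traceback (most recent call last):\n  ...\n"
    "ansible.module_utils.connection.ConnectionError: Requested entry (plugin_type: connection "
    "plugin: ansible_collections.ansible.netcommon.plugins.connection.httpapi "
    "setting: access_token ) was not defined in configuration.\n")
METHOD_NOT_FOUND = _fatal("fw01", "Traceback (most recent call last):\n  ...\n"
    "ansible.module_utils.connection.ConnectionError: Method not found\n")
```
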