paloaltonetworks.panos.panos_administrator module – Manage PAN-OS administrator user accounts.

Note

This module is part of the paloaltonetworks.panos collection (version 2.21.2).

To install it, use: ansible-galaxy collection install paloaltonetworks.panos. This module has further requirements; see Requirements for details.

To use it in a playbook, specify: paloaltonetworks.panos.panos_administrator.

New in paloaltonetworks.panos 1.0.0

Synopsis

  • Manages PAN-OS administrator user accounts.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

admin_password

string

New plain text password for the admin_username user.

If this is not specified, then the password is left as-is.

Takes priority over admin_phash

admin_phash

string

New password hash for the admin_username user

If this is not specified, then the phash is left as-is.

admin_username

string

Admin name.

Default: "admin"

api_key

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The API key to use instead of generating it using username / password.

authentication_profile

string

The authentication profile.

commit

boolean

Deprecated

Please use paloaltonetworks.panos.panos_commit_firewall, paloaltonetworks.panos.panos_commit_panorama, paloaltonetworks.panos.panos_commit_push instead.


Commit changes after creating object. If ip_address is a Panorama device, and device_group or template are also set, perform a commit to Panorama and a commit-all to the device group/template.

Choices:

device_admin

boolean

device_admin_read_only

boolean

gathered_filter

string

When state=gathered.

An advanced filtering option to filter results returned from PAN-OS.

Refer to the guide discussing gathered_filter for more information.

ip_address

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The IP address or hostname of the PAN-OS device being configured.

panorama_admin

boolean

This is for Panorama only.

Make the user a Panorama admin only

Choices:

password

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The password to use for authentication. This is ignored if api_key is specified.

password_profile

string

The password profile for this user.

port

integer

Deprecated

Use provider to specify PAN-OS connectivity instead.


The port number to connect to the PAN-OS device on.

Default: 443

provider

dictionary

added in paloaltonetworks.panos 1.0.0

A dict object containing connection details.

api_key

string

The API key to use instead of generating it using username / password.

ip_address

string

The IP address or hostname of the PAN-OS device being configured.

password

string

The password to use for authentication. This is ignored if api_key is specified.

port

integer

The port number to connect to the PAN-OS device on.

Default: 443

serial_number

string

The serial number of a firewall to use for targeted commands. If ip_address is not a Panorama PAN-OS device, then this param is ignored.

username

string

The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

role_profile

string

The role based profile.

ssh_public_key

string

Use public key authentication (ssh)

state

string

superuser

boolean

superuser_read_only

boolean

template

string

(Panorama only) The template this operation should target. Mutually exclusive with template_stack.

template_stack

string

(Panorama only) The template stack this operation should target. Mutually exclusive with template.

username

string

Deprecated

Use provider to specify PAN-OS connectivity instead.


The username to use for authentication. This is ignored if api_key is specified.

Default: "admin"

vsys

list / elements=string

This is for multi-vsys physical firewalls only.

The list of vsys this admin should manage.

vsys_read_only

list / elements=string

This is for multi-vsys physical firewalls only.

The list of vsys this read only admin should manage.

web_client_cert_only

boolean

Use only client certificate authentication (Web)

Choices:

Notes

Note

  • Checkmode is supported.

  • Panorama is supported.

  • Because “request password-hash” does not always generate the same hash with the same password every time, it isn’t possible to tell if the admin’s password is correct or not. Specifying check mode or state=present with admin_password specified will always report changed=True in the return value.

  • PAN-OS connectivity should be specified using provider or the classic PAN-OS connectivity params (ip_address, username, password, api_key, and port). If both are present, then the classic params are ignored.

  • If the PAN-OS to be configured is Panorama, either template or template_stack must be specified.

Examples

# Configure user "foo"
- name: configure foo administrator
  paloaltonetworks.panos.panos_administrator:
    provider: '{{ provider }}'
    admin_username: 'foo'
    admin_password: 'secret'
    superuser: true
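
The playbook below is an added example, not part of the collection's own documentation. It creates a read-only administrator from a precomputed hash (admin_phash) instead of a plain-text admin_password, takes its secrets from vaulted variables, and commits with panos_commit_firewall rather than the deprecated commit option. The inventory group, account name, password profile name and the vault_* variable names are assumptions.

```yaml
# Added example: names marked "hypothetical" or "constructed" are not from the module docs.
- name: Manage a read-only PAN-OS administrator without plaintext secrets
  hosts: firewalls                  # hypothetical inventory group
  connection: local
  gather_facts: false

  vars:
    provider:
      ip_address: "{{ inventory_hostname }}"
      api_key: "{{ vault_panos_api_key }}"        # hypothetical Ansible Vault variable

  tasks:
    - name: Ensure the auditor account exists with read-only rights
      paloaltonetworks.panos.panos_administrator:
        provider: "{{ provider }}"
        admin_username: "auditor"                  # constructed account name
        admin_phash: "{{ vault_auditor_phash }}"   # hypothetical vaulted hash, no plaintext password
        superuser_read_only: true                  # read-only instead of full superuser
        password_profile: "admins-90d"             # hypothetical profile, assumed to exist on the device
        state: present
      no_log: true                  # keep the hash and API key out of task output and logs
      register: auditor_admin

    - name: Commit only when the account actually changed
      paloaltonetworks.panos.panos_commit_firewall:
        provider: "{{ provider }}"
      when: auditor_admin is changed
```

When the target is Panorama, add template or template_stack to the panos_administrator task, as the Notes require.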

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

status

string

success status

Returned: success

Sample: "done"

Authors

  • Garfield Lee Freeman (@shinmog)