nxos_user: Module is not idempotent when AAA users are "cached" #698

thomasbridge74 opened this issue Jun 19, 2023 · 0 comments

SUMMARY

The nxos_user module will try to delete accounts which are known to the device via AAA "caching". As these accounts aren't in the running configuration, the no username <aaa_user> command has no effect. But the next time the module is run against those devices, it attempts to remove them again.

(May be related to #107, which was closed for lack of information.)

ISSUE TYPE
  • Bug Report
COMPONENT NAME

nxos_user

ANSIBLE VERSION
ansible [core 2.14.1]
  config file = None
  configured module search path = ['/home/thomas.bridge/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/lib/python3.9/site-packages/ansible
  ansible collection location = /home/thomas.bridge/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/bin/ansible
  python version = 3.9.6 (default, Aug 11 2021, 06:39:25) [GCC 8.5.0 20210514 (Red Hat 8.5.0-3)] (/home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/bin/python)
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
# /home/thomas.bridge/.cache/pypoetry/virtualenvs/compliance-5rXZBRZ5-py3.9/lib/python3.9/site-packages/ansible_collections
Collection Version
---------- -------
cisco.nxos 4.0.1
CONFIGURATION
CONFIG_FILE() = None
OS / ENVIRONMENT

Issue shows up when running the module against switches with version 7.0 and 9.3

STEPS TO REPRODUCE
  1. Have a device using AAA for login.
  2. Login using an account not configured as a local_user.
  3. Run local_user module against the device twice and check the output of the commands variable.
EXPECTED RESULTS

I would expect the module to ignore/not attempt to delete a cached output.

ACTUAL RESULTS

A no username <aaa_user> command is attempted/executed on every run.

The issue appears to be that in the map_config_to_obj function the module is getting the configuration from the show user-account command. However, that command will show "cached" users learnt from AAA which aren't part of the device configuration (a sanitized output is shown below). The module will then calculate that a no username <aaa_user> should be executed as part of the change, but that doesn't change the device configuration and means that the next time the module is run it will again attempt to execute a change.

out = run_commands(module, [{"command": "show user-account", "output": "json"}])

user:admin
        this user account has no expiry date
        roles:network-admin 
user:local_user
        this user account has no expiry date
        roles:network-admin 
user:aaa_user1
        roles:network-admin 
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
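The following is an added example, not code from the issue or from the cisco.nxos collection. It shows the check a practitioner would want the module to make: parse the `show user-account` output, mark entries that carry the "account created through REMOTE authentication" line as AAA-cached, and compute `no username` commands only for locally configured accounts. It parses the text form of the output as sanitized in the issue (the module itself requests JSON; that is an assumption), the sample output is constructed from the issue text, and `simulate_device` is a hypothetical stand-in for the switch that drops a user only when the account is local, which is the behaviour the issue describes. Running the naive diff twice reproduces the non-idempotent `no username aaa_user1`; the filtered diff converges after one run.

```python
"""Added example (not cisco.nxos code): keep AAA-cached users out of the
desired-state diff so `no username` is only emitted for local accounts."""
import re

# Constructed sample, modelled on the sanitized `show user-account` text
# output in the issue. Cached AAA users carry the REMOTE marker line.
SHOW_USER_ACCOUNT = """\
user:admin
        this user account has no expiry date
        roles:network-admin
user:local_user
        this user account has no expiry date
        roles:network-admin
user:aaa_user1
        roles:network-admin
account created through REMOTE authentication
Credentials such as ssh server key will be cached temporarily only for this user account
Local login not possible
"""

REMOTE_MARKER = "account created through REMOTE authentication"


def parse_user_accounts(text):
    """Return {name: {"roles": [...], "remote": bool}} from text output.

    Lines after a `user:` header belong to that user until the next header,
    including the unindented REMOTE/credential lines shown in the issue.
    """
    users = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("user:"):
            current = stripped[len("user:"):].strip()
            users[current] = {"roles": [], "remote": False}
        elif current is None:
            continue
        elif stripped.startswith("roles:"):
            users[current]["roles"] = stripped[len("roles:"):].split()
        elif stripped.startswith(REMOTE_MARKER):
            users[current]["remote"] = True
    return users


def local_users(text):
    """Names of accounts that are actually in the running configuration."""
    return {n for n, u in parse_user_accounts(text).items() if not u["remote"]}


def purge_commands(text, want, naive=False):
    """Commands removing users absent from `want`.

    naive=True treats every `show user-account` entry as configured, which
    is the behaviour the issue reports; naive=False skips cached AAA users.
    """
    have = set(parse_user_accounts(text)) if naive else local_users(text)
    return [f"no username {u}" for u in sorted(have - set(want))]


def simulate_device(text, commands):
    """Hypothetical switch: `no username X` removes X from the output only
    if X is a local account; cached AAA entries are unaffected (assumption
    matching the behaviour described in the issue)."""
    accounts = parse_user_accounts(text)
    doomed = set()
    for cmd in commands:
        m = re.fullmatch(r"no username (\S+)", cmd)
        if m and m.group(1) in accounts and not accounts[m.group(1)]["remote"]:
            doomed.add(m.group(1))
    out, skip = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("user:"):
            skip = stripped[len("user:"):].strip() in doomed
        if not skip:
            out.append(line)
    return "\n".join(out) + "\n"


def converge(text, want, naive=False, runs=2):
    """Run the diff `runs` times against the simulated device and return the
    command list from each run; an idempotent module yields [] after run 1."""
    history = []
    for _ in range(runs):
        cmds = purge_commands(text, want, naive)
        history.append(cmds)
        text = simulate_device(text, cmds)
    return history


if __name__ == "__main__":
    print("naive   :", converge(SHOW_USER_ACCOUNT, ["admin"], naive=True))
    print("filtered:", converge(SHOW_USER_ACCOUNT, ["admin"]))
```

With the desired state `["admin"]`, the naive diff emits `no username aaa_user1` on every run because the cached entry never leaves `show user-account`; the filtered diff emits `no username local_user` once and nothing on the second run.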
@KB-perByte KB-perByte self-assigned this Jun 21, 2023