one_template only returns templates owned by user but not by group membership #9278

skropf opened this issue Dec 18, 2024 · 6 comments · May be fixed by #9547
Labels
bug This issue/PR relates to a bug module module plugins plugin (any type)

skropf commented Dec 18, 2024

Summary

When I try to instantiate a VM by using a template which is not owned/created by my user, the execution fails by reporting that the template cannot be found, although this is possible by using the web interface (thus the permissions/ACLs should be set correctly).

I think I have found the corresponding code lines:

# one_template.py
    def get_template(self, predicate):
        # -3 means "Resources belonging to the user"
        # the other two parameters are used for pagination, -1 for both essentially means "return all"
        pool = self.one.templatepool.info(-3, -1, -1)

        for template in pool.VMTEMPLATE:
            if predicate(template):
                return template

        return None

I can see here that it is intended to only return templates which are owned by the user.

So my question here is if that's how it should be, because I would like to get all templates which are usable by my user and group, so that I can create VMs by using templates where I have access according to groups/ACLs.

Besides the Ansible versions which are stated below, the OpenNebula version is 6.8.2.

Any help/input is appreciated! Thanks!

Issue Type

Bug Report

Component Name

one_template

Ansible Version

$ ansible --version
ansible [core 2.18.1]
  config file = None
  configured module search path = ['/home/skropf/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/skropf/Work/projects/ansible-playbooks/venv/lib/python3.11/site-packages/ansible
  ansible collection location = /home/skropf/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/skropf/Work/projects/ansible-playbooks/venv/bin/ansible
  python version = 3.11.2 (main, Sep 14 2024, 03:00:30) [GCC 12.2.0] (/home/skropf/Work/projects/ansible-playbooks/venv/bin/python3)
  jinja version = 3.1.4
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

# /home/skropf/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 10.1.0 

# /home/skropf/Work/projects/ansible-playbooks/venv/lib/python3.11/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 10.1.0

Configuration

$ ansible-config dump --only-changed
CONFIG_FILE() = None

GALAXY_SERVERS:

OS / Environment

Debian 12

Steps to Reproduce

---
- name: Minimal reproduction playbook
  hosts: localhost
  vars_prompt:
    - name: username
      prompt: Username
      private: no
    - name: password
      prompt: Password
      private: yes
  vars:
    instance: ion2
    domain: example.com
    template_id: 1
  tasks:
    - name: "[Check login] - OpenNebula login + template"
      community.general.one_template:
        api_url: "https://api.{{ instance }}.{{ domain }}"
        api_username: "{{ username }}"
        api_password: "{{ password }}"
        id: "{{ template_id }}"
        #name: "{{ template_name }}"
        template: ""
      check_mode: true # very important, otherwise the template will be overwritten
      changed_when: false

Expected Results

With a template which was created by my user:

[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
Username: skropf
Password: 

PLAY [Minimal reproduction playbook] *******************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************************
ok: [localhost]

TASK [[Check login] - OpenNebula login + template] *****************************************************************************************************************************************************************
ok: [localhost]

PLAY RECAP *********************************************************************************************************************************************************************************************************
localhost                  : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

Actual Results

With a template which was not created by my user but I have appropriate access according to the ACLs.

[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
Username: skropf
Password: 

PLAY [Minimal reproduction playbook] *******************************************************************************************************************************************************************************

TASK [Gathering Facts] *********************************************************************************************************************************************************************************************
ok: [localhost]

TASK [[Check login] - OpenNebula login + template] *****************************************************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "There is no template with id=1"}

PLAY RECAP *********************************************************************************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
@ansibullbot ansibullbot added bug This issue/PR relates to a bug module module plugins plugin (any type) labels Dec 18, 2024
Author

skropf commented Dec 18, 2024

After a bit more digging into the OpenNebula XML-RPC API docs I found the parameters for the templatepool.info function here.

Filter flag
    -4: Resources belonging to the user’s primary group
    -3: Resources belonging to the user
    -2: All resources
    -1: Resources belonging to the user and any of his groups
    >= 0: UID User’s Resources

Would it make sense to pass -1? I think that would resolve the issues I have, but I can imagine that there are unforeseen side effects into which I don't have insight. So I'm open to be enlightened! :)

Happy to provide a PR if there are no voices against this!

Edit: I just tested with the value of -1 and the Minimal reproduction playbook completed successfully.

Collaborator

russoz commented Dec 29, 2024

Hi @skropf Thanks for reporting and for digging into it!

First of all, since the module's documentation does not claim to address that extended scope, this would be a Feature Idea rather than a Bug Report (the semantic difference being that bugfixes are backported to previous versions while features are not), so please adjust.

Maybe it would make sense to give the scope choice to the user of the module? Like, create a new parameter named scope (or whatever terminology makes more sense in the OpenNebula universe), set its default to the current scope, so that we do not change the default behaviour of the module, but it allows you to choose what you want. If the -1 makes more sense as default, then we have to deprecate the current default behaviour and move to the new one.

See https://github.com/russoz-ansible/ansible-contrib-unofficial/blob/main/deprecations.md for how to do that.
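
The filter flags listed earlier in the thread and the opt-in parameter suggested above, as an added example that is not part of the thread or of the module's code: a toy model of ownership-based filtering (the server's permission and ACL checks are not modelled) with a lookup whose scope defaults to the current -3 behaviour. The choice names in `SCOPE_FLAGS`, the `pool_info` helper and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Filter flags as quoted in the thread; the choice names are hypothetical,
# not options of the real one_template module.
SCOPE_FLAGS = {"primary_group": -4, "user": -3, "all": -2, "user_groups": -1}

@dataclass(frozen=True)
class Template:
    id: int
    uid: int  # owning user
    gid: int  # owning group

@dataclass(frozen=True)
class Caller:
    uid: int
    primary_gid: int
    gids: frozenset  # every group the user belongs to

def pool_info(pool, caller, flag):
    """Toy stand-in for templatepool.info(flag, -1, -1): ownership only, no ACLs."""
    if flag == -4:
        return [t for t in pool if t.gid == caller.primary_gid]
    if flag == -3:
        return [t for t in pool if t.uid == caller.uid]
    if flag == -2:
        return list(pool)
    if flag == -1:
        return [t for t in pool if t.uid == caller.uid or t.gid in caller.gids]
    if flag >= 0:
        return [t for t in pool if t.uid == flag]
    raise ValueError(f"unknown filter flag {flag}")

def get_template(pool, caller, predicate, scope="user"):
    """Lookup with a caller-selectable scope; the default keeps the -3 behaviour."""
    if scope not in SCOPE_FLAGS:
        raise ValueError(f"scope must be one of {sorted(SCOPE_FLAGS)}")
    for template in pool_info(pool, caller, SCOPE_FLAGS[scope]):
        if predicate(template):
            return template
    return None

# Constructed sample data: template 1 belongs to another user in a shared group.
POOL = [Template(1, uid=0, gid=100), Template(2, uid=7, gid=1), Template(3, uid=9, gid=200)]
CALLER = Caller(uid=7, primary_gid=1, gids=frozenset({1, 100}))
```

Keeping `user` as the default means existing playbooks see no wider set of templates unless they ask for it.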

Author

skropf commented Jan 3, 2025

@russoz Thanks for the feedback!

I will try to implement such a parameter.

In the meantime, as I saw that @nilsding maintains the module: Could you give some feedback or would you just rather be mentioned in a PR?

Regarding the label: I am not sure how I can change the label of the issue as there is no edit button showing. I also couldn't find bot commands or similar in the contributing guidelines. Please point it out to me, if I overlooked something, thanks!

Contributor

nilsding commented Jan 5, 2025

Hi @skropf, just mentioning me in a PR is fine (it's done automatically by @ansibullbot anyway).

Adding an extra parameter to specify the filter flag would be nice to have in all the one_* modules for sure. IIRC back when implementing it I just copied over what the other existing modules did, and that was good enough for most of our use cases ;-) ...

@skropf skropf linked a pull request Jan 7, 2025 that will close this issue