check_point.gaia.cp_gaia_user_facts error 500 General Exception #62

Open
chuegel opened this issue Feb 28, 2025 · 8 comments

@chuegel

chuegel commented Feb 28, 2025

We are using this collection to query the users on Gaia gateways:

- name: Gather current Gaia users
  check_point.gaia.cp_gaia_user_facts:
  register: current_users
  tags:
    - always

- name: List of current Gaia users
  ansible.builtin.debug:
    msg: |
      Current users on the system:
      {% for user in current_users.ansible_facts.objects %}
      - Username: {{ user.name }} - (Role(s): {{ user.roles | join(', ') }})
      {% endfor %}
  tags:
    - debug

fails with the following error:

fatal: [fwinternet1]: FAILED! => changed=false
  msg: 'Checkpoint device returned error 500 with message {''code'': ''generic_error'', ''errors'': ''1'', ''msg'': ''General Exception''}'

Other tasks are working fine.

Is this related to: #60 ?

Versions used:

check_point.gaia              5.0.1

ansible [core 2.15.12]
python version = 3.9.19 (main, May 16 2024, 08:45:40) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)]
jinja version = 3.1.4
libyaml = True

OS: Gaia R81.20
HW: QLS250
@duanetoler
Contributor

Check your /var/log/gaia_api_server.log for internal details on this. The real error is in this log file. It's probably the same bug with Gaia API 1.7 and lower.

Likewise, make sure you have a recent Jumbo HFA which includes internal Gaia CONFD (Clish) fixes for running commands via Ansible. There was an issue dealing with the internal CONFD database lock between sessions via the Ansible Gaia modules. Similarly, there is an issue in older versions with inconsistency applying changes for both static routes and dynamic routing processes.

Your Gaia API module collection is also outdated. You should update that as well:

https://galaxy.ansible.com/ui/repo/published/check_point/gaia

@chuegel
Author

chuegel commented Mar 3, 2025

03/03/25 07:59:54: MainThread: infra.pipeline: INFO: Handling output
03/03/25 07:59:54: MainThread: infra.utils: INFO: Server IP initialized for the first time
03/03/25 07:59:54: MainThread: objects.sessions: INFO: Remote authentication succeed for user:ansible_user
03/03/25 07:59:54: MainThread: infra.utils: INFO: Server Port initialized for the first time
03/03/25 07:59:54: MainThread: server_util.udsListener: INFO: Request for endpoint /login [method: POST], for source 172.xxx.xxx.xxx, SUCCEEDED [duration 200ms]
03/03/25 07:59:54: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.xxx.xxx.xxx
03/03/25 07:59:54: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.sessions.LogoutRequest'>
03/03/25 07:59:54: MainThread: infra.urlGeneratorIS: INFO: Execute validators
03/03/25 07:59:54: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
03/03/25 07:59:54: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.sessions.LogoutRequest'>
03/03/25 07:59:54: MainThread: server_util.udsListener: INFO: Request for endpoint /logout [method: POST], for source 172.xxx.xxx.xxx, SUCCEEDED [duration 1ms]
03/03/25 08:01:26: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.xxx.xxx.xxx
03/03/25 08:01:26: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.sessions.LoginRequest'>
03/03/25 08:01:26: MainThread: infra.urlGeneratorIS: INFO: Execute validators
03/03/25 08:01:26: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
03/03/25 08:01:26: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.sessions.LoginRequest'>
03/03/25 08:01:27: MainThread: infra.pipeline: INFO: Handling output
03/03/25 08:01:27: MainThread: objects.sessions: INFO: Remote authentication succeed for user:ansible_user
03/03/25 08:01:27: MainThread: server_util.udsListener: INFO: Request for endpoint /login [method: POST], for source 172.xxx.xxx.xxx SUCCEEDED [duration 180ms]
03/03/25 08:01:27: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.xxx.xxx.xxx
03/03/25 08:01:27: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.ShowUsers'>
03/03/25 08:01:27: MainThread: infra.urlGeneratorIS: INFO: Execute validators
03/03/25 08:01:27: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
03/03/25 08:01:27: MainThread: objects.users: INFO: Collecting users data from the system
03/03/25 08:01:27: MainThread: objects.users: INFO: Processing users data from the system
03/03/25 08:01:32: MainThread: objects.users: INFO: Information collected and processed successfully
03/03/25 08:01:32: MainThread: objects.users: INFO: Collecting users data from the system
03/03/25 08:01:32: MainThread: objects.users: INFO: Processing users data from the system
03/03/25 08:01:37: MainThread: objects.users: INFO: Information collected and processed successfully
03/03/25 08:01:37: MainThread: objects.users: INFO: Collecting users data from the system
03/03/25 08:01:38: MainThread: objects.users: INFO: Processing users data from the system
03/03/25 08:01:42: MainThread: objects.users: INFO: Information collected and processed successfully
03/03/25 08:01:43: MainThread: objects.users: INFO: Collecting users data from the system
03/03/25 08:01:43: MainThread: objects.users: INFO: Processing users data from the system
03/03/25 08:01:48: MainThread: objects.users: INFO: Information collected and processed successfully
03/03/25 08:01:48: MainThread: objects.users: INFO: Collecting users data from the system
03/03/25 08:01:48: MainThread: objects.users: INFO: Processing users data from the system
03/03/25 08:01:53: MainThread: objects.users: INFO: Information collected and processed successfully
03/03/25 08:01:53: MainThread: objects.users: INFO: Collecting users data from the system
03/03/25 08:01:54: MainThread: objects.users: INFO: Processing users data from the system
03/03/25 08:01:58: MainThread: infra.pipeline: ERROR: Failed to handle request, reason: '1'
03/03/25 08:01:58: MainThread: infra.pipeline: ERROR: 1
Traceback (most recent call last):
  File "/rest_api/ckp/infra/urlGeneratorIS.py", line 67, in actor
    res = execute(inst, requestData)
  File "/rest_api/ckp/infra/pipeline.py", line 262, in execute
    ret = inst.Handler_RESPONSE().serialize()
  File "/rest_api/ckp/objects/users.py", line 560, in __init__
    self.populate()
  File "/rest_api/ckp/objects/users.py", line 577, in populate
    self.users.append(UserV18().populate(userDict.get(NAME)))
  File "/rest_api/ckp/objects/users.py", line 770, in populate
    User.populateFromUserFactory(self, name)
  File "/rest_api/ckp/objects/users.py", line 708, in populateFromUserFactory
    self.userFactory = UserFactory()
  File "/rest_api/ckp/objects/users.py", line 171, in __init__
    self.processData()
  File "/rest_api/ckp/objects/users.py", line 479, in processData
    XMLResult = clish.runClish("show user {} lock-out".format(user), lock, clish.outXml, False)
  File "/rest_api/libs/clish.py", line 177, in runClish
    returnCode, output, error = command_factory.execFactoryExecutor(clishCmd, ws.get_user_env())
  File "/rest_api/libs/command_factory.py", line 89, in execFactoryExecutor
    tup = p.communicate()
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/subprocess.py", line 964, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/subprocess.py", line 1715, in _communicate
    ready = selector.select(timeout)
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/selectors.py", line 415, in select
    fd_event_list = self._selector.poll(timeout)
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/site-packages/gunicorn/workers/base.py", line 192, in handle_abort
    sys.exit(1)
SystemExit: 1
03/03/25 08:01:58: MainThread: server_util.udsListener: INFO: Request for endpoint /show-users [method: POST], for source 172.xxx.xxx.xxx, FAILED [duration 30946ms]
03/03/25 08:01:58 [ INFO] MainThread:__init__(): **********************     Init Gaia API Logger - New Run     **********************
03/03/25 08:01:58: MainThread: infra.vsnext_utils: INFO: VSNext status: off
03/03/25 08:01:58: MainThread: infra.vsnext_utils: INFO: VSNext status: off
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.4/run-reboot, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.5/run-reboot, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.6/run-reboot, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.7/run-reboot, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.8/run-reboot, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting none version End-Point for URL: /run-reboot
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting Permissions for system
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.1/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.2/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.3/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.4/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.5/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.6/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.7/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting Permissions for aaa
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.8/set-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting none version End-Point for URL: /set-radius
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.1/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.2/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.3/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.4/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.5/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.6/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.7/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.8/show-radius, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting none version End-Point for URL: /show-radius
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.1/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.2/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.3/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.4/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.5/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.6/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.7/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting End-Point for URL: /v1.8/set-tacacs, methods: ['POST']
03/03/25 08:01:58: MainThread: infra.annotations: INFO: Setting none version End-Point for URL: /set-tacacs

--snip--
03/03/25 08:02:01: MainThread: server_util.udsListener: INFO: Generate Post reboot tasks
03/03/25 08:02:01: MainThread: postRebootHandler: INFO: Loading all tasks
03/03/25 08:02:01: MainThread: postRebootHandler: INFO: Clear tasks cache
03/03/25 08:02:01: MainThread: server_util.udsListener: INFO: Start server...
03/03/25 08:02:01: Thread-1: server_util.udsListener: INFO: Setting UDS for requests
03/03/25 08:02:01: Thread-1: server_util.udsListener: INFO: Start listening to UDS connections
03/03/25 08:02:01: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.xxx.xxx.xxx
03/03/25 08:02:01: MainThread: sessions_manager: WARNING: Got unauthorized sid, remote ip:172.xxx.xxx.xxx.
03/03/25 08:02:01: MainThread: server_util.udsListener: INFO: Request for endpoint /logout [method: POST], for source 172.xxx.xxx.xxx, FAILED [duration 1ms]
03/03/25 08:02:01: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.xxx.xxx.xxx
03/03/25 08:02:01: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.sessions.LoginRequest'>
03/03/25 08:02:01: MainThread: infra.urlGeneratorIS: INFO: Execute validators
03/03/25 08:02:01: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
03/03/25 08:02:01: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.sessions.LoginRequest'>
03/03/25 08:02:02: MainThread: infra.pipeline: INFO: Handling output
03/03/25 08:02:02: MainThread: infra.utils: INFO: Server IP initialized for the first time
03/03/25 08:02:02: MainThread: objects.sessions: INFO: Remote authentication succeed for user:ansible_user
03/03/25 08:02:02: MainThread: infra.utils: INFO: Server Port initialized for the first time
03/03/25 08:02:02: MainThread: server_util.udsListener: INFO: Request for endpoint /login [method: POST], for source 172.xxx.xxx.xxx, SUCCEEDED [duration 198ms]
03/03/25 08:02:02: MainThread: server_util.udsListener: INFO: remote_addr IP = 172.xxx.xxx.xxx
03/03/25 08:02:02: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.sessions.LogoutRequest'>
03/03/25 08:02:02: MainThread: infra.urlGeneratorIS: INFO: Execute validators
03/03/25 08:02:02: MainThread: infra.urlGeneratorIS: INFO: Verify permissions
03/03/25 08:02:02: MainThread: infra.pipeline: INFO: Execute commit function for class <class 'requests.sessions.LogoutRequest'>
03/03/25 08:02:02: MainThread: server_util.udsListener: INFO: Request for endpoint /logout [method: POST], for source 172.xxx.xxx.xxx, SUCCEEDED [duration 1ms]

We will upgrade the gateways asap.
The Ansible collections have also been upgraded, but the error remains.


@chuegel
Author

chuegel commented Mar 3, 2025

The error above is from an R81.10 gateway on Jumbo Hotfix Take 172, so it's the latest recommended take for R81.10.

 gaia_api status

API Status:
---------------------
Build: cp991255275
Uptime: 0:37:48
Current Sessions: 0
Latest Version: 1.8

Processes:

Name           State        PID
---------------------------------
GAIA_API       Started      22860
GAIA_API_DOCS  Started      22848
APACHE         Started      7376
CONFD          Started      7373
CLISHD         Started      7463 5149
CELERY         Started      22847
REDIS          Started      7473

Port Details:
-------------------
APACHE Gaia Port:         443

--------------------------------------------
Overall API Status: Started
--------------------------------------------


 cat /rest_api/rest-api-server.conf
# This file holds the gunicorn configuration setting
import gunicorn
import os
#Note: For gunicorn versions upper than 20.1.0 you need to rename the variable to gunicorn.SERVER instead of gunicorn.SERVER_SOFTWARE
gunicorn.SERVER_SOFTWARE = 'CPWS'

pidfile = '/tmp/gaia_api.pid'
#errorlog = '/var/tmp/gaiaRestServer.log'
loglevel = 'info'
bind = '127.0.0.1:9092'
#threads = 2
group = 'config'
if os.path.isfile('/etc/.scalable_platform') or os.path.isfile('/etc/.scalable_platform_mho'):
        timeout = 300

What's weird is:

03/03/25 08:01:58: MainThread: infra.pipeline: ERROR: Failed to handle request, reason: '1'
03/03/25 08:01:58: MainThread: infra.pipeline: ERROR: 1
Traceback (most recent call last):
  File "/rest_api/ckp/infra/urlGeneratorIS.py", line 67, in actor
    res = execute(inst, requestData)
  File "/rest_api/ckp/infra/pipeline.py", line 262, in execute
    ret = inst.Handler_RESPONSE().serialize()
  File "/rest_api/ckp/objects/users.py", line 560, in __init__
    self.populate()
  File "/rest_api/ckp/objects/users.py", line 577, in populate
    self.users.append(UserV18().populate(userDict.get(NAME)))
  File "/rest_api/ckp/objects/users.py", line 770, in populate
    User.populateFromUserFactory(self, name)
  File "/rest_api/ckp/objects/users.py", line 708, in populateFromUserFactory
    self.userFactory = UserFactory()
  File "/rest_api/ckp/objects/users.py", line 171, in __init__
    self.processData()
  File "/rest_api/ckp/objects/users.py", line 479, in processData
    XMLResult = clish.runClish("show user {} lock-out".format(user), lock, clish.outXml, False)
  File "/rest_api/libs/clish.py", line 177, in runClish
    returnCode, output, error = command_factory.execFactoryExecutor(clishCmd, ws.get_user_env())
  File "/rest_api/libs/command_factory.py", line 89, in execFactoryExecutor
    tup = p.communicate()
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/subprocess.py", line 964, in communicate
    stdout, stderr = self._communicate(input, endtime, timeout)
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/subprocess.py", line 1715, in _communicate
    ready = selector.select(timeout)
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/selectors.py", line 415, in select
    fd_event_list = self._selector.poll(timeout)
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/site-packages/gunicorn/workers/base.py", line 192, in handle_abort
    sys.exit(1)
SystemExit: 1
03/03/25 08:01:58: MainThread: server_util.udsListener: INFO: Request for endpoint /show-users [method: POST], for source 172.xxx.xxx.xxx, FAILED [duration 30946ms]
03/03/25 08:01:58 [ INFO] MainThread:__init__(): **********************     Init Gaia API Logger - New Run     **********************
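As an added worked example (not code from this issue or from the check_point.gaia collection), the following Python script does the log correlation that duanetoler suggests: it pairs each FAILED endpoint line in gaia_api_server.log with the Python traceback that precedes it, extracts the innermost /rest_api/ckp/ frame and the CLISH command that frame was running, and flags whether the API server re-initialised right afterwards. Two details of the trace above are worth checking in any similar case: the last frame is gunicorn's handle_abort, which is the path gunicorn takes when the arbiter kills a worker that exceeded its timeout, and the failed /show-users request took 30946 ms, just over gunicorn's default 30-second worker timeout; the rest-api-server.conf quoted above only raises timeout to 300 on scalable platforms. The SAMPLE_LOG, the source address 192.0.2.10 and all field and function names are constructed for this example; the line shapes follow the excerpt.

```python
"""Triage helper for /var/log/gaia_api_server.log (added example, not part of
the issue or the check_point.gaia collection). Correlates FAILED endpoint lines
with the traceback that precedes them and flags worker restarts."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): (?P<thread>[\w-]+): "
    r"(?P<logger>[\w.]+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# the 'for source' field is followed by a comma on some lines and not on others
REQUEST_RE = re.compile(
    r"Request for endpoint (?P<endpoint>\S+) \[method: (?P<method>\w+)\], "
    r"for source (?P<src>\S+?),? (?P<result>SUCCEEDED|FAILED) \[duration (?P<ms>\d+)ms\]"
)
FRAME_RE = re.compile(r'^\s+File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)$')
RESTART_MARK = "Init Gaia API Logger - New Run"   # logger banner written on (re)start
GUNICORN_DEFAULT_TIMEOUT_MS = 30_000               # gunicorn default; conf on the page raises it only on scalable platforms


@dataclass
class Failure:
    ts: str
    endpoint: str
    method: str
    source: str
    duration_ms: int
    exception: Optional[str] = None   # last line of the traceback, e.g. "SystemExit: 1"
    app_frame: Optional[str] = None   # innermost frame under /rest_api/ckp/
    shell_cmd: Optional[str] = None   # CLISH command passed to clish.runClish, if visible
    worker_abort: bool = False        # traceback went through gunicorn's handle_abort
    after_restart: bool = False       # API server re-initialised right after this failure

    def looks_like_worker_timeout(self) -> bool:
        return self.worker_abort and self.duration_ms >= GUNICORN_DEFAULT_TIMEOUT_MS


def _attach_traceback(f: Failure, tb: List[str]) -> None:
    """Fill exception / frame details from the buffered traceback lines."""
    f.exception = tb[-1].strip()
    for i, line in enumerate(tb):
        fm = FRAME_RE.match(line)
        if not fm:
            continue
        if fm.group("func") == "handle_abort":
            f.worker_abort = True
        if fm.group("path").startswith("/rest_api/ckp/"):
            # keep overwriting so the innermost application frame wins
            f.app_frame = f'{fm.group("path")}:{fm.group("line")} {fm.group("func")}'
            src = tb[i + 1] if i + 1 < len(tb) else ""
            cm = re.search(r'runClish\("([^"]+)"', src)
            f.shell_cmd = cm.group(1) if cm else None


def parse_failures(text: str) -> Tuple[List[Failure], int]:
    """Return (failed requests, number of 'unauthorized sid' rejections)."""
    failures: List[Failure] = []
    unauthorized_sid = 0
    pending_tb: List[str] = []
    in_tb = False
    for raw in text.splitlines():
        if raw.startswith("Traceback (most recent call last):"):
            in_tb, pending_tb = True, []
            continue
        if in_tb:
            pending_tb.append(raw)
            in_tb = raw.startswith((" ", "\t"))   # first unindented line is the exception
            continue
        if RESTART_MARK in raw:                    # banner has a different shape from LINE_RE
            if failures:
                failures[-1].after_restart = True
            continue
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if "Got unauthorized sid" in msg:          # stale session after a restart
            unauthorized_sid += 1
            continue
        r = REQUEST_RE.search(msg)
        if r and r.group("result") == "FAILED":
            f = Failure(m.group("ts"), r.group("endpoint"), r.group("method"),
                        r.group("src"), int(r.group("ms")))
            if pending_tb:                         # traceback belongs to the request that just failed
                _attach_traceback(f, pending_tb)
                pending_tb = []
            failures.append(f)
    return failures, unauthorized_sid


# Constructed sample in the shape of the issue's excerpt; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
03/03/25 08:01:27: MainThread: server_util.udsListener: INFO: Request for endpoint /login [method: POST], for source 192.0.2.10 SUCCEEDED [duration 180ms]
03/03/25 08:01:27: MainThread: infra.urlGeneratorIS: INFO: Handle request: <class 'requests.users.ShowUsers'>
03/03/25 08:01:58: MainThread: infra.pipeline: ERROR: Failed to handle request, reason: '1'
Traceback (most recent call last):
  File "/rest_api/ckp/infra/urlGeneratorIS.py", line 67, in actor
    res = execute(inst, requestData)
  File "/rest_api/ckp/objects/users.py", line 479, in processData
    XMLResult = clish.runClish("show user {} lock-out".format(user), lock, clish.outXml, False)
  File "/rest_api/libs/command_factory.py", line 89, in execFactoryExecutor
    tup = p.communicate()
  File "/opt/CPsuite-R81.20/fw1/Python/lib/python3.7/site-packages/gunicorn/workers/base.py", line 192, in handle_abort
    sys.exit(1)
SystemExit: 1
03/03/25 08:01:58: MainThread: server_util.udsListener: INFO: Request for endpoint /show-users [method: POST], for source 192.0.2.10, FAILED [duration 30946ms]
03/03/25 08:01:58 [ INFO] MainThread:__init__(): **********************     Init Gaia API Logger - New Run     **********************
03/03/25 08:02:01: MainThread: sessions_manager: WARNING: Got unauthorized sid, remote ip:192.0.2.10.
03/03/25 08:02:01: MainThread: server_util.udsListener: INFO: Request for endpoint /logout [method: POST], for source 192.0.2.10, FAILED [duration 1ms]
"""

if __name__ == "__main__":
    found, stale = parse_failures(SAMPLE_LOG)
    for fail in found:
        print(fail, "timeout-like" if fail.looks_like_worker_timeout() else "")
    print("unauthorized sid rejections:", stale)
```

Run it against the real file with `parse_failures(open("/var/log/gaia_api_server.log").read())`; the first entry for /show-users should name users.py:479 and the "show user {} lock-out" command, and the /logout failure that follows the restart has no traceback at all because the session it referred to no longer exists.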

@duanetoler
Contributor

Yeah, that's interesting. It died on running the CLISH command "show user lock-out" for the list of users. This command is being run so that Gaia API can return a bunch of useful information for each of the users, since you did "cp_gaia_user_facts" to get a list of all the users. (You probably knew this already.)

You can run these commands manually yourself to "follow the trail", and you might be able to find the missing piece. Log in to the gateway, go to CLISH, then run "show users". For each of your users, run "show user lock-out".

I looked over the R81.10 JHF notes and didn't see anything interesting in Take 173 that might've already been fixed, either.

@chuegel
Author

chuegel commented Mar 3, 2025

As a workaround:

---
- name: Gather current Gaia users
  check_point.gaia.cp_gaia_user_facts:
    version: 1.7
  register: current_users
  tags:
    - always

specifying the lower version (1.7 in this case) worked. So there must be something fishy in the 1.8 version.

@duanetoler
Contributor

Indeed, or at least v1.8 on R81.10. You still might want to check /config/active and still run the CLISH commands manually to see if you can find it before you open a TAC case.

Another point to consider: I saw your Ansible playbook is using the username "ansible_user" (perfectly fine), but does this "ansible_user" have read-write and adminRole permissions? I wonder if there's something odd in the RBA configuration when this user runs these commands, versus "admin" (for example).

Either way, you have found some sort of issue, and it warrants additional review by TAC, since it works on API v1.7 and not v1.8.
"Congrats!" :)

@chuegel
Author

chuegel commented Mar 4, 2025

@duanetoler yes, that user has the adminRole (I just redacted the name)
Should I open a TAC?

@duanetoler
Contributor

Ok, good, just wanted to be sure; TAC will ask you about that. :) You're welcome to open a TAC case, as R81.10 is still supported. However, be aware that R81.10 is going EoL in July 2025, so you'll be better served updating to R81.20 if you can.
