This repository has been archived by the owner on Jun 14, 2023. It is now read-only.
Setting panorama_admin
Describe the bug
When trying to use panos_administrator module to create a "panorama" administrator (and not one in a template), the panorama_admin argument being set to true doesn't seem to work and the administrator is still created in the template (template has to be specified as it is a required argument).
Expected behavior
There are 2 ways about this:
(a) template / template_stack should be optional if the panorama_admin is "yes" (true) since we only want to create an admin user for the panorama itself and not in any template/template stack.
(b) If they are not optional, they should be ignored and user should only be created in the panorama administrators (and not in the specified template/stack).
Current behavior
User is created in template even if panorama_admin argument is provided as "true" or "yes"
Possible solution
panorama_admin = True should not require template/template_stack to be specified if device is Panorama. Users operated on with this flag should be created in the Panorama administrators list rather than in a template/template_stack.
Steps to reproduce
My playbook:
```yaml
- hosts: my-panorama
  connection: local
  gather_facts: False

  roles:
    - role: PaloAltoNetworks.paloaltonetworks

  tasks:
    - name: Grab the credentials from ansible-vault
      include_vars: "panorama-secrets.yml"
      no_log: "yes"

    - name: 'Make a new panorama administrator named "test"'
      panos_administrator:
        provider:
          username: "{{ username }}"
          ip_address: "{{ ip_address }}"
          password: "{{ password }}"
        admin_username: "test"
        admin_password: "blah_blah"
        panorama_admin: "yes"
        superuser: "yes"
        commit: false
```
Results in: fatal: [my-panorama]: FAILED! => {"changed": false, "msg": "Specify either the template or the template stack."}
And specifying any template stack present in the panorama results in the user "test" being created in the administrators section of the "template" with profile "panorama_admin"
Context
My use case is just creating a simple administrator object in "panorama" itself not for a template to be applied on firewalls.
Your Environment
Version used: Panorama (Pan-OS 9.0.3)
Environment name and version: ansible-pan 2.2.3, ansible 2.8.5, pandevice (0.11.1)
Ok, so the issue here is that an administrator can be either an admin on Panorama or an admin inside a template on Panorama. The current code does not allow for creating an admin on Panorama and only allows creating admins that will be inside a template.
It works perfectly on firewalls but fails on Panorama with the error:
"msg": "Specify either the template or the template stack.",
I'm also trying to change the panorama admin password and not the one on a template.
Any idea when this will be fixed?
Thanks
P.S. I've added the panorama_admin: true to try to fix the issue but it made no difference.
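Because the module can place an account in a template instead of on Panorama itself, a check of where each administrator actually landed is useful after a run. The following is an added example, not code from this thread or from the ansible-pan project: it reads a candidate configuration XML and reports any account that was meant to be Panorama-only but exists elsewhere. The sample XML, the template name `example-template`, the function names and the element layout are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element layout (Panorama's own
# admins under mgt-config, template admins under devices/.../template) is an
# assumption about the PAN-OS configuration XML.
SAMPLE_CONFIG = """
<config>
  <mgt-config><users>
    <entry name="admin"/>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain">
    <template><entry name="example-template">
      <config><mgt-config><users>
        <entry name="test"/>
      </users></mgt-config></config>
    </entry></template>
  </entry></devices>
</config>
"""


def admin_scopes(config_xml):
    """Map each admin name to the scopes it is defined in."""
    root = ET.fromstring(config_xml)  # root element is <config>
    scopes = {}
    # Administrators of Panorama itself.
    for user in root.findall("mgt-config/users/entry"):
        scopes.setdefault(user.get("name"), []).append("panorama")
    # Administrators defined inside templates or template stacks.
    for kind in ("template", "template-stack"):
        for tpl in root.findall(f"devices/entry/{kind}/entry"):
            for user in tpl.findall("config/mgt-config/users/entry"):
                label = f"{kind}:{tpl.get('name')}"
                scopes.setdefault(user.get("name"), []).append(label)
    return scopes


def misplaced_admins(config_xml, expected_panorama_admins):
    """Return {name: scopes} for accounts that are not Panorama-only."""
    scopes = admin_scopes(config_xml)
    return {name: scopes.get(name, [])
            for name in expected_panorama_admins
            if scopes.get(name, []) != ["panorama"]}


if __name__ == "__main__":
    for name, found in misplaced_admins(SAMPLE_CONFIG, ["admin", "test"]).items():
        print(f"{name}: expected Panorama-only, found in {found or 'no scope'}")
```

An empty list for a name means the account was not found in any scope.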