From 129ce1ca50eddb97d7f0bc0943f6ac9f8ce28154 Mon Sep 17 00:00:00 2001
From: krauthosting <69597449+krauthosting@users.noreply.github.com>
Date: Sat, 18 Nov 2023 11:28:59 +0100
Subject: [PATCH 1/4] Readd support for secure PostgreSQL password hashes (#1074)
---
 roles/zabbix_proxy/tasks/postgresql.yml | 4 ++--
 roles/zabbix_server/tasks/postgresql.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/zabbix_proxy/tasks/postgresql.yml b/roles/zabbix_proxy/tasks/postgresql.yml
index 291052455..e71af9aba 100644
--- a/roles/zabbix_proxy/tasks/postgresql.yml
+++ b/roles/zabbix_proxy/tasks/postgresql.yml
@@ -29,7 +29,7 @@
 community.postgresql.postgresql_user:
 db: "{{ zabbix_proxy_dbname }}"
 name: "{{ zabbix_proxy_dbuser }}"
- password: "md5{{ (zabbix_proxy_dbpassword + zabbix_proxy_dbuser)|hash('md5') }}"
+ password: "{{ ('md5' + (zabbix_proxy_dbpassword + zabbix_proxy_dbuser)|hash('md5')) if zabbix_proxy_dbpassword_hash_method == 'md5' else zabbix_proxy_dbpassword }}"
 port: "{{ zabbix_proxy_dbport }}"
 priv: ALL
 state: present
@@ -61,7 +61,7 @@
 login_password: "{{ zabbix_proxy_pgsql_login_password | default(omit) }}"
 db: "{{ zabbix_proxy_dbname }}"
 name: "{{ zabbix_proxy_dbuser }}"
- password: "md5{{ (zabbix_proxy_dbpassword + zabbix_proxy_dbuser)|hash('md5') }}"
+ password: "{{ ('md5' + (zabbix_proxy_dbpassword + zabbix_proxy_dbuser)|hash('md5')) if zabbix_proxy_dbpassword_hash_method == 'md5' else zabbix_proxy_dbpassword }}"
 port: "{{ zabbix_proxy_dbport }}"
 priv: ALL
 state: present
diff --git a/roles/zabbix_server/tasks/postgresql.yml b/roles/zabbix_server/tasks/postgresql.yml
index 947a73462..5177a55be 100644
--- a/roles/zabbix_server/tasks/postgresql.yml
+++ b/roles/zabbix_server/tasks/postgresql.yml
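Review bot: In both `password:` lines added to roles/zabbix_proxy/tasks/postgresql.yml, any value of `zabbix_proxy_dbpassword_hash_method` other than the exact string `md5` takes the `else` branch and sends `zabbix_proxy_dbpassword` unhashed, so a typo or a casing such as `MD5` silently changes the stored format, which then depends on the server's `password_encryption` setting rather than on this variable. The two matching hunks in roles/zabbix_server/tasks/postgresql.yml have the same fail-open comparison. I would check the variable before these tasks, e.g. an `ansible.builtin.assert` with `that: zabbix_proxy_dbpassword_hash_method in ['md5', 'scram-sha-256']`, and say in a comment that SCRAM is only obtained when the server is configured for it. Each task starts above its hunk, so whether `no_log` covers the now-plaintext value cannot be seen from here.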
@@ -29,7 +29,7 @@
 community.postgresql.postgresql_user:
 db: "{{ zabbix_server_dbname }}"
 name: "{{ zabbix_server_dbuser }}"
- password: "md5{{ (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5') }}"
+ password: "{{ ('md5' + (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5')) if zabbix_server_dbpassword_hash_method == 'md5' else zabbix_server_dbpassword }}"
 port: "{{ zabbix_server_dbport }}"
 priv: ALL
 state: present
@@ -68,7 +68,7 @@
 login_password: "{{ zabbix_server_pgsql_login_password | default(omit) }}"
 db: "{{ zabbix_server_dbname }}"
 name: "{{ zabbix_server_dbuser }}"
- password: "md5{{ (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5') }}"
+ password: "{{ ('md5' + (zabbix_server_dbpassword + zabbix_server_dbuser)|hash('md5')) if zabbix_server_dbpassword_hash_method == 'md5' else zabbix_server_dbpassword }}"
 port: "{{ zabbix_server_dbport }}"
 priv: ALL
 state: present
From 622a5dc50bf0a2baa0c20c614e5ac86006d1d6ea Mon Sep 17 00:00:00 2001
From: krauthosting <69597449+krauthosting@users.noreply.github.com>
Date: Thu, 7 Dec 2023 10:33:19 +0100
Subject: [PATCH 2/4] Readd support for secure PostgreSQL password hashes (#1074)
---
 roles/zabbix_server/defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/zabbix_server/defaults/main.yml b/roles/zabbix_server/defaults/main.yml
index d54f92e9a..6aec202dd 100644
--- a/roles/zabbix_server/defaults/main.yml
+++ b/roles/zabbix_server/defaults/main.yml
@@ -17,6 +17,7 @@ zabbix_server_dbcollation: utf8_bin
 zabbix_server_dbschema:
 zabbix_server_dbuser: zabbix-server
 zabbix_server_dbpassword: zabbix-server
+zabbix_server_dbpassword_hash_method: md5
 zabbix_server_dbsocket:
 zabbix_server_dbport: 5432
 zabbix_server_dbhost_run_install: true
From 783a6cd8de0243e38320c5327b3c7ab53e6b3819 Mon Sep 17 00:00:00 2001
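Review bot: The new default `zabbix_server_dbpassword_hash_method: md5` in roles/zabbix_server/defaults/main.yml carries no comment saying which values are accepted or what a non-`md5` value does, and it keeps the weaker MD5 form as the default even though the commit title is about secure hashes. I would add above it `# md5: pre-hash as md5(password + user); any other value sends the password as-is so the server's password_encryption (e.g. scram-sha-256) applies`. The same applies to `zabbix_proxy_dbpassword_hash_method` in roles/zabbix_proxy/defaults/main.yml in patch 3/4. Keeping `md5` is presumably for backward compatibility; if so, the comment should say that too.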
From: krauthosting <69597449+krauthosting@users.noreply.github.com>
Date: Thu, 7 Dec 2023 18:12:53 +0100
Subject: [PATCH 3/4] Readd support for secure PostgreSQL password hashes (#1074)
---
 roles/zabbix_proxy/defaults/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/zabbix_proxy/defaults/main.yml b/roles/zabbix_proxy/defaults/main.yml
index 5eded372c..f46c9c64e 100644
--- a/roles/zabbix_proxy/defaults/main.yml
+++ b/roles/zabbix_proxy/defaults/main.yml
@@ -20,6 +20,7 @@ zabbix_proxy_dbencoding: utf8
 zabbix_proxy_dbhost: localhost
 zabbix_proxy_dbname: zabbix_proxy
 zabbix_proxy_dbpassword: zabbix_proxy
+zabbix_proxy_dbpassword_hash_method: md5
 zabbix_proxy_dbuser: zabbix_proxy
 zabbix_proxy_install_database_client: true
From eef2707c4bc741debfd2ddb8103924f4fe309402 Mon Sep 17 00:00:00 2001
From: krauthosting <69597449+krauthosting@users.noreply.github.com>
Date: Fri, 8 Dec 2023 14:22:04 +0100
Subject: [PATCH 4/4] Readd support for secure PostgreSQL password hashes (#1074)
---
 changelogs/fragments/1136.yml | 3 +++
 docs/ZABBIX_PROXY_ROLE.md | 1 +
 docs/ZABBIX_SERVER_ROLE.md | 1 +
 3 files changed, 5 insertions(+)
 create mode 100644 changelogs/fragments/1136.yml
diff --git a/changelogs/fragments/1136.yml b/changelogs/fragments/1136.yml
new file mode 100644
index 000000000..901a1f716
--- /dev/null
+++ b/changelogs/fragments/1136.yml
@@ -0,0 +1,3 @@
+minor_changes:
+ - zabbix_server role - Add variable zabbix_server_dbpassword_hash_method to control whether you want postgresql user password to be hashed with md5 or want to use db default. When zabbix_server_dbpassword_hash_method is set to anything other than md5 then do not hash the password with md5 so you could use postgresql scram-sha-256 hashing method.
+ - zabbix_proxy role - Add variable zabbix_proxy_dbpassword_hash_method to control whether you want postgresql user password to be hashed with md5 or want to use db default. When zabbix_proxy_dbpassword_hash_method is set to anything other than md5 then do not hash the password with md5 so you could use postgresql scram-sha-256 hashing method.
diff --git a/docs/ZABBIX_PROXY_ROLE.md b/docs/ZABBIX_PROXY_ROLE.md
index 13706a8a3..baec42155 100644
--- a/docs/ZABBIX_PROXY_ROLE.md
+++ b/docs/ZABBIX_PROXY_ROLE.md
@@ -115,6 +115,7 @@ The following is an overview of all available configuration default for this rol
 * `zabbix_proxy_dbname`: Default: zabbix_proxy. The database name which is used by the Zabbix Proxy.
 * `zabbix_proxy_dbuser`: Default: zabbix_proxy. The database username which is used by the Zabbix Proxy. Will be ignored when `sqlite3` is used as database.
 * `zabbix_proxy_dbpassword`: Default: zabbix_proxy. The database user password which is used by the Zabbix Proxy. Will be ignored when `sqlite3` is used as database.
+* `zabbix_proxy_dbpassword_hash_method`: Default: `md5`. Allow switching postgresql user password creation to `scram-sha-256`, when anything other than `md5` is used then ansible won't hash the password with `md5`.
 * `zabbix_proxy_dbport`: The database port which is used by the Zabbix Proxy. Will be ignored when `sqlite3` is used as database.
 * `zabbix_proxy_database_creation`: Default: `True`. When you don't want to create the database including user, you can set it to False.
 * `zabbix_proxy_install_database_client`: Default: `True`. False does not install database client. Default true
diff --git a/docs/ZABBIX_SERVER_ROLE.md b/docs/ZABBIX_SERVER_ROLE.md
index 7953d1eb7..f154f4951 100644
--- a/docs/ZABBIX_SERVER_ROLE.md
+++ b/docs/ZABBIX_SERVER_ROLE.md
@@ -133,6 +133,7 @@ The following is an overview of all available configuration default for this rol
 * `zabbix_server_dbname`: The database name which is used by the Zabbix Server.
 * `zabbix_server_dbuser`: The database username which is used by the Zabbix Server.
 * `zabbix_server_dbpassword`: The database user password which is used by the Zabbix Server.
+* `zabbix_server_dbpassword_hash_method`: Default: `md5`. Allow switching postgresql user password creation to `scram-sha-256`, when anything other than `md5` is used then ansible won't hash the password with `md5`.
 * `zabbix_server_dbport`: The database port which is used by the Zabbix Server.
 * `zabbix_server_dbpassword_hash_method`: Default: `md5`. Allow switching postgresql user password creation to `scram-sha-256`, when anything other than `md5` is used then ansible won't hash the password with `md5`.
 * `zabbix_server_database_creation`: Default: `True`. When you don't want to create the database including user, you can set it to False.