orasw_meta: Removed default passwords from default_dbpass and dbpassw…

…ords
oravirt · Feb 12, 2024 · cb4e9e9 · cb4e9e9
1 parent 922936d
commit cb4e9e9
Show file tree

Hide file tree

Showing 4 changed files with 103 additions and 25 deletions.
diff --git a/changelogs/fragments/default_dbpass.yml b/changelogs/fragments/default_dbpass.yml
@@ -0,0 +1,5 @@
+---
+breaking_changes:
+  - "orasw_meta: Removed default passwords from default_dbpass and dbpasswords (oravirt#409)"
+security_fixes:
+  - "orasw_meta: Removed default passwords from default_dbpass and dbpasswords (oravirt#409)"
diff --git a/roles/orasw_meta/README.md b/roles/orasw_meta/README.md
@@ -172,25 +172,66 @@ dbenvdir: '{{ oracle_user_home }}/dbenv'
 
 ### dbpasswords
 
+Define the passwords for DB-Users in nonCDB, CDB and PDBs.
+
 #### Default value
 
 ```YAML
+dbpasswords: {}
+```
+
+#### Example usage
+
+```YAML
+
+nonCDB with db_name: orcl
+
+dbpasswords:
+  <db_name>:
+    <db_user>: <db_password>
+
+dbpasswords:
+  orcl:
+    SYS: Oracle_456
+    SYSTEM: Oracle_456
+    DBSNMP: Oracle_456
+
+CDB with `db_name: orcl` and `PDB: orclpdb`
+
+dbpasswords:
+  <CDB db_name>:
+    <CDB db_user>: <db_password>
+    <PDB name>:
+      <PDB db_user>: <db_password>
+
 dbpasswords:
   orcl:
-    sys: Oracle_456
-    system: Oracle_456
-    dbsnmp: Oracle_456
-    pdbadmin: Oracle_456
+    SYS: Oracle_456
+    SYSTEM: Oracle_456
+    DBSNMP: Oracle_456
+    ORCLPDB:
+      PDBADMIN: Oracle_789
 ```
 
 ### default_dbpass
 
+Set the default password for all DB-Users not defined in `dbpasswords`.
+
 #### Default value
 
 ```YAML
-default_dbpass: '{% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd
-  }}{%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd
-  }}{%- else %}Oracle123{%- endif %}'
+default_dbpass: >-
+  {% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd
+  -}}
+  {%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd
+  -}}
+  {%- endif %}
+```
+
+#### Example usage
+
+```YAML
+default_dbpass: topeS3cr§t
 ```
 
 ### deploy_ocenv
@@ -876,8 +917,6 @@ shell_ps1: "'[$LOGNAME'@'$ORACLE_SID `basename $PWD`]$'"
 - (information): db_homes_installed not used for a long time...
 - (information): variable description is missing
 - (information): variable description is missing
-- (information): variable description is missing
-- (information): variable description is missing
 - (todo): Remove variable _www_download_bin
 
 ## Dependencies

diff --git a/roles/orasw_meta/defaults/main.yml b/roles/orasw_meta/defaults/main.yml
@@ -554,16 +554,48 @@ oracle_ee_options_213:
 #       - {name: temp, size: 10M, autoextend: true, next: 50M, maxsize: 4G, content: permanent, state: present, bigfile: false}
 # @end
 
-# @todo information: variable description is missing
-default_dbpass: "{% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd }}\
-                 {%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd }}\
-                 {%- else %}Oracle123\
-                 {%- endif %}"
+# @var default_dbpass:description: >
+# Set the default password for all DB-Users not defined in `dbpasswords`.
+# @end
+# @var default_dbpass:example: >
+# default_dbpass: topeS3cr§t
+# @end
+default_dbpass: >-
+  {% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd -}}
+  {%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd -}}
+  {%- endif %}
 
-# @todo information: variable description is missing
-dbpasswords:
-  orcl:
-    sys: Oracle_456
-    system: Oracle_456
-    dbsnmp: Oracle_456
-    pdbadmin: Oracle_456
+# @var dbpasswords:description: >
+# Define the passwords for DB-Users in nonCDB, CDB and PDBs.
+# @end
+# @var dbpasswords:example: >
+#
+# nonCDB with db_name: orcl
+#
+# dbpasswords:
+#   <db_name>:
+#     <db_user>: <db_password>
+#
+# dbpasswords:
+#   orcl:
+#     SYS: Oracle_456
+#     SYSTEM: Oracle_456
+#     DBSNMP: Oracle_456
+#
+# CDB with `db_name: orcl` and `PDB: orclpdb`
+#
+# dbpasswords:
+#   <CDB db_name>:
+#     <CDB db_user>: <db_password>
+#     <PDB name>:
+#       <PDB db_user>: <db_password>
+#
+# dbpasswords:
+#   orcl:
+#     SYS: Oracle_456
+#     SYSTEM: Oracle_456
+#     DBSNMP: Oracle_456
+#     ORCLPDB:
+#       PDBADMIN: Oracle_789
+# @end
+dbpasswords: {}
diff --git a/roles/orasw_meta_internal/defaults/main.yml b/roles/orasw_meta_internal/defaults/main.yml
@@ -5,17 +5,19 @@
 # Do not set it in inventory!
 # @end
 # @var _db_password_cdb: $ "_internal_used_"
-_db_password_cdb: "{{ dbpasswords[odb.0.oracle_db_name][db_user] | \
-                      default(default_dbpass) }}"
+_db_password_cdb: >-
+  {{ dbpasswords[odb.0.oracle_db_name][db_user]
+     | default(default_dbpass | mandatory) }}
 
 # @var _db_password_pdb:description: >
 # The variable is internal used only.
 #
 # Do not set it in inventory!
 # @end
 # @var _db_password_pdb: $ "_internal_used_"
-_db_password_pdb: "{{ dbpasswords[opdb[0]['cdb']][opdb[0]['pdb_name']][db_user] | \
-                      default(default_dbpass) }}"
+_db_password_pdb: >-
+  {{ dbpasswords[opdb[0]['cdb']][opdb[0]['pdb_name']][db_user]
+     | default(default_dbpass | mandatory) }}
 
 # @var _db_service_name:description: >
 # The variable is internal used only.