diff --git a/changelogs/fragments/default_dbpass.yml b/changelogs/fragments/default_dbpass.yml new file mode 100644 index 000000000..6de7ac2d5 --- /dev/null +++ b/changelogs/fragments/default_dbpass.yml @@ -0,0 +1,5 @@ +--- +breaking_changes: + - "orasw_meta: Removed default passwords from default_dbpass and dbpasswords (oravirt#409)" +security_fixes: + - "orasw_meta: Removed default passwords from default_dbpass and dbpasswords (oravirt#409)" diff --git a/roles/orasw_meta/README.md b/roles/orasw_meta/README.md index 43aadc24b..0a9f6cd0f 100644 --- a/roles/orasw_meta/README.md +++ b/roles/orasw_meta/README.md @@ -172,25 +172,66 @@ dbenvdir: '{{ oracle_user_home }}/dbenv' ### dbpasswords +Define the passwords for DB-Users in nonCDB, CDB and PDBs. + #### Default value ```YAML +dbpasswords: {} +``` + +#### Example usage + +```YAML + +nonCDB with db_name: orcl + +dbpasswords: + : + : + +dbpasswords: + orcl: + SYS: Oracle_456 + SYSTEM: Oracle_456 + DBSNMP: Oracle_456 + +CDB with `db_name: orcl` and `PDB: orclpdb` + +dbpasswords: + : + : + : + : + dbpasswords: orcl: - sys: Oracle_456 - system: Oracle_456 - dbsnmp: Oracle_456 - pdbadmin: Oracle_456 + SYS: Oracle_456 + SYSTEM: Oracle_456 + DBSNMP: Oracle_456 + ORCLPDB: + PDBADMIN: Oracle_789 ``` ### default_dbpass +Set the default password for all DB-Users not defined in `dbpasswords`. + #### Default value ```YAML -default_dbpass: '{% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd - }}{%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd - }}{%- else %}Oracle123{%- endif %}' +default_dbpass: >- + {% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd + -}} + {%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd + -}} + {%- endif %} +``` + +#### Example usage + +```YAML +default_dbpass: topeS3cr§t ``` ### deploy_ocenv 
@@ -876,8 +917,6 @@ shell_ps1: "'[$LOGNAME'@'$ORACLE_SID `basename $PWD`]$'" - (information): db_homes_installed not used for a long time... - (information): variable description is missing - (information): variable description is missing -- (information): variable description is missing -- (information): variable description is missing - (todo): Remove variable _www_download_bin ## Dependencies diff --git a/roles/orasw_meta/defaults/main.yml b/roles/orasw_meta/defaults/main.yml index 9229aa294..875cafad4 100644 --- a/roles/orasw_meta/defaults/main.yml +++ b/roles/orasw_meta/defaults/main.yml 
@@ -554,16 +554,48 @@ oracle_ee_options_213: # - {name: temp, size: 10M, autoextend: true, next: 50M, maxsize: 4G, content: permanent, state: present, bigfile: false} # @end -# @todo information: variable description is missing -default_dbpass: "{% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd }}\ - {%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd }}\ - {%- else %}Oracle123\ - {%- endif %}" +# @var default_dbpass:description: > +# Set the default password for all DB-Users not defined in `dbpasswords`. +# @end +# @var default_dbpass:example: > +# default_dbpass: topeS3cr§t +# @end +default_dbpass: >- + {% if item is defined and item.oracle_db_passwd is defined %}{{ item.oracle_db_passwd -}} + {%- elif dbh is defined and dbh.oracle_db_passwd is defined %}{{ dbh.oracle_db_passwd -}} + {%- endif %} -# @todo information: variable description is missing -dbpasswords: - orcl: - sys: Oracle_456 - system: Oracle_456 - dbsnmp: Oracle_456 - pdbadmin: Oracle_456 +# @var dbpasswords:description: > +# Define the passwords for DB-Users in nonCDB, CDB and PDBs. +# @end +# @var dbpasswords:example: > +# +# nonCDB with db_name: orcl +# +# dbpasswords: +# : +# : +# +# dbpasswords: +# orcl: +# SYS: Oracle_456 +# SYSTEM: Oracle_456 +# DBSNMP: Oracle_456 +# +# CDB with `db_name: orcl` and `PDB: orclpdb` +# +# dbpasswords: +# : +# : +# : +# : +# +# dbpasswords: +# orcl: +# SYS: Oracle_456 +# SYSTEM: Oracle_456 +# DBSNMP: Oracle_456 +# ORCLPDB: +# PDBADMIN: Oracle_789 +# @end +dbpasswords: {} diff --git a/roles/orasw_meta_internal/defaults/main.yml b/roles/orasw_meta_internal/defaults/main.yml index 77cc205d3..f2243b2a8 100644 --- a/roles/orasw_meta_internal/defaults/main.yml +++ b/roles/orasw_meta_internal/defaults/main.yml 
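Review bot: The new `default_dbpass` template has no `else` branch, so when neither `item.oracle_db_passwd` nor `dbh.oracle_db_passwd` is defined it appears to render to an empty string rather than leave the variable undefined. Removing `Oracle123` therefore swaps a known default for a blank one unless every consumer rejects empty values, and an undefined-only guard such as `mandatory` would not catch that. I would state this in the description block, e.g. `# Renders to an empty string when no password is configured; consumers must reject an empty value.` Separately, the `dbpasswords` example still shows `Oracle_456`, the value this commit removes as a shipped default; a placeholder such as `<password>` would be less likely to be copied into an inventory.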
@@ -5,8 +5,9 @@ # Do not set it in inventory! # @end # @var _db_password_cdb: $ "_internal_used_" -_db_password_cdb: "{{ dbpasswords[odb.0.oracle_db_name][db_user] | \ - default(default_dbpass) }}" +_db_password_cdb: >- + {{ dbpasswords[odb.0.oracle_db_name][db_user] + | default(default_dbpass | mandatory) }} # @var _db_password_pdb:description: > # The variable is internal used only. @@ -14,8 +15,9 @@ _db_password_cdb: "{{ dbpasswords[odb.0.oracle_db_name][db_user] | \ # Do not set it in inventory! # @end # @var _db_password_pdb: $ "_internal_used_" -_db_password_pdb: "{{ dbpasswords[opdb[0]['cdb']][opdb[0]['pdb_name']][db_user] | \ - default(default_dbpass) }}" +_db_password_pdb: >- + {{ dbpasswords[opdb[0]['cdb']][opdb[0]['pdb_name']][db_user] + | default(default_dbpass | mandatory) }} # @var _db_service_name:description: > # The variable is internal used only.
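Review bot: `default(default_dbpass | mandatory)` in `_db_password_cdb` probably does not fail closed, and the same applies to `_db_password_pdb` in the next hunk. `mandatory` rejects only undefined values, while the role default for `default_dbpass` set in `roles/orasw_meta/defaults/main.yml` by this commit is a Jinja template that renders to an empty string when no password is supplied, so an empty password would pass through silently. A non-empty check on the resolved value would be more reliable, for example an `ansible.builtin.assert` before first use with `that: _db_password_cdb | length > 0` and a `fail_msg` naming the missing `dbpasswords` entry. Both variable definitions are complete within their hunks; the code that consumes them is not visible here, so whether an empty value is rejected later cannot be confirmed from this diff.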