Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

sap_swpm: Set DDIC password in SWPM if sap_swpm_ddic_000_password is defined #763

Closed
wants to merge 2 commits into from

Conversation

rob0d
Copy link
Contributor

@rob0d rob0d commented Jun 20, 2024

rather just when doing system copy as this parameter is relevant for both new installs and copies.

@sean-freeman sean-freeman changed the title Set DDIC password in SWPM if sap_swpm_ddic_000_password is defined sap_swpm: Set DDIC password in SWPM if sap_swpm_ddic_000_password is defined Jun 20, 2024
@sean-freeman
Copy link
Member

While it can be used, is this common to use in new installations and worth doing? The credentials block with master password, adm password etc. are the the usual candidates for change; the DDIC can be altered after initial login?

I'm flexible either way. Although if this is made generic:

  1. the section would be named credentials_ddic (and retaining the ## prettification so the end-user can see where it came from after generated),
  2. this would be moved upwards in the Jinja template and directly underneath the credentials block.

It's a breaking change, so we have to be purposeful here.

Side note: Please prefix the commits with the Ansible Role name you're changing, such as sap_swpm: set DDIC password in SWPM if sap_swpm_ddic_000_password is defined

@rob0d
Copy link
Contributor Author

rob0d commented Jun 23, 2024

Hi @sean-freeman,
This is a tentative pull request as I am not sure how do you typically handle changes to the jinja template. I will review your comments and update accordingly.
To answer your initial question - yes. Some customers have a very strict security policies. Sometimes I don't even know that the SAP* and DDIC passwords are as they are automatically generated and stored in a vault when executing the playbooks and the security people create user accounts before anyone can login. Having SAP* and DDIC password the same during install would mean an extra manual step that is not really necessary or productive.
The role defaults say that this can be used for new installs, so from my point of view the current behaviour is a bug.
This can potentially make credentials_syscopy obsolete as the only place this is used was in jinja template and this request changes that.
So I need some guidance regarding this one from you guys,

@sean-freeman
Copy link
Member

@rob0d To be verbose, to facilitate closing this PR I would like to see the following:

  • the code block in Jinja
  • appending the parameter in the YAML List (i.e. the default SWPM inifile.params generation list) in the defaults file so the variable is handled automatically if it exists

This breaking change would be noted in the Release Notes, but the following should fix your circumstance

templates/configfile.j2

{% if 'credentials_ddic_000' in sap_swpm_inifile_list %}
######
# credentials_ddic_000
######
# Are the passwords for the DDIC users different from the default value?
NW_DDIC_Password.needDDICPasswords = true
NW_DDIC_Password.ddic000Password = {{ sap_swpm_ddic_000_password | default(sap_swpm_master_password) }}
#NW_DDIC_Password.ddic001Password =
{% endif %}

defaults/main.yml

sap_swpm_inifile_list:
...
#  - credentials_hdbuserstore
  - credentials_ddic_000
  - db_config_hana
....

@sean-freeman
Copy link
Member

As described, PR was replaced by PR #874

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants