- Bug
- Resolution: Unresolved
- Blocker
- CentOS Stream 10
- rhel-pt-pcp
- noarch
What were you trying to do that didn't work?
Reviewing ansible-pcp package security configuration. The Grafana role ships a hardcoded default admin password (__grafana_password: admin) in role defaults rather than requiring explicit configuration. Deployments using this role without overriding the variable result in a Grafana instance with known default credentials accessible over the network.
What is the impact of this issue to you?
Any system deployed using the ansible-pcp Grafana role with default variables will have a Grafana instance accessible with known credentials (admin:admin). Since Grafana binds to a network port, this creates a remotely exploitable authentication bypass. Attackers with network access can log into Grafana, view monitoring data, modify dashboards, and potentially pivot further depending on the environment.
Please provide the package NVR for which the bug is seen:
ansible-pcp-2.4.2-1.el10.noarch
How reproducible is this bug?:
Always
Steps to reproduce
- rpm2cpio ansible-pcp-2.4.2-1.el10.noarch.rpm | cpio -i --to-stdout "*grafana*main.yml" 2>/dev/null | grep -i password
- Observe __grafana_password: admin
- Deploy the grafana role without overriding the variable
Expected results
The role should require an explicit password to be configured, or generate a random one, instead of shipping a fixed default.
Actual results
Grafana deployed with known default credentials (admin:admin)
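The hardened pattern the expected result describes, written out as an added example playbook; this is not code from ansible-pcp or the rhel-pt-pcp role. It assumes a caller-facing variable named grafana_admin_password (a hypothetical name), a host group pcp_grafana, and Grafana listening on its default port 3000 on the managed host; the only name taken from this report is __grafana_password.

```yaml
# Added example, not part of ansible-pcp. Refuses the known default, generates a
# random password when the caller supplied none, then verifies that admin:admin
# is rejected by the deployed Grafana instance.
- name: Configure Grafana with an explicit or generated admin password
  hosts: pcp_grafana            # hypothetical inventory group
  become: true
  vars:
    grafana_admin_password: ""  # hypothetical variable; callers set it via group_vars or Vault
  tasks:
    - name: Refuse the known Grafana default credential
      ansible.builtin.assert:
        that:
          - grafana_admin_password != "admin"
        fail_msg: "grafana_admin_password must not be the Grafana default 'admin'"

    - name: Generate a random password when none was supplied
      ansible.builtin.set_fact:
        grafana_admin_password: "{{ lookup('ansible.builtin.password', '/dev/null', length=32) }}"
      when: grafana_admin_password | length == 0
      no_log: true

    - name: Map the value onto the role variable named in this report
      ansible.builtin.set_fact:
        __grafana_password: "{{ grafana_admin_password }}"
      no_log: true

    # ... role tasks that configure Grafana using __grafana_password go here ...

    - name: Verify that the default credential is rejected
      ansible.builtin.uri:
        url: "http://127.0.0.1:3000/api/org"   # Grafana default port assumed
        url_username: admin
        url_password: admin
        force_basic_auth: true
        status_code: 401                       # task fails if admin:admin still works
```

Using '/dev/null' as the lookup path makes the generated password different on every run; pointing the password lookup at a persistent file under the inventory directory keeps it stable across runs and lets it be retrieved later. The final uri task doubles as a deployment check: run it against an existing host to confirm the default credential has actually been replaced.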