# all-things-deployment
a
Hi all, just wanted to raise a potential security issue in case anyone else encounters it. We were previously on `v0.8.42` and upgraded to `v0.9.6`. After upgrading, our DataHub root user password got reset back to the default `datahub`.

How did this happen? We were relying on the datahub-frontend container's `JAVA_OPTS` environment variable to override the `java.security.auth.login.config` property to point to our own `jaas.conf` file, which would point to a `user.props` file with a non-default password. Our org is using ECS, so simply using a configmap to override the `user.props` file is not something that is possible, hence the need to override the `java.security.auth.login.config` property. It turns out that in v0.8.45 there was a change to the startup of the frontend container. A `start.sh` script was introduced, which exports `JAVA_OPTS` itself and sets `java.security.auth.login.config` to the default location. The default location loads up the default `user.props`, and that's how you get the root user password reset. I think there should be an environment variable exposed to override the location of the `jaas.conf` file, since it isn't as trivial to replace the `user.props` file in non-K8s environments. We'll have to resort to uglier solutions to this now because of the change above.
d
Hello, Thank you for the report, we’ll get back shortly. (cc. @bulky-soccer-26729)
a
Also using ECS and have not found a straightforward way of using a custom `user.props` file.