  1. Product Roadmaps
  2. MMF-2303

SonarQube prompts administrators to change the default credentials

    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:
      None

      Description

      WHY

      SonarQube provides a built-in technical account with default credentials to make it simple for users to discover and evaluate it.
      Starting with SonarQube 8.6, administrators who want to keep this account are forced to change the default password when they want to use it. If they don't use it, they are notified in different ways.
      Even so, administrators can miss this information and continue using the product without ever noticing it.

      We want to take an extra step to help administrators secure their instance.

      WHAT

      Our Support team could recommend that those users change the default credentials, based on the information they would receive.
      But a better option is to solve the issue at the root. We should force administrators to change the 'admin' credentials (before they even contact our support team).

      HOW

      • If the user is a system administrator, and not the "admin" user, redirect to a new page which prompts the user to take 1 of 2 possible actions:
        • Change the admin user's password
        • Deactivate the admin user (add a warning about potential tokens used by admin). Edit: this is considered too risky, as it could break existing pipelines. We'll only force the password change.
      • Once an action is successfully completed, a success message appears, with a link to continue to SonarQube.
      • As long as SonarQube detects the default credentials are still in use, the system administrator cannot interact with the SonarQube UI. She has to take an action.
      • This does not affect any non-sysadmin users.
      • This does not affect "admin" herself, as she will be redirected to a different page (the change password form).
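
The gating rules above, sketched as an added example (this is not SonarQube's code). The `Account` type, the page names, the PBKDF2 parameters and the choice to treat a deactivated admin account as "not in use" are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_LOGIN = "admin"
DEFAULT_PASSWORD = "admin"   # SonarQube's documented out-of-the-box password
PBKDF2_ITERATIONS = 100_000  # assumption: stand-in for the real hashing scheme

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:               # hypothetical account record
    login: str
    salt: bytes
    password_hash: bytes
    active: bool = True
    is_sysadmin: bool = False

def make_account(login: str, password: str, **kw) -> Account:
    salt = os.urandom(16)
    return Account(login, salt, hash_password(password, salt), **kw)

def default_credentials_in_use(accounts: dict) -> bool:
    """True while the built-in account is active and still has the default password."""
    admin = accounts.get(DEFAULT_LOGIN)
    if admin is None or not admin.active:
        return False         # assumption: a deactivated account cannot log in
    # Re-hash the default password with the stored salt; compare in constant time.
    candidate = hash_password(DEFAULT_PASSWORD, admin.salt)
    return hmac.compare_digest(candidate, admin.password_hash)

def landing_page(user: Account, accounts: dict) -> str:
    """Decide where a freshly authenticated user is sent (page names are hypothetical)."""
    if not default_credentials_in_use(accounts):
        return "sonarqube_ui"
    if user.login == DEFAULT_LOGIN:
        return "change_password_form"          # "admin" herself
    if user.is_sysadmin:
        return "change_admin_password_prompt"  # blocked until the password changes
    return "sonarqube_ui"                      # non-sysadmin users are unaffected
```
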


              People

              Assignee:
              christophe.levis Christophe Levis
              Reporter:
              christophe.levis Christophe Levis