SonarQube provides a built-in technical account with default credentials to make it simple for users to discover and evaluate it.
Starting with SonarQube 8.6, administrators who want to keep this account are forced to change the default password the first time they use it. If they don't use it, they are notified in several different ways.
Still, at that point administrators can miss this notification and continue using the product without noticing it later on.
We want to do an extra step to help administrators secure their instance.
Our Support team could recommend that those users change the default credentials, based on the information they would receive.
But a better option is to solve the issue at the root. We should force the administrators to change the 'admin' credentials (before they even contact our support team).
- If the user is a system administrator, and not the "admin" user, redirect to a new page which prompts the user to take 1 of 2 possible actions:
  - Change the admin user's password
  - Deactivate the admin user (add a warning about potential tokens used by admin)

  Edit: deactivation is considered too risky, as it could fail existing pipelines. We'll only force the password change.
- Once an action is successfully completed, a success message appears, with a link to continue to SonarQube.
- As long as SonarQube detects the default credentials are still in use, the system administrator cannot interact with the SonarQube UI. She has to take an action.
- This does not affect any non-sysadmin users.
- This does not affect "admin" herself, as she will be redirected to a different page (the change password form).
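The routing rules above, written out as an added example (not SonarQube's own code): the instance detects whether the stored hash of the `admin` account still verifies the well-known default password, blocks other sysadmins on an assumed `/admin/change_admin_password` page until the password is changed, sends `admin` herself to the regular change-password form, and leaves non-sysadmins alone. The URL paths, PBKDF2 hashing and the `Instance` class are assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_LOGIN = "admin"
DEFAULT_PASSWORD = "admin"  # the built-in technical account's default credentials

# Assumed hashing scheme for the example; SonarQube's real storage format differs.
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class User:
    login: str
    is_sysadmin: bool
    salt: bytes
    pw_hash: bytes

class Instance:
    """Minimal stand-in for the server-side check run on every UI request."""
    def __init__(self):
        self.users = {}
        self.add_user(DEFAULT_LOGIN, True, DEFAULT_PASSWORD)  # fresh install

    def add_user(self, login: str, is_sysadmin: bool, password: str):
        salt = os.urandom(16)
        self.users[login] = User(login, is_sysadmin, salt, hash_password(password, salt))

    def default_credentials_in_use(self) -> bool:
        admin = self.users.get(DEFAULT_LOGIN)
        if admin is None:  # account removed: nothing to force
            return False
        # Verify the default password against the stored hash in constant time.
        return hmac.compare_digest(admin.pw_hash, hash_password(DEFAULT_PASSWORD, admin.salt))

    def route_for(self, login: str, requested_path: str) -> str:
        user = self.users[login]
        if not user.is_sysadmin or not self.default_credentials_in_use():
            return requested_path  # non-sysadmins and secured instances are unaffected
        if user.login == DEFAULT_LOGIN:
            return "/account/reset_password"  # assumed path of the change-password form
        return "/admin/change_admin_password"  # assumed path of the new blocking page

    def change_admin_password(self, new_password: str) -> bool:
        if new_password == DEFAULT_PASSWORD:
            return False  # re-using the default would leave the instance blocked
        admin = self.users[DEFAULT_LOGIN]
        admin.salt = os.urandom(16)
        admin.pw_hash = hash_password(new_password, admin.salt)
        return True
```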