SonarQube / SONAR-14320

Unable to start SQ when switching admin account from SSO to local

    Details

    • Edition:
      Community
    • Production Notes:
      None

      Description

      During authentication of the "admin" user, if using SSO, their record in the users table is updated with the new authentication method and the crypted_password column is nullified in the DB. Now, if the instance switches back to local authentication, the SonarQube startup will fail with an NPE on the "default admin password" check, as the password is null.

      The only way to correct this situation is to use the script provided [here|https://docs.sonarqube.org/latest/instance-administration/security/], under the Reinstating Admin Access section.

      Problem
      This only applies to BCrypt, and is mitigated by the fact that users will now automatically be migrated to PBKDF2 when they log in. Still, if:

      • An instance was using a version of SQ where BCrypt was the default hashing algo
      • And then switched to any SSO method
      • And then switched back to local authentication

      Then the NPE will occur. And because it will fail at startup, the "admin" user also cannot log in to have their hashing algo migrated to PBKDF2.

      Solution

      Do the same as we do for SHA1 and PBKDF2: handle NULL passwords as an incorrect password, which will enable SQ to start normally. This will disable logging in for the "admin" user, but this is normal, as there is no hash to check against (the only solution here is to reinstate access, as per the docs).
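
The null guard described in the Solution, as an added example that is not SonarQube's own code: the class, record and method names are hypothetical, and JDK PBKDF2 stands in for BCrypt (which the JDK does not ship), since the point is how the startup check treats a NULL hash. The salt and iteration count are constructed values.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

public class NullHashCheck {
    // Hypothetical stand-in for the relevant columns of a users-table row.
    record UserRow(String login, String cryptedPassword, String salt) {}

    enum Result { OK, WRONG_PASSWORD, NO_LOCAL_HASH }

    static final int ITERATIONS = 100_000; // constructed value for this example

    static byte[] pbkdf2(String password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, ITERATIONS, 512);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA512").generateSecret(spec).getEncoded();
    }

    // A missing hash or salt is reported as a failed check, never dereferenced.
    static Result check(UserRow user, String candidate) throws GeneralSecurityException {
        if (user.cryptedPassword() == null || user.salt() == null) {
            return Result.NO_LOCAL_HASH; // e.g. column nullified by an SSO login
        }
        byte[] expected = Base64.getDecoder().decode(user.cryptedPassword());
        byte[] actual = pbkdf2(candidate, Base64.getDecoder().decode(user.salt()));
        // Constant-time comparison of the stored and recomputed hashes.
        return MessageDigest.isEqual(expected, actual) ? Result.OK : Result.WRONG_PASSWORD;
    }

    // Startup check: true only when the admin row still verifies against the default password.
    static boolean adminHasDefaultPassword(UserRow admin) throws GeneralSecurityException {
        return check(admin, "admin") == Result.OK;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        String saltB64 = Base64.getEncoder().encodeToString(salt);
        String hashB64 = Base64.getEncoder().encodeToString(pbkdf2("admin", salt));
        UserRow localAdmin = new UserRow("admin", hashB64, saltB64);
        UserRow afterSso = new UserRow("admin", null, null); // state after SSO login
        System.out.println("local admin has default password: " + adminHasDefaultPassword(localAdmin));
        System.out.println("post-SSO admin has default password: " + adminHasDefaultPassword(afterSso));
        System.out.println("post-SSO login attempt: " + check(afterSso, "any-password"));
    }
}
```

With the guard in place the startup check completes for the post-SSO row, and every local login attempt for that row fails until access is reinstated.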

            People

            Assignee:
            wouter.admiraal Wouter Admiraal
            Reporter:
            jacek.poreda Jacek Poreda