The 'datahub' root user is created for you by default. This user is controlled via a user.props file which JaaS Authentication is configured to use:
By default, the credential file looks like this for each and every self-hosted DataHub deployment:
// default user.props
datahub:datahub
Obviously, this is not ideal from a security perspective. It is highly recommended that this file is changed prior to deploying DataHub to production at your organization.
:::warning
Please note that deleting the Data Hub user in the UI WILL NOT disable the default user.
You will still be able to log in using the default 'datahub:datahub' credentials.
To safely delete the default credentials, please follow the guide provided below.
:::
The method for changing the default user depends on how DataHub is deployed.
You'll need to create a Kubernetes secret, then mount the file as a volume to the datahub-frontend pod.
Create a new version user.props which defines the updated password for the datahub user.
To remove the user 'datahub' from the new file, simply omit the username. Please note that you can also choose to leave the file empty. For example, to change the password for the DataHub root user to 'newpassword', your file would contain the following:
// new user.props
datahub:newpassword
Create a secret from your local user.props file.
kubectl create secret generic datahub-users-secret --from-file=user.props=./<path-to-your-user.props>Configure your values.yaml to add the volume to the datahub-frontend container.
datahub-frontend:
...
extraVolumes:
- name: datahub-users
secret:
defaultMode: 0444
secretName: datahub-users-secret
extraVolumeMounts:
- name: datahub-users
mountPath: /datahub-frontend/conf/user.props
subPath: user.propsRestart the DataHub containers or pods to pick up the new configs. For example, you could run the following command to upgrade the current helm deployment.
helm upgrade datahub datahub/datahub --values <path_to_values.yaml>Note that if you update the secret you will need to restart the datahub-frontend pods so the changes are reflected. To update the secret in-place you can run something like this.
kubectl create secret generic datahub-users-secret --from-file=user.props=./<path-to-your-user.props> -o yaml --dry-run=client | kubectl apply -f -
Modify user.props which defines the updated password for the datahub user.
To remove the user 'datahub' from the new file, simply omit the username. Please note that you can also choose to leave the file empty. For example, to change the password for the DataHub root user to 'newpassword', your file would contain the following:
// new user.props
datahub:newpassword
Change the docker-compose.yaml to mount an updated user.props file to the following location inside the datahub-frontend-react container using a volume:/datahub-frontend/conf/user.props
datahub-frontend-react:
...
volumes:
...
- <absolute_path_to_your_custom_user_props_file>:/datahub-frontend/conf/user.propsRestart the DataHub containers or pods to pick up the new configs.
Modify user.props which defines the updated password for the datahub user.
To remove the user 'datahub' from the new file, simply omit the username. Please note that you can also choose to leave the file empty. For example, to change the password for the DataHub root user to 'newpassword', your file would contain the following:
// new user.props
datahub:newpassword
In docker-compose file used in quickstart. Modify the datahub-frontend-react block to contain the extra volume mount.
datahub-frontend-react:
...
volumes:
...
- <absolute_path_to_your_custom_user_props_file>:/datahub-frontend/conf/user.propsRun the following command.
datahub docker quickstart --quickstart-compose-file <your-modified-compose>.yml