Openmetadata Basic Authentication does not allow to set the admin passwords since PR11463

[przemslys]

Affected module openmetadata-service UI

Describe the bug According to the documentation it is possible to setup a set of users and their passwords as a comma separated list as adminPrincipals in authorizerConfiguration (a note within https://docs.open-metadata.org/v1.4.x/deployment/security/basic-auth#authorizer-configuration claims that), however, instead of splitting the provided string by colon to get (admin_user_name, admin_user_password) pairs the entire string as passed as admin user name, with colon being the part of it. After digging in the source code I'm pretty confident the culprit is one of the PR introduced last year, namely https://github.com/open-metadata/OpenMetadata/pull/11463/files when any mention of COLON_DELIMITER within UserUtil class was removed.

To Reproduce The problem was noticed whie working on local minikube, so I'll provide the steps starting with the chart information, even if this error is not related to helm chart: 1) please use the helm chart below to deploy OMD on local minikube, please only build the helm chart by running 'kustomize build --enable-helm > .\your_manifests.yaml' `helmChartInflationGenerator:

• chartName: openmetadata chartVersion: 1.3.0 chartRepoUrl: https://helm.open-metadata.org/ releaseName: open-metadata values: ./values.yaml` 2) then please use kustomize to set value of key 'AUTHORIZER_ADMIN_PRINCIPALS' of k8s secret to a list of admins like presented in docuemtation note https://docs.open-metadata.org/v1.4.x/deployment/security/basic-auth#authorizer-configuration (or create/manipulate this secret manually in your_manifests.yaml). 3) please apply the your_manifests.yaml to minikube instance by running ' kubectl apply -f .\your_manifests.yaml' 4) observe the logs of the pod/tryto login with credentials provided in step 2. -> either the admins cannot login at all or those which can login have the same password.

Expected behavior The expectation was that the users would be created with the passwords specified in the config.

Version:

• OS: 5.15.133.1-microsoft-standard-WSL2 (I'm running OMD on minikube on Windows)
• Python version: N/A
• OpenMetadata version: 1.3.0
• OpenMetadata Ingestion package version: N/A
• helm chart: https://helm.open-metadata.org/, chart name: openmetadata, chart version: 1.3.0

Additional context

[harshach]

cc @akash-jain-10 @mohityadav766

[harshach]

@przemslys any reason you want to control this via config rather use the defautl admin/admin to reset the password through the UI?

[przemslys]

hi @harshach there are few reasons:

1. the documentation says I can set those passwords up in the envvar and I cannot find any release notes claiming this feature was intentionally removed;
2. working on k8s means that the Pods (think of them as of a brand new VMs with Openmetadata that do not have persitant memory between restarts) are constantly and randomly restarted, rendering any changes "clicked out" by the Openmetadata admin useless.
3. the currently running approach reqiures a close cooperation between DevOps that deploys the OMD and the admin of OMD, who must act quickily to change the password manually before other users figure the passwords out...
4. if the OMD worked as described in the documentation, we could store the contents of the envvar (so a list of pairs of admin user name and their passwords) as a k8s secret, allowing for a precise and secure way of passing the admin credentials from DevOps to OMD admin; Instead, everyone (all parties involved including DevOps, people that are supposed to work as OMD admins and simple users, even readers of this publicly hosted discussion) knows the admin password - I do not like that...

I mean we eventually will find some workaround for this bug but if the removal of the functionality was indeed done on purpose, please adjust the documentation so in the future such problems would be avoided. If it was removed accidently I humbly ask for the reimplementation of the functionality.

Kind Regards