diff --git a/CHANGELOG.md b/CHANGELOG.md
index 939b48b4..d204cc37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ All notable changes to this project will be documented in this file.
 - Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]).
 - java: migrate to temurin jdk/jre ([#894]).
 - tools: bump kubectl to `1.31.1` and jq to `1.7.1` ([#896]).
+- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890]).
 
 ### Removed
 
@@ -66,6 +67,7 @@ All notable changes to this project will be documented in this file.
 [#822]: https://github.com/stackabletech/docker-images/pull/822
 [#846]: https://github.com/stackabletech/docker-images/pull/846
 [#848]: https://github.com/stackabletech/docker-images/pull/848
+[#849]: https://github.com/stackabletech/docker-images/pull/849
 [#851]: https://github.com/stackabletech/docker-images/pull/851
 [#852]: https://github.com/stackabletech/docker-images/pull/852
 [#853]: https://github.com/stackabletech/docker-images/pull/853
@@ -80,6 +82,7 @@ All notable changes to this project will be documented in this file.
 [#880]: https://github.com/stackabletech/docker-images/pull/880
 [#881]: https://github.com/stackabletech/docker-images/pull/881
 [#882]: https://github.com/stackabletech/docker-images/pull/882
+[#890]: https://github.com/stackabletech/docker-images/pull/890
 [#894]: https://github.com/stackabletech/docker-images/pull/894
 [#896]: https://github.com/stackabletech/docker-images/pull/896
 
diff --git a/druid/Dockerfile b/druid/Dockerfile
index 104597bd..a294ac55 100644
--- a/druid/Dockerfile
+++ b/druid/Dockerfile
@@ -120,8 +120,8 @@ ln -s /stackable/apache-druid-${PRODUCT} /stackable/druid
 # Force to overwrite the existing 'run-druid'
 ln -sf /stackable/bin/run-druid /stackable/druid/bin/run-druid
 
-# All files and folders owned by root to support running as arbitrary users
-# This is best practice as all container users will belong to the root group (0)
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
 chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile
index a0ecc328..124a7abc 100644
--- a/hadoop/Dockerfile
+++ b/hadoop/Dockerfile
@@ -169,8 +169,8 @@ find . -name 'hadoop-*tests.jar' -type f -delete
 # It is so non-root users (as we are) can mount a FUSE device and let other users access it
 echo "user_allow_other" > /etc/fuse.conf
 
-# All files and folders owned by root to support running as arbitrary users
-# This is best practice as all container users will belong to the root group (0)
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
 chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
diff --git a/hbase/Dockerfile b/hbase/Dockerfile
index 31e5cc47..a8228dec 100644
--- a/hbase/Dockerfile
+++ b/hbase/Dockerfile
@@ -354,8 +354,8 @@ ln --symbolic --logical --verbose "/stackable/hbase-${PRODUCT}" /stackable/hbase
 ln --symbolic --logical --verbose "/stackable/hbase-operator-tools-${HBASE_OPERATOR_TOOLS}" /stackable/hbase-operator-tools
 ln --symbolic --logical --verbose "/stackable/phoenix/phoenix-server-hbase-${HBASE_PROFILE}.jar" "/stackable/hbase/lib/phoenix-server-hbase-${HBASE_PROFILE}.jar"
 
-# All files and folders owned by root to support running as arbitrary users
-# This is best practice as all container users will belong to the root group (0)
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
 chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
diff --git a/hello-world/Dockerfile b/hello-world/Dockerfile
index 89caabf0..9680043b 100644
--- a/hello-world/Dockerfile
+++ b/hello-world/Dockerfile
@@ -22,8 +22,8 @@ rm -rf /var/cache/yum
 
 curl "https://repo.stackable.tech/repository/packages/hello-world/hello-world-${PRODUCT}.jar" -o /stackable/hello-world.jar
 
-# All files and folders owned by root to support running as arbitrary users
-# This is best practice as all container users will belong to the root group (0)
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
 chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
diff --git a/hive/Dockerfile b/hive/Dockerfile
index af7555d6..794faef6 100644
--- a/hive/Dockerfile
+++ b/hive/Dockerfile
@@ -103,40 +103,47 @@ LABEL io.openshift.tags="ubi9,stackable,hive,sdp"
 LABEL io.k8s.description="${DESCRIPTION}"
 LABEL io.k8s.display-name="${NAME}"
 
-RUN <<EOF
-microdnf update
-microdnf clean all
-rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt
-rm -rf /var/cache/yum
-EOF
-
-USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
 COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/apache-hive-metastore-${PRODUCT}-bin
-RUN ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/hive-metastore
 
 # It is useful to see which version of Hadoop is used at a glance
 # Therefore the use of the full name here
 # TODO: Do we really need all of Hadoop in here?
 COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/hadoop /stackable/hadoop-${HADOOP}
-RUN ln -s /stackable/hadoop-${HADOOP} /stackable/hadoop
+
+RUN <<EOF
+microdnf update
+microdnf clean all
+rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt
+rm -rf /var/cache/yum
+
+ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/hive-metastore
+ln -s /stackable/hadoop-${HADOOP} /stackable/hadoop
 
 # The next two sections for S3 and Azure use hardcoded version numbers on purpose instead of wildcards
 # This way the build will fail should one of the files not be available anymore in a later Hadoop version!
 
 # Add S3 Support for Hive (support for s3a://)
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/hive-metastore/lib/
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/hive-metastore/lib/
+cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/hive-metastore/lib/
+cp /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/hive-metastore/lib/
 
 # Add Azure ABFS support (support for abfs://)
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/hive-metastore/lib/
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar /stackable/hive-metastore/lib/
-RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar /stackable/hive-metastore/lib/
+cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/hive-metastore/lib/
+cp /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar /stackable/hive-metastore/lib/
+cp /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar /stackable/hive-metastore/lib/
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
 
 COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/jmx /stackable/jmx
 COPY hive/licenses /licenses
 
+USER ${STACKABLE_USER_UID}
+
 ENV HADOOP_HOME=/stackable/hadoop
 ENV HIVE_HOME=/stackable/hive-metastore
 ENV PATH="${PATH}":/stackable/hadoop/bin:/stackable/hive-metastore/bin
diff --git a/kafka-testing-tools/Dockerfile b/kafka-testing-tools/Dockerfile
index 5fdda0d1..a15cc7d9 100644
--- a/kafka-testing-tools/Dockerfile
+++ b/kafka-testing-tools/Dockerfile
@@ -8,6 +8,7 @@ FROM stackable/image/stackable-base AS final
 ARG PRODUCT
 ARG KCAT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Kafka Testing Tools" \
       maintainer="info@stackable.tech" \
@@ -29,11 +30,10 @@ RUN microdnf install  \
     && rm -rf /var/cache/yum
 
 # Store kcat version with binary name and add softlink
-COPY --chown=stackable:stackable --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/kcat-${KCAT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/kcat-${KCAT}
 RUN ln -s /stackable/kcat-${KCAT} /stackable/kcat
-COPY --chown=stackable:stackable --from=kcat /licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /licenses /licenses
 
-
-COPY --chown=stackable:stackable kafka-testing-tools/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 kafka-testing-tools/licenses /licenses
 
 ENTRYPOINT ["/stackable/kcat"]
diff --git a/kafka/Dockerfile b/kafka/Dockerfile
index e3fc0289..4d7b204c 100644
--- a/kafka/Dockerfile
+++ b/kafka/Dockerfile
@@ -9,8 +9,9 @@ ARG PRODUCT
 ARG SCALA
 ARG OPA_AUTHORIZER
 ARG JMX_EXPORTER
+ARG STACKABLE_USER_UID
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
 RUN curl "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT}-src.tgz" | tar -xzC . && \
@@ -27,28 +28,12 @@ RUN curl "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT}
 RUN curl https://repo.stackable.tech/repository/packages/kafka-opa-authorizer/opa-authorizer-${OPA_AUTHORIZER}-all.jar \
     -o /stackable/kafka_${SCALA}-${PRODUCT}/libs/opa-authorizer-${OPA_AUTHORIZER}-all.jar
 
-COPY --chown=stackable:stackable kafka/stackable/jmx/ /stackable/jmx/
+COPY --chown=${STACKABLE_USER_UID}:0 kafka/stackable/jmx/ /stackable/jmx/
 RUN curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \
     -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar && \
     chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar && \
     ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar
 
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/kafka_${SCALA}-${PRODUCT}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/kafka_${SCALA}-${PRODUCT}
-# ===
 
 FROM stackable/image/java-base AS final
 
@@ -56,6 +41,7 @@ ARG RELEASE
 ARG PRODUCT
 ARG SCALA
 ARG KCAT
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache Kafka" \
       maintainer="info@stackable.tech" \
@@ -67,32 +53,38 @@ LABEL name="Apache Kafka" \
 
 # This is needed for kubectl
 COPY kafka/kubernetes.repo /etc/yum.repos.d/kubernetes.repo
-RUN microdnf update && \
-    microdnf install \
-    # needed by kcat for kerberos
-    cyrus-sasl-gssapi \
-    # Can be removed once listener-operator integration is used
-    kubectl && \
-    microdnf clean all && \
-    rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt && \
-    rm -rf /var/cache/yum
-
-USER stackable
-WORKDIR /stackable
-
-COPY --chown=stackable:stackable kafka/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 kafka/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kafka-builder /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka_${SCALA}-${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kafka-builder /stackable/jmx/ /stackable/jmx/
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/bin/kcat-${KCAT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /licenses /licenses
 
-# We copy opa-authorizer.jar and jmx-exporter through the builder image to have an absolutely minimal final image
-# (e.g. we don't even need curl in it).
-COPY --chown=stackable:stackable --from=kafka-builder /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka_${SCALA}-${PRODUCT}
-COPY --chown=stackable:stackable --from=kafka-builder /stackable/jmx/ /stackable/jmx/
-COPY --chown=stackable:stackable --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/bin/kcat-${KCAT}
-COPY --chown=stackable:stackable --from=kcat /licenses /licenses
+WORKDIR /stackable
 
-RUN ln -s /stackable/bin/kcat-${KCAT} /stackable/bin/kcat && \
-    # kcat was located in /stackable/kcat - legacy
-    ln -s /stackable/bin/kcat /stackable/kcat && \
-    ln -s /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka
+RUN <<EOF
+microdnf update
+# cyrus-sasl-gssapi: needed by kcat for kerberos
+# kubectl: Can be removed once listener-operator integration is used
+microdnf install \
+  cyrus-sasl-gssapi \
+  kubectl
+
+microdnf clean all
+rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt
+rm -rf /var/cache/yum
+
+ln -s /stackable/bin/kcat-${KCAT} /stackable/bin/kcat
+# kcat was located in /stackable/kcat - legacy
+ln -s /stackable/bin/kcat /stackable/kcat
+ln -s /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+USER ${STACKABLE_USER_UID}
 
 ENV PATH="${PATH}:/stackable/bin:/stackable/kafka/bin"
 
diff --git a/kcat/Dockerfile b/kcat/Dockerfile
index 4da109e2..5cd2ecf2 100644
--- a/kcat/Dockerfile
+++ b/kcat/Dockerfile
@@ -7,6 +7,7 @@
 FROM stackable/image/java-base AS builder
 
 ARG PRODUCT
+ARG STACKABLE_USER_UID
 
 RUN microdnf update \
     && microdnf install \
@@ -32,7 +33,7 @@ RUN curl -O https://repo.stackable.tech/repository/packages/kcat/kcat-${PRODUCT}
     && cd kcat-${PRODUCT} \
     && ./bootstrap.sh
 
-COPY --chown=stackable:stackable kcat/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 kcat/licenses /licenses
 
 # SNIPPET 1
 # 145.2 gcc  -I/stackable/kcat-1.7.0/tmp-bootstrap/usr/include -I/stackable/kcat-1.7.0/tmp-bootstrap/usr/include -g -O2 -Wall -Wsign-compare -Wfloat-equal -Wpointer-arith -Wcast-align -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -Wl,-rpath-link=/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -Wl,-rpath-link=/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib kcat.o format.o tools.o input.o json.o avro.o -o kcat  -lm -ldl -lpthread -lrt -lpthread -lrt  -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib  /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libavro.a /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libjansson.a -lcurl /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libserdes.a -Wl,-Bstatic -lavro -Wl,-Bdynamic /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libyajl_s.a -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib //stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/librdkafka.a -lm -ldl -lpthread -lrt -lz -lcrypto -lssl -lsasl2   -lm -ldl -lpthread -lrt -lpthread -lrt  -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib  /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libavro.a /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libjansson.a -lcurl
diff --git a/nifi/Dockerfile b/nifi/Dockerfile
index c5e5325d..472be39a 100644
--- a/nifi/Dockerfile
+++ b/nifi/Dockerfile
@@ -5,6 +5,7 @@ FROM stackable/image/java-devel AS nifi-builder
 
 ARG PRODUCT
 ARG MAVEN_VERSION="3.9.8"
+ARG STACKABLE_USER_UID
 
 RUN microdnf update && \
     microdnf clean all && \
@@ -22,10 +23,10 @@ RUN if [[ "${PRODUCT}" == 2.* ]] ; then \
         ln -sf /tmp/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn ; \
     fi
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable nifi/stackable/patches /stackable/patches
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/patches /stackable/patches
 
 # NOTE: NiFi 1.21.0 source build does not work with the current arm64 git runners due to java heap issues:
 #
@@ -82,28 +83,11 @@ RUN if [[ "${PRODUCT}" == "1.21.0" ]] ; then \
         rm -rf /stackable/nifi-${PRODUCT}/docs ; \
     fi
 
-# ===
-# For earlier versions this script removes the .class file that contains the
-# vulnerable code.
-# TODO: This can be restricted to target only versions which do not honor the environment
-#   varible that has been set above but this has not currently been implemented
-COPY shared/log4shell.sh /bin
-RUN /bin/log4shell.sh /stackable/nifi-${PRODUCT}
-
-# Ensure no vulnerable files are left over
-# This will currently report vulnerable files being present, as it also alerts on
-# SocketNode.class, which we do not remove with our scripts.
-# Further investigation will be needed whether this should also be removed.
-COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64
-COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64
-COPY shared/log4shell_scanner /bin/log4shell_scanner
-RUN /bin/log4shell_scanner s /stackable/nifi-${PRODUCT}
-# ===
-
 FROM stackable/image/java-base AS final
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache NiFi" \
       maintainer="info@stackable.tech" \
@@ -113,28 +97,39 @@ LABEL name="Apache NiFi" \
       summary="The Stackable image for Apache NiFi." \
       description="This image is deployed by the Stackable Operator for Apache NiFi."
 
-RUN microdnf update && \
-    microdnf install \
-    # Required to install nipyapi
-    python-pip && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum && \
-    # The nipyapi is required for the ReportingTaskJob
-    pip install --no-cache-dir nipyapi==0.19.1 && \
-    # For backwards compatibility we create a softlink in /bin where the jar used to be as long as we are root
-    # This can be removed once older versions / operators using this are no longer supported
-    ln -s /stackable/stackable-bcrypt.jar /bin/stackable-bcrypt.jar
+COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
+COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
+
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/bin /stackable/bin
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 nifi/python /stackable/python
+
+RUN <<EOF
+ln -s /stackable/nifi-${PRODUCT} /stackable/nifi
+
+microdnf update
+
+# python-pip: Required to install nipyapi
+microdnf install \
+  python-pip
+
+microdnf clean all
+rm -rf /var/cache/yum
 
-USER stackable
+# The nipyapi is required for the ReportingTaskJob
+pip install --no-cache-dir nipyapi==0.19.1 && \
 
-COPY --chown=stackable:stackable --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/
-COPY --chown=stackable:stackable --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar
+# For backwards compatibility we create a softlink in /bin where the jar used to be as long as we are root
+# This can be removed once older versions / operators using this are no longer supported
+ln -s /stackable/stackable-bcrypt.jar /bin/stackable-bcrypt.jar
 
-COPY --chown=stackable:stackable nifi/stackable/bin /stackable/bin
-COPY --chown=stackable:stackable nifi/licenses /licenses
-COPY --chown=stackable:stackable nifi/python /stackable/python
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
 
-RUN ln -s /stackable/nifi-${PRODUCT} /stackable/nifi
+USER ${STACKABLE_USER_UID}
 
 ENV HOME=/stackable
 ENV NIFI_HOME=/stackable/nifi
diff --git a/omid/Dockerfile b/omid/Dockerfile
index a5f0f08c..1c7d14f8 100644
--- a/omid/Dockerfile
+++ b/omid/Dockerfile
@@ -5,6 +5,7 @@ FROM stackable/image/java-devel AS builder
 
 ARG PRODUCT
 ARG DELETE_CACHES="true"
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -17,13 +18,13 @@ microdnf clean all
 rm -rf /var/cache/yum
 EOF
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
-COPY --chown=stackable:stackable omid/stackable/patches/apply_patches.sh /stackable/phoenix-omid-${PRODUCT}/patches/apply_patches.sh
-COPY --chown=stackable:stackable omid/stackable/patches/${PRODUCT} /stackable/phoenix-omid-${PRODUCT}/patches/${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 omid/stackable/patches/apply_patches.sh /stackable/phoenix-omid-${PRODUCT}/patches/apply_patches.sh
+COPY --chown=${STACKABLE_USER_UID}:0 omid/stackable/patches/${PRODUCT} /stackable/phoenix-omid-${PRODUCT}/patches/${PRODUCT}
 
-RUN --mount=type=cache,id=maven-omid-${PRODUCT},uid=1000,target=/stackable/.m2/repository <<EOF
+RUN --mount=type=cache,id=maven-omid-${PRODUCT},uid=${STACKABLE_USER_UID},target=/stackable/.m2/repository <<EOF
   set -x
   curl https://repo.stackable.tech/repository/packages/omid/phoenix-omid-${PRODUCT}-src.tar.gz | tar -xzC .
   cd /stackable/phoenix-omid-${PRODUCT} || exit
@@ -62,6 +63,7 @@ FROM stackable/image/java-base
 ARG PRODUCT
 ARG RELEASE
 ARG JMX_EXPORTER
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache Phoenix Omid" \
       maintainer="info@stackable.tech" \
@@ -73,31 +75,33 @@ LABEL name="Apache Phoenix Omid" \
 
 COPY omid/licenses /licenses
 
-COPY --chown=stackable:stackable omid/stackable /stackable
-COPY --chown=stackable:stackable --from=builder /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server-${PRODUCT}
-COPY --chown=stackable:stackable --from=builder /stackable/omid-examples-${PRODUCT} /stackable/omid-examples-${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 omid/stackable /stackable
+COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server-${PRODUCT}
+COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/omid-examples-${PRODUCT} /stackable/omid-examples-${PRODUCT}
 
 RUN <<EOF
-  microdnf update
-  microdnf clean all
-  rm -rf /var/cache/yum
-
-  ln -s /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server
-  ln -s /stackable/omid-examples-${PRODUCT} /stackable/omid-examples
-  curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \
-  -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-  chmod -x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
-  # omid.sh places this file at the front of the classpath: remove it to allow the config map entry to take precedence
-  rm /stackable/omid-tso-server/conf/hbase-site.xml
-
-  # To support arbitrary user ids on OpenShift, this folder must belong to the root group.
-  mkdir /stackable/logs
-  chown -R 1000:0 /stackable/logs
-  chgrp -R 0 /stackable/logs
-  chmod -R g=u /stackable/logs
+microdnf update
+microdnf clean all
+rm -rf /var/cache/yum
+
+ln -s /stackable/omid-tso-server-${PRODUCT} /stackable/omid-tso-server
+ln -s /stackable/omid-examples-${PRODUCT} /stackable/omid-examples
+curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \
+-o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+chmod -x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar
+# omid.sh places this file at the front of the classpath: remove it to allow the config map entry to take precedence
+rm /stackable/omid-tso-server/conf/hbase-site.xml
+
+# To support arbitrary user ids on OpenShift, this folder must belong to the root group.
+mkdir /stackable/logs
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
 EOF
 
-USER 1000
+USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/omid-tso-server
 
 ENV HOME=/stackable
diff --git a/opa/Dockerfile b/opa/Dockerfile
index 31aa3f13..df7695c9 100644
--- a/opa/Dockerfile
+++ b/opa/Dockerfile
@@ -85,32 +85,41 @@ FROM stackable/image/vector
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Open Policy Agent" \
       maintainer="info@stackable.tech" \
       vendor="Stackable GmbH" \
       version="${PRODUCT}" \
       release="${RELEASE}" \
-      summary="The Stackable image for OPA." \
+      summary="The Stackable image for Open Policy Agent (OPA)." \
       description="This image is deployed by the Stackable Operator for OPA."
 
-RUN microdnf update && \
-    microdnf install \
-    # Required for filtering logs
-    jq && \
-    microdnf clean all && \
-    rm -rf /var/cache/yum
-
 COPY opa/licenses /licenses
 
-USER stackable
-WORKDIR /stackable/opa
+COPY --from=opa-builder --chown=${STACKABLE_USER_UID}:0 /opa/opa /stackable/opa/opa
+COPY --from=opa-bundle-builder --chown=${STACKABLE_USER_UID}:0 /opa-bundle-builder/target/release/stackable-opa-bundle-builder /stackable/opa-bundle-builder
+COPY --from=multilog-builder --chown=${STACKABLE_USER_UID}:0 /daemontools/admin/daemontools/command/multilog /stackable/multilog
 
-COPY --from=opa-builder /opa/opa /stackable/opa/opa
-COPY --from=opa-bundle-builder --chown=stackable:stackable /opa-bundle-builder/target/release/stackable-opa-bundle-builder /stackable/opa-bundle-builder
-COPY --from=multilog-builder --chown=stackable:stackable /daemontools/admin/daemontools/command/multilog /stackable/multilog
+COPY --chown=${STACKABLE_USER_UID}:0 opa/stackable/bin /stackable/opa/bin
 
-COPY --chown=stackable:stackable opa/stackable/bin /stackable/opa/bin
+RUN <<EOF
+microdnf update
+
+# jq: Required for filtering logs
+microdnf install \
+  jq
+microdnf clean all
+rm -rf /var/cache/yum
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+USER ${STACKABLE_USER_UID}
+WORKDIR /stackable/opa
 
 ENV PATH="${PATH}:/stackable/opa:/stackable/opa/bin"
 
diff --git a/spark-k8s/Dockerfile b/spark-k8s/Dockerfile
index 84a15dcc..965efdaf 100644
--- a/spark-k8s/Dockerfile
+++ b/spark-k8s/Dockerfile
@@ -12,6 +12,7 @@ FROM stackable/image/hbase AS hbase-builder
 FROM stackable/image/java-devel AS spark-source-builder
 
 ARG PRODUCT
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -34,10 +35,10 @@ EOF
 
 WORKDIR /stackable/spark
 
-COPY --chown=stackable:stackable \
+COPY --chown=${STACKABLE_USER_UID}:0 \
     spark-k8s/stackable/patches/apply_patches.sh \
     patches/apply_patches.sh
-COPY --chown=stackable:stackable \
+COPY --chown=${STACKABLE_USER_UID}:0 \
     spark-k8s/stackable/patches/${PRODUCT} \
     patches/${PRODUCT}
 
@@ -52,6 +53,7 @@ ARG PRODUCT
 ARG HADOOP
 ARG HBASE
 ARG HBASE_CONNECTOR
+ARG STACKABLE_USER_UID
 
 RUN <<EOF
 microdnf update
@@ -70,7 +72,7 @@ WORKDIR /stackable
 # versions used by Spark. The pom.xml defines child modules which are
 # not required and not copied, therefore mvn must be called with the
 # parameter --non-recursive.
-COPY --chown=stackable:stackable --from=spark-source-builder \
+COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-source-builder \
     /stackable/spark/pom.xml \
     spark/
 
@@ -83,10 +85,10 @@ EOF
 
 # Patch the hbase-connectors source code
 WORKDIR /stackable/hbase-connectors
-COPY --chown=stackable:stackable \
+COPY --chown=${STACKABLE_USER_UID}:0 \
     spark-k8s/stackable/hbase-connectors-patches/apply_patches.sh \
     patches/apply_patches.sh
-COPY --chown=stackable:stackable \
+COPY --chown=${STACKABLE_USER_UID}:0 \
     spark-k8s/stackable/hbase-connectors-patches/${HBASE_CONNECTOR} \
     patches/${HBASE_CONNECTOR}
 RUN patches/apply_patches.sh ${HBASE_CONNECTOR}
@@ -170,10 +172,11 @@ ARG WOODSTOX_CORE
 ARG JMX_EXPORTER
 ARG TARGETARCH
 ARG TINI
+ARG STACKABLE_USER_UID
 
 WORKDIR /stackable/spark-${PRODUCT}
 
-COPY --chown=stackable:stackable --from=spark-source-builder \
+COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-source-builder \
     /stackable/spark/ \
     ./
 
@@ -200,35 +203,35 @@ RUN curl -o /usr/bin/tini "https://repo.stackable.tech/repository/packages/tini/
 WORKDIR /stackable/spark-${PRODUCT}/dist/jars
 
 # Copy modules required for s3a://
-COPY --from=hadoop-builder --chown=stackable:stackable \
+COPY --from=hadoop-builder --chown=${STACKABLE_USER_UID}:0 \
     /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar \
     /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar \
     ./
 
 # Copy modules required for abfs://
-COPY --from=hadoop-builder --chown=stackable:stackable \
+COPY --from=hadoop-builder --chown=${STACKABLE_USER_UID}:0 \
     /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar \
     /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar \
     /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar \
     ./
 
 # Copy the HBase connector including required modules
-COPY --from=hbase-connectors-builder --chown=stackable:stackable \
+COPY --from=hbase-connectors-builder --chown=${STACKABLE_USER_UID}:0 \
     /stackable/spark/jars/* \
     ./
 
 # Copy modules required to access HBase
-COPY --from=hbase-builder --chown=stackable:stackable \
+COPY --from=hbase-builder --chown=${STACKABLE_USER_UID}:0 \
     /stackable/hbase/lib/shaded-clients/hbase-shaded-client-byo-hadoop-${HBASE}.jar \
     /stackable/hbase/lib/shaded-clients/hbase-shaded-mapreduce-${HBASE}.jar \
     ./
 # Copy modules required to access HBase if $HBASE == 2.4.x
-COPY --from=hbase-builder --chown=stackable:stackable \
+COPY --from=hbase-builder --chown=${STACKABLE_USER_UID}:0 \
     /stackable/hbase/lib/client-facing-thirdparty/htrace-core4-*-incubating.jar \
     /stackable/hbase/lib/client-facing-thirdparty/slf4j-reload4j-*.jar \
     ./
 # Copy modules required to access HBase if $HBASE == 2.6.x
-COPY --from=hbase-builder --chown=stackable:stackable \
+COPY --from=hbase-builder --chown=${STACKABLE_USER_UID}:0 \
     /stackable/hbase/lib/client-facing-thirdparty/opentelemetry-api-*.jar \
     /stackable/hbase/lib/client-facing-thirdparty/opentelemetry-context-*.jar \
     /stackable/hbase/lib/client-facing-thirdparty/opentelemetry-semconv-*-alpha.jar \
@@ -271,7 +274,7 @@ ARG PRODUCT
 ARG PYTHON
 ARG RELEASE
 ARG JMX_EXPORTER
-
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache Spark" \
     maintainer="info@stackable.tech" \
@@ -281,24 +284,6 @@ LABEL name="Apache Spark" \
     summary="The Stackable image for Apache Spark with PySpark support." \
     description="This image is deployed by the Stackable Operator for Apache Spark on Kubernetes."
 
-RUN microdnf update && \
-    microdnf install \
-    gzip \
-    hostname \
-    # required for spark startup scripts
-    procps \
-    "python${PYTHON}" \
-    "python${PYTHON}-pip" \
-    zip \
-    # This is needed by the Spark UI to display process information using jps and jmap
-    # Copying the binaries from the builder stage failed.
-    "java-${JAVA_VERSION}-openjdk-devel" \
-    && microdnf clean all \
-    && rm -rf /var/cache/yum
-
-RUN ln -s /usr/bin/python${PYTHON} /usr/bin/python \
-    && ln -s /usr/bin/pip-${PYTHON} /usr/bin/pip
-
 
 ENV HOME=/stackable
 ENV SPARK_HOME=/stackable/spark
@@ -306,21 +291,44 @@ ENV PATH=$SPARK_HOME:$PATH:/bin:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$HOME/.local/b
 ENV PYSPARK_PYTHON=/usr/bin/python
 ENV PYTHONPATH=$SPARK_HOME/python
 
-COPY --chown=stackable:stackable --from=spark-builder /stackable/spark-${PRODUCT}/dist /stackable/spark
-COPY --chown=stackable:stackable --from=spark-builder /stackable/spark-${PRODUCT}/assembly/target/bom.json /stackable/spark/spark-${PRODUCT}.cdx.json
-COPY --chown=stackable:stackable --from=spark-builder /stackable/jmx /stackable/jmx
+COPY spark-k8s/stackable /stackable
+COPY spark-k8s/licenses /licenses
+
+COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-builder /stackable/spark-${PRODUCT}/dist /stackable/spark
+COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-builder /stackable/spark-${PRODUCT}/assembly/target/bom.json /stackable/spark/spark-${PRODUCT}.cdx.json
+COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-builder /stackable/jmx /stackable/jmx
 COPY --from=spark-builder /usr/bin/tini /usr/bin/tini
 
-RUN ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar \
-    # Symlink example jar, so that we can easily use it in tests
-    && ln -s /stackable/spark/examples/jars/spark-examples_*.jar /stackable/spark/examples/jars/spark-examples.jar
+RUN <<EOF
+microdnf update
+# procps: required for spark startup scripts
+# java-*-openjdk-devel: This is needed by the Spark UI to display process information using jps and jmap
+#                       Copying just the binaries from the builder stage failed.
+microdnf install \
+  gzip \
+  hostname \
+  procps \
+  "python${PYTHON}" \
+  "python${PYTHON}-pip" \
+  zip \
+  "java-${JAVA_VERSION}-openjdk-devel"
+microdnf clean all
+rm -rf /var/cache/yum
 
-USER stackable
-WORKDIR /stackable
+ln -s /usr/bin/python${PYTHON} /usr/bin/python
+ln -s /usr/bin/pip-${PYTHON} /usr/bin/pip
 
-COPY spark-k8s/stackable /stackable
-COPY spark-k8s/licenses /licenses
+ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar
+# Symlink example jar, so that we can easily use it in tests
+ln -s /stackable/spark/examples/jars/spark-examples_*.jar /stackable/spark/examples/jars/spark-examples.jar
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
 
+USER ${STACKABLE_USER_UID}
 
 WORKDIR /stackable/spark
 ENTRYPOINT [ "/stackable/run-spark.sh" ]