<table class="wysiwyg-macro" data-macro-name="info" data-macro-parameters="icon=false|title=Table of Contents" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2luZm86aWNvbj1mYWxzZXx0aXRsZT1UYWJsZSBvZiBDb250ZW50c30&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="RICH_TEXT"><tr><td class="wysiwyg-macro-body"><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e3RvYzptYXhMZXZlbD0yfQ&locale=en_GB&version=2" data-macro-name="toc" data-macro-parameters="maxLevel=2"></td></tr></table>
<p>SonarQube ships with a complete mechanism for managing security. Configuring it covers two main use cases:</p>
<ul><li>Managing access rights to resources, information, etc.</li><li>Enabling per-user customization of SonarQube (custom <a class="confluence-link" href="/display/SONAR/Dashboards" data-linked-resource-id="163872785" data-linked-resource-type="page" data-linked-resource-default-alias="Dashboards" data-base-url="http://docs.codehaus.org">dashboards</a>, <a class="confluence-link" href="/display/SONAR/Notification" data-linked-resource-id="227049870" data-linked-resource-type="page" data-linked-resource-default-alias="Notification" data-base-url="http://docs.codehaus.org">notifications</a>, etc.)</li></ul>
<p>Here are some examples of what you can achieve by configuring security in SonarQube:</p>
<ul><li class="p1">Secure a SonarQube instance by forcing users to log in before they can access any page</li><li class="p1">Make a given project inaccessible to anonymous users</li><li class="p1">Allow access to source code (Code Viewer) to a given set of users</li><li class="p1">Restrict access to a project to a given group of users</li><li class="p1">Define who can administer a project (setting exclusion patterns, tuning the plugin configuration for that project, etc.)</li><li class="p1">Define who can administer a SonarQube instance</li></ul>
<h1>Built-in Security</h1>
<h2>Authentication</h2>
<h3>Default Admin Credentials</h3>
<p>When SonarQube is installed, a single user is created:</p>
<ul><li>Login: admin</li><li>Password: admin</li></ul>
<p>Change this password immediately after installation (see <em>Change my Password</em> below): an instance that still accepts the default credentials is fully exposed to anyone who can reach it.</p>
<div><h3>Add Users</h3><p>A user is a set of basic information: login, password, name and email.</p><p>To create a new user, go to Settings > Security > Users > Add new user:</p><p><img class="confluence-embedded-image" src="/download/attachments/231082392/create-user.png?version=1&modificationDate=1371712944132" data-image-src="/download/attachments/231082392/create-user.png?version=1&modificationDate=1371712944132" data-linked-resource-id="231377317" data-linked-resource-type="attachment" data-linked-resource-default-alias="create-user.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > create-user.png" data-element-title="create-user.png"></p><h3>Change my Password</h3></div>
<p>Log in and click on your name (top right of the screen).</p>
<p><img class="confluence-embedded-image" src="/download/attachments/231082392/change-password.png?version=1&modificationDate=1371712944176" data-image-src="/download/attachments/231082392/change-password.png?version=1&modificationDate=1371712944176" data-linked-resource-id="231377320" data-linked-resource-type="attachment" data-linked-resource-default-alias="change-password.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > change-password.png" data-element-title="change-password.png"></p>
<table class="wysiwyg-macro" data-macro-name="note" data-macro-parameters="title=LDAP plugin" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e25vdGU6dGl0bGU9TERBUCBwbHVnaW59&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="RICH_TEXT"><tr><td class="wysiwyg-macro-body"><p>When the <a class="confluence-link" href="/display/SONAR/LDAP+Plugin" data-linked-resource-id="136118421" data-linked-resource-type="page" data-linked-resource-default-alias="LDAP Plugin" data-base-url="http://docs.codehaus.org">LDAP plugin</a> is installed and activated, users can no longer change their own password in SonarQube; only system administrators can do so, through Settings > Security > Users.</p></td></tr></table>
<h2>Authorization</h2>
<p>Authorization in SonarQube follows a standard model. You can create as many users and groups as required; users can then be attached to one or more groups, and groups and/or users are given one or more roles. The roles grant access to projects, services and functionalities.</p>
<h3>Groups</h3>
<h4>Overview</h4>
<p>A group is a set of users.</p>
<p>To create a new group, go to Settings > Security > Groups > Add new group:</p>
<p><img class="confluence-embedded-image" src="/download/attachments/231082392/create-group.png?version=1&modificationDate=1371712944129" data-image-src="/download/attachments/231082392/create-group.png?version=1&modificationDate=1371712944129" data-linked-resource-id="231377316" data-linked-resource-type="attachment" data-linked-resource-default-alias="create-group.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > create-group.png" data-element-title="create-group.png"></p>
<p>To add users to, or remove them from, a group:</p>
<p><img class="confluence-embedded-image" src="/download/attachments/231082392/add-user-to-group-1.png?version=1&modificationDate=1371712944116" data-image-src="/download/attachments/231082392/add-user-to-group-1.png?version=1&modificationDate=1371712944116" data-linked-resource-id="231377315" data-linked-resource-type="attachment" data-linked-resource-default-alias="add-user-to-group-1.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > add-user-to-group-1.png" data-element-title="add-user-to-group-1.png"></p>
<p><img class="confluence-embedded-image" src="/download/attachments/231082392/add-user-to-group-2.png?version=1&modificationDate=1371712944093" data-image-src="/download/attachments/231082392/add-user-to-group-2.png?version=1&modificationDate=1371712944093" data-linked-resource-id="231377314" data-linked-resource-type="attachment" data-linked-resource-default-alias="add-user-to-group-2.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > add-user-to-group-2.png" data-element-title="add-user-to-group-2.png"></p>
<h4>Special groups</h4>
<p>Two groups have a special
meaning:</p>
<ul><li><strong>Anyone</strong> is a group that exists in the system but cannot be managed. Every user belongs to this group, including anonymous visitors when authentication is not forced, so any role granted to Anyone is effectively public.</li><li><strong>sonar-users</strong> is the group to which new users are automatically added. This group can be changed through the <a class="confluence-link" href="#defaultUserGroup" data-anchor="defaultUserGroup" data-linked-resource-default-alias="defaultUserGroup" data-base-url="http://docs.codehaus.org">Global Security Settings</a> (<code>sonar.defaultGroup</code> property).</li></ul>
<h3>Roles</h3>
<h4>Overview</h4>
<p>There are 5 different roles: 2 are global, the other 3 are defined at project level:</p>
<ul><li><strong>Global roles:</strong><ul><li><strong>System Administrators</strong> can perform all administration tasks on the SonarQube instance, such as global configuration and customization of the home page.</li><li><strong>Quality Profile Administrators</strong> can make any change to quality profiles (since version 3.6).</li></ul></li></ul>
<ul><li><strong>Project roles:</strong><ul><li><strong>Administrators</strong> can perform administration tasks for the project by accessing its settings.</li><li><strong>Users</strong> can browse the measures and create/edit issues on the project.</li><li><strong><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpjb2RlVmlld2Vyc1JvbGV9&locale=en_GB&version=2" data-macro-name="anchor" data-macro-default-parameter="codeViewersRole">Code viewers</strong> can view the source code of the project.</li></ul></li></ul>
<p>Note that roles are not cumulative. For instance, to administer a project, browse its measures and browse its source code, you must be given all three roles: Administrator, User and Code Viewer.</p>
<h4>Default project roles</h4>
<p>The system can be configured so that, when a new project is created, some users/groups are automatically granted roles on it.</p>
<p>In the example below, once a new project has been created:</p>
<ul><li>All the users in the sonar-administrators group can administer it (Administrators), access it (Users) and browse its source code (Code viewers).</li><li>The myAuditor user can access it (Users) and browse its source code (Code viewers).</li></ul>
<div><img class="confluence-embedded-image" src="/download/attachments/231082392/default-roles-new-projects.png?version=1&modificationDate=1371712944075" data-image-src="/download/attachments/231082392/default-roles-new-projects.png?version=1&modificationDate=1371712944075" data-linked-resource-id="231377313" data-linked-resource-type="attachment" data-linked-resource-default-alias="default-roles-new-projects.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > default-roles-new-projects.png" data-element-title="default-roles-new-projects.png"></div>
<h3>Security Settings</h3>
<p><img class="confluence-embedded-image" src="/download/attachments/231082392/global-settings-security.png?version=1&modificationDate=1371712944164" data-image-src="/download/attachments/231082392/global-settings-security.png?version=1&modificationDate=1371712944164" data-linked-resource-id="231377319" data-linked-resource-type="attachment" data-linked-resource-default-alias="global-settings-security.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > global-settings-security.png" data-element-title="global-settings-security.png"></p>
<ol><li><strong><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpkZWZhdWx0VXNlckdyb3VwfQ&locale=en_GB&version=2" data-macro-name="anchor" data-macro-default-parameter="defaultUserGroup">Default user group:</strong> any new user created will automatically join this group.</li><li><strong><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjpmb3JjZVVzZXJBdXRoZW50aWNhdGlvbn0&locale=en_GB&version=2" data-macro-name="anchor" data-macro-default-parameter="forceUserAuthentication">Force user authentication:</strong> this is the first question to answer when defining the security strategy for SonarQube: can anybody browse the instance, or must users be authenticated? Until it is enabled, every role granted to Anyone is available without logging in.</li><li><strong>Allow users to sign up online:</strong> anybody can reach a form and create an account for themselves. Note that after filling in the form, the user still has to log in. Since every new account joins the default user group, enabling sign-up on a reachable instance also hands out whatever roles that group holds.</li><li><strong><img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjppbXBvcnRTb3VyY2VzfQ&locale=en_GB&version=2" data-macro-name="anchor" data-macro-default-parameter="importSources">Import sources:</strong> if set to false, source code is not accessible to any user. To restrict access to source code to some users only, see the <a class="confluence-link" href="#codeViewersRole" data-anchor="codeViewersRole" data-linked-resource-default-alias="codeViewersRole" data-base-url="http://docs.codehaus.org">Code viewers role</a>.</li></ol>
<h1>Delegation to an External System</h1>
<p>To leverage existing enterprise infrastructure, SonarQube can delegate authentication and authorization to external systems through plugins:</p>
<ul><li><strong>LDAP</strong> with the <a class="confluence-link" href="/display/SONAR/LDAP+Plugin" data-linked-resource-id="136118421" data-linked-resource-type="page" data-linked-resource-default-alias="LDAP Plugin"
data-base-url="http://docs.codehaus.org">SonarQube LDAP Plugin</a></li><li><strong>Active Directory</strong> with the <a class="confluence-link" href="/display/SONAR/LDAP+Plugin" data-linked-resource-id="136118421" data-linked-resource-type="page" data-linked-resource-default-alias="LDAP Plugin" data-base-url="http://docs.codehaus.org">SonarQube LDAP Plugin</a></li><li><strong>PAM</strong> with the <a class="confluence-link" href="/display/SONAR/PAM+Plugin" data-linked-resource-id="198279265" data-linked-resource-type="page" data-linked-resource-default-alias="PAM Plugin" data-base-url="http://docs.codehaus.org">SonarQube PAM Plugin</a></li><li><strong>Crowd</strong> with the <a class="confluence-link" href="/display/SONAR/Crowd+Plugin" data-linked-resource-id="136118426" data-linked-resource-type="page" data-linked-resource-default-alias="Crowd Plugin" data-base-url="http://docs.codehaus.org">SonarQube Crowd Plugin</a></li></ul>
<div><strong>SSO</strong> is also supported through the <a class="confluence-link" href="/display/SONAR/OpenID+Plugin" data-linked-resource-id="229212681" data-linked-resource-type="page" data-linked-resource-default-alias="OpenID Plugin" data-base-url="http://docs.codehaus.org">SonarQube OpenID</a> plugin.<img class="editor-inline-macro" src="/plugins/servlet/confluence/placeholder/macro?definition=e2FuY2hvcjplbmNyeXB0aW9ufQ&locale=en_GB&version=2" data-macro-name="anchor" data-macro-default-parameter="encryption"></div>
<h1>Settings Encryption</h1>
<p>Encryption is mostly used to remove clear-text passwords from settings (database or SCM credentials, for instance). The implemented solution is based on a symmetric-key algorithm. The key point is that the secret key is stored in a protected file on disk. This file must be owned and readable only by the system account that runs the SonarQube server or the analysis (SonarQube Runner, SonarQube Ant Task, Maven, or the Continuous Integration server). Anyone who can read the key file can decrypt every encrypted value, so this protects configuration files from casual disclosure (copies in tickets, version control or backups), not from an attacker who already has access to the host.</p>
<p>The algorithm is AES with a 128-bit key. A 256-bit key is not used because it is not supported by default on all Java Virtual Machines (<a href="https://confluence.terena.org/display/%7Evisser/No+256+bit+ciphers+for+Java+apps">see this article</a>).</p>
<h3>1. Generate the secret key</h3>
<p>A single secret key must be shared by all parts of the SonarQube infrastructure (server and analyzers). To generate it, go to Settings > Configuration > General Settings > Encryption and click on <em>Generate secret key</em>:</p>
<p><img class="confluence-embedded-image" confluence-query-params="effects=drop-shadow" src="/download/attachments/231082392/generate-secret-key.png?version=1&modificationDate=1371712944069&effects=drop-shadow" data-image-src="/download/attachments/231082392/generate-secret-key.png?version=1&modificationDate=1371712944069&effects=drop-shadow" data-linked-resource-id="231377312" data-linked-resource-type="attachment" data-linked-resource-default-alias="generate-secret-key.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > generate-secret-key.png"></p>
<h3>2. Store the secret key on the SonarQube server</h3>
<ol><li><p>Copy this secret key into a file:</p><table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="language=none|title=sonar-secret.txt" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6dGl0bGU9c29uYXItc2VjcmV0LnR4dHxsYW5ndWFnZT1ub25lfQ&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>bIOVA1TybepjqLH+uYxuNh==</pre></td></tr></table></li><li><p>Store this file on the machine hosting the SonarQube server (default location: <code>~/.sonar/sonar-secret.txt</code>, in the home directory of the account running the server). To store it somewhere else, set its path through the <code>sonar.secretKeyPath</code> property in <em>SONARQUBE_HOME/conf/sonar.properties</em>:</p><table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="language=none|title=SONARQUBE_HOME/conf/sonar.properties" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6dGl0bGU9U09OQVJRVUJFX0hPTUUvY29uZi9zb25hci5wcm9wZXJ0aWVzfGxhbmd1YWdlPW5vbmV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
...</pre></td></tr></table></li><li>Restrict access to the file to the system account running the SonarQube server (ownership and read access only).</li><li>Restart your SonarQube server.</li></ol>
<h3>3. Generate the encrypted values of your settings</h3>
<p>Go back to Settings > Configuration > General Settings > Encryption and generate the encrypted values of your settings:</p>
<p><img class="confluence-embedded-image" confluence-query-params="effects=drop-shadow" src="/download/attachments/231082392/generate-encrypted-settings.png?version=1&modificationDate=1371712944045&effects=drop-shadow" data-image-src="/download/attachments/231082392/generate-encrypted-settings.png?version=1&modificationDate=1371712944045&effects=drop-shadow" data-linked-resource-id="231377311" data-linked-resource-type="attachment" data-linked-resource-default-alias="generate-encrypted-settings.png" data-base-url="http://docs.codehaus.org" data-linked-resource-container-id="231082392" title="null > generate-encrypted-settings.png"></p>
<h3>4. Use these encrypted values</h3>
<h4>Server side</h4>
<p>Simply copy these encrypted values into <em>SONARQUBE_HOME/conf/sonar.properties</em>:</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="language=none|title=SONARQUBE_HOME/conf/sonar.properties" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6dGl0bGU9U09OQVJRVUJFX0hPTUUvY29uZi9zb25hci5wcm9wZXJ0aWVzfGxhbmd1YWdlPW5vbmV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>sonar.jdbc.url=jdbc:oracle:thin:@172.16.199.130/XE
sonar.jdbc.username=sonar
# Encrypted password for the database
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt</pre></td></tr></table>
<p>Restart your SonarQube server.</p>
<h4>Batch side</h4>
<p>Copy the secret key file to the machine running the analysis, with the same ownership and permission restrictions as on the server.</p>
<p>Copy these encrypted values into the analyzer configuration file (<em>sonar-runner.properties</em>, <em>settings.xml</em>, etc.). Do not forget to define the path to your secret key as well.</p>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="language=none|title=sonar-runner.properties" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6dGl0bGU9c29uYXItcnVubmVyLnByb3BlcnRpZXN8bGFuZ3VhZ2U9bm9uZX0&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>...
sonar.jdbc.url=jdbc:oracle:thin:@localhost/XE
sonar.jdbc.username=sonar
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
...</pre></td></tr></table>
<table class="wysiwyg-macro" data-macro-name="code" data-macro-parameters="language=html/xml|title=settings.xml" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGU6dGl0bGU9c2V0dGluZ3MueG1sfGxhbmd1YWdlPWh0bWwveG1sfQ&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>...
&lt;profile&gt;
  &lt;id&gt;sonar&lt;/id&gt;
  &lt;properties&gt;
    &lt;sonar.jdbc.url&gt;jdbc:oracle:thin:@172.16.199.130/XE&lt;/sonar.jdbc.url&gt;
    &lt;sonar.jdbc.username&gt;sonar&lt;/sonar.jdbc.username&gt;
    &lt;sonar.jdbc.password&gt;{aes}CCGCFg4Xpm6r+PiJb1Swfg==&lt;/sonar.jdbc.password&gt;
    ...
    &lt;sonar.secretKeyPath&gt;C:/path/to/my/secure/location/my_secret_key.txt&lt;/sonar.secretKeyPath&gt;
  &lt;/properties&gt;
&lt;/profile&gt;
...</pre></td></tr></table>
<table class="wysiwyg-macro" data-macro-name="note" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e25vdGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="RICH_TEXT"><tr><td class="wysiwyg-macro-body"><p>The <code>sonar.password</code> property is not encryptable. See <a href="http://jira.codehaus.org/browse/SONAR-4061">SONAR-4061</a>.</p></td></tr></table>
<h1>FAQ</h1>
<h3>I have locked myself out</h3>
<p>There is currently nothing that stops you from removing the global administrator role from every user and every group. Your only option is then a manual update of the SonarQube database to regain control:</p>
<table class="wysiwyg-macro" data-macro-name="code" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>INSERT INTO user_roles(user_id, role) VALUES ((select id from users where login='mylogin'), 'admin');</pre></td></tr></table>
<h3>I have lost the admin password</h3>
<p>If you have lost the admin password of your SonarQube instance, you can reset it by running the following update statement:</p>
<table class="wysiwyg-macro" data-macro-name="code" style="background-image: url(/plugins/servlet/confluence/placeholder/macro-heading?definition=e2NvZGV9&locale=en_GB&version=2); background-repeat: no-repeat;" data-macro-body-type="PLAIN_TEXT"><tr><td class="wysiwyg-macro-body"><pre>update users set crypted_password = '88c991e39bb88b94178123a849606905ebf440f5', salt='6522f3c5007ae910ad690bb1bdbf264a34884c6d' where login = 'admin'</pre></td></tr></table>
<p>This resets the password to admin. Log in and change it again straight away.</p>
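<p>The following Python script is an added example for the Settings Encryption procedure above; it is not part of SonarQube or of this page's original content. It automates the checks a reviewer would otherwise do by hand once the secret key and the encrypted values are in place: the key file named by <code>sonar.secretKeyPath</code> (or the default <code>~/.sonar/sonar-secret.txt</code>) exists, is owned by the account running the check, is not readable by group or others, and decodes to a 128-bit key; <code>sonar.jdbc.password</code> carries an <code>{aes}</code> value rather than clear text; and <code>sonar.password</code>, which cannot be encrypted, is flagged if present. Two details are assumptions, since the page does not state them: the key file holds the key base64-encoded (as the <code>bIOVA1TybepjqLH+uYxuNh==</code> sample suggests), and an <code>{aes}</code> payload is a whole number of 16-byte AES blocks. The list of properties to check and all sample files are constructed for the example.</p>

```python
"""Audit of a SonarQube settings-encryption setup.

Added example, not SonarQube's own code.  Checks the secret key file
(owner, permissions, key size) and the sensitive properties ({aes} value
present and well-formed).  Assumptions not stated on the page: the key
file is base64-encoded, and an {aes} payload is a whole number of 16-byte
AES blocks (block cipher with padding).  Sample files are constructed.
"""
import base64
import os
import re
import stat

AES_KEY_BYTES = 16    # the page states AES with a 128-bit key
AES_BLOCK_BYTES = 16  # AES block size; ciphertext length should be a multiple of it
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Properties expected to hold encrypted values; sonar.password cannot (SONAR-4061).
SENSITIVE = ("sonar.jdbc.password",)
DEFAULT_KEY_PATH = os.path.expanduser("~/.sonar/sonar-secret.txt")


def parse_properties(text):
    """Minimal key=value parser for .properties-style files.
    Only lines starting with '#' are comments; a '#' later on a line is
    part of the value, exactly as java.util.Properties treats it."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def decode_b64(value):
    """Return the decoded bytes, or None if value is not well-formed base64."""
    if not B64_RE.match(value) or len(value) % 4:
        return None
    try:
        return base64.b64decode(value)
    except ValueError:
        return None


def check_secret_key_file(path):
    """Findings for the secret key file: existence, permissions, owner, key size."""
    if not os.path.isfile(path):
        return [f"{path}: secret key file not found"]
    findings = []
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: accessible by group/others (mode {stat.S_IMODE(st.st_mode):o})")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(f"{path}: not owned by the account running this check")
    with open(path, "rb") as fh:
        key = decode_b64(fh.read().decode("ascii", "replace").strip())
    if key is None:
        findings.append(f"{path}: content is not base64")
    elif len(key) != AES_KEY_BYTES:
        findings.append(f"{path}: key is {len(key) * 8} bits, expected 128")
    return findings


def check_encrypted_values(props):
    """Findings for properties that should hold {aes} values."""
    findings = []
    for name in SENSITIVE:
        value = props.get(name)
        if value is None:
            continue
        if not value.startswith("{aes}"):
            findings.append(f"{name}: stored in clear text")
            continue
        blob = decode_b64(value[len("{aes}"):])
        if blob is None:
            findings.append(f"{name}: {{aes}} payload is not base64")
        elif len(blob) == 0 or len(blob) % AES_BLOCK_BYTES:
            findings.append(f"{name}: ciphertext is {len(blob)} bytes, not whole AES blocks")
    if "sonar.password" in props:
        findings.append("sonar.password: cannot be encrypted (SONAR-4061); keep it out of shared files")
    return findings


def audit(properties_path):
    """Run every check against one properties file and return the findings."""
    with open(properties_path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    key_path = props.get("sonar.secretKeyPath", DEFAULT_KEY_PATH)
    return check_secret_key_file(key_path) + check_encrypted_values(props)


if __name__ == "__main__":
    import sys
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "conf/sonar.properties"):
        print(finding)
```

<p>Run it as the service account on both the server (<code>conf/sonar.properties</code>) and each analysis host (<code>sonar-runner.properties</code>); an empty result means the key file and the checked properties match the procedure above. The Maven <code>settings.xml</code> form is XML rather than key=value and is not covered by this parser.</p>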