Full documentation for SonarQube has moved to a new location: http://docs.sonarqube.org/display/SONAR


Out of the box, SonarQube comes with a complete mechanism to manage security. Configuring security allows you to cover two main use cases:

  • Manage access rights to components, information, etc.
  • Enable customization (custom dashboards, notifications, etc.) of SonarQube for users

...

  • Secure a SonarQube instance by forcing authentication prior to accessing any page
  • Make a given project invisible to anonymous users
  • Restrict access to a project to a given group of users
  • Restrict access to a project's source code (Code Viewer) to a given set of users
  • Define who can administer a project (setting exclusion patterns, tuning plugins configuration for that project, etc.)
  • Define who can administer a SonarQube instance
Authentication

Default Admin Credentials

When installing SonarQube, a default user with administration privileges is created automatically:

  • Login: admin
  • Password: admin

User

A user is a set of basic information: login, password, name and email.

To create a new user, go to Settings > Users > Add new user.

Changing my Password

Log in and go to Your Name > My Profile.

Note (LDAP plugin): When the LDAP plugin is installed and activated, it is no longer possible for users to change their own password. In that case, only system administrators can do so, through Settings > Users.

Authorization

The way authorization is implemented in SonarQube is pretty standard. It is possible to create as many users and groups of users as required in the system. Users can then be attached (or not) to one or more groups. Groups and/or users are then given one or more permissions. The permissions grant access to projects, services and functionalities.

Group

A group is a set of users.

To create a new group, go to Settings > Groups > Add new group. Users can then be added to or removed from the group.

Two groups have a special meaning:

  • Anyone is a group that exists in the system, but that cannot be managed. Every user belongs to this group, including "anonymous."
  • sonar-users is the default group to which users are automatically added. This group can be changed through the Global Security Settings (sonar.defaultGroup property).

Global Permissions

To set global permissions, log in as a System administrator and go to Settings > Global Permissions.

  • Administer System: Ability to perform all administration functions for the instance: global configuration and personalization of default dashboards.
  • Administer Quality Profiles: Ability to perform any action on the quality profiles. Available since version 3.6.
  • Dashboard And Filter Sharing: Ability to share dashboards, issue filters and measure filters. Available since version 3.7.
  • Analysis Execution: Ability to execute analyses, and to get all settings required to perform the analysis, even the secured ones such as the SCM account password, the JIRA account password, and so on. Available since version 3.7.
  • Local (dry run) Analysis Execution: Ability to execute local (dry run) analyses without pushing the results to the server, and to get all settings required to perform a local analysis. This permission does not include the ability to access secured settings such as the SCM account password, the JIRA account password, and so on. This permission is required to execute a local analysis in Eclipse or via the Issues Report plugin. Available since version 3.7.

Project Permissions

Three different permissions can be set on projects (projects, views, developers):

...

Note that permissions are not cumulative. For instance, if you want to be able to administer the project, browse the measures and browse the source code, you have to be given the three permissions: Administrators, Users and Code viewers.

You can either manually grant permissions for each project to some users and groups or apply permission templates to projects (since version 3.7).

 

Manually grant permissions for each project to some users and groups

Log in as a System administrator and go to Settings > Project Permissions > Projects (was Settings > Roles prior to version 3.7).

Apply permission templates to projects (available since version 3.7)

First create some permission templates. To do so, go to Settings > Project Permissions > Permission Templates.

Then apply the permission templates to projects, either to a specific project through the "Apply permission template" link, or as a bulk change on a selection of projects.

Note that no link is kept between a project and a permission template once the template has been applied; the template's permissions are simply copied onto the project. This means that:

  • the permissions of a project can be modified after a permission template has been applied to this project
  • none of the project permissions is changed when a permission template is modified
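The authorization model described in the Authorization and Project Permissions sections (users, groups, the implicit Anyone group, non-cumulative project permissions, and templates that are copied rather than linked) can be illustrated with a small model. This is an added, constructed example written for this page, not SonarQube's own code; the logins, group names and project name are made up.

```python
from dataclasses import dataclass, field

ANYONE = "Anyone"               # implicit group: every user, including anonymous
DEFAULT_GROUP = "sonar-users"   # sonar.defaultGroup: new users land here
PROJECT_PERMISSIONS = {"Administrators", "Users", "Code viewers"}


@dataclass
class Instance:
    """Constructed model of SonarQube users, groups and project permissions."""
    groups: dict = field(default_factory=dict)    # group name -> set of logins
    projects: dict = field(default_factory=dict)  # project -> {permission: set of principals}

    def add_user(self, login):
        self.groups.setdefault(DEFAULT_GROUP, set()).add(login)

    def add_to_group(self, group, login):
        self.groups.setdefault(group, set()).add(login)

    def apply_template(self, project, template):
        # Applying a template copies it; later edits to the template do not reach the project.
        self.projects[project] = {perm: set(who) for perm, who in template.items()}

    def grant(self, project, permission, principal):
        self.projects.setdefault(project, {}).setdefault(permission, set()).add(principal)

    def has_permission(self, login, project, permission):
        # Permissions are not cumulative: only the exact permission asked for counts.
        assert permission in PROJECT_PERMISSIONS
        holders = self.projects.get(project, {}).get(permission, set())
        if login in holders:
            return True
        member_of = {g for g, logins in self.groups.items() if login in logins}
        member_of.add(ANYONE)  # everyone, even an anonymous visitor, belongs to Anyone
        return bool(holders & member_of)


def demo():
    """Build the 'Default roles for new Projects' example from this page as a template."""
    inst = Instance()
    inst.add_user("myAuditor")                          # hypothetical login from the page
    inst.add_to_group("sonar-administrators", "alice")  # hypothetical login
    template = {"Administrators": {"sonar-administrators"},
                "Users": {"sonar-administrators", "myAuditor"},
                "Code viewers": {"sonar-administrators", "myAuditor"}}
    inst.apply_template("projA", template)
    template["Users"].add(ANYONE)  # editing the template afterwards changes nothing on projA
    return inst
```

Granting Users to Anyone on the project afterwards opens it to anonymous visitors, but still does not let them browse the source, since Code viewers is a separate permission.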

Default project permissions

It is possible to configure the system so that when a new project (project, view, developer) is created, some users/groups are automatically granted permissions on this project.

For versions 3.7+, this is done through permission templates. Go to Settings > Project Permissions > Permission Templates > Set default templates.

For versions prior to 3.7, it is done through the "Default roles for new Projects" table.

For example, once a new project has been created:

  • All the users in the sonar-administrators group can administer (Administrators), access the project (Users) and browse the source code (Code viewers).
  • The myAuditor user can access the project (Users) and browse the source code (Code viewers).

Security Settings

Log in as a System administrator and go to Settings > General Settings > Security:

...

Delegating Authentication and Authorization to External Systems

In order to leverage existing enterprise infrastructure, SonarQube provides the capability to delegate authentication and authorization to external systems through plugins:

...

SSO is also supported through the SonarQube OpenID plugin.

FAQ

I have locked myself out

To recreate a System administrator, run the following insert statement against the SonarQube database (mylogin is the login of the user to promote):

    INSERT INTO user_roles(user_id, role) VALUES ((select id from users where login='mylogin'), 'admin');

I have lost the admin password

In case you lost the admin password of your SonarQube instance, you can reset it by running the following update statement:

    update users set crypted_password = '88c991e39bb88b94178123a849606905ebf440f5', salt='6522f3c5007ae910ad690bb1bdbf264a34884c6d' where login = 'admin';

This will reset the password to admin.
