
Out of the box, SonarQube comes with a complete mechanism to manage security (authentication + authorization). Configuring security in SonarQube allows you to cover two main use cases:

  • Manage access rights to components, information, etc.
  • Enable customization (custom dashboards, notifications, etc.) of SonarQube for users

Here are examples of security restrictions you can enforce by configuring security in SonarQube:

  • Secure a SonarQube instance by forcing authentication prior to accessing any page
  • Make a given project invisible to anonymous users
  • Restrict access to a project to a given group of users
  • Restrict access to a project's source code to a given group of users
  • Define who can administer a project (setting exclusion patterns, tuning plugin configuration for that project, etc.)
  • Define who can administer a SonarQube instance

Built-in Security

Authentication

Default Admin Credentials

When SonarQube is installed, a single user is created:

  • Login: admin
  • Password: admin

Add Users

A user is a set of basic information: login, password, name and email.

To create a new user, go to Configuration > Users > Add new user.


Change my Password

Log in and click on your name (at the top right of the screen).

Enter the old password, the new one and confirm it:


Authorization

The way authorization is implemented in Sonar is fairly standard. It is possible to create as many users and groups of users as required. Users can then be attached to zero or more groups. Groups and/or users are then given one or more roles. The roles grant access to projects, services and functionalities in Sonar.

Groups

Overview

A group is a set of users.

To create a new group, go to Configuration > Groups > Add new group:


To add or remove users to/from a group, use the group's member management page.

Special groups

Two groups have a special status in Sonar:

  • Anyone is a group that exists in the system but cannot be managed. Every user belongs to this group.
  • sonar-users is the group to which new users are automatically added. This default group can be changed through the Global Security Settings; see the property sonar.defaultGroup for more information.

Roles

Overview

There are 4 roles in Sonar: 1 is global, the other 3 are defined at project level:

  • Global roles:
    • Global Administrators: have the ability to perform all administration tasks on the Sonar instance, such as global configuration, customization of the home page, of the time machine, etc.

...

Default project roles

It is possible to configure the system so that, when a new project is created, some users/groups are automatically granted roles on it.

In the example below, once a new project has been created:

  • All the users in the sonar-administrators group can administer the project (Administrators), access it (Users) and browse the source code (Code Viewers).
  • The myAuditor user can access the project (Users) and browse the source code (Code Viewers).

Security Settings


...

Delegation to an External System

To leverage existing infrastructure, Sonar can delegate authentication and authorization to external systems through plugins:

...

Settings Encryption

Encryption of settings is available since release 3.0.1.

Encryption is mostly used to remove clear-text passwords from settings, i.e. the database or SCM credentials. The implemented solution is based on a symmetric key algorithm. The key point is that the secret key is stored in a secured file on disk. This file must be owned by, and readable only by, the system account that executes the different Java processes (Maven plugin, Ant task, continuous integration server, Sonar server, etc.).

The algorithm is AES with a 128-bit key. A 256-bit key is not used because it is not supported by default on all Java Virtual Machines (see this article).

How to generate the secret key

A single secret key is shared between all parts of the Sonar infrastructure (server and code analyzers). It is generated online with the administration console (Configuration > General Settings > Encryption). Follow the instructions to store the key in a secured file on the server, generally ~/.sonar/sonar-secret.txt. If the file is stored elsewhere, declare its path with the property sonar.secretKeyPath in conf/sonar.properties and restart the server.

If you want to encrypt properties that are used by code analyzers, copy the file to all the required machines. Use the same property sonar.secretKeyPath to change the default location.

Example of sonar-secret.txt:

bIOVA1TybepjqLH+uYxuNh==

When this is done, you can start encrypting settings.

How to encrypt settings

The administration console used to generate the secret key also allows you to encrypt text values. Simply copy the encrypted texts into the appropriate locations.

Example for Maven settings.xml:

<profile>
  <id>sonar</id>
  <properties>
    <sonar.jdbc.url>jdbc:oracle:thin:@172.16.199.130/XE</sonar.jdbc.url>
    <sonar.jdbc.username>sonar</sonar.jdbc.username>
    <sonar.jdbc.password>{aes}CCGCFg4Xpm6r+PiJb1Swfg==</sonar.jdbc.password>

    <!-- optional - override if secret key is not stored in ~/.sonar/sonar-secret.txt -->
    <sonar.secretKeyPath>/path/to/secret.key</sonar.secretKeyPath>
  </properties>
</profile>
Example for conf/sonar.properties:

sonar.jdbc.url=jdbc:oracle:thin:@172.16.199.130/XE
sonar.jdbc.username=sonar
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==

# optional - override if secret key is not stored in ~/.sonar/sonar-secret.txt
sonar.secretKeyPath=/path/to/secret.key
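As an added example (our code, not SonarQube's own implementation), the following Java program loads a sonar-secret.txt key, refuses it unless it is owned by and readable only by the running account (the requirement stated above), and encrypts/decrypts a value in the {aes}... form shown in the two configuration examples. It assumes Java 11+ on a POSIX filesystem and assumes the console's values are AES in ECB mode with PKCS5 padding, which fits the single 16-byte blocks in the examples but should be checked against what your version's console actually produces; the class name SonarSecretDemo is ours.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Base64;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class SonarSecretDemo {
    static final String PREFIX = "{aes}";
    // Assumption: the console's {aes} values are AES/ECB/PKCS5Padding, base64-encoded.
    static final String TRANSFORMATION = "AES/ECB/PKCS5Padding";

    // Load the base64 key, enforcing the ownership and permission rule from the text:
    // owned by, and readable only by, the account that runs this process.
    static SecretKeySpec loadKey(Path keyFile) throws Exception {
        String owner = Files.getOwner(keyFile).getName();
        if (!owner.equals(System.getProperty("user.name")))
            throw new IllegalStateException(keyFile + " is owned by " + owner + ", not the running account");
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
        for (PosixFilePermission p : perms)
            if (!p.name().startsWith("OWNER_"))
                throw new IllegalStateException(keyFile + " must be chmod 600 (owner only), found " + perms);
        byte[] raw = Base64.getDecoder().decode(Files.readString(keyFile).trim());
        if (raw.length != 16) // the page's scheme is AES-128
            throw new IllegalStateException("expected a 128-bit key, got " + raw.length * 8 + " bits");
        return new SecretKeySpec(raw, "AES");
    }

    static String encrypt(SecretKeySpec key, String clearText) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key);
        byte[] out = cipher.doFinal(clearText.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }

    // Values without the {aes} prefix are stored in clear and are returned unchanged.
    static String decrypt(SecretKeySpec key, String value) throws Exception {
        if (!value.startsWith(PREFIX)) return value;
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, key);
        byte[] out = cipher.doFinal(Base64.getDecoder().decode(value.substring(PREFIX.length())));
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Paths.get(args.length > 0 ? args[0] : System.getProperty("user.home") + "/.sonar/sonar-secret.txt");
        String encrypted = encrypt(loadKey(keyFile), args.length > 1 ? args[1] : "sonar");
        System.out.println(encrypted + " -> " + decrypt(loadKey(keyFile), encrypted));
    }
}
```

If ECB is indeed the mode, identical secrets encrypt to identical ciphertexts, so the protection rests entirely on the key file's ownership and permissions that loadKey enforces.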

Troubleshooting

See the Security section of the FAQ.


For detailed explanations on how to configure the built-in security mechanism, browse Authentication and Authorization.

Authentication and authorization can also be delegated to an external system: LDAP or Active Directory with the SonarQube LDAP Plugin, PAM with the SonarQube PAM Plugin or Crowd with the SonarQube Crowd Plugin. SSO is also supported through the SonarQube OpenID plugin.

Another aspect of security is the encryption of settings such as passwords. SonarQube provides a built-in mechanism to encrypt settings.