Out of the box, SonarQube comes with a complete mechanism to manage security (authentication and authorization). Here are examples of security restrictions you can enforce by configuring security in SonarQube:

  • Secure a SonarQube instance by forcing login authentication prior to accessing any page
  • Make a given project invisible to anonymous users
  • Restrict access to a project to a given group of users
  • Restrict access to a project's source code to a given group of users
  • Define who can administer a project (setting exclusion patterns, tuning plugin configuration for that project, etc.)
  • Define who can administer a SonarQube instance

Built-in Security

Authentication

Default Admin Credentials

When installing SonarQube, a single user is created by default:

  • Login: admin
  • Password: admin

Change this password right after installation: the default credentials are public knowledge, so until then anyone who can reach the instance can log in as administrator.

Add Users

A user is a set of basic information: login, password, name and email.

To create a new user, go to Settings > Security > Users > Add new user.

Change my Password

Log in and click on your name (top right of the screen).

Note
titleLDAP plugin

When the LDAP plugin is installed and activated, users can no longer change their password in SonarQube. Only system administrators can do so, through Settings > Security > Users.

 

Authorization

Authorization in SonarQube follows a standard model. You can create as many users and groups as required; users can be attached to any number of groups (or to none); groups and/or users are then granted one or more roles; and the roles grant access to projects, services and features.

Groups

Overview

A group is a set of users.

To create a new group, go to Settings > Security > Groups > Add new group:


Users are added to or removed from a group from that same Settings > Security > Groups page.

Special groups

Two groups have a special meaning:

  • Anyone is a group that exists in the system but cannot be managed. Every user belongs to this group (including anonymous visitors when login is not forced), so a role granted to Anyone is effectively granted to everyone who can reach the instance.
  • sonar-users is the group to which new users are automatically added. This default group can be changed through the Global Security Settings (sonar.defaultGroup property).

Roles

Overview

There are 5 different roles: 2 are global, the 3 others are defined at project level:

  • Global roles:
    • System Administrators have the ability to perform all administration tasks on the SonarQube instance like global configuration, customization of the home page, etc.
    • Quality Profile Administrators have the ability to perform any changes on quality profiles (since version 3.6)

...

Note that roles are not cumulative: each role grants only what it names. For instance, if you want to be able to administer a project, browse its measures and browse its source code, you have to be given all three roles: Administrator, User and Code Viewer.

Default project roles

It is possible to configure the system so that when a new project is created, some users/groups are automatically granted roles on this project.

In the example below, once a new project has been created:

  • All the users in the sonar-administrators group can administer the project (Administrators), access it (Users) and browse its source code (Code Viewers).
  • The myAuditor user can access the project (Users) and browse its source code (Code Viewers).

Security Settings


...

Delegation to an External System

In order to leverage existing enterprise infrastructure, SonarQube provides the capability to delegate authentication and authorization to external systems through plugins: LDAP or Active Directory with the SonarQube LDAP Plugin, PAM with the SonarQube PAM Plugin, or Crowd with the SonarQube Crowd Plugin. SSO is also supported through the SonarQube OpenID plugin.

For detailed explanations on how to configure the built-in security mechanism, browse Authentication and Authorization.

...

Settings Encryption

Encryption is mostly used to remove clear-text passwords from settings (database or SCM credentials for instance). The implemented solution is based on a symmetric-key algorithm. The key point is that the secret key is stored in a protected file on disk. This file must be owned and readable only by the system account that runs the SonarQube server, or the analysis with SonarQube Runner, SonarQube Ant Task, Maven or the Continuous Integration server. Since the scheme is symmetric, anyone who can read that file can decrypt every encrypted setting, so the key file needs at least the protection the clear-text credentials would have needed.

The algorithm is AES with a 128-bit key. A 256-bit key is not used because it is not supported by default on all Java Virtual Machines (see this article).

1. Generate the secret key

A unique secret key must be shared between all parts of the SonarQube infrastructure (server and analyzers). To generate it, go to Settings > Configuration > General Settings > Encryption and click on Generate secret key.

2. Store the secret key on the SonarQube server

Copy this secret key in a file:

Code Block
titlesonar-secret.txt
languagenone
bIOVA1TybepjqLH+uYxuNh==

Store this file on the machine hosting the SonarQube server (default location: ~/.sonar/sonar-secret.txt). If you want to store it somewhere else, set its path through the sonar.secretKeyPath property in SONARQUBE_HOME/conf/sonar.properties:

Code Block
titleSONARQUBE_HOME/conf/sonar.properties
languagenone
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
...

...

3. Generate the encrypted values of your settings

Go back to Settings > Configuration > General Settings > Encryption and generate the encrypted values of your settings.

4. Use these encrypted values

Server side

Simply copy these encrypted values into SONARQUBE_HOME/conf/sonar.properties:

Code Block
titleSONARQUBE_HOME/conf/sonar.properties
languagenone
sonar.jdbc.url=jdbc:oracle:thin:@172.16.199.130/XE
sonar.jdbc.username=sonar
# Encrypted password for the database (keep comments on their own line: in a .properties file a # after the value is part of the value)
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt

Restart your SonarQube server.

Batch side

Copy the secret key file on the machine running the analysis.

Copy these encrypted values into the analyzer configuration file: sonar-runner.properties, settings.xml, etc. Do not forget to define the path to your secret key as well.

Code Block
titlesonar-runner.properties
languagenone
...
sonar.jdbc.url=jdbc:oracle:thin:@localhost/XE
sonar.jdbc.username=sonar
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
...
sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
...
Code Block
titlesettings.xml
languagehtml/xml
...
<profile>
  <id>sonar</id>
  <properties>
    <sonar.jdbc.url>jdbc:oracle:thin:@172.16.199.130/XE</sonar.jdbc.url>
    <sonar.jdbc.username>sonar</sonar.jdbc.username>
    <sonar.jdbc.password>{aes}CCGCFg4Xpm6r+PiJb1Swfg==</sonar.jdbc.password>
    ...
    <sonar.secretKeyPath>C:/path/to/my/secure/location/my_secret_key.txt</sonar.secretKeyPath>
  </properties>
</profile>
...
Note

The sonar.password property is not encryptable. See SONAR-4061.
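The four steps above (generate a key, store it in a protected file, produce encrypted values, use them on the server and batch sides) as an added example that is not SonarQube's own code: a Go program that generates a 128-bit key, stores it base64-encoded in a key file with mode 0600, refuses to load a key file that group or others can read, and turns a setting value into the {aes}-prefixed form used in the properties files above (and back). The page only names AES with a 128-bit key; the block mode (ECB, each 16-byte block encrypted on its own, with PKCS#5 padding) is this example's assumption, taken from what Java's Cipher.getInstance("AES") defaults to, and the permission check and all function names are the example's own. Interoperability with values produced by a real SonarQube instance is therefore not guaranteed; the point is the mechanics and the checks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

const prefix = "{aes}" // marker SonarQube puts in front of encrypted values
// GenerateKey returns a random AES-128 key, base64-encoded like sonar-secret.txt.
func GenerateKey() (string, error) {
	key := make([]byte, 16)
	_, err := rand.Read(key)
	return base64.StdEncoding.EncodeToString(key), err
}

// LoadKeyFile decodes the key; this example's own safeguard refuses a file that group or others can read.
func LoadKeyFile(path string) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%s has mode %04o, expected 0600", path, perm)
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	key, err := base64.StdEncoding.DecodeString(strings.TrimSpace(string(raw)))
	if err != nil || len(key) != 16 {
		return nil, fmt.Errorf("%s must hold one base64 line encoding 16 key bytes (AES-128)", path)
	}
	return key, nil
}

// ecb runs op over each 16-byte block on its own. ECB is assumed (Java's Cipher.getInstance("AES") means AES/ECB/PKCS5Padding); the page only says AES-128.
func ecb(op func(dst, src []byte), in []byte) []byte {
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], in[i:i+aes.BlockSize])
	}
	return out
}

// unpad strips PKCS#5 padding; bad padding is the usual symptom of a wrong key.
func unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong key or corrupted value")
	}
	return b[:len(b)-n], nil
}

// Encrypt returns "{aes}<base64 ciphertext>" for one setting value.
func Encrypt(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#5: n bytes of value n
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	return prefix + base64.StdEncoding.EncodeToString(ecb(block.Encrypt, pt)), nil
}

// Decrypt reverses Encrypt; a value without the {aes} marker is an error, so a clear-text password left in a properties file is noticed rather than used.
func Decrypt(key []byte, value string) (string, error) {
	if !strings.HasPrefix(value, prefix) {
		return "", errors.New("value is not encrypted: missing " + prefix)
	}
	ct, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, prefix))
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext must be base64 of one or more whole blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	out, err := unpad(ecb(block.Decrypt, ct))
	return string(out), err
}

func main() {
	// Constructed walk-through: write a 0600 key file, then round-trip one value.
	path := os.TempDir() + "/sonar-secret.txt"
	k, _ := GenerateKey()
	_ = os.WriteFile(path, []byte(k+"\n"), 0o600)
	key, err := LoadKeyFile(path)
	if err != nil {
		panic(err)
	}
	enc, _ := Encrypt(key, "db-password-example")
	dec, _ := Decrypt(key, enc)
	fmt.Printf("sonar.jdbc.password=%s   (decrypts to %q)\n", enc, dec)
}
```

Because ECB with a fixed key is deterministic, two settings that share a password produce identical {aes} values, so anyone who can compare properties files across hosts can see which credentials are reused without decrypting anything. Treat the key file and the encrypted files as one secret: the encryption only helps when the key file is readable by fewer accounts than the properties files are.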

FAQ

I have locked myself out

There is currently nothing that stops you from removing the global administrator role from every user and every group. You then have no other solution than a manual update in the SonarQube database to get back in control (replace mylogin with your own login):

Code Block
languagesql
INSERT INTO user_roles(user_id, role) VALUES ((select id from users where login='mylogin'), 'admin');

I have lost the admin password

In case you have lost the admin password of your SonarQube instance, you can reset it by running the following update statement:

Code Block
languagesql
update users set crypted_password = '88c991e39bb88b94178123a849606905ebf440f5', salt='6522f3c5007ae910ad690bb1bdbf264a34884c6d' where login = 'admin';

This resets the password to admin. Log in and change it immediately, since the default credentials are public knowledge.
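To reset the account to something other than admin/admin, as an added example that is not part of the page: a Go program that builds the same kind of UPDATE statement for a chosen login and password. It assumes the password hashing scheme of SonarQube versions from this era, one SHA-1 pass over "--salt--password--" with the hex digest stored in crypted_password and a 40-hex-character salt. The page does not state that scheme, so the program first checks whether it reproduces the digest in the statement above for the password admin; if that check fails, the scheme is wrong for your version and the generated statement must not be used. The login check and all function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Digest and salt copied from the page's UPDATE statement (password "admin"),
// used only to check the assumed scheme.
const (
	pageDigest = "88c991e39bb88b94178123a849606905ebf440f5"
	pageSalt   = "6522f3c5007ae910ad690bb1bdbf264a34884c6d"
)

// PasswordDigest is the assumed scheme: one SHA-1 pass over
// "--" + salt + "--" + password + "--", hex-encoded.
func PasswordDigest(password, salt string) string {
	sum := sha1.Sum([]byte("--" + salt + "--" + password + "--"))
	return hex.EncodeToString(sum[:])
}

// NewSalt returns 20 random bytes as 40 hex characters, the width of the salt above.
func NewSalt() (string, error) {
	b := make([]byte, 20)
	_, err := rand.Read(b)
	return hex.EncodeToString(b), err
}

// SchemeMatchesPage reports whether the assumed scheme reproduces the page's
// digest. If false, the scheme is wrong for your version: do not use ResetStatement.
func SchemeMatchesPage() bool {
	return PasswordDigest("admin", pageSalt) == pageDigest
}

var safeLogin = regexp.MustCompile(`^[A-Za-z0-9._@-]+$`)

// ResetStatement builds the UPDATE for a chosen login and password so the
// account does not have to go back to admin/admin. Digest and salt are hex,
// so only the login needs guarding against quote characters.
func ResetStatement(login, password, salt string) (string, error) {
	if !safeLogin.MatchString(login) {
		return "", fmt.Errorf("login %q contains characters this statement does not quote safely", login)
	}
	return fmt.Sprintf("update users set crypted_password = '%s', salt = '%s' where login = '%s';",
		PasswordDigest(password, salt), salt, login), nil
}

func main() {
	fmt.Println("assumed scheme reproduces the page's digest:", SchemeMatchesPage())
	salt, err := NewSalt()
	if err != nil {
		panic(err)
	}
	stmt, _ := ResetStatement("admin", "replace-with-a-long-random-passphrase", salt)
	fmt.Println(stmt)
}
```

A single salted SHA-1 pass is cheap to brute-force offline, so treat a copy of the users table as a credential leak and rotate passwords after any database exposure.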

Another aspect of security is the encryption of settings such as passwords; SonarQube's built-in mechanism for this is described under Settings Encryption above.