Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Wiki Markup
{iframe:src=http://update.sonarsource.org/plugins/crowd-confluence.html|width=700|height=250|frameborder=0}
Your browser does not support iframes.
{iframe}

Compatibility matrix

Description / Features

This plugin allows the delegation of SonarQube authentication and authorization to Atlassian Crowd.

The main features are:

  • Password checking against the external authentication engine.
  • Automatic synchronization of usernames and emails.
  • Automatic synchronization of relationships between users and groups (authorization).
  • Ability to authenticate against both the external and the internal authentication systems (for instance, technical SonarQube user accounts do not need to be defined in Crowd as there is an automatic fallback on SonarQube engine if the user is not defined in Crowd or if the Crowd server is down).

During the first authentication trial, if the password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and the groups this user belongs to that are refreshed in the SonarQube database.

Requirements

Plugin

0.1

0.2

1.0

2.0

Crowd

2.0.2

2.0.2

2.0.2 - 2.2.x

Description / Features

The Sonar Crowd Plugin enables the delegation of Sonar authentication to an external system. The plugin currently supports Atlassian Crowd.

Only password-checking is done against the external system. Authorization (access control) is still fully managed in Sonar. That’s why Crowd users do not automatically have access to Sonar. A Sonar account must be created first for each new user wishing to use Sonar. The Sonar administrator should also assign the user to the desired groups in order to grant him necessary rights. If exists, the password in the Sonar account will be ignored as the external system password will override it.

Usage & Installation

...

titleconf/sonar.properties
2.1.0 - 2.8.x

Include Page
Include - Plugin Installation
Include - Plugin Installation

Usage

  1. Configure the Crowd plugin by editing the SONARQUBE_HOME/conf/sonar.properties file (see table below)

  2. Restart the SonarQube server and check the log file for:

    No Format
    INFO  web[org.sonar.INFO]  Security realm: Crowd
    ...
    INFO  web[o.s.p.c.CrowdRealm]  Crowd configuration is valid, connection test successful.
    INFO  web[org.sonar.INFO]  Security realm started
    
  3. Log in to SonarQube

General Configuration

Property
Description
Default value
Mandatory
Example
sonar.security.realm

To first try to authenticate against the external sytem. If the external system is not reachable or if the user is not defined in the external system, the authentication will be performed through the SonarQube internal system.

Available since SonarQube 3.6. It replaces the property sonar.authenticator.class usage.

None

Yes

Crowd (only possible value)
sonar.security.savePassword
To save the user password in the SonarQube database. Then, users will be able to log into SonarQube even when the Crowd server is not reachable.
false
No 
sonar.authenticator.createUsers

By default, the SonarQube database is automatically populated when a new user logs into SonarQube. Setting this value to false, makes it mandatory for a System administrator to first declare a user through the SonarQube web interface before allowing this user to log into SonarQube.

true
No 
sonar.security.updateUserAttributes

If set to true, at each login, user's attributes (name and email) are re-synchronized. If set to false, user's attributes are not re-synchronized.

Note that if set to false, user's attributes are synchronized just once, at the very first login.

Available since SonarQube 3.6.

true
No 
sonar.authenticator.downcaseSet to true when connecting to a Crowd server using a case-insensitive setup.falseNo 
crowd.url
URL of the Crowd server. Note that if you are using https with a self certified certificate, then you should install the server certificate into the Java truststore. Since version 2.0 of the plugin the url must be the root URL of your crowd instance and not the /services/ endpoint like for previous versions of the plugin.None

Yes

https://my.company.com/crowd/
crowd.application
Application name defined in Crowd to authenticate your sonar instance.NoneNosonar
crowd.password
Application password defined in Crowd to authenticate your sonar instance.NoneNo 

Example of LDAP Configuration

Code Block
titleSONARQUBE/_HOME/conf/sonar.properties
languagenone
 
#-------------------
# Sonar Crowd Plugin
#-------------------


# 

...

To 

...

first 

...

try 

...

to 

...

authenticate 

...

against 

...

the 

...

external 

...

sytem.

...

# If the external system is not reachable or if the user is not defined in the external system, the authentication will be performed through the SonarQube internal system.
sonar.security.realm=Crowd
 
# URL of the Crowd server.
crowd.url=https://my.company.com/crowd/


# Crowd application name.
# Default is 'sonar'.
crowd.application=sonar-prod


# Crowd application password.
crowd.password=bar


# Don't use crowd for sonar account
sonar.security.localUsers=admin,sonar

 

Advanced Configuration

Include Page
Include - Technical Users
Include - Technical Users

Upgrades

to SonarQube 5.0

  • Only crowd plugin 2.0+ supports SonarQube 5.0+
  • sonar.security.realm must be used instead of sonar.authenticator.class (deprecated since SonarQube 3.6 and removed in SonarQube 5.0)

from Crowd plugin 1.0 to 2.0

  • Crowd plugin 2.0+ uses the REST API provided by Crowd. The crowd url used in the configuration (crowd.url) must be the main URL of your crowd instance and not its /services/ end point (used with the previous SOAP integration)
  • Crowd plugin 2.0+ synchronises groups from Crowd thus take care to create a group sonar-administrators in your Crowd directory and add in this group all users you'll want to use to administer SonarQube. You can also define some accounts to not synchronise with the property sonar.security.localUsers

Deprecated Crowd plugin 1.0 configuration

  1. Make sure that at least one user with System administration role exists in SonarQube as well as in the external system
  2. Update the SONARQUBE_HOME/conf/sonar.properties file by adding the following lines:

    Code Block
    titleSONARQUBE/_HOME/conf/sonar.properties
    languagenone
    # Activates the plugin. Leave blank or comment out to use default sonarSonarQube authentication.
    sonar.authenticator.class: org.sonar.plugins.crowd.CrowdAuthenticator
    
    # Ignore failure at startup if the connection to external system is refused.
    # Users can browse sonarSonarQube but not log in as long as the connection fails.
    # When set to true, SonarSonarQube will not start if connection to external system fails.
    # Default is false.
    #sonar.authenticator.ignoreStartupFailure: true
    
    # Automatically create users (available since Sonar 2.0).
    # When set to true, user will be created after successful authentication, if doesn't exists.
    # The default group affected to new users can be defined online, in SonarSonarQube general settings. The default value is "sonar-users".
    # Default is false.
    #sonarsonar.authenticator.createUsers: true
    
    # URL of the Crowd server (usually ends with /services/).
    crowd.url:
    
    # Crowd application name.
    # Default is 'sonar'.
    #crowd.application:
    
    # Crowd application password.
    crowd.password:
    
  3. Restart the

    Sonar server

    SonarQube server and check the log file for:

    No Format
    
    INFO  org.sonar.INFO  Authentication plugin: class org.sonar.plugins.crowd.CrowdAuthenticator
    INFO  org.sonar.INFO  Authentication plugin started
    
  4. Log in to SonarSonarQube

 

Troubleshooting

You For versions prior to SonarQube 4.1, you can enable debug logging by adding the following to conf/logback.xml:

Code Block
titleconf/logback.xml
   <logger name="org.sonar.plugins.crowd">
    <level value="DEBUG"/>
    <appender-ref ref="CONSOLE"/>
    <appender-ref ref="SONAR_FILE"/>
  </logger>

Changelog

JIRA Issues
anonymoustrue
titleRelease 1.0
height90
width800
columnstype;key;summary;priority;status;resolution
urlhttp://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=16911&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
JIRA Issues
anonymoustrue
titleRelease 0.2
height90
width800
columnstype;key;summary;priority;status;resolution
urlhttp://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=16515&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000
JIRA Issues
anonymoustrue
titleRelease 0.1
height120
width800
columnstype;key;summary;priority;status;resolution
urlhttp://jira.codehaus.org/sr/jira.issueviews:searchrequest-xml/temp/SearchRequest.xml?fixfor=16079&pid=11911&sorter/field=priority&sorter/order=DESC&tempMax=1000