Versions Compared


SonarQube comes out of the box with a complete mechanism to manage security. Configuring security covers two main use cases:

  • Manage access rights to resources, information, etc.
  • Enable customization (custom dashboards, notifications, etc.) of SonarQube for users
Here are some examples of what you can achieve by configuring security in SonarQube:
  • Secure a SonarQube instance by forcing login prior to access to any page
  • Make a given project not accessible to anonymous users
  • Allow access to source code (Code Viewer) to a given set of users
  • Restrict access to a project to a given group of users
  • Define who can administer a project (setting exclusion patterns, tuning plugin configuration for that project, etc.)
  • Define who can administer a SonarQube instance

Built-in Security

Authentication

...

When installing SonarQube, a unique user gets created:

...

The way authorization is implemented in SonarQube is pretty standard. It is possible to create as many users and groups of users as required in the system. Users can then be attached (or not) to (multiple) groups. Groups and/or users are then given (multiple) roles. The roles grant access to projects, services and functionalities.

...

  • Global roles:
    • System Administrators have the ability to perform all administration tasks on the SonarQube instance, like global configuration, customization of the home page, etc.
    • Quality Profile Administrators have the ability to perform any changes on quality profiles (since version 3.6)

...

  1. Default user group: any new user created will automatically join this group.
  2. Force user authentication: this is really the first question that should be answered when setting the security strategy in SonarQube. Can anybody browse the SonarQube instance, or do you need to be authenticated?
  3. Allow users to sign up online: this means that anybody can access a form to create an account for themselves in the system. Note that after filling in the form, the user still has to log in.
  4. Import sources: if set to false, source code will not be accessible to any user. To restrict access to source code to some users only, see the Code Viewers role.

...

In order to leverage existing enterprise infrastructure, SonarQube provides the capability to delegate authentication and authorization to external systems through plugins:

SSO is also supported through the SonarQube OpenID plugin.

...

Encryption is mostly used to remove cleartext passwords from settings (database or SCM credentials, for instance). The implemented solution is based on a symmetric key algorithm. The key point is that the secret key is stored in a secured file on disk. This file must only be owned and readable by the system account that runs the SonarQube server or the analysis (with SonarQube Runner, SonarQube Ant Task, Maven, or from the Continuous Integration server).

...

A unique secret key must be shared between all parts of the SonarQube infrastructure (server and analyzers). To generate it, go to Settings > Configuration > General Settings > Encryption and click on Generate secret key:

2. Store the secret key on the SonarQube server

  1. Copy this secret key in a file:

    sonar-secret.txt:
        bIOVA1TybepjqLH+uYxuNh==

  2. Store this file on the machine hosting the SonarQube server (default location: ~/.sonar/sonar-secret.txt). If you want to store it somewhere else, set its path through the sonar.secretKeyPath property in SONARQUBE_HOME/conf/sonar.properties:

    SONARQUBE_HOME/conf/sonar.properties:
        ...
        sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
        ...

  3. Restrict its access to the system account running the SonarQube server (ownership and read access only).
  4. Restart your SonarQube server.

3. Generate the encrypted values of your settings

...

SONARQUBE_HOME/conf/sonar.properties:
    sonar.jdbc.url=jdbc:oracle:thin:@172.16.199.130/XE
    sonar.jdbc.username=sonar
    # Encrypted password for the database (keep comments on their own line: a '#' after a value becomes part of the value)
    sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
    ...
    sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt

Restart your SonarQube server.

Batch side

Copy the secret key file to the machine running the analysis.
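As an added example (not part of the SonarQube documentation or project), here is a Python audit for the two checks the encryption steps above imply: credential-like settings in sonar.properties should carry {aes} values rather than cleartext (and must not be broken by an inline comment), and the secret key file must be readable by its owner only. The credential key suffixes and the sonar.scm.password / sonar.example.token entries are assumptions; the JDBC lines and the key value are the sample values shown on this page.

```python
import os, re, stat, tempfile
# Assumption: keys ending in one of these hold credentials worth auditing.
SENSITIVE_SUFFIXES = ("password", "secret", "token")
ENCRYPTED_RE = re.compile(r"^\{aes\}[A-Za-z0-9+/]+={0,2}$")  # {aes} + base64, as on the page

def parse_properties(text):
    """java.util.Properties-style 'key=value' reader; '#' after a value is NOT a comment."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":  # only whole-line comments are skipped
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def audit_properties(text):
    """Map credential-like keys to 'encrypted', 'cleartext' or 'corrupted'
    (corrupted: an inline '#' comment has silently become part of the value)."""
    findings = {}
    for key, value in parse_properties(text).items():
        if key.lower().endswith(SENSITIVE_SUFFIXES):
            findings[key] = ("corrupted" if "#" in value else
                             "encrypted" if ENCRYPTED_RE.match(value) else "cleartext")
    return findings

def key_file_problems(path):
    """Reasons the secret key file is not owner-only (empty list means OK)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["group/other can access the key file (mode %04o)" % mode]
    return []

def check_temp_key_file(mode):
    """Write a constructed key file with the given mode and audit it (demo helper)."""
    fd, path = tempfile.mkstemp(suffix="-sonar-secret.txt")
    try:
        os.write(fd, b"bIOVA1TybepjqLH+uYxuNh==\n")  # sample key value from the page
        os.close(fd)
        os.chmod(path, mode)
        return key_file_problems(path)
    finally:
        os.unlink(path)

# Constructed sample: the page's JDBC password plus one cleartext and one corrupted entry.
SAMPLE = """\
sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==
sonar.scm.password=hunter2
sonar.example.token={aes}CCGCFg4Xpm6r+PiJb1Swfg==   # inline comment corrupts the value
"""
```

To audit a real installation, pass the contents of SONARQUBE_HOME/conf/sonar.properties to audit_properties() and the path from sonar.secretKeyPath (default ~/.sonar/sonar-secret.txt) to key_file_problems().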

...

There is currently nothing that stops you from removing the global administrator role from every user and every group. You then have no other solution than to make a manual update in the SonarQube database to get back in control:

    INSERT INTO user_roles(user_id, role) VALUES ((select id from users where login='mylogin'), 'admin');

...

In case you lost the admin password of your SonarQube instance, you can reset it by running the following update statement:

...