Sonar comes out of the box with a complete mechanism to manage security. Configuring security in Sonar will enable to cover 2 main use cases:
- Manage access rights to resources, information...
- Enable customization of Sonar for users
- Secure a Sonar instance by forcing login prior to access to any page
- Make a given project non accessible to anonymous
- Allow access to source code (Code Viewer) to a given set of people
- Restrict access to a project to a given group of people
- Define who can administer a project (setting exclusion patterns, tunning plugins configuration for that project, …)
- Define who can administer a Sonar instance
Default Admin Credentials
When installing Sonar, a unique user gets created:
- Login: admin
- Password: admin
A user is a set of basic information: login, password, name and email.
To create a new user, go to Configuration > Users > Add new user:
Change my Password
Log in and click on your name (the top right of the screen).
Enter the old password, the new one and confirm it:
The way authorization is implemented in Sonar is pretty standard. It is possible to create as many users and groups of users as required in the system. The users can then be attached (or not) to (multiple) groups. Groups and / or users are then given (multiple) roles. The roles grant access to projects, services and functionalities in Sonar.
A group is a set of users.
To create a new group, go to Configuration > Groups > Add new group:
To add/remove users to/from a group:
Two groups have a special status in Sonar:
- Anyone is a group that exists in the system, but that cannot be managed. Every user belongs to this group.
- sonar-users is the group to which users are automatically added. This group can be changed through the Security Global Settings. See Global Security Settings, property sonar.defaultGroup for more information.
There are 4 roles in Sonar, 1 is global, the 3 others are defined at project level:
- Global roles:
- Global Administrators: have the ability to perform all administration tasks on the Sonar instance like global configuration, customization of the home page, of the time machine, etc.
- Project roles:
- Administrators: have the ability to perform administration tasks for a project by accessing its settings
- Users: have the ability to navigate through every service of a project, except viewing source code and settings
- Code viewers: have the ability to view source code of a project
Default project roles
It is possible to configure the system so that when a new project is created, some users/groups are automatically granted roles on this project.
In the example below, once a new project has been created:
- All the users in the sonar-administrators group can administrate (Administrators), access the project (Users) and browse the source code (Code viewers).
- The myAuditor user can access access the project (Users) and browse the source code (Code viewers).
- Default user group: any new user created will automatically join this group.
- Force user authentication: this is really the first question that should be answered when setting the security strategy in Sonar. Can anybody browse the Sonar instance or do you need to be authenticated?
- Allow users to sign up online: this means that anybody can access a form to create himself an account in the system. Note that after filling up the form, the user should log in.
- Import sources: if set to false, source code will not be accessible for any user, to restrict access to source code for some users only, see Code viewers role.
Delegation to an External System
In order to leverage existing infrastructures, Sonar provides the capability of delegating authentication and authorization to external systems through plugins:
- LDAP with the Sonar LDAP Plugin
- Active Directory with the Sonar LDAP Plugin
- PAM with the Sonar PAM Plugin
- Crowd with the Sonar Crowd Plugin
Encryption is mostly used to remove clear passwords from settings, ie the database or SCM credentials. The implemented solution is based on a symetric key algorithm. The keypoint is that the secret key is stored in a secured file on disk. This file must be readable and owned by only the system account that executes the different Java process (Maven Plugin , Ant task, continuous integration server, sonar server, ...).
The algorithm is AES 128 bits. Note that 256 bits cipher is not used because it's not supported by default on all Java Virtual Machines (see this article).
How to generate the secret key
An unique secret key is shared between all the parts of the Sonar infrastructure (server and code analyzers). It is generated online with the administration console (Configuration -> General Settings > Encryption). Follow the instructions to store the key in a secured file on the server, generally in
~/.sonar/sonar-secret.txt. If the file is elsewhere, then declare its path with the property
sonar.secretKeyPath in conf/sonar.properties and restart the server.
If you want to encrypt properties that are used by code analyzers, then copy the file on all the required machines. Use the same property
sonar.secretKeyPath to change the default location.
When this is done, you can start encrypting settings.
How to encrypt settings
The administration console used to generate the secret key allows also to encrypt text values. Simply copy the encrypted texts in the appropriate locations.
See the Security section of the FAQ.