SonarQubeTM comes out of the box with a complete mechanism to manage security. Configuring security enables to cover two main use cases:
- Manage access rights to resources, information, etc.
- Enable customization (custom dashboards, notifications, etc.) of SonarQubeTM for users
- Secure a SonarQubeTM instance by forcing login prior to access to any page
- Make a given project non accessible to anonymous
- Allow access to source code (Code Viewer) to a given set of users
- Restrict access to a project to a given group of users
- Define who can administer a project (setting exclusion patterns, tuning plugins configuration for that project, etc.)
- Define who can administer a SonarQubeTM instance
Default Admin Credentials
When installing SonarQubeTM , a unique user gets created:
- Login: admin
- Password: admin
A user is a set of basic information: login, password, name and email.
To create a new user, go to Setting > Security > Users > Add new user:
Change my Password
Log in and click on your name (top right of the screen).
The way authorization is implemented in SonarQubeTM is pretty standard. It is possible to create as many users and groups of users as required in the system. The users can then be attache (or not) to (multiple) groups. Groups and / or users are then given (multiple) roles. The roles grant access to projects, services and functionalities.
A group is a set of users.
To create a new group, go to Settings > Security > Groups > Add new group:
To add/remove users to/from a group:
Two groups have a special meaning:
- Anyone is a group that exists in the system, but that cannot be managed. Every user belongs to this group.
- sonar-users is the group to which users are automatically added. This group can be changed through the Global Security Settings (
There are 5 different roles, 2 are global, the 3 others are defined at project level:
- Global roles:
- System Administrators have the ability to perform all administration tasks on the SonarQubeTM instance like global configuration, customization of the home page, etc.
- Quality Profile Administrators have the ability to perform any changes on quality profiles (since version 3.6)
- Project roles:
- Administrators have the ability to perform administration tasks for the project by accessing its settings
- Users have the ability to browse the measures and to create/edit issues on the project
- Code viewers have the ability to view the source code of the project
Note that roles are not cumulative. For instance, if you want to be able to administer the project, browse the measures and browse the source code, you have to be given the three roles: Administrator, User and Code Viewer.
Default project roles
It is possible to configure the system so that when a new project is created, some users/groups are automatically granted roles on this project.
In the example below, once a new project has been created:
- All the users in the sonar-administrators group can administrate (Administrators), access the project (Users) and browse the source code (Code viewers).
- The myAuditor user can access access the project (Users) and browse the source code (Code viewers).
- Default user group: any new user created will automatically join this group.
- Force user authentication: this is really the first question that should be answered when setting the security strategy in SonarQubeTM. Can anybody browse the SonarQubeTM instance or do you need to be authenticated?
- Allow users to sign up online: this means that anybody can access a form to create himself an account in the system. Note that after filling up the form, the user should log in.
- Import sources: if set to false, source code will not be accessible for any user, to restrict access to source code for some users only, see Code viewers role.
Delegation to an External System
In order to leverage existing enterprise infrastructure, SonarQubeTM provides the capability to delegate authentication and authorization to external systems through plugins:
- LDAP with the SonarQubeTM LDAP Plugin
- Active Directory with the SonarQubeTM LDAP Plugin
- PAM with the SonarQubeTM PAM Plugin
- Crowd with the SonarQubeTM Crowd Plugin
Encryption is mostly used to remove clear passwords from settings (database or SCM credentials for instance). The implemented solution is based on a symetric key algorithm. The keypoint is that the secret key is stored in a secured file on disk. This file must only be owned and readable by the system account that runs the SonarQubeTM server, the analysis with Sonar Runner, Ant Task, Maven or from the Continuous Integration server.
The algorithm is AES 128 bits. Note that 256 bits cipher is not used because it's not supported by default on all Java Virtual Machines (see this article).
1. Generate the secret key
A unique secret key must be shared between all parts of the SonarQubeTM infrastructure (server and analyzers). To generate it, go to Settings > Configuration > General Settings > Encryption and click on Generate secret key
2. Store the secret key
Store the secret key in a file on the machine hosting the SonarQubeTM server. Restrict access to this file to the system account running the SonarQubeTM server (ownership and read-access only). If you don't store the secret key in
~/.sonar/sonar-secret.txt, set its path through the
sonar.secretKeyPath property in SONARQUBE_HOME/conf/sonar.properties. Restart your SonarQubeTM server
Copy this file on any machines running SonarQubeTM analyses (continuous integration server, etc.).
3. Encrypt your settings
Go back to Settings > Configuration > General Settings > Encryption and generate the encrypted values or your settings.
Then, you just have to copy the encrypted values to the appropriate locations.
I have locked myself out
There is currently nothing that stops you removing from every user and every group the global administrator role. the global administrator role. You then have no other solution than make an manual update in the SonarQubeTM database to get back in control.
I have lost the admin password
In case you lost the admin password of your SonarQubeTM instance, you can reset it by running the following update statement :
This will reset the password to admin.