This is an old version of this page (version 103).


Out of the box, SonarQube comes with a complete mechanism to manage security. Configuring security allows you to cover two main use cases:

  • Manage access rights to components, information, etc.
  • Enable customization (custom dashboards, notifications, etc.) of SonarQube for users
Here are examples of security restrictions you can enforce by configuring security in SonarQube:
  • Secure a SonarQube instance by forcing authentication prior to accessing any page
  • Make a given project invisible to anonymous users
  • Restrict access to a project to a given group of users
  • Restrict access to a project's source code (Code Viewer) to a given set of users
  • Define who can administer a project (setting exclusion patterns, tuning plugins configuration for that project, etc.)
  • Define who can administer a SonarQube instance

Built-in Security

Authentication

Default Admin Credentials

When installing SonarQube, a default user with administration privileges is created automatically:

  • Login: admin
  • Password: admin

These credentials are identical on every fresh installation, so change the admin password immediately after the first login (see "Change my Password" below).

Add Users

A user is a set of basic information: login, password, name and email.

To create a new user, go to Settings > Security > Users > Add new user.

Change my Password

Log in and click on your name (top right of the screen).

LDAP plugin

When the LDAP plugin is installed and activated, users can no longer change their own password. Only system administrators can then do so, through Settings > Security > Users.

 

Authorization

Authorization in SonarQube follows a standard user/group/permission model. You can create as many users and groups as required; each user can belong to any number of groups; and groups and/or users are then granted one or more permissions. Permissions grant access to projects, services and functionalities.

Groups

Overview

A group is a set of users.

To create a new group, go to Settings > Security > Groups > Add new group:

To add users to or remove users from a group:

Special groups

Two groups have a special meaning:

  • Anyone is a built-in group that exists in the system but cannot be managed. Every user belongs to this group, including "anonymous" (unauthenticated) users, so any permission granted to Anyone is granted to everybody.
  • sonar-users is the default group to which new users are automatically added. This group can be changed through the Global Security Settings (sonar.defaultGroup property).

Roles and Permissions

Global Permissions

  • System Administrators have the ability to perform all administration tasks on the SonarQube instance like global configuration, customization of the home page, etc.
  • Quality Profile Administrators have the ability to perform any changes on quality profiles (since version 3.6)

Project Roles

  • Users have the ability to see that a project exists, browse the measures and create/edit issues on the project
  • Code viewers have the ability to view the source code of the project. You must have the Users role on a project to make use of the Code viewers role.
  • Administrators have the ability to perform administration tasks for the project by accessing its settings. You must have the Users role on a project to make use of the Administrators role.

Note that roles are not cumulative. For instance, if you want to be able to administer the project, browse the measures and browse the source code, you have to be given the three roles: Administrators, Users and Code viewers.

Default project roles

It is possible to configure the system so that when a new project is created, some users/groups are automatically granted roles on this project.

In the example below, once a new project has been created:

  • All the users in the sonar-administrators group can administer the project (Administrators), access it (Users) and browse its source code (Code viewers).
  • The myAuditor user can access the project (Users) and browse its source code (Code viewers).

Security Settings

  1. Default user group: any newly created user automatically joins this group.
  2. Force user authentication: this is the first question to answer when defining the security strategy of a SonarQube instance. Can anybody browse the instance anonymously, or must every user be authenticated? When enabled, no page is served to anonymous users, whatever permissions the Anyone group holds.
  3. Allow users to sign up online: anybody can access a form to create an account for themselves. Note that after submitting the form, the user still has to log in.
  4. Import sources: if set to false, source code is not stored and is therefore not accessible to any user, including administrators. To restrict access to source code to some users only, keep it set to true and use the Code viewers role instead.
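The rules spread over the Authorization, Special groups, Project Roles and Security Settings sections above combine in ways that are easy to get wrong: Anyone includes anonymous users, project roles are not cumulative, and Force user authentication overrides everything for anonymous visitors. The following model is an added example and is not SonarQube code; the class, method and user names (alice, carol, myAuditor, my-project, private-project) are assumptions chosen for illustration. It encodes the rules stated on this page so that a permission set can be checked before it is applied to a real instance.

```python
"""Model of the SonarQube authorization rules described on this page.
Added example, not SonarQube code: names and structure are illustrative."""
from dataclasses import dataclass, field

ANYONE = "Anyone"              # built-in group: every user, including anonymous
DEFAULT_GROUP = "sonar-users"  # sonar.defaultGroup
ROLES = {"user", "codeviewer", "admin"}  # Users, Code viewers, Administrators


@dataclass
class Instance:
    force_authentication: bool = False
    import_sources: bool = True
    # group name -> set of logins (Anyone is implicit and never stored)
    groups: dict = field(default_factory=dict)
    # project key -> role -> set of principals (a login or a group name)
    project_roles: dict = field(default_factory=dict)

    def add_user(self, login, *extra_groups):
        """New users automatically join the default group."""
        for group in (DEFAULT_GROUP, *extra_groups):
            self.groups.setdefault(group, set()).add(login)

    def grant(self, project, role, principal):
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.project_roles.setdefault(project, {}).setdefault(role, set()).add(principal)

    def principals_for(self, login):
        """Everything a permission may be matched against for this login.
        login=None is an anonymous visitor, who is still a member of Anyone."""
        principals = {ANYONE}
        if login is not None:
            principals.add(login)
            principals.update(g for g, members in self.groups.items() if login in members)
        return principals

    def has_role(self, login, project, role):
        granted = self.project_roles.get(project, {}).get(role, set())
        return bool(granted & self.principals_for(login))

    def can(self, login, project, action):
        # Force user authentication: anonymous users get no page at all,
        # regardless of what the Anyone group has been granted.
        if login is None and self.force_authentication:
            return False
        if action == "browse":
            return self.has_role(login, project, "user")
        if action == "view_code":
            # Import sources = false hides code from everybody; otherwise the
            # Code viewers role is only usable together with the Users role.
            return (self.import_sources
                    and self.has_role(login, project, "user")
                    and self.has_role(login, project, "codeviewer"))
        if action == "administer":
            # Roles are not cumulative: Administrators without Users is useless.
            return (self.has_role(login, project, "user")
                    and self.has_role(login, project, "admin"))
        raise ValueError(f"unknown action {action!r}")


def build_example():
    """Constructed sample configuration mirroring the page's examples."""
    inst = Instance()
    inst.add_user("alice", "sonar-administrators")
    inst.add_user("carol")
    inst.add_user("myAuditor")
    # A public project: Anyone can browse, administrators and the auditor see code
    for role in ROLES:
        inst.grant("my-project", role, "sonar-administrators")
    inst.grant("my-project", "user", ANYONE)
    inst.grant("my-project", "user", "myAuditor")
    inst.grant("my-project", "codeviewer", "myAuditor")
    # A private project: administrators only; carol got Administrators by mistake
    for role in ROLES:
        inst.grant("private-project", role, "sonar-administrators")
    inst.grant("private-project", "admin", "carol")
    return inst


if __name__ == "__main__":
    inst = build_example()
    print("anonymous browses my-project:", inst.can(None, "my-project", "browse"))
    print("carol administers private-project:", inst.can("carol", "private-project", "administer"))
```

Running the model shows the two traps a practitioner most often hits: anonymous users can browse my-project because Anyone holds the Users role, and carol cannot administer private-project despite holding Administrators, because she was never granted Users there. Flipping force_authentication closes the first case; granting carol the Users role fixes the second.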

Delegation to an External System

In order to leverage existing enterprise infrastructure, SonarQube provides the capability to delegate authentication and authorization to external systems through plugins:

SSO is also supported through the SonarQube OpenID plugin.

FAQ

I have locked myself out

There is currently nothing that stops you from removing the global administrator role from every user and every group. If you do, the only way to regain control is a manual update of the SonarQube database.

I have lost the admin password

If you have lost the admin password of your SonarQube instance, you can reset it by running the following update statement against the SonarQube database:

This will reset the password to admin.
