Access SonarQube from Gitlab with user authentication enforced

Umang · July 21, 2021, 2:58pm

SonarQube: 7.9.6
We are trying to enforce user authentication (from Administration → Security on left hand panel). For our Gitlab pipeline to create, analyse and update the projects on SonarQube we need to create token. There is no option in SonarQube to create token at project level, we can only create at user level. We created a token using a non admin user account and we see that it is able to create new projects and access existing projects as well.

Does it mean that any token we create with any user can access any project on the SonarQube whether the user has access to that project or not?

Can you please suggest if there is a better way to achieve this?

PS: We have installed “GitLab (GitLab Plugin for Reporting) version 4.1.0-SNAPSHOT” plugin.

ganncamp · July 26, 2021, 1:11pm

Hi,

What we recommend is a “technical user” account that will be used only by automation. It should have permissions to create projects, as well as permissions to run analysis on most, if not all, projects.

Regarding your existing account. it sounds like it probably has been granted permissions at the Global level (Administration → Security → Global Permissions). And/or it’s listed in your default Permission Template (Administration → Security → Permission Templates).

Alternately, it’s possible that “Anyone” has global permissions or is in the permissions template.

HTH,
Ann