Hi,
I have noticed that each Sonarqube API call I make on projects endpoint using token previously generated on the UI are failing with “Insufficient privileges” message:
curl -u sqa_my-personal-token: https://mysonarqube.instance.com/api/projects/search?projects=my-project-key
{"errors":[{"msg":"Insufficient privileges"}]}
The user related to the token belongs to a group with sufficient rights normally.
I can even see, after having set up debug logs in Sonarqube application, that the user is correctly identified from the token:
2022.07.25 21:42:07 DEBUG web[AYI3T2pWX8YUvABtAAAA][auth.event] login success [method|BASIC_TOKEN][provider|LOCAL|local][IP|172.20.0.4|10.1.133.53][login|my-name17289
I have also generated a user token from admin account, and the API call still drew the “Insufficient privileges” message.
However, the API call did work using direct admin account credentials:
curl -u admin:admin-password https://mysonarqube.instance.com/api/projects/search?projects=my-project-key
{"paging":{"pageIndex":1,"pageSize":100,"total":0},"components":[]}
Please note the following elements about our Sonarqube installation:
- Sonarqube version: Developer Edition Version 9.5 (build 56709)
- Authentication: Azure Active Directory
- Architecture: dockerized installation with Sonarqube running in a container behind a Nginx reverse proxy to handle the SSL, with a PostgreSQL 13 database
Below is the docker-compose.yml file used to manage this architecture;
version: "3"
services:
sonarqube:
image: sonarqube:9.5-developer
depends_on:
- db
environment:
SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonarqube
SONAR_JDBC_USERNAME: sonar
SONAR_JDBC_PASSWORD: sonar-password
SONAR_WEB_JAVAOPTS: "-Xmx512m -Xms128m -XX:+HeapDumpOnOutOfMemoryError"
SONAR_SEARCH_JAVAOPTS: "-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError"
volumes:
- sonarqube_data:/opt/sonarqube/data
- sonarqube_extensions:/opt/sonarqube/extensions
- sonarqube_logs:/opt/sonarqube/logs
- /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts:/usr/lib/jvm/java-11-openjdk/lib/security/cacerts:ro
ports:
- "9000"
networks:
- sonarnet
db:
image: postgres:13
networks:
- sonarnet
environment:
POSTGRES_USER: sonar
POSTGRES_PASSWORD: sonar-password
POSTGRES_DB: sonarqube
volumes:
- postgresql:/var/lib/postgresql
- postgresql_data:/var/lib/postgresql/data
reverse_proxy:
container_name: reverse_proxy
depends_on:
- sonarqube
image: nginx
networks:
- sonarnet
ports:
- 80:80
- 443:443
restart: always
volumes:
- /var/opt/nginx/conf/nginx.conf:/etc/nginx/conf.d/default.conf:ro
- /etc/pki/my-cert.crt:/etc/ssl/certs/sonarqube.crt:ro
- /etc/pki/my-cert.key:/etc/ssl/private/sonarqube.key:ro
- /var/opt/nginx/log:/var/log/nginx
networks:
sonarnet:
driver: bridge
volumes:
sonarqube_data:
sonarqube_extensions:
sonarqube_logs:
postgresql:
postgresql_data:
Please also find the nginx reverse proxy configuration:
server {
listen 80;
listen [::]:80;
server_name mysonarqube.instance.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
client_max_body_size 100M;
client_body_in_file_only on;
server_name mysonarqube.instance.com;
ssl_certificate /etc/ssl/certs/sonarqube.crt;
ssl_certificate_key /etc/ssl/private/sonarqube.key;
access_log /var/log/nginx/sonarqube.access.log;
error_log /var/log/nginx/sonarqube.error.log debug;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_pass http://sonarqube:9000;
proxy_redirect off;
}
}
Would this issue be related to the new token rights management (squ, sqp and sqa type) from 9.5 release ? Or is it related to nginx reverse proxy configuration which might remove some HTTP header elements, or the Azure authentication ?
Thanks.
