Block the ability to interact with Sonar from local environments

Must-share information (formatted with Markdown):

  • which versions are you using: SonarQube Enterprise Edition Version 8.9.9 (build 56886)
  • how is SonarQube deployed: Docker
  • what are you trying to achieve: Block the ability to interact with Sonar from laptops
    We have Stage and Prod environments. The prod is meant to be controlled via CI/CD and Stage is a sandbox where users can run experiments. We want to disable the ability to push data from laptops.

The solution could be:

  • Prevent creating personal tokens
  • Modify permissions of personal tokens so they can’t upload stats

I looked at Permission templates for default permissions, but I did not find anything useful.

Hi,

Welcome to the community!

This is going to be a question of what permissions are granted to your users, not of token creation.

Ideally, only the technical account used by your CI to run analysis will have permissions to analyze a project. Individual developers shouldn’t have those permissions.

I suggest you check your permission template to make sure it’s limited in the analysis permissions it grants, and then consider re-applying it to your projects (via Administration → Projects → Management) to reset everything to base. Note that doing so will “kick out” individual project admins unless they’re in your template. So you would need to re-grant e.g. project leads the ability to administer their projects.

And BTW, under Administration → Security you have the ability to toggle whether project administrators have the ability to update the permissions on their projects (e.g. re-grant analyze). By default that’s on.

HTH,
Ann

Hi Ann,

Thank you for getting back to me and clarifying.
It was super helpful.

Cheers,
Przemek

@ganncamp

It is also good to mention Global Permissions as they cover Execute Analysis permission.

What is the difference between Execute Analysis permission in Global Permissions and Permission Templates?

Hi,

Granting a global permission gives the person or group that permission… globally - on all projects. Or access to global functions such as instance admin.

Granting a permission in a template is a potential permission. Nothing’s been granted, and won’t be until the next project is created and that permission template is applied.

Does that make sense?

Ann

Hi,

Thank you for shedding some light on it. It was not obvious.

Which one is a higher priority if permission is mutually exclusive?
E.g. I have a template allowing analysis for a group, and I unselect it in global permissions.

A side idea for improvement
Verifying the user has permission at the beginning of the scan would save some time unless there’s a reason for scanning without being able to post the results back to Sonar.

Przemek

Hi Przemek,

Permissions aren’t mutually exclusive. They’re additive. If you have permission through both a group and individually, and one - but only one - is removed, you still have permission.

Fair point. I’ll pass it on.

Ann
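As an added example (not part of the thread and not SonarSource code), here is a small audit that applies what Ann describes: it lists who holds the Execute Analysis permission (key `scan`) globally and in each permission template, flags grants to broad groups, and checks effective permission additively. The payloads are constructed; their shape follows the responses of `api/permissions/groups`, `api/permissions/users`, `api/permissions/template_groups` and `api/users/groups` as assumed here, so adapt the field names if your instance differs.

```python
SCAN = "scan"  # permission key shown as "Execute Analysis" in the UI

# Constructed sample: global scan grants (assumed shape of api/permissions/groups and api/permissions/users)
GLOBAL_GROUPS = {"groups": [{"name": "ci-runners", "permissions": ["scan", "provisioning"]},
                            {"name": "sonar-users", "permissions": ["scan"]}]}  # weak: every user can scan
GLOBAL_USERS = {"users": [{"login": "ci-bot", "permissions": ["scan"]}]}
# Constructed sample: per-template grants (assumed shape of api/permissions/template_groups)
TEMPLATES = {
    "Default template": {"groups": [{"name": "sonar-users", "permissions": ["user", "codeviewer", "scan"]}]},
    "CI-only template": {"groups": [{"name": "ci-runners", "permissions": ["scan"]}]},
}
# Constructed sample: group membership per login (assumed shape of api/users/groups)
MEMBERSHIP = {"alice": ["sonar-users"], "bob": ["sonar-users", "project-leads"], "ci-bot": ["ci-runners"]}


def holders(payload, key, name_field):
    """Names in a groups/users payload that carry the scan permission."""
    return {e[name_field] for e in payload.get(key, []) if SCAN in e.get("permissions", [])}


def audit_scan_grants(global_groups, global_users, templates):
    """Where the scan permission is handed out: globally (effective now) and in templates (potential)."""
    return {"global_groups": holders(global_groups, "groups", "name"),
            "global_users": holders(global_users, "users", "login"),
            "template_groups": {t: holders(p, "groups", "name") for t, p in templates.items()}}


def can_scan(login, membership, global_groups, global_users):
    """Additive check: a direct grant or any group grant is enough; removing one of two leaves the other."""
    direct = login in holders(global_users, "users", "login")
    via_group = bool(set(membership.get(login, [])) & holders(global_groups, "groups", "name"))
    return direct or via_group


def risky_findings(findings, broad_groups=("sonar-users", "Anyone")):
    """Flag global or template grants that give scan to everyone-style groups (laptops included)."""
    out = [("global", g) for g in findings["global_groups"] if g in broad_groups]
    for template, groups in findings["template_groups"].items():
        out += [(template, g) for g in groups if g in broad_groups]
    return sorted(out)


if __name__ == "__main__":
    findings = audit_scan_grants(GLOBAL_GROUPS, GLOBAL_USERS, TEMPLATES)
    for where, group in risky_findings(findings):
        print(f"review: '{group}' can run analysis via {where}")
    print("alice can scan:", can_scan("alice", MEMBERSHIP, GLOBAL_GROUPS, GLOBAL_USERS))
```

A template finding is only a potential grant (it applies to projects created after it), so clearing it and re-applying the template to existing projects, as Ann suggests, are two separate steps.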

Thank you for the explanation.