Force Authentication with Anonymous scan upload

Hi,

tl;dr: We would like to enable Force Authentication while still allowing anonymous scans/uploads to SonarQube.

Sonarqube v.6.7.5

We have a requirement of enforcing authentication into the sonarqube UI. To enable this, we have configured LDAP and the “Force Authentication” option.

This has worked as desired from the UI’s perspective as we wish to limit who can view the projects/scans on SonarQube. However, we would still like anyone (anonymous users) to submit their projects for scanning analysis (they will just have to log in to actually see the results).

Upon enabling Force Authentication, our previously working maven command fails with the following error (below). I am aware of using the sonar.login and sonar.password arguments, but we would like to avoid that, and allow anonymous users. Mainly we would like to avoid people having to send in their credentials or tokens and just use a simpler command.

Is it possible to have both Forced Authentication while still allowing anonymous uploads to SonarQube? Any help would be greatly appreciated, thank you.

Regards,
Erik

***mvn command***:
`mvn -X -Dsonar.clover.reportPath=target/site/clover/clover.xml -Dsonar.host.url=${sonarqube_url} org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar`

***maven output***:
[DEBUG] 14:20:22.416 GET 401 ${sonarqube_url}/sonar/api/settings/values.protobuf | time=215ms
 [INFO] ------------------------------------------------------------------------
 [INFO] BUILD FAILURE
 [INFO] ------------------------------------------------------------------------
 [INFO] Total time: 1.404 s
 [INFO] Finished at: 2019-06-27T14:20:22-07:00
 [INFO] Final Memory: 12M/194M
 [INFO] ------------------------------------------------------------------------
 [ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar (default-cli) on project cyberark-poc: Unable to load component class org.sonar.scanner.bootstrap.ScannerPluginInstaller: Unable to load component class org.sonar.home.cache.FileCache: Unable to load component class org.sonar.scanner.bootstrap.GlobalConfiguration: Not authorized. Analyzing this project requires to be authenticated. Please provide the values of the properties sonar.login and sonar.password. -> [Help 1]
 org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.2:sonar (default-cli) on project cyberark-poc: Unable to load component class org.sonar.scanner.bootstrap.ScannerPluginInstaller
 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:213)
 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
 	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
 	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
 	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
 	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
 	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
 	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
 	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
 	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
 	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
 	at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 	at java.lang.reflect.Method.invoke(Method.java:498)
 	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
 	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
 	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
 	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
 Caused by: org.apache.maven.plugin.MojoExecutionException: Unable to load component class org.sonar.scanner.bootstrap.ScannerPluginInstaller
 	at org.sonarsource.scanner.maven.bootstrap.ExceptionHandling.handle(ExceptionHandling.java:36)
 	at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute(ScannerBootstrapper.java:81)
 	at org.sonarsource.scanner.maven.SonarQubeMojo.execute(SonarQubeMojo.java:122)
 	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:134)
 	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
 	... 20 more
 Caused by: java.lang.IllegalStateException: Unable to load component class org.sonar.scanner.bootstrap.ScannerPluginInstaller
 	at org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer.getComponent(ComponentContainer.java:64)
 	at org.picocontainer.DefaultPicoContainer.getComponent(DefaultPicoContainer.java:632)
 	at org.picocontainer.parameters.BasicComponentParameter$1.resolveInstance(BasicComponentParameter.java:118)
 	at org.picocontainer.parameters.ComponentParameter$1.resolveInstance(ComponentParameter.java:136)
 	at org.picocontainer.injectors.SingleMemberInjector.getParameter(SingleMemberInjector.java:78)
 	at org.picocontainer.injectors.ConstructorInjector$CtorAndAdapters.getParameterArguments(ConstructorInjector.java:309)
 	at org.picocontainer.injectors.ConstructorInjector$1.run(ConstructorInjector.java:335)
 	at org.picocontainer.injectors.AbstractInjector$ThreadLocalCyclicDependencyGuard.observe(AbstractInjector.java:270)
 	at org.picocontainer.injectors.ConstructorInjector.getComponentInstance(ConstructorInjector.java:364)
 	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.getComponentInstance(AbstractInjectionFactory.java:56)
 	at org.picocontainer.behaviors.AbstractBehavior.getComponentInstance(AbstractBehavior.java:64)
 	at org.picocontainer.behaviors.Stored.getComponentInstance(Stored.java:91)
 	at org.picocontainer.DefaultPicoContainer.instantiateComponentAsIsStartable(DefaultPicoContainer.java:1034)
 	at org.picocontainer.DefaultPicoContainer.addAdapterIfStartable(DefaultPicoContainer.java:1026)
 	at org.picocontainer.DefaultPicoContainer.startAdapters(DefaultPicoContainer.java:1003)
 	at org.picocontainer.DefaultPicoContainer.start(DefaultPicoContainer.java:767)
 	at org.sonar.core.platform.ComponentContainer.startComponents(ComponentContainer.java:134)
 	at org.sonar.batch.bootstrapper.Batch.doStart(Batch.java:94)
 	at org.sonar.batch.bootstrapper.Batch.start(Batch.java:88)
 	at org.sonarsource.scanner.api.internal.batch.BatchIsolatedLauncher.start(BatchIsolatedLauncher.java:52)
 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 	at java.lang.reflect.Method.invoke(Method.java:498)
 	at org.sonarsource.scanner.api.internal.IsolatedLauncherProxy.invoke(IsolatedLauncherProxy.java:60)
 	at com.sun.proxy.$Proxy23.start(Unknown Source)
 	at org.sonarsource.scanner.api.EmbeddedScanner.doStart(EmbeddedScanner.java:220)
 	at org.sonarsource.scanner.api.EmbeddedScanner.start(EmbeddedScanner.java:156)
 	at org.sonarsource.scanner.maven.bootstrap.ScannerBootstrapper.execute(ScannerBootstrapper.java:60)
 	... 23 more
 Caused by: java.lang.IllegalStateException: Unable to load component class org.sonar.home.cache.FileCache
 	at org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer.getComponent(ComponentContainer.java:64)
 	at org.picocontainer.DefaultPicoContainer.getComponent(DefaultPicoContainer.java:632)
 	at org.picocontainer.parameters.BasicComponentParameter$1.resolveInstance(BasicComponentParameter.java:118)
 	at org.picocontainer.parameters.ComponentParameter$1.resolveInstance(ComponentParameter.java:136)
 	at org.picocontainer.injectors.SingleMemberInjector.getParameter(SingleMemberInjector.java:78)
 	at org.picocontainer.injectors.ConstructorInjector$CtorAndAdapters.getParameterArguments(ConstructorInjector.java:309)
 	at org.picocontainer.injectors.ConstructorInjector$1.run(ConstructorInjector.java:335)
 	at org.picocontainer.injectors.AbstractInjector$ThreadLocalCyclicDependencyGuard.observe(AbstractInjector.java:270)
 	at org.picocontainer.injectors.ConstructorInjector.getComponentInstance(ConstructorInjector.java:364)
 	at org.picocontainer.injectors.AbstractInjectionFactory$LifecycleAdapter.getComponentInstance(AbstractInjectionFactory.java:56)
 	at org.picocontainer.behaviors.AbstractBehavior.getComponentInstance(AbstractBehavior.java:64)
 	at org.picocontainer.behaviors.Stored.getComponentInstance(Stored.java:91)
 	at org.picocontainer.DefaultPicoContainer.getInstance(DefaultPicoContainer.java:699)
 	at org.picocontainer.DefaultPicoContainer.getComponent(DefaultPicoContainer.java:647)
 	at org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer.getComponent(ComponentContainer.java:62)
 	... 51 more
 Caused by: java.lang.IllegalStateException: Unable to load component class org.sonar.scanner.bootstrap.GlobalConfiguration
 	at org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer.getComponent(ComponentContainer.java:64)
 	at org.picocontainer.DefaultPicoContainer.getComponent(DefaultPicoContainer.java:632)
 	at org.picocontainer.parameters.BasicComponentParameter$1.resolveInstance(BasicComponentParameter.java:118)
 	at org.picocontainer.parameters.ComponentParameter$1.resolveInstance(ComponentParameter.java:136)
 	at org.picocontainer.injectors.SingleMemberInjector.getParameter(SingleMemberInjector.java:78)
 	at org.picocontainer.injectors.SingleMemberInjector.getMemberArguments(SingleMemberInjector.java:61)
 	at org.picocontainer.injectors.MethodInjector.getMemberArguments(MethodInjector.java:100)
 	at org.picocontainer.injectors.MethodInjector$2.run(MethodInjector.java:112)
 	at org.picocontainer.injectors.AbstractInjector$ThreadLocalCyclicDependencyGuard.observe(AbstractInjector.java:270)
 	at org.picocontainer.injectors.MethodInjector.decorateComponentInstance(MethodInjector.java:120)
 	at org.picocontainer.injectors.CompositeInjector.decorateComponentInstance(CompositeInjector.java:58)
 	at org.picocontainer.injectors.Reinjector.reinject(Reinjector.java:142)
 	at org.picocontainer.injectors.ProviderAdapter.getComponentInstance(ProviderAdapter.java:96)
 	at org.picocontainer.DefaultPicoContainer.getInstance(DefaultPicoContainer.java:699)
 	at org.picocontainer.DefaultPicoContainer.getComponent(DefaultPicoContainer.java:647)
 	at org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer.getComponent(ComponentContainer.java:62)
 	... 65 more
 Caused by: Not authorized. Analyzing this project requires to be authenticated. Please provide the values of the properties sonar.login and sonar.password.
 [ERROR]
 [ERROR]
 [ERROR] For more information about the errors and possible solutions, please read the following articles:
 [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Hi Erik,

What you’re after isn’t possible. Normally I’d tell you that your users need to generate tokens and pass them as the value of -Dsonar.login. However, it sounds like you have individual users randomly submitting analysis, which makes me question your setup. Ideally, you’re going to have a central CI system configured with the token of a minimum-permissions technical account, and that CI system is going to analyze automatically after each commit, so that random users never need to deal with this.

Let me know if this doesn’t make sense.

 
HTH,
Ann


Hi @ganncamp,

Thanks for your response. Ideally, yes, a central CI would be triggering the analyses; however, we are not quite there. I also don’t think it’s too much to ask users to include tokens; unfortunately, that is not the acceptance criteria at the moment.

We will be looking at Permission Templates to resolve our use case. Leave Force Authentication off, but make every project private. Then use groups to manage who can see what. A bit more administrative work, but a must to meet our requirements.