My goal is to create an application which lets a logged-in user export project metrics. For security reasons, users can only see and export metrics from the projects they are authorized to access.
I don't want to provide user credentials via Basic Auth in the SonarQube REST API each time I make a call, because it's less safe and I don't want to provide the password for each call.
So I have seen that it's possible to use the SonarQube REST API to generate a token for a user (by using the login parameter).
Is it good practice to use this API to generate a user token (by providing admin user credentials) for a logged-in user and then use the generated user token for each REST API call, like search projects?
Thank you for your advice.
Welcome to the community!
If I understand your question, you’re asking whether the global admin should generate users’ tokens and then pass those tokens off to the users for use in your application?
In general, I would say users should generate their own tokens. After all, it’s more secure if even you don’t have access to them.
Otherwise, what you’ve outlined seems sound.
Thank you for your quick answer.
Yes, you have understood my goal well; however, I didn't describe the end-to-end scenario:
The user comes to the application,
He is redirected to the single sign-on server to authenticate,
He comes back to the application as a logged-in user,
Then it's necessary to authenticate in SonarQube to get the projects he belongs to. So I don't want to provide his password because he is already logged in; I just want to get a user token, which is why I talked about the REST API generate token (no need to provide a password, I only need to provide the user login parameter).
Are you planning to store those tokens or generate a new one each time? Either way, it’s not the best idea.
You haven’t really talked about your application or why users need to access this data outside of SonarQube, so I’ll point out that you can add pages to SonarQube. Maybe this is a way to do what you need…?
No, I neither want to store tokens nor generate new ones every time.
I thought of letting the user send it in a header in every request, but I am still not sure.
The need for the application is to create a project quality workflow: the managers follow a quality process about SonarQube metrics and other quality points; it will not be easy to integrate into a SonarQube page and I am not sure it's SonarQube's area.
Maybe I can only use an admin account to call the SonarQube API, but is it possible to find the projects related to a user with the SonarQube REST API?
For example: give me all project keys that user 'b2030' could access?
It could be an easier way to resolve my need.
Thanks for the time you are spending.
I think this is probably the best direction to explore. In the SonarQube footer is a link to the onboard Web API documentation (so you always get the correct docs for your version of SQ).
I’ve taken a look because I didn’t remember off-hand where to point you. It looks like you’re going to need to use an “internal” service (there’s a toggle to turn on visibility for this at the top left):
api/permissions/users. Unfortunately, it looks like it goes in the wrong direction: listing the users’ perms on a particular project, so you’d have to iterate projects looking for the current user. Or maybe batch this … nightly? & store the results.
The other caveat here is that “internal” services can change without warning (although in reality they’re very stable).
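As an added illustration of the iteration described in the reply above (this is not code from the thread or from SonarQube itself): the walk goes through api/projects/search and, for each project key, calls the internal api/permissions/users service with q=login, collecting the projects where the user holds the Browse ("user") permission. The HTTP fetcher is injected so the logic can be exercised offline against constructed data; make_http_fetch shows the real call with a token sent as the Basic-auth username. The page size of 500 and the shape of the fake data are assumptions. Two checks a practitioner would want are built in: q is a search string, so the returned login must be compared exactly, and this service only lists permissions granted to the user directly, not those inherited from groups or from a public project.

```python
# Added example (not from the original thread): find the SonarQube projects a
# user can browse by walking api/projects/search and, per project, the
# internal api/permissions/users service, as the reply above suggests.
# The fetch function is injected so the walk can be exercised offline
# against constructed data; make_http_fetch() shows the real call.
import base64
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, FrozenSet, Iterator, List

FetchFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]
PAGE_SIZE = 500  # assumption: the largest page size these endpoints accept


def make_http_fetch(base_url: str, token: str) -> FetchFn:
    """Real fetcher: a SonarQube token is sent as the Basic-auth username
    with an empty password. Not used by the offline demo below."""
    auth = base64.b64encode(f"{token}:".encode()).decode()

    def fetch(path: str, params: Dict[str, Any]) -> Dict[str, Any]:
        url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    return fetch


def paged(fetch: FetchFn, path: str, params: Dict[str, Any], key: str) -> Iterator[Dict[str, Any]]:
    """Follow the standard paging envelope {"paging": {...}, key: [...]}."""
    page = 1
    while True:
        body = fetch(path, {**params, "p": page, "ps": PAGE_SIZE})
        items = body.get(key, [])
        yield from items
        paging = body["paging"]
        if not items or page * paging["pageSize"] >= paging["total"]:
            return
        page += 1


def projects_for_user(fetch: FetchFn, login: str,
                      permissions: FrozenSet[str] = frozenset({"user"})) -> List[str]:
    """Return sorted keys of projects where `login` directly holds one of
    `permissions` ("user" is the Browse permission). Two checks matter:
    `q` is a search string, so the login must be compared exactly, and
    api/permissions/users lists only permissions granted to the user
    directly, not those inherited from groups or from a public project."""
    keys = set()
    for project in paged(fetch, "api/projects/search", {}, "components"):
        for user in paged(fetch, "api/permissions/users",
                          {"projectKey": project["key"], "q": login}, "users"):
            if user["login"] == login and permissions & set(user["permissions"]):
                keys.add(project["key"])
                break
    return sorted(keys)


# Constructed data standing in for a SonarQube instance (not real output).
CONSTRUCTED = {
    "projects": ["alpha", "beta", "gamma"],
    "perms": {
        "alpha": [{"login": "b2030", "name": "User B", "permissions": ["user", "codeviewer"]}],
        # "b20301" matches q=b2030 as a search string but is a different user
        "beta": [{"login": "b20301", "name": "User B2", "permissions": ["user"]}],
        "gamma": [{"login": "b2030", "name": "User B", "permissions": ["admin"]}],
    },
}


def fake_fetch(path: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Offline stand-in that mimics the two endpoints' JSON envelopes."""
    p, ps = params["p"], params["ps"]
    if path == "api/projects/search":
        key, items = "components", [{"key": k, "name": k, "qualifier": "TRK"}
                                    for k in CONSTRUCTED["projects"]]
    elif path == "api/permissions/users":
        q = params.get("q", "")
        key, items = "users", [u for u in CONSTRUCTED["perms"].get(params["projectKey"], [])
                               if q in u["login"] or q in u["name"]]
    else:
        raise ValueError(f"unexpected path {path}")
    start = (p - 1) * ps
    return {"paging": {"pageIndex": p, "pageSize": ps, "total": len(items)},
            key: items[start:start + ps]}


if __name__ == "__main__":
    print(projects_for_user(fake_fetch, "b2030"))                                 # ['alpha']
    print(projects_for_user(fake_fetch, "b2030", frozenset({"user", "admin"})))   # ['alpha', 'gamma']
```

On a large instance this is one projects call plus one permissions call per project, which is why the reply suggests batching it nightly and storing the result; whatever caller runs it needs Administer System (or per-project Administer) rights, because that is what api/permissions/users requires.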
Thanks for your advice; yes, the user permissions API does the opposite of the use case I need.
There are many projects in SonarQube, so I would have to make many SonarQube REST API calls and I would need to keep the projects up to date in my database.
I will try to think about reusing the access token from the SSO login to call the SonarQube REST API; it should normally work, and I will let the user choose to also search for a project by using the admin account SonarQube API.
Thank you again.
Coming back to what you are trying to achieve: if I understand correctly, you'd like to export project metrics into a dedicated database. Could you please share with us the reasons why you are trying to do this and how you plan to use it?