GitLab users disappearing from sonarqube-administrators group

Hello everyone,

I just set up the authentication of SonarQube to go over my GitLab instance following this official guide.

Everything works perfectly.

What I’d like to do is to give admin privileges to some GitLab users, so they can administer SQ.
I’ve tried adding them to the sonarqube-administrators group, but as soon as they log in, they just disappear from that same group.

I believe this is a consequence of my group syncing with GitLab. But is this really intended? Can I not add GitLab users to any group made only in SonarQube, or is it just some weird bug?

The only alternative I see right now is adding permissions to the user on the global level. Does the job, but of course it’s not a very clean approach.

System info:
SonarQube - 9.6-developer | self-hosted | Docker
GitLab - 15.5 | self-hosted | Docker

Thanks in advance!

Paula

Hey there.

As noted in the documentation on Delegated Authentication:

Group Mapping

When using group mapping, the following caveats apply regardless of which delegated authentication method is used:

  • membership in synchronized groups will override any membership locally configured in SonarQube at each login
  • membership in a group is synched only if a group with the same name exists in SonarQube
  • membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider

:warning: When group mapping is configured, the delegated authentication source becomes the one and only place to manage group membership, and the user’s groups are re-fetched with each log in.

This means if you have sonar.auth.gitlab.groupsSync set to true – your users will have their groups refreshed at each login and only match what is in GitLab.

You can also turn sonar.auth.gitlab.groupsSync off, and manage group membership only using local SonarQube groups.
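The three documented caveats above can be modelled as a small function, which also gives a quick way to audit which locally granted memberships would be lost at the next login. This is an added example, not part of the original posts and not SonarQube's own code; the function names and the sample group names other than sonar-users and sonarqube-administrators are assumptions.

```python
# Model of the group-mapping caveats quoted above (an illustration, not SonarQube code).
DEFAULT_GROUP = "sonar-users"  # built-in group named in the documentation


def groups_after_login(local_groups, idp_groups, sonarqube_groups, groups_sync=True):
    """Return the user's SonarQube group membership after a delegated login."""
    local = set(local_groups)
    if not groups_sync:
        # Sync off: membership is managed only in SonarQube and is left alone.
        return local
    # Sync on: only identity-provider groups whose name also exists in
    # SonarQube are mapped, and they replace whatever was configured locally.
    synced = set(idp_groups) & set(sonarqube_groups)
    # The built-in default group is kept even if the provider does not have it.
    return synced | {DEFAULT_GROUP}


def dropped_at_login(local_groups, idp_groups, sonarqube_groups):
    """Local memberships that will be lost at the next login with sync on."""
    after = groups_after_login(local_groups, idp_groups, sonarqube_groups)
    return sorted(set(local_groups) - after)


# Constructed sample data (hypothetical group names for the example).
SONARQUBE_GROUPS = {"sonar-users", "sonarqube-administrators", "platform-team"}
LOCAL = {"sonar-users", "sonarqube-administrators"}  # admin granted locally
GITLAB = {"platform-team", "design-team"}  # design-team has no SonarQube twin

if __name__ == "__main__":
    # Sync on: the locally granted admin membership is replaced.
    print(sorted(groups_after_login(LOCAL, GITLAB, SONARQUBE_GROUPS)))
    # Audit: what this user loses at the next login.
    print(dropped_at_login(LOCAL, GITLAB, SONARQUBE_GROUPS))
    # Sync off: local membership is untouched.
    print(sorted(groups_after_login(LOCAL, GITLAB, SONARQUBE_GROUPS, groups_sync=False)))
```

Under this model, the administrators membership survives a login only if the identity provider also reports a group with that same name, or if syncing is turned off.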

Hey @Colin ,

Thank you very much for your answer. I’m really sorry, I somehow overlooked that part of Docs.

My workaround is completely sufficient for now.

Is there any plan to implement a bit more granular permission levels on SonarQube side? E.g. I have many different roles on GitLab side in one group (Reporters, Developers, Maintainers) and it is not so nice if they all have the same permissions in a synced group in SonarQube. It would be amazing if I could choose permission level per GitLab Role - e.g. only Maintainers should Administer Security Issues, etc. Do you know if there is already a feature request like that that I could follow / upvote?

Kind regards,
Paula

I agree syncing permissions from the DevOps Platform would be great :pray: Can I suggest making a post over in Product Manager for a Day - Sonar Community?

Sure! Thank you, I’ll make a post on the link.