How does the SonarQube global GitLab "DevOps Platform Integrations" feature work?

Hi,

I’m currently setting up a SonarQube server. Everything has worked fine so far, and I am now setting everything up for the first productive usage.
We use GitLab as our code repository. I created a user with only reporter access on our GitLab server and created a private access token for this user on the GitLab server.
Then, in SonarQube, I went to “Administration → Configuration → DevOps Platform Integrations → GitLab” and added a new configuration for GitLab, which works fine.

If I now log in to the SonarQube server as a normal user and press the “Create Project → From GitLab” button, the system asks me for my GitLab personal access token, which is strange to me because, as admin, I added a global access token for all users.

I think I simply misunderstood how this feature works, or I overlooked a security setting somewhere (allow users to use global access tokens or something).
I searched in the docs but did not get a clear picture of how this feature should work.

How I currently think this feature works:
1.) The admin adds a global configuration for the code repository to SonarQube (manages access rights and so on).
2.) A user can import a project from the code repository into SonarQube using the global configuration. So only one access token is ever used, and it can be “easily” maintained by the admin in the global settings.

This is maybe completely wrong, and I would be very happy if someone could explain to me how this feature really works.

Regards,
keros

Hey there.

The token that is configured at the global level is used to perform actions like Merge Request Decoration, or

When users create new projects, SonarQube verifies that they actually have permissions on the GitLab side to create projects for those repos by asking them to provide a token. Therefore, SonarQube does not expose to the user all repos on their GitLab instance simply because they have permission to Create Projects in SonarQube.

Ahh ok.

So if a user adds his personal token for an import, the user token will only be used once and then never again (until another import)?
So during the analysis step, or if the user clicks on “Code” in the SonarQube GUI, the user token will not be used?

If so, then I only need to make sure that the global token has at least access to the same projects as the user. And if not, the user can still import and analyse the project; only the “write” operations to the repository will then fail?

It will be saved so the user does not have to input it next time.

Correct.

Correct.

Thank you.
This now makes it clear to me how we want to set this up in a productive environment.
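The two checks the thread arrives at can be automated. The following is an added example, not code from this thread or from SonarSource: it compares the GitLab projects visible to a user's own token with those visible to the global service-account token stored in SonarQube, so that a project a user imports does not silently lack Reporter access for the global token (where Merge Request decoration would fail), and it flags projects where the service account holds more than Reporter, which is more than the thread's setup intends. It assumes GitLab's `GET /api/v4/projects` endpoint with the `membership` and `min_access_level` query parameters, the `PRIVATE-TOKEN` header, `X-Next-Page` pagination, and the `permissions` object in each project record; the sample API responses are constructed.

```python
"""Compare GitLab visibility of a user token and SonarQube's global service-account token.

Added example, not from the forum thread or SonarSource. Assumptions (GitLab REST API):
  GET /api/v4/projects?membership=true&min_access_level=20  -> projects with >= Reporter
  PRIVATE-TOKEN header carries the personal access token
  X-Next-Page response header drives pagination
  each project carries permissions.project_access / permissions.group_access
"""
import json
import urllib.parse
import urllib.request

REPORTER = 20  # GitLab access level of the Reporter role


def list_projects(gitlab_url, token, min_access_level=REPORTER):
    """Fetch every project the token is a member of at >= min_access_level.

    Needs network access to a GitLab instance; the offline demo below does not call it.
    """
    projects, page = [], 1
    while True:
        query = urllib.parse.urlencode({
            "membership": "true",
            "min_access_level": min_access_level,
            "per_page": 100,
            "page": page,
        })
        req = urllib.request.Request(
            f"{gitlab_url.rstrip('/')}/api/v4/projects?{query}",
            headers={"PRIVATE-TOKEN": token},
        )
        with urllib.request.urlopen(req) as resp:
            projects.extend(json.load(resp))
            next_page = resp.headers.get("X-Next-Page")
        if not next_page:
            break
        page = int(next_page)
    return projects


def effective_access_level(project):
    """Highest access level granted directly on the project or via a group (0 if neither)."""
    perms = project.get("permissions") or {}
    levels = [
        (perms.get(key) or {}).get("access_level", 0)
        for key in ("project_access", "group_access")
    ]
    return max(levels)


def projects_missing_from_service_account(user_projects, service_projects):
    """Project paths a user can see that the service account cannot (at >= Reporter).

    A user could import these into SonarQube, but the global token would then
    fail on the write-back operations done with it (e.g. Merge Request decoration).
    """
    user_paths = {p["path_with_namespace"] for p in user_projects}
    service_paths = {p["path_with_namespace"] for p in service_projects}
    return sorted(user_paths - service_paths)


def over_privileged(service_projects, max_level=REPORTER):
    """Project paths where the service account holds more than the intended role."""
    return sorted(
        p["path_with_namespace"]
        for p in service_projects
        if effective_access_level(p) > max_level
    )


# Constructed sample responses (trimmed to the fields used), standing in for
# what GET /api/v4/projects would return for each token.
SAMPLE_USER_PROJECTS = [
    {"id": 11, "path_with_namespace": "team-a/web-frontend"},
    {"id": 12, "path_with_namespace": "team-a/billing-api"},
    {"id": 40, "path_with_namespace": "team-b/internal-tools"},
]
SAMPLE_SERVICE_PROJECTS = [
    {"id": 11, "path_with_namespace": "team-a/web-frontend",
     "permissions": {"project_access": {"access_level": 20}, "group_access": None}},
    {"id": 12, "path_with_namespace": "team-a/billing-api",
     "permissions": {"project_access": None, "group_access": {"access_level": 30}}},
    {"id": 99, "path_with_namespace": "platform/sonar-config",
     "permissions": {"project_access": {"access_level": 20}, "group_access": {"access_level": 10}}},
]

if __name__ == "__main__":
    # Offline demo over the constructed data; swap in list_projects(url, token) for live checks.
    print("user can see, service account cannot:",
          projects_missing_from_service_account(SAMPLE_USER_PROJECTS, SAMPLE_SERVICE_PROJECTS))
    print("service account above Reporter:", over_privileged(SAMPLE_SERVICE_PROJECTS))
```

Running this against the constructed data reports `team-b/internal-tools` as importable by the user but invisible to the service account, and `team-a/billing-api` as a project where the service account inherited Developer rights through a group, which is more than the Reporter-only account the thread describes.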
