How to map a group to a project key to restrict user's access to project/portfolio?

I am trying to integrate GitLab authentication for SonarQube to restrict users from accessing any projects/portfolios. Based on my research and PoC, I understood that

  • we can enable GitLab authentication for SonarQube where the group membership will be synced automatically (upon having the groups already available in SonarQube)
  • by changing the project permission to private and applying the permission template, only the people who are entitled to view the project can access it.

The clarification I have is: How can I map the SonarQube project and portfolios with the specific GitLab group?

In general, the groups at our GitLab instance will be available in the below possible formats:

Parent group: xxx or xxxxxxx (alphanumeric characters only, fixed in length, either 3 characters or 7 characters: examples: abc, abcdefg)

Sub-groups:

  • xxx-nn, where xxx is the parent group, alphanumeric and nn is numeric (such as abc-00, abc-01,…)
  • xxx-aaaaaaaaa (such as abc-myfirstproject, where the first 3 fixed characters indicate the parent group, alphanumeric, and the part following the - is the project name)
  • xxxxxxx-aaaaaaa: such as abcdefg-myfirstproject where the length of abcdefg is fixed, which is the parent group name.

The membership of a GitLab group is maintained at group or sub-group level: such as sov/sov-00

The project key in SonarQube is available in the following format - group:sub-group:project. So, a sample will be sov:sov-00:sample-maven-project

Now, I have the sov/sov-00 group available in GitLab and SonarQube. I also have sov/sov-01 group available in both places. Members of the sov/sov-00 group can have access to the project in SonarQube whereas sov/sov-01 group members (who are not part of sov/sov-00) should not be able to access the SonarQube project and portfolios.

I also tried with the following regular expressions.

^ [^:]+:[^:]+

^ [^:]+/[^:]+

I already enabled the project permission to private and applied the permission template with the above regular expression. I tried adding the sov/sov-00, sov/sov-01 to the permission template and also removed them from the permission template. However, members of the sov/sov-01 group are able to view and access the sov:sov-00:sample-maven-project and view the source code in SonarQube.

How should I restrict users on this?

The project in GitLab is available in the below format:
https://gitlab.organization.net/parent-group/sub-group/project.git - Example: https://gitlab.organization.net/sov/sov-00/sample-maven-project.git
https://gitlab.organization.net/parent-group/sub-group/project.git - Example: https://gitlab.organization.net/sov/maven-project/sample-maven-project.git
https://gitlab.organization.net/parent-group/project.git - Example: https://gitlab.organization.net/abcdedg/sample-maven-project.git

I came to know from a recent conversation with SonarQube support that it is not possible to map the group and project with project key pattern. So, I need to create individual permission templates.

Good learning curve!

Thanks,
Guna

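The individual permission templates mentioned in the last post can be generated per GitLab group. The following is an added example, not part of the original thread and not SonarQube's own code. It assumes project keys follow the group:sub-group:project format described above, that the SonarQube group carries the full GitLab path as its name, and that a template's key pattern must match the whole project key. The `gitlab-` template naming scheme is hypothetical, and the two endpoints are the SonarQube Web API's `api/permissions/create_template` and `api/permissions/add_group_to_template`.

```python
import re

# SonarQube permissions granted to each group: "user" is Browse,
# "codeviewer" is See Source Code.
VIEW_PERMISSIONS = ("user", "codeviewer")


def key_pattern(group_path: str) -> str:
    """Regex for project keys that sit directly under one GitLab group.

    'sov/sov-00' -> keys of the form 'sov:sov-00:<project>'.
    """
    segments = group_path.strip("/").split("/")
    if not all(re.fullmatch(r"[A-Za-z0-9-]+", s) for s in segments):
        raise ValueError(f"unexpected group path: {group_path!r}")
    prefix = ":".join(re.escape(s) for s in segments)
    # [^:]+ stops at the next colon, so a parent group's template does not
    # also claim the keys of its sub-groups.
    return prefix + ":[^:]+"


def template_requests(group_path: str) -> list[tuple[str, dict]]:
    """(endpoint, form parameters) pairs to POST as a SonarQube admin."""
    name = f"gitlab-{group_path}"  # hypothetical naming scheme (assumption)
    calls = [("api/permissions/create_template",
              {"name": name, "projectKeyPattern": key_pattern(group_path)})]
    for perm in VIEW_PERMISSIONS:
        calls.append(("api/permissions/add_group_to_template",
                      {"templateName": name, "groupName": group_path,
                       "permission": perm}))
    return calls


def groups_for_key(project_key: str, group_paths: list[str]) -> list[str]:
    """Groups whose template pattern covers the whole project key.

    Full-match semantics are an assumption about how SonarQube applies
    the pattern.
    """
    return [g for g in group_paths
            if re.fullmatch(key_pattern(g), project_key)]


if __name__ == "__main__":
    groups = ["sov", "sov/sov-00", "sov/sov-01"]  # constructed sample
    for g in groups:
        for endpoint, params in template_requests(g):
            print(endpoint, params)
    print(groups_for_key("sov:sov-00:sample-maven-project", groups))
```

Running the coverage check over every existing project key before creating the templates shows which keys would be claimed by more than one template or by none.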