I am trying to integrate GitLab authentication for SonarQube to restrict users from accessing any projects/portfolios. Based on my research and PoC, I understood that
- we can enable GitLab authentication for SonarQube where the group membership will be synced automatically (upon having the groups already available in SonarQube)
- By changing the project permission to private and applying the permission template, only the people who are entitled to view the project can access.
The clarification I have is: How can I map the SonarQube project and portfolios with the specific GitLab group?
In general, the groups at our GitLab instance will be available in the below possible formats:
Parent group: xxx or xxxxxxx (alphanumeric characters only, fixed in length, either 3 characters or 7 characters: examples: abc, abcdefg)
Sub-groups:
- xxx-nn, where xxx is the parent group, alphanumeric and nn is numeric (such as abc-00, abc-01,…)
- xxx-aaaaaaaaa (such as abc-myfirstproject, where the first 3 fixed characters indicate the parent group, alphanumeric, and the second part, following the -, will be the project name)
- xxxxxxx-aaaaaaa: such as abcdefg-myfirstproject where the length of abcdefg is fixed, which is the parent group name.
The membership of a GitLab group is maintained at group or sub-group level, such as sov/sov-00
The project key in SonarQube is available in the following format - group:sub-group:project. So, a sample will be sov:sov-00:sample-maven-project
Now, I have the sov/sov-00 group available in GitLab and SonarQube. I also have sov/sov-01 group available in both places. Members of the sov/sov-00 group can have access to the project in SonarQube whereas sov/sov-01 group members (who are not part of sov/sov-00) should not be able to access the SonarQube project and portfolios.
I also tried with the following regular expressions.
^ [^:]+:[^:]+
^ [^:]+/[^:]+
I already enabled the project permission to private and applied the permission template with the above regular expression. I tried adding sov/sov-00 and sov/sov-01 to the permission template and also removed them from the permission template. However, members of the sov/sov-01 group are able to view and access the sov:sov-00:sample-maven-project and view the source code in SonarQube.
How should I restrict users on this?
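The key and group formats described in the post, worked through as an added example (not part of the original post and not SonarQube's own code): it derives the owning GitLab group from a `group:sub-group:project` key and builds one key pattern per group, so that a key under sov-00 never resolves to sov-01. The function names are hypothetical, and the sketch assumes one permission template per GitLab group whose key pattern is matched against the whole project key.

```python
import re

# Naming rules as stated in the post: the parent group is 3 or 7 alphanumeric
# characters; a sub-group is "<parent>-<nn>" or "<parent>-<projectname>".
PARENT_RE = re.compile(r"[A-Za-z0-9]{3}|[A-Za-z0-9]{7}")
KEY_RE = re.compile(r"(?P<parent>[^:]+):(?P<sub>[^:]+):(?P<project>[^:]+)")


def group_for_key(project_key):
    """Return the GitLab group path (parent/sub-group) that owns a project key."""
    m = KEY_RE.fullmatch(project_key)
    if not m:
        raise ValueError(f"not a group:sub-group:project key: {project_key!r}")
    parent, sub = m["parent"], m["sub"]
    if not PARENT_RE.fullmatch(parent):
        raise ValueError(f"parent group must be 3 or 7 alphanumerics: {parent!r}")
    suffix = sub[len(parent) + 1:]
    if not sub.startswith(parent + "-") or not re.fullmatch(r"[A-Za-z0-9]+", suffix):
        raise ValueError(f"sub-group {sub!r} does not extend parent {parent!r}")
    return f"{parent}/{sub}"


def key_pattern_for_group(group_path):
    """Build a key pattern that only matches keys under one parent/sub-group."""
    parent, sub = group_path.split("/")
    # re.escape keeps group names literal (the hyphen is escaped, which is harmless).
    return f"{re.escape(parent)}:{re.escape(sub)}:.+"


def groups_allowed(project_key, templates):
    """templates maps key pattern -> group path; return groups whose pattern matches."""
    return sorted(g for pat, g in templates.items() if re.fullmatch(pat, project_key))


# Constructed sample data: one template per group from the post.
TEMPLATES = {key_pattern_for_group(g): g for g in ("sov/sov-00", "sov/sov-01")}

if __name__ == "__main__":
    key = "sov:sov-00:sample-maven-project"
    print(group_for_key(key), groups_allowed(key, TEMPLATES))
    # A catch-all of the shape [^:]+:[^:]+:[^:]+ matches every key, so a single
    # template carrying both groups cannot tell sov-00 projects from sov-01 ones.
    print(bool(KEY_RE.fullmatch("sov:sov-01:other-project")))
```
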