How to restrict access to my sonarqube, using oauth2 via gitlab?

Hi folks,
I am trying to give the members of a group on gitlab.com access to a private sonarqube (developer). Problem is: apparently everybody can log in using gitlab for oauth2, verified using my private gitlab account. This is unexpected. I had created the oauth application as documented for the given group on gitlab, but apparently this is not sufficient. scope = read_user.

How can I allow the members of gitlab group xyz access to my sonarqube and lock out everybody else? Local accounts on my sonarqube are not an option, of course.

This is sonarqube server 9.4.0.54424 developer on Debian.

Every insightful hint is highly appreciated.
Harri

Hey @harri

Today, the only restriction available for Gitlab is whether or not new accounts will be created when a new user tries to log in (configuring sonar.auth.gitlab.allowUsersToSignUp).

If you enable Group mapping (sonar.auth.gitlab.groupsSync), you’ll be able to restrict permissions on your projects to given Gitlab user groups, so that for Private projects nothing is visible unless you belong to that group. Permission Templates are great for this, and you can find more details in the documentation on Security > Authorization / Permission Templates for Default Permissions.
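As an added example (not from this thread and not SonarSource's code), a small Python audit that reads the output of SonarQube's api/users/search and lists active GitLab-provisioned accounts that are not members of the synced group, which is the set of people who got an account only because allowUsersToSignUp was enabled. The synced group is assumed to be named xyz after the GitLab group, the sample payload is constructed, and the response field names are assumed from the web API.

```python
import os
import json
import urllib.request
from base64 import b64encode

# Constructed sample of what GET api/users/search returns, trimmed to the fields
# used here (field names assumed from the SonarQube web API documentation).
SAMPLE_USERS = {
    "paging": {"pageIndex": 1, "pageSize": 50, "total": 4},
    "users": [
        {"login": "alice", "active": True, "externalProvider": "gitlab",
         "externalIdentity": "alice", "groups": ["sonar-users", "xyz"]},
        {"login": "mallory", "active": True, "externalProvider": "gitlab",
         "externalIdentity": "mallory", "groups": ["sonar-users"]},
        {"login": "admin", "active": True, "externalProvider": "sonarqube",
         "externalIdentity": "admin", "groups": ["sonar-administrators"]},
        {"login": "bob", "active": False, "externalProvider": "gitlab",
         "externalIdentity": "bob", "groups": ["sonar-users"]},
    ],
}

def unexpected_gitlab_users(payload: dict, allowed_group: str) -> list:
    """Logins of active accounts created via the GitLab provider that are not
    in the synced GitLab group, i.e. sign-ups from arbitrary gitlab.com users."""
    flagged = []
    for user in payload.get("users", []):
        if not user.get("active", False):
            continue  # deactivated accounts can no longer log in
        if user.get("externalProvider") != "gitlab":
            continue  # local and other-provider accounts are out of scope here
        if allowed_group not in user.get("groups", []):
            flagged.append(user["login"])
    return sorted(flagged)

def fetch_users(base_url: str, token: str, page_size: int = 500) -> dict:
    """First page of api/users/search, authenticated with a user token sent as
    the Basic-auth username (an admin token is needed to see group membership)."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/users/search?ps={page_size}")
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # With SONAR_URL and SONAR_TOKEN set, audit a real server; otherwise use the sample.
    if os.environ.get("SONAR_URL") and os.environ.get("SONAR_TOKEN"):
        payload = fetch_users(os.environ["SONAR_URL"], os.environ["SONAR_TOKEN"])
    else:
        payload = SAMPLE_USERS
    group = os.environ.get("SONAR_GITLAB_GROUP", "xyz")
    for login in unexpected_gitlab_users(payload, group):
        print(f"GitLab-provisioned account outside group '{group}': {login}")
```

Only the first page of results is fetched; on servers with more than 500 users, iterate over `p` as well.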

So everybody can access my Sonarqube server to sneak around, using his private gitlab account via oauth2? Sorry to say, but this appears to be an unacceptable security risk. I have to disable allowUsersToSignUp, which takes away a huge benefit from oauth2.

I think we managed to configure Sonarqube to use private projects by default.

However, it would be really beneficial if it is possible in Sonarqube to whitelist users. For example, Traefik Forward Auth allows only users with a certain e-mail domain. That would be a really great extension and would make the access to projects more secure.