Sonarqube project restriction to specific groups only

Hi Everyone,

I have a requirement to restrict the user/group to specific project only when the user belongs to that group login to sonarqube.
other members belong to other groups must not be able to see this project, but should be able to see their own projects. How to restrict like this?

  1. Create the project in sonarqube.
  2. A group should own this project, but should be visible only by them.
  3. other group members should not this project.
  4. can we apply permission template to the project remotely suppose from jenkins?

Let me know if this is possible.

Thanks,
Prasad.

Hi Prasad,

currently we use LDAP based authentication with active directory as follows =

  • several AD groups with their sibling groups in Sonarqube (same name, case sensitive)

  • Sonarqube permission templates with regex for the project key namespace,
    i.e. com\.foo\.bar.+
    when the AD Sonarqube admin group and the builtin admin user have all permissions
    one group has read permissions for all Sonarqube projects (browse and see source code),
    think of random checks by security team
    1 - n Sonarqube groups (mapping the AD groups with the same name) get browse and
    see source code permissions

Normally you use a technical user with your CI server (Jenkins …) that has permissions to create
projects, so no need to create projects manually. Our Jenkins user is even in the Sonarqube admin group, because we’re using the Sonarqube web api in our pipelines.

That is achieved with permission templates, see
https://docs.sonarqube.org/latest/instance-administration/delegated-auth/
https://docs.sonarqube.org/latest/instance-administration/security/#header-5

No need for that, as permission templates are automatically applied at project creation
by Sonarqube server.

Gilbert

1 Like

Thanks Gilbert for your reply. I have below challenges.

  1. We are setting the name of the project in sonarqube based on the repo name (extract the repo name in groovy code in jenkinsfile and pass it during scanning)
  2. So we dont know the name of the sonarqube project before and we can’t use that in the permission template to assign automatically.
  3. Can we assign the permission template directly to the project when the project is created? and can we restrict it to a group during this process
  4. We can set the project to private during its creation from the Jenkins pipeline?
  5. What kind of restriction we get when we make a project as private?

I have some confusion on this. Could you pls help me on above questions?

Thanks,
Prasad.

Hi Prasad,

Automating with permission templates and regex is only possible if you use some naming scheme,
i guess your reponames are using a naming scheme, something like project_subproject, i.e.
foobar_frontend, foobar_backend or similar !?

Yes, that is possible via web api api/permissions/apply_template

I recommend to use a default visibility ‘Private’
see Project Existence | SonarQube Docs

To see the metrics, sourcecode … etc. of a private Sonarqube project you need at least
browse and see source code permissions.

Gilbert

  1. We dont know the name of the repo before, it could be anything and not enforcing any naming standards. That is the reason we
    could not use the regex pattern.
  1. I will check this webapi. How can we associate a group to this project (from jenkins pipeline and from sonarqube UI), so that only these members should be able to use that project? By the end, project should be created, apply template to it and then associate a group to restrict to that project. this is the goal.
  1. Unless we provide the proper permissions others won’t be able to see the metrics, source code … etc right? the project is visible to the people who have the permission on the projects right?

We would like to automate onboarding of users to sonarqube. Based on your experience Could you provide the suggestions to me how to onboard the user to sonarqube so that
proper issolation should be there between teams and among the teams there should be two types of groups one should be like admins, others should be like
users of the projects

Thanks,
Prasad.

Using permission templates makes no sense without a naming scheme.
I strongly advise to use one combined with permission templates, everything else will be a maintenance nightmare.

If you’re using LDAP based authentication and group mapping (the same group name in AD and Sonarqube), a user will get member of the related Sonarqube group after login.
With api/permissions/add_group and parameters permission and projectid it should be possible to give a Sonarqube group access for a project, but i never used it.

yes.

From my experience, it’s best to use AD groups (one admin group, one read all group,1…n developer groups) combined with permission templates - works like a charm.
But this requires a naming scheme.
In general automation only works with (naming) conventions and rules.

If your Jenkins user has sufficient permissions, a sonarqube project is automatically created.
Our Jenkins user has admin permissions, because we have to create the project with
special settings (new code setting, name of the main branch … etc.) via web api.
You might use a similar approach, see

Gilbert

1 Like

Hi Gilbert,

one admin group, one read all group,1…n developer groups

Have you created these groups manually or with automation (if automation how?) ? For the above groups will there be separate permissions templates, Will you create these templates manually or automated (if yes How?)?

Thanks,
Prasad

Hi Prasad,

in the past, there were many departments that were only responsible for their respective area of expertise.
Nowadays you have teams with members from different departments.
So recently we’ve started to create AD groups like

DevToolChain-xxx-Sales
DevToolChain-xxx-Mobile

when XXX is the name of a project or similar and we use it for all tools as Sonarqube, Jenkins, Nexus, NexusIQ … etc. I’ve created the related Sonarqube groups manually, but it would be no problem to automate that via Sonarqube web api.

Then there is an onboarding process for new colleagues to get all their tools (IntelliJ, Eclipse …) and permissions for one or more DevToolChain AD groups, those requests have to be unlocked by the team leaders/product owners.
After that, developers are automatically added to these groups and have all necessary permissions and tools.

There’s no automation for the Sonarqube admin and read all group, this is done manually.
The Sonarqube read all group is for our security team members and some developers responsible for styleguides.

So far the automation, but right now, the permission templates are still created manually on demand.
When requests for new Sonarqube project namespaces increase, i will automate that via Sonarqube web api too.

Gilbert

Hi Gilbert,

Sorry for this question again, But I have a confusion here.

You create the below for each team?

one admin group,
one read all group,
1…n developer
And Permission template.

Suppose if we have 10 teams/customers do we need to have above 4 separately for each team/customer?

or only developer groups are separate for each team and admin and readall groups for same for all teams? could you give clarity on this pls?

Thanks,
Prasad.

Hi Prasad,

we have only hosted inhouse projects, so your case might be different.
You will need one admin group for all, to do the maintenance, configuration for your Sonarqube instance and give support to all customers.
Don’t know if one read all groups makes sense for you, if you have different customers that are independent from each other.
If this is the case i would go with several groups like customerX-developers (browse and see source code) and maybe something like customerX-leaders that have more rights like adjust project settings …
Then beside that use permission templates with the developers and leaders group for each customer.

Gilbert

Gilbert,

So you are not using any automation in sonarqube right for creation groups and permission templates?

Thanks
Prasad.

Yes, currently this still happens on demand.
If more requests come in i’ll automate via Sonarqube web api and integrate it into our selfservice portal,
which has provisioning services for git repos, nexus repos, jenkins folders … etc.

1 Like

@Rebse

Hi Gilbert,

Have some challenge with Sonar Users Group.

  1. We have decided not use the LDAP user token for performing sonar analysis.
  2. So we have created the local user account in sonarqube and generated token. By default this user belong to SonarUsers Group.
  3. If we provide this user to team, they will be able to login and check the other projects also as the sonar users have the default permission(includes browse and source code also)
  4. Want to disable the sonarusers group where the local user gets default level permissons. If we provide this user/password to teams, they should be able to see other projects as well. Want to avoid this.
  5. What are the permissions required for token to perform the sonar analysis without any issues?

Want to know way to disable the Sonar Users group. Any challenges do I face if I do this?
Creating an equivalent groups and adding local users to it would be helpful?

Thanks,
Prasad.

@Rebse ,

Could you help me on the above pls?

Thanks,
Prasad.

@Rebse

Could you help me on above pls?

Thanks,
Prasad.

Hi Prasad,

the sonar-user group is a builtin default group that can’t be deleted / inactivated.
I never used local groups in Sonarqube, means i’m not able to help you with that.
If you have a Developer or Enterprise edition, you should contact Sonarsource support, they
will surely help you.

Gilbert

Thanks for your help.

Could you help me with the minimum level of permissions required for token to perform the sonar analysis without any issues?

Thanks,
Prasad.