We have AD configure to our SonarQube (V7.1). We want to give administrator access to some users who belong to AD, so tried this. Logged in using the admin account (local user created during SonarQube setup). Went to Administration -> Security -> Users and from the list selected the user and and in ‘Groups’ selected ‘sonar-administrators’. But, when the user login he’s not able to get admin access. When we look at his user name in administration page it’s defaulted to ‘sonar-users’. Need help with this. Looks like this information is not getting stored in DB. Or, may be we are doing it wrong. Please help.
For an LDAP user, the only source of truth for group membership (outside of the default sonar-users) group is LDAP. That’s why a user will get plucked out of the sonar-administrators group upon logging in, because that group does not exist in LDAP.
I recommend creating a group in LDAP that will be granted the same permissions as the “sonar-administrators” group, and adding that group to the default permission template for projects / portfolios / applications. You may need to adjust permissions of already created components to give this new group permissions over those components.
Thanks a lot for the quick reply Colin. Sorry, I think am a bit confused. As per my request, I need to give admin rights to a set of users. But, I want to grant that access to their Active Directory IDs. Based on your suggestion,
- I need to create a group in AD and add those users to that group.
- How and where will I find/add this group in SonarQube? When I goto Administration -> Security -> Groups, I don’t see and option to get the AD group details. I only have option to create a group even where I only have two fields - ‘Name’ and ‘Description’. Not sure how this AD group can be configured here.
- In Administration -> Security -> Permission Template I see what you have mentioned and likewise for the already created components. But, between these two I’m not sure how to add/configure the AD group I created.
If you have a look at the documentation on Group Mapping, you’ll see that groups must be first defined in SonarQube, then SonarQube will automatically synchronize the relationships between users and groups.
To sum up :
- Create a group “sonar-administrators” in SonarQube or whatever name you want.
- Create a group with the same name in AD
- Add your AD admin users to this group (in AD)
When these users will authenticate in SonarQube they will be granted admin.
I hope it’s more clear now.
Thanks a lot Julien. This is very clear. I thought of the same, but wasn’t sure if that is how it’ll work. Thanks for the info.