SonarQube 9.9 LTS (issue noticed first in 9.9, never checked before)
We have a dev, test and prod instance all on the same version with the same configs
Docker
Issue summary
LDAP groups of a user are not synced when an analysis is executed with a user token. Group membership is only synced when logging in (via web UI or api/authentication/login) with username and password.
Issue detail
For uploading the scan results to SQ, the teams at our company use service accounts, which we as IT department own.
We generate one “User Token” per service account and SQ instance using the HTTP API (calling /api/user_tokens/generate with username and password).
Now at some point in time in the future the users add the service user to an AD group that has the permission to execute analysis on their SQ project. The scan fails with ERROR: You're not authorized to run analysis. Please contact the project administrator. Investigation as SQ admin shows in the “Administration > Security > Users” view that the user is part of the sonar-users group.
This seems to me as though it cannot be wanted behavior as I don’t see a reason why the group memberships could not also be synced when authenticating via the user token, e.g. during a scan result upload.
If this topic has been covered elsewhere already I will gladly refer that post or documentation but I did not find anything on the forum that matched my problem statement.
You’ve (presumably) enabled group syncing and groups are synchronized on login. On the face of it, an API call using an account’s credentials requires authorization & thus would count for this.
But it doesn’t. Why? Because it’s not actually a log in, i.e. it’s not a call to LDAP to say (approximately) “Hey, are login x and password y valid together?” To which LDAP responds “Yup, and here are that user’s groups…”
That call and response don’t happen when you make an API call with a user token. All that happens in that case is that SonarQube checks:
is the token valid?
does its user account have permissions for the call?
Thanks for your timely response.
As a side note, we are already using Enterprise Edition.
But to get back to the actual topic:
I understand that currently SonarQube is only checking validity and permissions but for me this is a permissions question and somewhat of a security risk.
Since I can configure permissions using groups, I would also expect that my group memberships are refreshed before checking whether I’ve got permissions.
But as you already noted it seems like this is not the case currently.
Is there a way this can be requested as a change?
Explanation of the security risk
We use a group to grant Administer System privileges so that we can maintain the list of administrators or support engineers for multiple tools with a single AD group.
So we can grant permissions via the group.
Then one of those users creates a token. The same user leaves the company at some point and we remove the account from the AD group. Now the token is still valid and the user also still has the Administer System permission since he of course did not log in after leaving and being removed from the group.
So we cannot remove permissions via the group.
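As an added illustration (this is not SonarQube’s code and not from anyone in this thread), the following Python model reproduces the two checks described earlier for a token request (“is the token valid?”, “does its user account have permissions?”) next to a password login that refreshes groups, and then walks through the leaver scenario above. The user, password, group names and the group-to-permission mapping are constructed sample data; the `audit_stale_permissions` routine is a hypothetical defender-side check that compares the groups cached at last login with what the directory currently says, so that tokens whose holder has lost a group can be found and revoked.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample data (hypothetical user, password and group names).
DIRECTORY_USERS = {"alice": "correct horse battery staple"}
DIRECTORY_GROUPS = {"alice": {"sonar-users", "sq-administrators"}}
# Hypothetical mapping of groups to permissions granted through them.
GROUP_PERMISSIONS = {"sq-administrators": {"admin"}, "sonar-users": {"scan"}}


@dataclass
class Directory:
    """Stand-in for AD/LDAP: answers bind requests and group lookups."""
    passwords: dict
    groups: dict

    def bind(self, user, password):
        """Password login: returns the user's current groups, or None on failure."""
        if self.passwords.get(user) != password:
            return None
        return set(self.groups.get(user, set()))

    def remove_from_group(self, user, group):
        """Directory-side change, e.g. when an account leaves the company."""
        self.groups.get(user, set()).discard(group)


@dataclass
class TokenAuthModel:
    """Model of the server: groups are cached at login, a token only maps to a user."""
    directory: Directory
    cached_groups: dict = field(default_factory=dict)  # user -> groups seen at last login
    tokens: dict = field(default_factory=dict)         # token -> user

    def login(self, user, password):
        groups = self.directory.bind(user, password)
        if groups is None:
            return False
        self.cached_groups[user] = groups  # the only place membership is refreshed
        return True

    def generate_token(self, user):
        token = secrets.token_hex(16)
        self.tokens[token] = user
        return token

    def permissions_of(self, user):
        perms = set()
        for group in self.cached_groups.get(user, set()):
            perms |= GROUP_PERMISSIONS.get(group, set())
        return perms

    def authorize(self, token, permission):
        """Token request: only 'is the token valid?' and 'does the cached account have it?'"""
        user = self.tokens.get(token)
        if user is None:
            return False
        return permission in self.permissions_of(user)

    def audit_stale_permissions(self):
        """Hypothetical defender check: cached groups of token holders vs. the directory."""
        findings = []
        for token, user in self.tokens.items():
            current = self.directory.groups.get(user, set())
            stale = self.cached_groups.get(user, set()) - current
            if stale:
                findings.append((user, token, stale))
        return findings


def leaver_scenario():
    """Walks through the scenario from the thread and returns the observed outcomes."""
    directory = Directory(dict(DIRECTORY_USERS),
                          {u: set(g) for u, g in DIRECTORY_GROUPS.items()})
    sq = TokenAuthModel(directory)
    if not sq.login("alice", DIRECTORY_USERS["alice"]):
        raise RuntimeError("constructed login unexpectedly failed")
    token = sq.generate_token("alice")
    directory.remove_from_group("alice", "sq-administrators")  # account leaves the group
    return {
        # still True: the token path never re-reads the directory
        "admin_via_token_after_removal": sq.authorize(token, "admin"),
        "audit_findings": sq.audit_stale_permissions(),
        # a password login refreshes the cache and the permission is gone
        "admin_after_relogin": (sq.login("alice", DIRECTORY_USERS["alice"])
                                and sq.authorize(token, "admin")),
    }


if __name__ == "__main__":
    print(leaver_scenario())
```

The audit function is the part worth keeping: run periodically against the real directory and the server’s stored group memberships, it lists the token holders whose cached groups no longer match, which is the set of tokens to revoke or force through a fresh login until membership is refreshed on the token path itself.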
Since the functionality doesn’t exist with LDAP, I’ve moved this to the Product Manager for a Day category. I suspect the syncing you’re after won’t happen quickly with LDAP (if ever) but I’ll make sure the full-time Product Managers see this.
Just to make sure, you mean that SonarQube doesn’t have this functionality with LDAP, right?
Because LDAP definitely has the functionality to get the groups of a user.
I even have this in my server’s sonar.properties file: