What is the best practice for users creation/management in SonarQube

Should all users be integrated with AD, or should there be a few local users (perhaps for administrative purposes)? But SonarQube doesn’t provide restrictive password policies for local accounts. And if the LDAP server is down, there will be no access to SonarQube.

Hi,

That’s a great question!

In fact, I don’t think we’ve spent a lot of time formulating a best practice in this area.

Some people delete all the local-to-SonarQube accounts to not leave any “back doors”. It might make sense to keep one for emergency access (…?), but now that we’ve (finally!) introduced some audit trailing (SQ 9.1, from Enterprise Edition ($$)), I guess it might be helpful to ask yourself what you would expect to see in an audit trail: project foo deleted by sqLocalUser1 or project foo deleted by john-smith?

Regarding your point about LDAP being down, I suspect that if that happens you’ve got bigger problems than logging into SonarQube to check analysis metrics. But that does raise the issue of running analysis. If LDAP goes down with any frequency, it would interfere with your delivery pipeline. So that might mean that you create one or more limited-permission, local service accounts to run analysis with, and manage everyone else through LDAP.

HTH,
Ann

Hi,

Using LDAP for authentication is common in enterprises, as it is used by / compatible with most tools.
We have the local admin account - yes, we already changed the default password first of all, even before SonarQube enforced it :wink: - as a backup.
Besides that, we use permission templates and regex combined with AD groups to allow access (browse and see source code permissions) for specific project key namespaces.
An admin AD group has all permissions.
As Ann wrote, if your LDAP server burns down, you’ll have other problems :sweat_smile:

Gilbert


Hi Ann,

The audit trail feature looks great. What is the roadmap for the feature to be available in Community Edition?

What is the general practice used in enterprises? Only using person accounts, i.e. john-smith? And only those people who are granted full administrative permissions will be able to perform administrative actions, while the rest will only be able to see the projects they are assigned to.

Is LDAP being down usually taken into consideration? Correct me if I am wrong, but for the GitLab integration with SonarQube, a personal access token is being used. So even if LDAP is down, the pipeline would still be able to analyze the project, isn’t it?

Br,
John

Hi Gilbert,

What is the general practice used in enterprises? Only using person accounts, i.e. john-smith? And only those people who are granted full administrative permissions will be able to perform administrative actions, while the rest will only be able to see the projects they are assigned to.

Is LDAP being down usually taken into consideration?

Br,
John

Hi John,

Besides the built-in admin user, we use only particular AD groups.
Using single users would be a maintenance nightmare.

One admin group with full permissions
One reader group with browse + see source code permissions for all projects (think of security department …), this group is part of every permission template
Many groups for developers with browse + see source code for their assigned projects
The permission templates use regex and the specific developer groups that should get access, so a newly created SonarQube project will automatically have the right permission settings.

After LDAP is configured in SONARQUBE_HOME/conf/sonar.properties, to start with groups you have to create them first in SonarQube; the name has to be identical to the name in AD.
Bulk operations may be done with the SonarQube web API.
Then, if a user who is a member of an existing AD group logs in to SonarQube, the SonarQube user account will automatically be created and added to the related SonarQube group of the same name (if it exists) and to the generic group sonar-users.

Adding users to the AD groups is part of a generic requirement process.

Gilbert
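To illustrate the bulk step Gilbert describes (pre-creating SonarQube groups whose names match the AD groups and attaching them to permission templates with browse and see-source-code rights), here is an added example script that is not from this thread or from SonarSource. It uses the web API endpoints api/user_groups/search, api/user_groups/create and api/permissions/add_group_to_template; the group and template names, and the SONAR_URL / SONAR_TOKEN environment variables, are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request
from base64 import b64encode

# Permission names as used in the thread -> keys the SonarQube web API expects
PERM_KEYS = {"browse": "user", "see source code": "codeviewer"}

# Constructed desired state: AD group name -> permission templates it belongs to.
# Group names must be identical to the AD names; the reader group goes into every template.
DESIRED = {
    "sq-readers": ["Default template", "Team-Payments"],   # hypothetical names
    "sq-dev-payments": ["Team-Payments"],
}

def plan(existing, desired):
    """Pure planning step: groups still missing, and (group, template, permission) grants."""
    to_create = sorted(g for g in desired if g not in existing)
    rows = [(g, t, PERM_KEYS[p]) for g, tpls in desired.items()
            for t in tpls for p in ("browse", "see source code")]
    return to_create, rows

def api(path, params, method="GET"):
    """Call the web API with a user token (HTTP Basic auth, token as user, empty password)."""
    base, token = os.environ["SONAR_URL"].rstrip("/"), os.environ["SONAR_TOKEN"]
    query = urllib.parse.urlencode(params)
    url = f"{base}/api/{path}" + (f"?{query}" if method == "GET" else "")
    req = urllib.request.Request(url, data=None if method == "GET" else query.encode(),
                                 method=method)
    req.add_header("Authorization", "Basic " + b64encode(f"{token}:".encode()).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}

def existing_groups():
    """Names of groups already present (single page of 500; paginate with p= beyond that)."""
    return {g["name"] for g in api("user_groups/search", {"ps": 500})["groups"]}

def sync(desired=DESIRED):
    """Idempotent: only missing groups are created; re-adding an existing grant is a no-op."""
    to_create, rows = plan(existing_groups(), desired)
    for name in to_create:
        api("user_groups/create", {"name": name}, "POST")
    for group, template, perm in rows:
        api("permissions/add_group_to_template",
            {"groupName": group, "templateName": template, "permission": perm}, "POST")
    return to_create, rows

if __name__ == "__main__":
    created, rows = sync()
    print(f"created {len(created)} group(s), applied {len(rows)} template grant(s)")
```

Run it with a token of a user holding the "Administer System" global permission; the plan() step can be reviewed offline before anything is sent to the server.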

Hi John,

There’s not one.

I’ll defer to Gilbert on the other questions since his enterprise experience is far more current than mine.

:slight_smile:
Ann