I am having a hard time learning more about AD integration with SonarQube. I have a group in my Active Directory called Developers. This Developers group has ten members. What I am looking for is this: as I have authenticated SonarQube with my AD, how can I replicate the same Developers group in SonarQube? I thought of doing it this way: when all ten users of the Developers group have logged in to the SonarQube server, I will create a group named Developers and then add all 10 users to it. Is this the right way, or is there another, official way to do it? Thanks.
Enable Group Mapping (by providing the group-related configuration values) and this group creation and membership will happen automatically.
You should be aware though that this group mapping is all-or-nothing. You cannot turn group mapping on and then try to manage membership in additional groups directly in SonarQube. Membership in such local groups will be wiped out by group synchronization the next time the user logs in.
Trying to enforce that only an app can deploy changes to our team's Azure Functions, so I want to prevent a user from being able to web deploy changes.
Background:
The deploy app is triggered in a build pipeline, once changes have been signed off in code review.
There are 2 ways:
WAY - 1
You can assign the Reader role so that the user does not have certain permissions, i.e. set RBAC rules for certain users.
To assign the role at resource scope, you can do it directly from the Azure portal. This is the procedure you can follow:
Select the resource that you want to assign.
Under Manage, select Roles to see the list of roles for Azure resources.
Select a member or group you want to assign to the role (READER) and then click Select.
For more information, you can refer to it HERE.
WAY - 2
Add permissions for the users in Azure pipeline.
From within your project, select Pipelines > Pipelines. Select the All tab, then select the more actions menu, then Manage security.
In the permissions dialog box, make sure the following Role (READER) permissions are set to Allow.
For more information, you can refer to Pipelines user permissions - Azure Pipelines | Microsoft Docs
We configured our Jenkins to use AD using both the LDAP plugin and the AD plugin. For most of the users Jenkins then runs very slowly (sometimes logging in or opening a new link takes a few minutes), while some have reasonable performance.
I checked using the /whoAmI option and found that a user with good performance was connected to the "Domain users" group, while a user with bad performance was instead connected to the "authenticated" group (which does not exist in AD).
Both users are in the "Domain users" group in AD, but Jenkins does not recognize it for the users with slow performance. (It also identified the "authenticated" group, which does not exist in AD and does not appear for the user with good performance.)
Any ideas?
Thanks in advance!!!!
Finally, the answer was in another CloudBees link:
https://support.cloudbees.com/hc/en-us/articles/218625237-How-to-diagnose-AD-integration-problems-
Issue number 1: Jenkins should use the global catalog (ports 3268/3269) and not the LDAP catalog (ports 389/636). After I switched to the global catalog, the problems were resolved.
We are trying to set up a SonarQube server (v. 6.5) to run in Kubernetes. Because of this, we need everything to be configured "as code" not through the web interface.
We have successfully set up single sign-on (SSO) against LDAP server, and that works as such. But since users can then not log out in order to log in as a static admin, we need some way to configure a group that has admin privileges.
It is my understanding that this should be done via group mapping, but all documentation and examples I can find only suggest setting up the groups through the UI.
Is there some way to configure groups via sonar.properties (or other properties file) that are then automatically mapped against groups from LDAP, and configure a group to get admin rights?
I am pretty new to SonarQube (and no ldap expert either), so I hope the question makes sense.
There is no way to configure groups through properties. There are web services (which are used by the UI itself) with which you could script this.
Alternately, see if you can turn on group synching with your SSO. Then you just have to grant admin rights (via the UI? via web services?) to the appropriate group in SonarQube.
Is it possible to delegate the deletion of projects in Sonar to users, knowing that the authentication of my Sonar is managed by an LDAP directory?
Thanks.
In SonarQube, project administrators have the right to delete the projects. So if you want to delegate deletion of projects to users, you must make sure that those users are granted Admin rights on the relevant projects.
As you are using an LDAP, you can do the following:
At global level, create one group per project called (for instance) "admin_projectName" (replace "projectName" by each project name)
In your LDAP, set the "admin_projectName" group on every user who should be project admin of a given project
Configure the LDAP plugin to synchronize the groups (called "Group Mapping")
I am new to SonarQube and trying to set up proper access control, with requirements as follows:
We have a few project areas; each area should have someone able to manage their area, such as creating new projects and managing the boards (not sure exactly what). This is something like project area administrators.
A few administrators can do anything.
Integrate with AD
A few questions:
In a few places like this link: http://www.sonarsource.com/products/features/security/, I see this role based method, but I can't find these default roles, "SonarSource products come with three project-specific roles – project administrators, project users and project code viewers" anywhere in the system. Right now, I am using the community edition I guess without a license. Is there any more detailed document on that?
I kind of understand the default Global Permissions and Project Permissions. In my case, shall I create e.g. three groups in AD, sonar-administrators, sonar-project-administrators, sonar-users, to map to the default groups?
I notice the following: right now I don't have the above AD groups. When I integrate with AD, I can log in with my domain ID/password, but once I log out and back in, the group information I added to the local user is gone. I guess it syncs with AD. So to use AD, do I have to create these groups in AD?
Jirong
Access control in SonarQube is managed through Global Permissions and Project Permissions. Each permission can be granted to user(s) and/or to group(s). The documentation you pointed at is quite outdated, read the Authorization page for the most up to date details.
AD/LDAP integration is a different topic, documented here. With group mapping, group membership stays managed in AD but will be replicated in SonarQube when users log in (the AD groups must first be created in SonarQube with the same name).
To your example: if AD users belonging to group foo deserve to administer your SonarQube, just create group foo in SonarQube, and (in the Global Permissions settings) give Administer System permission to group foo.
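The steps in the answer above (create group foo, grant it Administer System), scripted against the web services that the earlier configuration-as-code answer on this page mentions. This is an added example, not part of the original answers. The host name, the environment variable names, the group-name check and the choice to continue when the group already exists are assumptions; `api/user_groups/create` and `api/permissions/add_group` are SonarQube web API endpoints, so confirm their parameters on the Web API page of your own version.

```shell
#!/bin/sh
# Added example: create a SonarQube group named after an LDAP/AD group and
# grant it the global "admin" permission (Administer System).
SONAR_URL="${SONAR_URL:-http://sonarqube.example.internal:9000}"  # placeholder host
SONAR_TOKEN="${SONAR_TOKEN:-}"  # admin token; inject from a Secret, never hard-code
DRY_RUN="${DRY_RUN:-0}"         # 1 = print the request instead of sending it

# This example's own policy (an assumption): accept a conservative character
# set so a typo or injected value never becomes a privileged group.
valid_group_name() {
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# POST key=value pairs to a web service; the token is the basic-auth user name.
sonar_post() {
  sp_endpoint="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    echo "POST ${SONAR_URL}/api/${sp_endpoint} $*"
    return 0
  fi
  [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN not set" >&2; return 2; }
  # Rewrite each key=value argument as "--data-urlencode key=value".
  for sp_kv in "$@"; do
    set -- "$@" --data-urlencode "$sp_kv"; shift
  done
  curl --silent --show-error --fail -u "${SONAR_TOKEN}:" \
       -X POST "${SONAR_URL}/api/${sp_endpoint}" "$@"
}

# Group name must equal the directory group name for group mapping to match.
map_admin_group() {
  mg_group="$1"; mg_perm="${2:-admin}"
  valid_group_name "$mg_group" || { echo "invalid group name: $mg_group" >&2; return 1; }
  # Creation fails if the group already exists; continue so re-runs still
  # reach the permission grant, whose exit status is what gets returned.
  sonar_post user_groups/create "name=${mg_group}" \
      "description=Synchronized from LDAP/AD" \
    || echo "create failed (group may already exist), continuing" >&2
  sonar_post permissions/add_group "groupName=${mg_group}" "permission=${mg_perm}"
}

# Run only when a group name is given on the command line.
if [ "$#" -gt 0 ]; then map_admin_group "$@"; fi
```

Run it once with `DRY_RUN=1` to review the two requests before sending them with a real token. Because group synchronization overwrites local membership at each login, the script grants the permission to the group and never adds users to it.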