The analysis parameters page in the documentation states that if Anyone (the pre-existing group of users) does not have permission to perform analyses, you'll need to supply the credentials of a user with Execute Analysis permission for the analysis to run under.
I've allowed the group "Anyone" (and no other group or user) in my SonarQube instance (Version 5.4) to perform analysis in the global permissions page but I'm still getting an error message when analyzing my project with the SonarQube scanner for Maven. I have this issue since the upgrade to 5.4 from 5.3. It fails at
[INFO] Load user information
[DEBUG] GET 401 http://sonar.all.alcatel-lucent.com/batch/users?logins=someUser | time=78ms
with the error:
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar (default-cli) on project xxxx-parent: Not authorized. Analyzing this project requires to be authenticated. Please provide the values of the properties sonar.login and sonar.password.
I'm running the analysis in issues mode for the needs of a Jenkins plugin. I don't get the same issue in normal mode or on other projects. While looking at the project's permission, Anyone can browse, see source code and execute analysis. I've also tried settings up a user with every right on that project and providing the credentials in parameter. I get a similar behavior but with this message:
Not authorized. Please check the properties sonar.login and sonar.password
I've also tried with a user in a group that has every right on that project. I don't really understand how to configure that execute analysis permission. I believe these 2 issues (from the 5.4 upgrade note) are involved in some way but that's just a guess.
https://jira.sonarsource.com/browse/SONAR-7174
https://jira.sonarsource.com/browse/SONAR-7242
Thank you in advance for your answers.
Alexis.
The WS batch/users can't be accessed in anonymous way. So your first issue is expected (ie error 401 when trying to access it without credentials).
Now regarding your second attempt with credentials please provide the WS that is failing. The account you are using should have "analysis permission" either globally or for the project you want to analyse in preview mode.
Related
Sonar Server 6.7.1.
I have following queries wrt how permission works in SonarQube
1. How to enable window NT authentication on sonar portal. I believe by default it is open to everybody, no authentication.
Using sonar admin account I can create the quality profiles (add/remove rules) & assign it to a project. Can I do it as project admin account as well? My use case is I have couple of projects hosted, I do not want to share admin account with each project.
I created many users and groups on sonar portal, but I could not see them under Global Permission page. How to projet administrators?
Let's say I have set of issues reported by sonar for a project. From the portal I want to mark some of the issues as "Won't fixed". What is the minimal permission required user/project admin/sonar admin to do it?
Appreciate your response on above queries.
Disable anonymous access: Disallow anonymous users to access Sonar
You need Administer Quality Gates global permission
You have to start typing username you are looking for in Search field
You need Administer Issues project permission
Please take a look at SonarQube documentation: https://docs.sonarqube.org/display/SONAR/Authorization
We are trying to add Sonar pre and post build steps in VSTS / TFS Online as explained in here and here . Both are pretty good documentation from Sonar and MS. here are steps followed
1. Exposed internal Sonar (hosted inside company firewall on prem) end point and we tested successfully with login credentials
2. Created end point in VSTS with special Sonar end point.
Out of TWO options -
With Generic end point - If we chose to create with Generic end point which allows user name and pwd, Sonar Build step doesn't recognize end point in drop down , worst doesn't enable Save button :(
With Sonar end point - So as to make it work , had to Create Sonar end point which allows token based access - created token for user , provided all project access to user ID
But somehow, Sonar begin analysis never completes but errors out after some time. From log messages (copied below), looks like its 401 Unauthorized issue
Is it possible to access on prem Sonar server from VSTS / TFS online for Sonar build step? Also not sure weather token based access is working or something else
FYI - installed Sonar extension for TFS online from marketplace
Thanks in advance
----------- Error Log ---------------
2017-01-25T12:14:16.9334904Z SonarQube Scanner for MSBuild 2.2
2017-01-25T12:14:16.9334904Z Default properties file was found at D:\a\_tasks\SonarQubeScannerMsBuildBegin_15b84ca1-b62f-4a2a-a403-89b77a063157\2.0.0\SonarQubeScannerMsBuild\SonarQube.Analysis.xml
2017-01-25T12:14:16.9334904Z Loading analysis properties from D:\a\_tasks\SonarQubeScannerMsBuildBegin_15b84ca1-b62f-4a2a-a403-89b77a063157\2.0.0\SonarQubeScannerMsBuild\SonarQube.Analysis.xml
2017-01-25T12:14:16.9334904Z Pre-processing started.
2017-01-25T12:14:16.9334904Z Preparing working directories...
2017-01-25T12:14:16.9334904Z SonarQube Scanner for MSBuild 2.2
2017-01-25T12:14:16.9334904Z 12:14:16.484 Updating build integration targets...
2017-01-25T12:14:16.9334904Z 12:14:16.501 Fetching analysis configuration settings...
2017-01-25T12:14:17.4377059Z ##[error]
2017-01-25T12:14:17.5379198Z ##[error]Unhandled Exception: System.Net.WebException: The remote server returned an error: (401) Unauthorized.
2017-01-25T12:14:17.5379198Z ##[error]at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
2017-01-25T12:14:17.5379198Z ##[error]at System.Net.WebClient.DownloadString(Uri address)
2017-01-25T12:14:17.5379198Z ##[error]at System.Net.WebClient.DownloadString(String address)
2017-01-25T12:14:17.5379198Z ##[error]at SonarQube.TeamBuild.PreProcessor.WebClientDownloader.Download(String url)
First, regarding the endpoint, it was previously only possible to use a Generic Endpoint but since v2 we decided to move to a specific SonarQube Endpoint and so decided to drop support of the generic one.
We also decided to only support token based authentication because we strongly believe this is more secure than a username/password one.
Last, based on the log and what you described I think your token has not been correctly copied into the SonarQube Endpoint. Depending on your browser it may have added a space at the end. You can test that your token is valid by running an analysis locally (follow this tutorial). If the begin part is successful you don't need to go further.
Feel free to tell us if the token is correct so we can dig deeper.
I'd like to configure SonarQube so that developers can generate an HTML report locally (in 'issues' mode), but not be able to publish reports on the SonarQube server (in 'publish' mode).
Instead, I'd like the CI server to be the only system with access to publish results (using a 'technical' user).
The Release notes for SonarQube 5.4 indicate that the "Execute Preview Analysis" permission has been removed.
There is an "Execute Analysis" permission, but from what I've understood, this is required for both 'issues' mode and 'publish' mode.
Right now, the Execute Analysis permission has been granted to 'Anyone'. This allows the Maven plugin to perform an analysis (issues or publish mode). However, sonar-runner (and sonar-scanner) both seem to need a login token configured before they can run even a preview analysis. This inconsistency seems confusing.
How can SonarQube 5.4 be secured so that only the build server can update the results shown on the dashboard?
This is pretty simple:
Make sure that the "Execute Analysis" global permission is granted only to a "technical" user and configure your CI server to pass credentials of this user to the Maven command
=> This will allow the CI to push analysis reports to the SonarQube server, but prevent any other user to do so.
Make sure that every other user has the "Browse" permission on the projects
=> This will allow any user to run an "issues" analysis and therefore generate an HTML report
The Release notes for SonarQube 5.2 indicate that scanners no longer access the database directly.
With SonarQube 5.1, it's possible to ensures that the dashboard only ever shows reports on code in version control by configuring the database to only accept connections from the build server.
With SonarQube 5.2, I wouldn't expect this approach to work, because scanners aren't connecting directly to the database.
How can SonarQube 5.2 be secured so that only the build server can update the results shown on the dashboard?
This is really straightforward:
Make sure that your build server runs SQ analyses with non-empty sonar.login and sonar.password properties
Usually, the user corresponding to this sonar.login is a technical user
In the SQ Web Administration console, go to "Security > Global Permissions" and make sure that only the user corresponding to sonar.login has the "Execute Analysis" permission
Note that this can (or I'd even say "should") be done even on versions older than 5.2.
When executing the sonar analysis using the Maven Sonar Plugin:
Without any other change, except upgrading from SonarQube 3.7 to 4.2
We receive the following error:
[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.2:sonar (default- cli) on project museum-mobile: Can not execute SonarQube analysis: Not authorized. Please check the properties sonar.login and sonar.password. -> [Help 1]
Our account is still listed as "sonar-administrator", with full access to all Global Permissions: Administer Quality Profiles, Administer System, Execute Analysis, Execute Preview Analysis, Provision Projects, Share Dashboards And Filters
When we run with the default "admin" account we are able to execute the analysis.
Environment:
Windows 7 64-bit
Java JDK 1.6.0_31 and 1.7.0_25
Maven 3.0.5
sonar-maven-plugin 2.0 and 2.3
JIRA opened: MSONAR-66
If you use LDAP users in your Sonar installation, and a non-LDAP user to maven sonar plugin, this may explain the problem:
http://sonarqube.15.x6.nabble.com/cannot-login-to-sonar-using-created-user-and-ldap-td5025428.html
http://jira.codehaus.org/browse/SONAR-4543
I fixed the problem editing the sonar.properties like this:
# LDAP
sonar.security.realm=LDAP
sonar.security.localUsers=admin,jenkinsuser
ldap.url=....
I have sent 3-4 emails stating the problem and issues that we have faced. I have also sent a summary as Jared and David have mentioned.
Answers to the above comments and questions:-
Q- From which version did you upgrade ? – Simon Brandhof yesterday
-
3.7**
Q-If you upgraded from a version less than 3.7, then the account has probably not the permission "Execute Analysis". See docs.codehaus.org/display/SONAR/… – Simon Brandhof yesterday.
- We have that set to Anyone in the Groups. We have also set it to sonar-users/sonar-administrators which means access to all the users in the system.
Q-Or it means that you have activated the force authentication feature. See docs.codehaus.org/display/SONAR/Authentication. – David RACODON - SonarSource yesterday
- sonar.forceAuthentication=true is already set to true. Yes it is correct.
"upgrading from SonarQube 3.7 to 4.2" – David M. Karr yesterday
-Right.
Q-I added each of the global permissions above. The upgrade was from 3.7 (working) to 4.2 (not working). We will check the force authentication feature. Is that new to 4.2?
After reading about the feature I am not sure how it would explain why my user in the sonar-administrator group can no longer execute an analysis. – Jared yesterday
- It is set to true but it is needed and we want users to be authenticated.
Thanks,
Jitesh
For whatever reason, version 4.2 has to use the "admin" userid to execute analysis. We were able to work around this bug by doing the following:
Create a new default Administrator User and name it anything you
like. We used "sonar_admin".
For the "admin" userid, ensure that it has permissions "Execute Analysis" and if you want it to add new projects to Sonarqube "Provision Projects".
You can change the password of "admin" to whatever you like.
Ensure sonar.login and sonar.password properties are being defined within your build script, and set to the "admin" userid and password.
You just need to add below 2 properties to get it work -
sonar.login=
sonar.password=
These properties can be added in 2 ways :
1. By setting it in build.xml with sonar target
2. By setting system property using -Dsonar.login=admin -Dsonar.password=password