Receiving "Not authorized" error after upgrading to SonarQube 4.2 - sonarqube

When executing the sonar analysis using the Maven Sonar Plugin:
Without any other change, except upgrading from SonarQube 3.7 to 4.2
We receive the following error:
[ERROR] Failed to execute goal org.codehaus.mojo:sonar-maven-plugin:2.2:sonar (default- cli) on project museum-mobile: Can not execute SonarQube analysis: Not authorized. Please check the properties sonar.login and sonar.password. -> [Help 1]
Our account is still listed as "sonar-administrator", with full access to all Global Permissions: Administer Quality Profiles, Administer System, Execute Analysis, Execute Preview Analysis, Provision Projects, Share Dashboards And Filters
When we run with the default "admin" account we are able to execute the analysis.
Environment:
Windows 7 64-bit
Java JDK 1.6.0_31 and 1.7.0_25
Maven 3.0.5
sonar-maven-plugin 2.0 and 2.3
JIRA opened: MSONAR-66

If you use LDAP users in your Sonar installation, and a non-LDAP user to maven sonar plugin, this may explain the problem:
http://sonarqube.15.x6.nabble.com/cannot-login-to-sonar-using-created-user-and-ldap-td5025428.html
http://jira.codehaus.org/browse/SONAR-4543
I fixed the problem editing the sonar.properties like this:
# LDAP
sonar.security.realm=LDAP
sonar.security.localUsers=admin,jenkinsuser
ldap.url=....

I have sent 3-4 emails stating the problem and issues that we have faced. I have also sent a summary as Jared and David have mentioned.
Answers to the above comments and questions:-
Q- From which version did you upgrade ? – Simon Brandhof yesterday
-
3.7**
Q-If you upgraded from a version less than 3.7, then the account has probably not the permission "Execute Analysis". See docs.codehaus.org/display/SONAR/… – Simon Brandhof yesterday.
- We have that set to Anyone in the Groups. We have also set it to sonar-users/sonar-administrators which means access to all the users in the system.
Q-Or it means that you have activated the force authentication feature. See docs.codehaus.org/display/SONAR/Authentication. – David RACODON - SonarSource yesterday
- sonar.forceAuthentication=true is already set to true. Yes it is correct.
"upgrading from SonarQube 3.7 to 4.2" – David M. Karr yesterday
-Right.
Q-I added each of the global permissions above. The upgrade was from 3.7 (working) to 4.2 (not working). We will check the force authentication feature. Is that new to 4.2?
After reading about the feature I am not sure how it would explain why my user in the sonar-administrator group can no longer execute an analysis. – Jared yesterday
- It is set to true but it is needed and we want users to be authenticated.
Thanks,
Jitesh

For whatever reason, version 4.2 has to use the "admin" userid to execute analysis. We were able to work around this bug by doing the following:
Create a new default Administrator User and name it anything you
like. We used "sonar_admin".
For the "admin" userid, ensure that it has permissions "Execute Analysis" and if you want it to add new projects to Sonarqube "Provision Projects".
You can change the password of "admin" to whatever you like.
Ensure sonar.login and sonar.password properties are being defined within your build script, and set to the "admin" userid and password.

You just need to add below 2 properties to get it work -
sonar.login=
sonar.password=
These properties can be added in 2 ways :
1. By setting it in build.xml with sonar target
2. By setting system property using -Dsonar.login=admin -Dsonar.password=password

Related

How to use a certain sonar server in sonar-maven-plugin

I've successfully built up a SonarQube server, and I wrote several custom rules to review the code. Now, I can use the server and custom rule with Jenkins and with Maven only when the code is on the same server.
My question is when I develop maven project on another computer, and I want to use maven build or maven install, how can I still use the certain SonarQube server? Simply add plugins in the pom.xml can't use the SonarQube server I established, and the custom rules I developed are also not taken into effect.
As stated in the docs, you only need to make sure the address of your SonarQube server is available to the analysis. Beyond that, you should provide the token of a user with analysis permissions (and 'create project' permissions if the project doesn't already exist) and analyze away.
Of course, this pre-supposes that your SQ server is visible on your network.

Getting asked for credentials in issues mode for sonarqube analysis

The analysis parameters page in the documentation states that if Anyone (the pre-existing group of users) does not have permission to perform analyses, you'll need to supply the credentials of a user with Execute Analysis permission for the analysis to run under.
I've allowed the group "Anyone" (and no other group or user) in my SonarQube instance (Version 5.4) to perform analysis in the global permissions page but I'm still getting an error message when analyzing my project with the SonarQube scanner for Maven. I have this issue since the upgrade to 5.4 from 5.3. It fails at
[INFO] Load user information
[DEBUG] GET 401 http://sonar.all.alcatel-lucent.com/batch/users?logins=someUser | time=78ms
with the error:
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.0.1:sonar (default-cli) on project xxxx-parent: Not authorized. Analyzing this project requires to be authenticated. Please provide the values of the properties sonar.login and sonar.password.
I'm running the analysis in issues mode for the needs of a Jenkins plugin. I don't get the same issue in normal mode or on other projects. While looking at the project's permission, Anyone can browse, see source code and execute analysis. I've also tried settings up a user with every right on that project and providing the credentials in parameter. I get a similar behavior but with this message:
Not authorized. Please check the properties sonar.login and sonar.password
I've also tried with a user in a group that has every right on that project. I don't really understand how to configure that execute analysis permission. I believe these 2 issues (from the 5.4 upgrade note) are involved in some way but that's just a guess.
https://jira.sonarsource.com/browse/SONAR-7174
https://jira.sonarsource.com/browse/SONAR-7242
Thank you in advance for your answers.
Alexis.
The WS batch/users can't be accessed in anonymous way. So your first issue is expected (ie error 401 when trying to access it without credentials).
Now regarding your second attempt with credentials please provide the WS that is failing. The account you are using should have "analysis permission" either globally or for the project you want to analyse in preview mode.

How to secure SonarQube 5.2?

The Release notes for SonarQube 5.2 indicate that scanners no longer access the database directly.
With SonarQube 5.1, it's possible to ensures that the dashboard only ever shows reports on code in version control by configuring the database to only accept connections from the build server.
With SonarQube 5.2, I wouldn't expect this approach to work, because scanners aren't connecting directly to the database.
How can SonarQube 5.2 be secured so that only the build server can update the results shown on the dashboard?
This is really straightforward:
Make sure that your build server runs SQ analyses with non-empty sonar.login and sonar.password properties
Usually, the user corresponding to this sonar.login is a technical user
In the SQ Web Administration console, go to "Security > Global Permissions" and make sure that only the user corresponding to sonar.login has the "Execute Analysis" permission
Note that this can (or I'd even say "should") be done even on versions older than 5.2.

Administer issues does not work as Anyone

I cannot get administration of issues to be active for Anyone.
I have added the group Anyone to both browse and administer issues for the project.
Anyone can browse, but not administer issues.
It works if i create a user and add it to administer issues (when logged in as that user), but i do not want to use users at all.
I want anyone to be able to administer issues.
I tried deleting the project and created a default template with Anyone for browse and administer thinking that perhaps the setting cannot be changed for existing projects for some reason, but that did not help.
Running sonarqube 4.4
Plugins:
Checkstyle 2.1
Findbugs 3.0
Java 2.4
PMD 2.2
SCM Activity 1.8
Scm Stats 0.3.1
By definition, to do actions on issues on SQ (SonarQube), you must be authenticated because SQ needs to keep track of who did what. By default, authenticated users in SQ are part of the "sonar-users" group. So you just have to add the "sonar-users" group to the "Administer Issues" permission.

Why Sonar-Runner talks to the local database?

In the similar question Sonar-Runner talks to the local database "David RACODON - SonarSource" wrote:
The SonarQube Runner needs to talk to both the database and the web server.
I'm will try to understand why Sonar Runner talks do sonar database, because somebody who use sonar runner will known database user and password and do anything on it, for example change admin password and take control on Sonar instance.
On the other hand, at sonar runner docs (http://docs.sonarqube.org/display/SONAR/Installing+and+Configuring+SonarQube+Runner) I see info:
The SonarQube Runner is recommended as the default launcher to analyze a project with SonarQube.
So, it means that I should give database password to each developer of my team? This is inconsistent. Could somebody explain it?
SonarQube needs to talk to the database in order to save the results (metrics) of the analysis.
I will not talk about all the different possibilities that you can implement in order to avoid SonarQube's users to know the admin login, but here is the one I use:
SonarQube + Runner
Jenkins with Sonar plugin
This post (on my blog) is 1 year old http://qualilogy.com/en/install-sonarqube-the-sonarqub-jenkins-plugin/) but it will give you an idea.
You already have SonarQube + Runner installed.
Install Jenkins
Install SonarQube plugin for Jenkins
Configure the plugin:
Location of Runner
SonarQube dashboard URL
Connection to the DB : password is encrypted.
Then, when configuring and running an analysis from Jenkins, no need to use any DB login as a parameter.
Hope it helps.
As of version 5.2, this is no longer the case. Now, all DB credentials/connections are managed by Sonar itself, not the runner.

Resources