Pavel Šindelář

Reputation: 21

How to restrict SonarQube Execute Analysis permission per project?

We are trying to set up our SonarQube server (5.6) so that anyone can run a Sonar analysis using Sonar Scanner and publish the results to SonarQube. However, we want to restrict users to publishing the analysis only for certain project keys, to prevent messing up existing project histories.

We've played around with the permission settings quite a bit. Let's say we have a project key SomeProjectKey and a group SomeGroup. All analyses were published under a user who is a member of SomeGroup. SomeGroup was granted all the permissions on SomeProjectKey except for Execute Analysis, which we tried adding and removing. The results can be seen in the matrix below:

[image: permission matrix, not reproduced]

Based on these results, it seems that granting Execute Analysis (EA) at the project level has no effect. Global EA is required to be able to publish the analysis. This, however, enables users granted global EA to publish analyses for all projects. We haven't found any way to restrict publishing per project. The EA permission at the project level seems completely redundant.

Is there any way to enable users to publish analyses for only certain projects? More precisely, is there a way at all to allow users to publish analyses without granting them global EA?

Thank you for any advice.


Edit: I turned the SonarQube log level to debug but still no clue. With global Execute Analysis granted, everything works fine and the log shows:

2016.08.19 17:13:42 DEBUG web[http] POST /api/ce/submit?projectKey=zz.yyy:xxx-exp&projectName=xxx&projectBranch=xxx | time=4279ms

2016.08.19 17:13:43 INFO  ce[o.s.s.c.t.CeWorkerCallableImpl] Execute task | project=zz.yyy:xxx-exp&projectName=xxx&projectBranch=xxx | type=REPORT | id=AVajXWLL944EkuNYd4rD | submitter=pavel.sindelar

2016.08.19 17:13:48 INFO  ce[o.s.s.c.t.CeWorkerCallableImpl] Executed task | project=zz.yyy:xxx-exp&projectName=xxx&projectBranch=xxx | type=REPORT | id=AVajXWLL944EkuNYd4rD | submitter=pavel.sindelar | time=4456ms

With Execute Analysis granted at the project level (all project permissions granted), there is a 403 HTTP status code with response body:

{"errors":[{"msg":"Insufficient privileges"}]}

The SonarQube log contains no info on what's wrong; there is just the line with the POST request being received, nothing more related to the analysis publishing, no error, nothing, even on trace level:

2016.08.22 10:15:57 DEBUG web[http] POST /api/ce/submit?projectKey=project=zz.yyy:xxx-exp&projectName=xxx&projectBranch=xxx | time=564ms

We will try to update to 6.0.

Upvotes: 2

Views: 1375

Answers (1)

You probably missed something and mixed up some permissions, because what you want to achieve is exactly what was done in SonarQube 5.4 with SONAR-7174.

The following scenario works:

  1. You create a project
  2. You grant all the permissions (including "Execute Analysis") of this project to user Foo
  3. You run an analysis with the login/password (or better: with a token) of user Foo
  4. The analysis is successfully pushed and processed

Upvotes: 2
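The four-step scenario from the answer, driven through the SonarQube web API, together with a small classifier for the `/api/ce/submit` response quoted in the question. This is an added example and not code from the question, the answer or the SonarQube project. It assumes a 5.x-era server reachable at `SONAR_URL` exposing `api/projects/create` (parameters `key`, `name`), `api/permissions/add_user` (`login`, `permission`, `projectKey`, with `scan` being the key of the Execute Analysis permission) and `api/user_tokens/generate` (`login`, `name`), an existing scanner-side user (the answer's Foo), and admin credentials in `ADMIN_LOGIN`/`ADMIN_PASSWORD`; `PROJECT_KEY` defaults to a constructed sample value.

```shell
#!/bin/sh
# Added example: grant Execute Analysis ("scan") on one project only, issue
# a token for that user, and run the scanner with it. Endpoints and
# parameter names are assumptions about the 5.x web API (see lead-in).

SONAR_URL="${SONAR_URL:-}"
ADMIN_LOGIN="${ADMIN_LOGIN:-admin}"
ADMIN_PASSWORD="${ADMIN_PASSWORD:-admin}"
PROJECT_KEY="${PROJECT_KEY:-zz.yyy:xxx-exp}"   # constructed sample key
SCAN_USER="${SCAN_USER:-foo}"                  # the answer's user Foo (assumed to exist)

# POST to a web-service path as the admin; prints the HTTP status and
# leaves the response body in the file named by $2.
sonar_post() {
  curl -s -o "$2" -w '%{http_code}' -u "$ADMIN_LOGIN:$ADMIN_PASSWORD" \
    -X POST "$SONAR_URL/api/$1"
}

# Classify the status/body pair returned by /api/ce/submit so that the 403
# from the question is recognised for what it is: the submitting user lacks
# the "scan" (Execute Analysis) permission on that project key.
diagnose_submit_response() {
  status="$1"; body="$2"
  case "$status" in
    200) echo "ok" ;;
    401) echo "unauthenticated" ;;
    403)
      case "$body" in
        *"Insufficient privileges"*) echo "missing-scan-permission" ;;
        *) echo "forbidden" ;;
      esac ;;
    *) echo "unexpected-$status" ;;
  esac
}

# Map a diagnosis to the least-privilege fix: grant "scan" on the one
# project rather than the global Execute Analysis permission.
remediation_for() {
  case "$1" in
    missing-scan-permission)
      echo "POST api/permissions/add_user?login=<user>&permission=scan&projectKey=<key>" ;;
    unauthenticated) echo "check the sonar.login token / credentials" ;;
    ok) echo "none" ;;
    *) echo "inspect web.log at DEBUG level" ;;
  esac
}

main() {
  body=$(mktemp)
  # Step 1: create the project.
  sonar_post "projects/create?key=$PROJECT_KEY&name=$PROJECT_KEY" "$body" >/dev/null
  # Step 2: grant project-level Execute Analysis ("scan") to the user only.
  sonar_post "permissions/add_user?login=$SCAN_USER&permission=scan&projectKey=$PROJECT_KEY" "$body" >/dev/null
  # Step 3: issue a token for that user (preferred over login/password).
  sonar_post "user_tokens/generate?login=$SCAN_USER&name=ci-$(date +%s)" "$body" >/dev/null
  token=$(sed -n 's/.*"token":"\([^"]*\)".*/\1/p' "$body")
  rm -f "$body"
  # Step 4: run the analysis as that user; the report is submitted to /api/ce/submit.
  sonar-scanner -Dsonar.host.url="$SONAR_URL" -Dsonar.login="$token" \
    -Dsonar.projectKey="$PROJECT_KEY" -Dsonar.sources=.
}

# Only talk to a server when one is configured; the functions above can be
# used on their own, e.g. to read a captured 403 from a scanner run.
if [ -n "$SONAR_URL" ]; then
  main
fi
```

Usage: `SONAR_URL=http://sonar.example:9000 ADMIN_LOGIN=admin ADMIN_PASSWORD=... sh grant-and-scan.sh`. If the scanner still reports the question's 403, `diagnose_submit_response 403 '{"errors":[{"msg":"Insufficient privileges"}]}'` names the cause, and `remediation_for` prints the per-project grant to check, which keeps global Execute Analysis off the scanning account.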
