Reputation: 1147
How to limit the permissions of a token?
My developers are making use of the IntelliJ SonarLint plugin to connect to our SonarQube server and perform local analysis
To connect to the server they need to provide a token, so I want to create a single token which can be shared across all developers. I want this token to have minimal privileges i.e. to only allow the download of rules to allow local analysis to work.
If I generate a token as a SonarQube administrator, does this mean that the token has more privileges than a token generated by a non-admin user? The SonarQube documentation implies any token has the ability to execute the full list of SonarQube Web Services.
Upvotes: 2
Views: 1009
Answers (1)
Reputation: 21586
A token you create has all your privileges. Neither is it possible to gain privileges by using a token instead of username/password, nor to restrict a tokens' privileges. In SonarQube tokens and username/password are much alike - both tell the server who you are and what you are allowed to do.
A solution in your case might be:
- Create a new, technical user, that only has very limited privileges. Use a password, that only YOU know
- Login as that user
- Create a bunch of tokens, one for each developer, with the developer's name as token name
- Give each developer his/her own token
- Whenever a developer leaves the company, invalidate his/her token
Upvotes: 2
Related Questions
- sonarqube analysis requires authentication when permission is anyone
- SonarLint plugin IntelliJ with no authentication
- How to restrict SonarQube Execute Analysis permission per project?
- How to Assign a project to specific user only in SonarQube?
- SonarQube 6.0 authorization using groups
- Authorization in Sonar REST/Web API
- Problems with users authorization in Sonar 6.2
- Token + project provisioning = Insufficient privileges
- How to do role based access control with SonarQube?
- How to check user permissions in Sonar plugin