Access Control Management in Sonar

by Olivier Gaudin

    When used out of the box, Sonar is a code-quality radiator that everyone can consult at any time. But of course there are situations in which access control is necessary. Access control management has existed in Sonar since version 1.12 (Nov. 2011) and covers most use cases:

    • securing an instance by making authentication mandatory, for example to expose it to the internet
    • isolating access to projects from each other
    • protecting the source code of a strategic project
    • delegating project administration to a key user

    Application security is generally divided into two subjects: authentication and authorization. Sonar comes with built-in functionality for both. Authentication is based on a standard login / password mechanism. Authorization is based on roles that are associated with users and groups. There are currently four possible roles: global administrator, resource administrator, resource user and resource code viewer. A resource can be a project, but it can also be an aggregation of projects or a developer.
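
    To make the role model concrete, here is a small authorization engine that plays through the four use cases listed above (mandatory authentication, isolated projects, protected source code, delegated administration). This is an added illustration, not Sonar's own code: the `Role` enumeration, the `AccessControl` class, the `Anyone` pseudo-group and every sample user, group and project are constructed for this example.

```python
"""Toy model of the access-control model described above: roles granted
to users or groups on a resource, plus a "force authentication" switch.

Added illustration, not Sonar's own code. `Role`, `AccessControl`, the
`Anyone` pseudo-group and all sample users, groups and projects are
constructed for this example.
"""
from enum import Enum


class Role(Enum):
    GLOBAL_ADMIN = "global administrator"      # whole instance
    RESOURCE_ADMIN = "resource administrator"  # administer one resource
    RESOURCE_USER = "resource user"            # browse the resource
    CODE_VIEWER = "resource code viewer"       # read its source code


ANYONE = "Anyone"  # pseudo-group matching every visitor, logged in or not


class AccessControl:
    def __init__(self, force_authentication=False):
        self.force_authentication = force_authentication
        self.global_admins = set()   # logins
        self.user_groups = {}        # login -> set of group names
        self.grants = {}             # (resource, Role) -> set of principals

    # --- administration -------------------------------------------------
    def add_user(self, login, *groups):
        self.user_groups[login] = set(groups)

    def grant(self, resource, role, principal):
        """Grant `role` on `resource` to a user login or a group name."""
        self.grants.setdefault((resource, role), set()).add(principal)

    def revoke(self, resource, role, principal):
        self.grants.get((resource, role), set()).discard(principal)

    # --- decision -------------------------------------------------------
    def principals(self, login):
        """Everything a request can match: its login, its groups, Anyone."""
        if login is None:                 # anonymous visitor
            return {ANYONE}
        return {login, ANYONE} | self.user_groups.get(login, set())

    def allowed(self, login, role, resource):
        if login is None and self.force_authentication:
            return False                  # exposed instance: no anonymous access
        if login in self.global_admins:
            return True                   # a global admin can do anything
        granted = self.grants.get((resource, role), set())
        return bool(self.principals(login) & granted)


def build_demo():
    """The four scenarios from the list above, on constructed sample data."""
    ac = AccessControl(force_authentication=True)   # exposed to the internet
    ac.global_admins.add("root")
    ac.add_user("alice", "team-payments")
    ac.add_user("bob", "team-webshop")
    ac.add_user("carol", "team-payments", "auditors")

    # Isolate projects: each team browses only its own project.
    ac.grant("payments", Role.RESOURCE_USER, "team-payments")
    ac.grant("webshop", Role.RESOURCE_USER, "team-webshop")
    # Protect strategic source: the team sees metrics, only auditors see code.
    ac.grant("payments", Role.CODE_VIEWER, "auditors")
    # Delegate administration of one project to a key user.
    ac.grant("webshop", Role.RESOURCE_ADMIN, "bob")
    return ac
```

    Note the two things a practitioner checks first with this model: the `Anyone` pseudo-group is what makes the default radiator readable by everybody, so a project stays public until its `Anyone` grant is revoked, and forcing authentication closes anonymous access for every resource at once rather than per project.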

    Those mechanisms are simple and powerful, and they do the job very well. However, in most enterprises security is centralized in a single system (LDAP, Active Directory, etc.), and in that case what you really want is for Sonar to delegate access control verification to that system.

    The platform currently supports delegating authentication to several standard external systems through plugins: LDAP, Active Directory, Crowd and PAM. Single sign-on implementations are also available for OpenID and CAS.

    Delegation of authorization is supported for LDAP and Active Directory. In this configuration, group-level access control is still configured in Sonar, but the mapping of users to groups is delegated to LDAP, which greatly simplifies security management. The plugin then automatically synchronizes users and groups with the external repository, which not only delegates access control but also ensures service continuity if the external system becomes unavailable at some point.
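
    As an added example of what such a delegated setup looks like in `sonar.properties` (this fragment is not from the original post; the property names are assumed from the LDAP plugin documentation and may differ between plugin versions, and the hostnames, DNs and filters are placeholders):

```properties
# sonar.properties: delegate authentication and group mapping to LDAP.
# Added example; property names assumed from the LDAP plugin documentation,
# all hosts, DNs and filters are placeholders to adapt to your directory.

# Authenticate against LDAP and create the Sonar account on first login.
sonar.security.realm=LDAP
sonar.authenticator.createUsers=true

# Service continuity: keep the built-in admin local and cache the password
# hashes of synchronized users, so logins survive a directory outage.
sonar.security.localUsers=admin
sonar.security.savePassword=true

# Exposing the instance to the internet: no anonymous access at all.
sonar.forceAuthentication=true

# Use LDAPS; the bind password below is stored in clear, so restrict the
# file's permissions to the account running Sonar.
ldap.url=ldaps://ldap.example.com:636
ldap.bindDn=cn=sonar,ou=services,dc=example,dc=com
ldap.bindPassword=change-me

# User lookup: {login} is replaced by the submitted login.
ldap.user.baseDn=ou=people,dc=example,dc=com
ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail

# Group mapping: every group whose members include the user's DN becomes
# one of the user's Sonar groups; {dn} is replaced by the user's DN.
ldap.group.baseDn=ou=groups,dc=example,dc=com
ldap.group.request=(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))
ldap.group.idAttribute=cn
```

    Two checks worth doing after restarting Sonar: log in once with a directory account and confirm on its user page that the groups returned by `ldap.group.request` appear, and confirm that the Sonar groups to which you grant project roles carry exactly the same names as the LDAP groups, since the mapping is by name.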

    For more information about access control management, complete documentation is available.

    Before you start configuring access control in your Sonar instance, you may want to know what is coming next for access control management: we are planning to add a workflow process for manual reviews next year.