Authenticate sonarScanner via basic auth

Question

I'm frustrated with this problem, Our sonarqube server is behind http basic authentication and local runner fails with 401 error. Is it somehow possible to provide credentials to it? AOfficial docs shows how to provide sonarqube's internal user... http://www.it1me.com/it-answers?id=35790175&s=User%20talk:Omotecho&ttl=Authenticate+sonar- runner+via+basic+auth

any idea or experiences about it?

What have you tried? Also, how are you analyzing? – G. Ann - SonarSource Team Apr 21 '17 at 14:15 — G. Ann - SonarSource Team, Apr 21 '17 at 14:15

score 0 · Answer 1 · answered Apr 24 '17 at 06:47

0

The permission "Execute Analysis" is required to execute an analysis. In order to set credential to the scanner, you need to use sonar.login and sonar.password. For more information, please have a look at :

Authorization : https://docs.sonarqube.org/display/SONAR/Authorization
Scanner parameters : https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner

answered Apr 24 '17 at 06:47

Julien L. - SonarSource Team

2,577
17
15

Hi Julien, it's not a Sonar authentication problem, but an http authentication that make not possible to reach sonarQube at all. – Stefano C Apr 26 '17 at 12:21
If the SonarScanner is failing with a 401 error, it means that it was able to reach the server but the user used to executed the analysis is missing some permission – Julien L. - SonarSource Team Apr 27 '17 at 06:38
@JulienL.-SonarSourceTeam - Not necessarily. The OP says "Our sonarqube server is behind http basic authentication and local runner fails with 401 error" - so the 401 can be from the proxy that has basic auth and not Sonar itself. – talonx Feb 07 '22 at 10:05

Arigion · Answer 2 · 2020-02-09T01:29:03.460

I know the question is rather old, but I just spent a day to figure the following out:

TLDR: The sonar-runner, even if configured with credentials, does not use these to make it's first call to the server. The endpoint is /batch/index. You have to allow public access to that endpoint. For all other urls basic auth is fine.

Some more details: I use Apache 2.4 as reverse proxy with basic authentication for Sonar 7.9.2, which lives in docker containers under the path /sonar. Part of my Apache 2.4 config for auth

  <Location /sonar/batch/index>
    SetEnvIf User-Agent "^ScannerMaven" scanner_maven
    SetEnvIf User-Agent "^ScannerCli" scanner_maven
  </Location>
  <Location /sonar>
    <RequireAny>
      Require group sonar
      <RequireAll>
        Require expr %{REQUEST_URI} =~ m#^.*\/sonar\/batch\/index#
        Require env scanner_maven
      </RequireAll>
    </RequireAny>
    SetEnv proxy-chain-auth On
  </Location>

As you can see the path /sonar/batch/index does not use authentication. As a not very good, but better than nothing restriction, I set an env variable if someone with the User-Agent ScannerMaven or ScannerCli (thats the sonar-scanner) is making the request. Be aware that the User-Agent can be easily faked or may change depending on the scanner. For all other urls a user being in the group sonar must be authenticated. (The users for Apache and Sonar are the same, the proxy forwards the credentials with proxy-chain-auth to Sonar).

This setup is tested with maven: mvn sonar:sonar

Using

    <profiles>
      <profile>
        <id>sonar</id>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
          <sonar.host.url>https://myhost/sonar/</sonar.host.url>
          <sonar.login>${env.SONARUSER}</sonar.login>
          <sonar.password>${env.SONARPWD}</sonar.password>
        </properties>
      </profile>
    </profiles>

    [...]

    <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>3.7.0.1746</version>
    </plugin>

Authenticate sonarScanner via basic auth

2 Answers2

Linked