通过基本身份验证对 sonarScanner 进行身份验证 [英] Authenticate sonarScanner via basic auth

问题描述

我对这个问题感到沮丧，我们的 sonarqube 服务器落后于 http 基本身份验证，本地运行器失败并出现 401 错误.是否有可能向它提供凭据?AOfficial docs 展示了如何提供 sonarqube 的内部用户...http://www.it1me.com/it-answers?id=35790175&s=User%20talk:Omotecho&ttl=Authenticate+sonar-runner+via+basic+auth

I'm frustrated with this problem, Our sonarqube server is behind http basic authentication and local runner fails with 401 error. Is it somehow possible to provide credentials to it? AOfficial docs shows how to provide sonarqube's internal user... http://www.it1me.com/it-answers?id=35790175&s=User%20talk:Omotecho&ttl=Authenticate+sonar- runner+via+basic+auth

有什么想法或经验吗?

推荐答案

我知道这个问题有点老了，但我花了一天时间弄清楚以下问题:

I know the question is rather old, but I just spent a day to figure the following out:

TLDR:sonar-runner，即使配置了凭据，也不会使用这些凭据来首次调用服务器.端点是/batch/index.您必须允许对该端点的公共访问.对于所有其他网址，基本身份验证都可以.

TLDR: The sonar-runner, even if configured with credentials, does not use these to make it's first call to the server. The endpoint is /batch/index. You have to allow public access to that endpoint. For all other urls basic auth is fine.

更多细节:我使用 Apache 2.4 作为反向代理，对 Sonar 7.9.2 进行基本身份验证，它位于路径/sonar 下的 docker 容器中.我的 Apache 2.4 身份验证配置的一部分

Some more details: I use Apache 2.4 as reverse proxy with basic authentication for Sonar 7.9.2, which lives in docker containers under the path /sonar. Part of my Apache 2.4 config for auth

  <Location /sonar/batch/index>
    SetEnvIf User-Agent "^ScannerMaven" scanner_maven
    SetEnvIf User-Agent "^ScannerCli" scanner_maven
  </Location>
  <Location /sonar>
    <RequireAny>
      Require group sonar
      <RequireAll>
        Require expr %{REQUEST_URI} =~ m#^.*/sonar/batch/index#
        Require env scanner_maven
      </RequireAll>
    </RequireAny>
    SetEnv proxy-chain-auth On
  </Location>

如您所见，路径 /sonar/batch/index 不使用身份验证.作为一个不是很好但总比没有好的限制，如果有人使用 User-Agent ScannerMaven 或 ScannerCli(即声纳扫描仪)发出请求，我会设置一个 env 变量.请注意，用户代理很容易被伪造或可能会根据扫描仪而改变.对于所有其他 url，必须对组 sonar 中的用户进行身份验证.(Apache 和 Sonar 的用户是相同的，代理将带有 proxy-chain-auth 的凭据转发给 Sonar.

As you can see the path /sonar/batch/index does not use authentication. As a not very good, but better than nothing restriction, I set an env variable if someone with the User-Agent ScannerMaven or ScannerCli (thats the sonar-scanner) is making the request. Be aware that the User-Agent can be easily faked or may change depending on the scanner. For all other urls a user being in the group sonar must be authenticated. (The users for Apache and Sonar are the same, the proxy forwards the credentials with proxy-chain-auth to Sonar).

此设置已使用 maven 进行测试:mvn sonar:sonar

This setup is tested with maven: mvn sonar:sonar

使用

    <profiles>
      <profile>
        <id>sonar</id>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
        <properties>
          <sonar.host.url>https://myhost/sonar/</sonar.host.url>
          <sonar.login>${env.SONARUSER}</sonar.login>
          <sonar.password>${env.SONARPWD}</sonar.password>
        </properties>
      </profile>
    </profiles>

    [...]

    <plugin>
        <groupId>org.sonarsource.scanner.maven</groupId>
        <artifactId>sonar-maven-plugin</artifactId>
        <version>3.7.0.1746</version>
    </plugin>

这篇关于通过基本身份验证对 sonarScanner 进行身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！