2

My developers are making use of the IntelliJ SonarLint plugin to connect to our SonarQube server and perform local analysis

To connect to the server they need to provide a token, so I want to create a single token which can be shared across all developers. I want this token to have minimal privileges i.e. to only allow the download of rules to allow local analysis to work.

If I generate a token as a SonarQube administrator, does this mean that the token has more privileges than a token generated by a non-admin user? The SonarQube documentation implies any token has the ability to execute the full list of SonarQube Web Services.

slartidan
  • 20,403
  • 15
  • 83
  • 131
MandyW
  • 1,117
  • 3
  • 14
  • 23

1 Answers1

2

A token you create has all your privileges. Neither is it possible to gain privileges by using a token instead of username/password, nor to restrict a tokens' privileges. In SonarQube tokens and username/password are much alike - both tell the server who you are and what you are allowed to do.

A solution in your case might be:

  1. Create a new, technical user, that only has very limited privileges. Use a password, that only YOU know
  2. Login as that user
  3. Create a bunch of tokens, one for each developer, with the developer's name as token name
  4. Give each developer his/her own token
  5. Whenever a developer leaves the company, invalidate his/her token
slartidan
  • 20,403
  • 15
  • 83
  • 131