So if you think this would help to educate your users, here I'm ready to create a ticket to do the same in SonarLint for Eclipse.
++
Julien
Hi Julien,
this button will definetly improve the workaround we are currently using, so please go ahead and implement it!
That beeing said - you could make authentication pluggable. You could provide an extensionpoint that others could use to implement whatever SSO solution they fancy...
In our setup that would probably be a little plugin that would use waffle to get the ticket and hand it on.
How are the chances of that happening?
Le jeudi 27 octobre 2016 13:01:07 UTC+2, Jörg Sesterhenn a écrit :Hi Julien,
this button will definetly improve the workaround we are currently using, so please go ahead and implement it!
That beeing said - you could make authentication pluggable. You could provide an extensionpoint that others could use to implement whatever SSO solution they fancy...
In our setup that would probably be a little plugin that would use waffle to get the ticket and hand it on.Sorry I'm not experimented with Kerberos. Once you have the ticket, how would you pass it to perform authenticated HTTP request? Is your proxy expecting to find the ticket in the "Authorization" header? Or should it be set as another header?
How are the chances of that happening?Depends on the way you pass your ticket (see previous question). If ticket is a replacement for SQ username/password or token (ie passed as a Basic authentication credential) that could be quite easy to do (transparent for sonarlint-core / sonar-ws libraries). If we need to do modifications in the whole stack to support SSO, that's unlikely to happen.
Am Donnerstag, 27. Oktober 2016 13:31:06 UTC+2 schrieb Julien HENRY:Le jeudi 27 octobre 2016 13:01:07 UTC+2, Jörg Sesterhenn a écrit :Hi Julien,
this button will definetly improve the workaround we are currently using, so please go ahead and implement it!Just voted for it.That beeing said - you could make authentication pluggable. You could provide an extensionpoint that others could use to implement whatever SSO solution they fancy...
In our setup that would probably be a little plugin that would use waffle to get the ticket and hand it on.Sorry I'm not experimented with Kerberos. Once you have the ticket, how would you pass it to perform authenticated HTTP request? Is your proxy expecting to find the ticket in the "Authorization" header? Or should it be set as another header?
Currently we have implemented a Kerberos SSO client against TeamCity-Rest API. Here we use a simple RequestFilter to add an "Authorization" Header based on the Kerberos Token. The Headervalue looks like
"Negotiate <base64encoded-kerberostoken>".
How are the chances of that happening?Depends on the way you pass your ticket (see previous question). If ticket is a replacement for SQ username/password or token (ie passed as a Basic authentication credential) that could be quite easy to do (transparent for sonarlint-core / sonar-ws libraries). If we need to do modifications in the whole stack to support SSO, that's unlikely to happen.
Since this apears indeed to be "quite easy" - would you create an issue for this as well please?
regards,
Jörg
Am Donnerstag, 27. Oktober 2016 10:12:51 UTC+2 schrieb Julien HENRY:Hi guys,I prefer to not create a ticket since I'm 99% sure (never say never :) ) we will not implement that. Going this way we would need to support all SSO protocol (even home made?) in SonarLint. If you take example of oauth / GitHub authentication, this is by nature web based so not applicable in an IDE AFAIK. That's why this concept of user token was introduced. Using its web browser (and SSO) any user can go to it's preference page and generate a token per application.If you are using SonarLint for IntelliJ, there is even a nice button to directly let user to open the token generation page:
So if you think this would help to educate your users, here I'm ready to create a ticket to do the same in SonarLint for Eclipse.
++
Julien
Le jeudi 27 octobre 2016 09:17:38 UTC+2, Jörg Sesterhenn a écrit :Could someone (who has the required rights) create an issue in the sonarsource Jira so that we can vote on it?
TIA
Jörg
Am Mittwoch, 26. Oktober 2016 09:37:24 UTC+2 schrieb Jörg Sesterhenn:Hello,
as suggested by Julien Lancelot in https://jira.sonarsource.com/browse/SONAR-5430 I'd like to bring up this topic, to see if there might be a general interest in a new SSO Feature in SonarLint.
There is now a feature in Sonarqube that allows to generate a token for authentication. The way I see it this is a mere workaround to not have to update my password as often as I should - which is a bad thing.
Starting from Sonarqube 6.2 it is possible to authenticate to Sonarqube Server via RUT (https://jira.sonarsource.com/browse/SONAR-5430).
This enables us to put a proxy in front of Sonarqube that handles Kerberos login with a ticket that is granted at Windows Login. This frees the developers from the constant hassle to authenticate against every piece of build infrastructure.
My proposal: If SonarLint would be able to hand over the Kerberos Ticket to Sonarqube then developers wouldn't have to worry about authentication after Windows Login.
What do you think: Would you use that feature? Are there alternative solutions? (How) do you use them?
Kind regards,
Jörg
--
You received this message because you are subscribed to the Google Groups "SonarQube" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sonarqube+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sonarqube/7620c812-e4e3-4ee9-8fde-c1790b4c7804%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
1. We hand over the kerberos token from SonarLint (as Http-header) to a Kerberos-Valve (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SPNEGO_Valve) in our Http-proxy.
2. The proxy then hands on the authentication as Http-header (RUT) to the Sonarqubeserver.
See, it is totally easy ;-)
How are the chances of that happening?Depends on the way you pass your ticket (see previous question). If ticket is a replacement for SQ username/password or token (ie passed as a Basic authentication credential) that could be quite easy to do (transparent for sonarlint-core / sonar-ws libraries). If we need to do modifications in the whole stack to support SSO, that's unlikely to happen.
[...]