MMF-1458 Port SONAR-space docs to embedded docs

6 files changed, 838 insertions, 0 deletions

diff --git a/server/sonar-docs/src/pages/instance-administration/configuring-portfolios-and-applications.md b/server/sonar-docs/src/pages/instance-administration/configuring-portfolios-and-applications.md
new file mode 100644
index 00000000000..c7892295f32
--- /dev/null
+++ b/server/sonar-docs/src/pages/instance-administration/configuring-portfolios-and-applications.md
@@ -0,0 +1,51 @@
+---
+title: Configuring Portfolios and Applications
+url: /instance-administration/configuring-portfolios-and-applications/
+---
+
+*Portfolios and Applications are available as part of the [Enterprise Edition](https://redirect.sonarsource.com/editions/enterprise.html).*
+
+* **UI Path** : **Administration > Configuration > Portfolios**
+* **Permission** : you must have the Global Permission "Administer System" to access this page
+
+The Portfolios management interface allows you to configure both Portfolios and Applications. It is divided into two or three columns. On the left is the list of top-level Portfolios and Applications. If a Portfolio is chosen, two more columns will be shown: sub-Portfolios, and projects. If an Application is chosen, only the projects column will be available.
+
+From here, you can edit or delete an existing Portfolio or Application, or create a new one.
+
+### Creating
+Use the “Create” button at the top-left of the interface to open the creation dialog. You’re required to provide a name. You can optionally specify a description and key. Visibility defaults to Public, but Private may be chosen. Private Portfolios and Applications are only visible to those explicitly granted the right.
+
+### Populating Portfolios
+Once your Portfolio exists, you can populate it with any mix of projects, Applications, and sub-portfolios. Applications may only be populated with projects.
+
+### Adding a Sub-portfolio
+To add a sub-portfolio, click on “Add Portfolio” at the top of the third column, and choose:
+
+* **Standard** - This option allows you to create a new sub-Portfolio from scratch. Once created, you can add projects, applications, and more layers of sub-portfolios.
+* **Local Reference** - This option allows you to reference an existing Portfolio/Application as a sub-portfolio. Once added, it is not editable here, but must be chosen in the left-most column to be edited.
+
+### Adding Projects to a Portfolio
+To add projects directly to a Portfolio or standard sub-Portfolio, first select the Portfolio in the left column, and the sub-Portfolio (if necessary) in the middle column.
+There are four project selection modes:
+
+* **Manual** – choose the projects individually.
+* **Tags** - select one or more project tags. Projects with those tags will automatically be included.
+* **Regular Expression** – specify a regular expression and projects with a matching name OR key will be included.
+* **All Remaining Projects** – choose this option to add all projects not already included in this Portfolio (directly or via sub-Portfolio).
+
+[[info]]
+|**Project unicity under a portfolio**<br/><br/>
+|Projects, applications and sub-portfolios can only appear once in any given hierarchy in order to avoid magnifying their impacts on aggregated ratings. The portfolio configuration interface has some logic to prevent obvious duplications (e.g. manually adding the same project), however in case of more subtle duplications (e.g. due to regex, or other bulk definition), then the calculation of that portfolio will fail with a helpful error message.
+### Populating Applications
+
+Once your application exists, you can populate it with manually-selected projects. By default, the configuration interface shows the list of projects currently selected for the application. To add additional projects, choose the "Unselected" or "All" filter.
+
+### Creating branches
+
+Once your application is populated with projects, you can create application branches by choosing long-lived branches from the application's component projects. This option is available in the Application's **Administration > Edit Definition** interface, or from the global administration interface.
+
+### After Computation
+
+When you launch the Computation, the real work is done on {instance} server side.  
+
+For each Portfolio, a “Background Task” is created and you can follow the progress on each in the **Administration > Projects > Background Tasks** by looking at the logs available for each Portfolio.
diff --git a/server/sonar-docs/src/pages/instance-administration/delegated-auth.md b/server/sonar-docs/src/pages/instance-administration/delegated-auth.md
new file mode 100644
index 00000000000..768f131328b
--- /dev/null
+++ b/server/sonar-docs/src/pages/instance-administration/delegated-auth.md
@@ -0,0 +1,167 @@
+---
+title: Delegating Authentication
+url: /instance-administration/delegated-auth/
+---
+
+## Table of Contents
+
+
+SonarQube comes with an onboard user database, as well as the ability to delegate authentication via HTTP Headers, or LDAP.
+
+## HTTP Header Authentication
+This feature is designed to delegate user authentication to third-party systems (proxies/servers).
+
+When this feature is activated, SonarQube expects that the authentication is handled prior any query reaching the server. 
+The tool that handles the authentication should:
+
+* intercept calls to the SonarQube server
+* take care of the authentication
+* update the HTTP request header with the relevant SonarQube user information
+* re-route the request to SonarQube with the appropriate header information
+
+![HTTP Header Authentication flow](/images/http-header-authentication.png)
+
+All the parameters required to activate and configure this feature are available in SonarQube server configuration file (in _$SONARQUBE_HOME/conf/sonar.properties_).
+
+Using Http header authentication is an easy way integrate your SonarQube deployment with an in-house SSO implementation.
+
+## LDAP Authentication
+You can configure SonarQube authentication and authorization to an LDAP server (including LDAP Service of Active Directory) by configuring the correct values in your _$SONARQUBE_HOME/conf/sonar.properties_ file.
+
+The main features are:
+
+* Password checking against the external authentication engine.
+* Automatic synchronization of usernames and emails.
+* Automatic synchronization of relationships between users and groups (authorization).
+* Ability to authenticate against both the external and the internal authentication systems. There is an automatic fallback on SonarQube internal system if the LDAP server is down.
+* During the first authentication trial, if the user's password is correct, the SonarQube database is automatically populated with the new user. Each time a user logs into SonarQube, the username, the email and the groups this user belongs to that are refreshed in the SonarQube database. You can choose to have group membership synchronized as well, but this is not the default.
+
+
+&nbsp;| Apache DS | OpenLDAP | Open DS | Active Directory
+----|-----------|----------|---------|-----------------
+Anonymous | ![](/images/check.svg) |![](/images/check.svg) |![](/images/check.svg) |  &nbsp;
+Simple|![](/images/check.svg)|![](/images/check.svg)|![](/images/check.svg)|![](/images/check.svg)
+LDAPS|![](/images/check.svg)|![](/images/check.svg)|  |![](/images/check.svg)
+DIGEST-MD5|![](/images/check.svg)|  |![](/images/check.svg)|![](/images/check.svg)
+CRAM-MD5|![](/images/check.svg)|  |![](/images/check.svg)|![](/images/check.svg)
+GSSAPI|![](/images/check.svg)|  |  |  
+![](/images/check.svg) = successfully tested
+
+### Setup
+1. Configure the LDAP plugin by editing the _$SONARQUBE_HOME/conf/sonar.properties_ file (see table below)
+2. Restart the SonarQube server and check the log file for:
+```
+INFO org.sonar.INFO Security realm: LDAP ...
+INFO o.s.p.l.LdapContextFactory Test LDAP connection: OK
+```
+1. Log into SonarQube
+1. On logout users will be presented a login page (_/sessions/login_), where they can choose to login as technical user or a domain user by passing appropriate credentials
+
+From SonarQube Scanners, we recommend using [local technical users](/instance-administration/security/) for authentication against SonarQube Server.
+
+**General Configuration**
+
+Property|Description|Default value|Required|Example
+---|---|---|---|---
+`sonar.security.realm`|Set this to `LDAP` authenticate first against the external sytem. If the external system is not reachable or if the user is not defined in the external system, authentication will be performed against SonarQube's internal database.| none |Yes|`LDAP` (only possible value)
+`sonar.authenticator.downcase`|Set to true when connecting to a LDAP server using a case-insensitive setup.|`false`|No
+`ldap.url`|URL of the LDAP server. If you are using ldaps, you should install the server certificate into the Java truststore.| none |Yes|`ldap://localhost:10389`
+`ldap.bindDn`|The username of an LDAP user to connect (or bind) with. Leave this blank for anonymous access to the LDAP directory.|none|No|`cn=sonar,ou=users,o=mycompany`
+`ldap.bindPassword`|The password of the user to connect with. Leave this blank for anonymous access to the LDAP directory.|none|No|`secret`
+`ldap.authentication`|Possible values: `simple`, `CRAM-MD5`, `DIGEST-MD5`, `GSSAPI`. See [the tutorial on authentication mechanisms](http://java.sun.com/products/jndi/tutorial/ldap/security/auth.html)|`simple`|No
+`ldap.realm`|See [Digest-MD5 Authentication](http://java.sun.com/products/jndi/tutorial/ldap/security/digest.html), [CRAM-MD5 Authentication](http://java.sun.com/products/jndi/tutorial/ldap/security/crammd5.html)| none|No|example.org
+`ldap.contextFactoryClass`|Context factory class.|`com.sun.jndi.ldap.LdapCtxFactory`|No
+`ldap.StartTLS`|Enable use of `StartTLS`|`false`|No
+`ldap.followReferrals`|Follow referrals or not. See [Referrals in the JNDI](http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html)|`true`
+
+**User Mapping**
+
+Property|Description|Default value|Required|Example for Active Directory
+---|---|---|---|---
+`ldap.user.baseDn`|Distinguished Name (DN) of the root node in LDAP from which to search for users.|None|Yes|`cn=users,dc=example,dc=org`
+`ldap.user.request`|LDAP user request.|`(&(objectClass=inetOrgPerson)(uid={login}))`|No|`(&(objectClass=user)(sAMAccountName={login}))`
+`ldap.user.realNameAttribute`|Attribute in LDAP defining the user’s real name.|`cn`|No|  
+`ldap.user.emailAttribute`|Attribute in LDAP defining the user’s email.|`mail`|No| 
+
+**Group Mapping**
+Only [groups](http://identitycontrol.blogspot.fr/2007/07/static-vs-dynamic-ldap-groups.html) are supported (not [roles](http://identitycontrol.blogspot.fr/2007/07/static-vs-dynamic-ldap-groups.html)). Only [static groups](http://identitycontrol.blogspot.fr/2007/07/static-vs-dynamic-ldap-groups.html) are supported (not [dynamic groups](http://identitycontrol.blogspot.fr/2007/07/static-vs-dynamic-ldap-groups.html)).
+
+[[warning]]
+|When group mapping is configured (i.e the below `ldap.group.*` properties are configured), membership in LDAP server will override any membership locally configured in SonarQube. LDAP server becomes the one and only place to manage group membership (and the info is fetched each time the user logs in).
+
+For the delegation of authorization, [groups must be first defined in SonarQube](/instance-administration/security/). Then, the following properties must be defined to allow SonarQube to automatically synchronize the relationships between users and groups.
+
+Property|Description|Default value|Required|Example for Active Directory
+---|---|---|---|---
+`ldap.group.baseDn`|Distinguished Name (DN) of the root node in LDAP from which to search for groups.|none|No|`cn=groups,dc=example,dc=org`
+`ldap.group.request`|LDAP group request.|`(&(objectClass=groupOfUniqueNames)(uniqueMember={dn}))`|No|`(&(objectClass=group)(member={dn}))`
+`ldap.group.idAttribute`|Property used to specifiy the attribute to be used for returning the list of user groups in the compatibility mode.|`cn`|No|`sAMAccountName`
+
+### Sample Configuration
+```
+# LDAP configuration
+# General Configuration
+sonar.security.realm=LDAP
+ldap.url=ldap://myserver.mycompany.com
+ldap.bindDn=my_bind_dn
+ldap.bindPassword=my_bind_password
+  
+# User Configuration
+ldap.user.baseDn=ou=Users,dc=mycompany,dc=com
+ldap.user.request=(&(objectClass=inetOrgPerson)(uid={login}))
+ldap.user.realNameAttribute=cn
+ldap.user.emailAttribute=mail
+ 
+# Group Configuration
+ldap.group.baseDn=ou=Groups,dc=sonarsource,dc=com
+ldap.group.request=(&(objectClass=posixGroup)(memberUid={uid}))
+```
+
+## Advanced LDAP Topics
+### Authentication Methods
+* **`Anonymous`** -  Used when only read-only access to non-protected entries and attributes is needed when binding to the LDAP server.
+* **`Simple`** Simple authentication is not recommended for production deployments not using the ldaps secure protocol since it sends a cleartext password over the network.
+* **`CRAM-MD5`** - The Challenge-Response Authentication Method (CRAM) based on the HMAC-MD5 MAC algorithm ([RFC 2195](http://tools.ietf.org/html/rfc2195)).
+* **`DIGEST-MD5`** - This is an improvement on the CRAM-MD5 authentication method ([RFC 2831](http://www.ietf.org/rfc/rfc2831.txt)).
+* **`GSSAPI`** - GSS-API is Generic Security Service API ([RFC 2744](http://www.ietf.org/rfc/rfc2744.txt)). One of the most popular security services available for GSS-API is the Kerberos v5, used in Microsoft's Windows 2000 platform.
+
+For a full discussion of LDAP authentication approaches, see [RFC 2829](http://www.ietf.org/rfc/rfc2829.txt) and [RFC 2251](http://www.ietf.org/rfc/rfc2251.txt).
+
+### Multiple Servers
+To configure multiple servers:
+```
+# List the different servers
+ldap.servers=server1,server2
+  
+# Configure server1
+ldap.server1.url=ldap://server1:1389
+ldap.server1.user.baseDn=dc=dept1,dc=com
+...
+ 
+# Configure server2
+ldap.server2.url=ldap://server2:1389
+ldap.server2.user.baseDn=dc=dept2,dc=com
+...
+```
+
+Authentication will be tried on each server, in the order they are listed in the configurations, until one succeeds. User/Group mapping will be performed against the first server on which the user is found.
+
+Note that all the LDAP servers must be available while (re)starting the SonarQube server.
+
+### Troubleshooting
+* Detailed connection logs (and potential error codes received from LDAP server) are output to SonarQube's _$SONARQUBE_HOME/logs/web.log_, when logging is in `DEBUG` mode.
+
+* Time out when running SonarQube analysis using LDAP
+Java parameters are documented here: http://docs.oracle.com/javase/jndi/tutorial/ldap/connect/config.html. Such parameters can be set in `sonar.web.javaAdditionalOpts` in _$SONARQUBE_HOME/conf/sonar.properties_.
+
+* Kerberos Troubleshooting resources
+   * [Enabling Kerberos Logging](http://support.microsoft.com/kb/262177/en-us)
+   * [Troubleshooting Kerberos Delegation](https://gallery.technet.microsoft.com/Troubleshooting-Kerberos-72837743)
+* Troubleshooting NTLM
+   * [Enabling NTLM Logging](http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx)
+
+## Authenticating Via Other Systems
+Additionally, several plugins are available to allow delegation to other providers: 
+* Crowd - [SonarQube Crowd Plugin](https://github.com/SonarCommunity/sonar-crowd)
+* GitHub - [GitHub Authentication Plugin](https://redirect.sonarsource.com/plugins/authgithub.html)
+* Bitbucket - [Bitbucket Authentication Plugin](https://github.com/SonarQubeCommunity/sonar-auth-bitbucket)
diff --git a/server/sonar-docs/src/pages/instance-administration/git-integration.md b/server/sonar-docs/src/pages/instance-administration/git-integration.md
new file mode 100644
index 00000000000..aa9a19bde05
--- /dev/null
+++ b/server/sonar-docs/src/pages/instance-administration/git-integration.md
@@ -0,0 +1,27 @@
+---
+title: Git Integration
+url: /instance-administration/git-integration/
+---
+
+[Git](http://www.git-scm.com/) integration is supported out of the box with a pure Java implementation so there's no need to have Git command line tool installed on the machine where analysis is performed.
+
+Auto-detection of Git during analysis will happen if there is a .git folder in the project root directory or in one of its parent folders. Otherwise you can force the provider using `-Dsonar.scm.provider=git`. A full clone is required for this integration to be able to collect the required blame information (see Known Issues). If a shallow clone is detected, a warning will be logged and no attempt will be made to retrieve blame information..
+
+### Known Issues
+
+* Git doesn't consider old "Mac" line ends (CR) as new lines. As a result the blame operation will contain fewer lines than expected by SonarQube and analysis will fail. The solution is to fix line ends to use either Windows (CR/LF) or Unix (LF) line ends.
+* JGit doesn't support .mailmap file to "clean" email adress during the blame
+
+### Advanced information
+The plugin uses [JGit](https://www.eclipse.org/jgit/) 4.9.0. JGit is a pure Java implementation of Git client.
+
+### How to investigate error during blame (only possible on Unix/Linux)?
+
+If you get an error when blame is executed on a file, it may be a limitation or a bug in JGit. To confirm please follow these steps:
+
+1. Download the standalone JGit command line distribution
+
+2. Try to execute the blame command on the offending file:  
+    `chmod +x /path/to/org.eclipse.jgit.pgm-4.9.0.201710071750-r.sh /path/to/org.eclipse.jgit.pgm-4.9.0.201710071750-r.sh blame -w /path/to/offending/file`
+
+3. If you get the same error as during analysis, then this really looks like a bug in JGit (especially if you don't have an issue with the native git command line tool). Please try to do previous steps with latest version of JGit and report all information to the [SonarQube Community Forum](https://community.sonarsource.com/).
diff --git a/server/sonar-docs/src/pages/instance-administration/project-move.md b/server/sonar-docs/src/pages/instance-administration/project-move.md
new file mode 100644
index 00000000000..e4ce1de9219
--- /dev/null
+++ b/server/sonar-docs/src/pages/instance-administration/project-move.md
@@ -0,0 +1,48 @@
+---
+title: Project Move
+url: /instance-administration/project-move/
+---
+
+_Project Move is available as part of [Enterprise Edition](https://redirect.sonarsource.com/editions/enterprise.html)_
+
+## Table of Contents
+
+Project Move allows you to export a project from one SonarQube instance and import it into another, identically configured SonarQube instance. To use Project Move, you must have the Administer permission on the project in the source instance, and access to the file systems of both instances.
+
+## When to Use "Project Move"
+In the following cases:
+
+* you want to create a central SonarQube instance at enterprise level and you want to keep the history created on N instances used previously at the team level
+* your company is acquiring another company that already has a central SonarQube instance
+* an application is transferred from one team to another in a large company and that company has several SonarQube instances
+
+## Prerequisites
+In order to be able to export and then load your Project's data, the two SonarQube instances must have:
+
+* the exact same version
+* the same plugins with the same versions
+* the same custom metrics
+* the same custom rules
+
+## How To Export
+On the source instance:
+* reanalyze the project one last time to make sure it is populated with data corresponding to your current SonarQube installation
+* navigate to the project and at the project level, choose **Administration > Import / Export**
+* click on the **Export** button to generate a zip file containing the settings and history of your Project (but not the source code). Note that if you need to change the Project's key, you must to do it before performing the export.
+
+A zip file containing all project data ex is generated in _$SONAR_SOURCE_HOME/data/governance/project_dumps/export/_ named _<project_key>.zip_
+
+## How To Import
+On the target instance:
+
+* With a user having the "Administer System" and "Create Projects" permissions, go to **[Administration > Projects > Management](/#sonarqube-admin#/admin/projects_management/)** and [provision the project](/project-administration/project-existence/) using the same key the project had in the source instance.
+* Configure the Project's permissions, and the Quality Profiles and Quality Gate associated to the Project
+* Put the generated zip file into the directory _$SONAR_TARGET_HOME/data/governance/project_dumps/import_
+* Go to the Project's Home Page and choose **Administration > Import / Export**
+* Click on the Import button to start importing your data
+** Source code is not included in the zip file. Once the import is finished, trigger an analysis to import source files into the new instance.
+
+Notes:
+
+* If the import is successful, the zip file will automatically be deleted.
+* It is not possible to import a Project that has been already analyzed on the target instance.
diff --git a/server/sonar-docs/src/pages/instance-administration/security.md b/server/sonar-docs/src/pages/instance-administration/security.md
new file mode 100644
index 00000000000..126b989a258
--- /dev/null
+++ b/server/sonar-docs/src/pages/instance-administration/security.md
@@ -0,0 +1,151 @@
+---
+title: Security
+url: /instance-administration/security/
+---
+
+## Table of Contents
+
+## Overview
+
+SonarQube comes with a number of global security features:
+
+* on-board authentication and authorization mechanisms
+* the ability to force users to authenticate before they can see any part of a SonarQube instance
+* the ability to delegate to authentication (for more see [Delegating Authentication](/instance-administration/delegated-auth/))
+
+Additionally, you can configure at a group or user level who can:
+* see that a project even exists
+* access a project's source code 
+* administer a project (set exclusion patterns, tune plugin configuration for that project, etc.)
+* administer Quality Profiles, Quality Gates, and the SonarQube instance itself.
+
+
+Another aspect of security is the encryption of settings such as passwords. SonarQube provides a built-in mechanism to encrypt settings.
+
+## Authentication
+The first question that should be answered when setting the security strategy for SonarQube is: Can anonymous users browse the SonarQube instance or is authentication be required? 
+
+To force user authentication, log in as a system administrator, go to **[Administration > Configuration > General Settings > Security](/#sonarqube-admin#/admin/settings?category=security)**, and set the **Force user authentication** property to true. 
+
+### Authentication Mechanisms
+Authentication can be managed through a number of mechanisms:
+
+* Via the SonarQube built-in users/groups database
+* Via external identity providers such as an LDAP server (including LDAP Service of Active Directory), GitHub etc. See the Authentication & Authorization section of the Plugin Library.
+* Via HTTP headers
+
+### Technical Users
+When you create a user in SonarQube's own database, it is considered local and will only be authenticated against SonarQube's own user/group database rather than against any external tool (LDAP, Active Directory, Crowd, etc.). By default `admin` is a local account.
+
+Similarly, all non-local accounts will be authenticated only against the external tool. 
+
+An Administrator can manage tokens on a user's behalf via **[Administration > Security > Users](/#sonarqube-admin#/admin/users)**. From here, click in the user's **Tokens** column to see the user's existing tokens, and either revoke existing tokens or generate new ones. Once established, a token is the only credential needed to run an analysis. Tokens should be passed as the value of the `sonar.login` property.
+
+### Default Admin Credentials
+When installing SonarQube, a default user with Administer System permission is created automatically:
+
+* Login: admin
+* Password: admin
+
+## Reinstating Admin Access
+If you changed and then lost the `admin` password, you can reset it using the following query:
+```
+update users set crypted_password = '$2a$12$uCkkXmhW5ThVK8mpBvnXOOJRLd64LJeHTeCkSuB3lfaR2N0AYBaSi', salt=null, hash_method='BCRYPT' where login = 'admin'
+```
+If you've deleted `admin` and subsequently locked out the other users with global administrative permissions, you'll need to re-grant `admin` to a user with the following query:
+```
+INSERT INTO user_roles(user_id, role) VALUES ((select id from users where login='mylogin'), 'admin');
+```
+
+## Authorization
+The way authorization is implemented in SonarQube is pretty standard. It is possible to create as many users and groups of users as needed. The users can then be attached (or not) to (multiple) groups. Groups and / or users are then given (multiple) permissions. The permissions grant access to projects, services and functionalities.
+
+To administer groups and users, choose **Administration > Security**, and use the sub-menu items.
+
+### User
+Multiple integrations that allow the delegation of authentication are available (see the [Plugin Library](https://redirect.sonarsource.com/doc/plugin-library.html) and [Other Plugins](https://docs.sonarqube.org/display/PLUG/Other+Plugins), but you can manually create and edit users at **[Settings > Security > Users](/#sonarqube-admin#/admin/users)**. For manually-created users, login and password can be set at creation. Manually-created users can edit their passwords.
+
+During both user creation and edit, you can set an account's screen name, email address. User login and email address will be implicitly recognized by the Issue Assignment feature as SCM accounts if applicable, but you can set additional SCM accounts explicitly. 
+
+### Group
+A group is a set of users.
+
+To administer groups, go to **[Administration > Security > Groups](/#sonarqube-admin#/admin/groups)**.
+
+To edit the membership of a group, click the icon next to the membership total.
+
+Two groups have a special meaning:
+
+* **Anyone** is a group that exists in the system, but that cannot be managed. Every user belongs to this group, including Anonymous user.
+* **sonar-users** is the default group to which users are automatically added.
+
+### Global Permissions
+To set global permissions, log in as a System administrator and go to **[Administration > Security > Global Permissions](/#sonarqube-admin#/admin/permissions)**. 
+
+* **Administer System**: All administration functions for the instance: global configuration.
+* **Administer Quality Profiles**: Any action on quality profiles.
+* **Administer Quality Gates**: Any action on quality gates
+* **Execute Analysis**: Execute analyses (project, view, report, developer), and to get all settings required to perform the analysis, even the secured ones like the scm account password, and so on.
+* **Create Projects**: Initialize the structure of a new project before its first analysis. This permission is also required when doing the very first analysis of a project that has not already been created via the GUI. 
+* **Create Applications**: Create a new Application.
+* **Create Portfolios**: Create a new Portfolio.
+
+### Project Permissions
+Project permissions are available from the project-level Administration menu: **Administration > Permissions**.
+
+Project visibility may be toggled between public or private. Making a project private hides its source code and measures from the `Anyone` group. For both public and private projects, four different permissions can be set:
+
+* **Administer Issues**: Change the type and severity of issues, resolve issues as being "Won't Fix" or "False Positive" (users also need "Browse" permission).
+* **Administer Security Hotspots**: "Detect" (convert) a Vulnerability from a "Security Hotspot", reject, clear, accept or reopen a "Security Hotspot" (users also need "Browse" permission).
+* **Administer**: Access project settings and perform administration tasks (users also need "Browse" permission).
+* **Execute Analysis**: Execute analyses (project, view, report, developer), and to get all settings required to perform the analysis, even the secured ones like the scm account password, the jira account password, and so on.
+
+Private projects have two additional permissions:
+* **Browse**: Access a project, browse its measures, issues and perform some issue edits (confirm/resolve/reopen, assignment, comment).
+* **See Source Code**: View the project's source code.
+
+Note that permissions _are not_ cumulative. For instance, if you want to be able to administer the project, you also have to be granted the Browse permission to be able to access the project (which is the default for Public project).
+
+You can either manually grant permissions for each project to some users and groups or apply permission templates to projects. 
+
+## Permission Templates for Default Permissions
+SonarQube ships with a default permissions template, which automatically grants specific permissions to certain groups when a project, portfolio, or application is created. It is possible to edit this template, and to create additional templates. A separate template can be set for each type of resource. Further, for projects you can have a template apply only to a subset of new projects using a project key regular expression (the template's **Project Key Pattern**). By default, every new project with a key that matches the supplied pattern will have template's permissions applied.
+
+Templates are empty immediately after creation. Clicking on the template name will take you to its permission editing interface.
+
+Templates are administered through **[Administration > Security > Permission Templates](/#sonarqube-admin#/admin/permission_templates)**.
+
+### Creators permissions
+**Creators** is a special group that appears only in the permission template editing interface. Any permissions assigned to this group will at the time of project/portfolio/application creation be granted to the single user account used to create the project. This allows SonarQube administrators to let users autonomously create and administer their own projects.
+
+While templates can be applied after project creation, applying a template that includes "Creators" permissions to an existing project/portfolio/application will not grant the relevant permissions to the project's original creator because that association is not stored.
+
+### Reset project permissions to a template
+To apply permission templates to projects go to **[Administration > Projects > Management](/#sonarqube-admin#/admin/projects_management)**. You can  either apply a template to a specific project using the project-specific **Actions > Apply Permission Template** option or use the Bulk Apply Permission Template to apply a template to all selected projects.
+
+Note that there is no relation between a project and a permission template, meaning that:
+* the permissions of a project can be modified after a permission template has been applied to this project
+* none of the project permissions is changed when a permission template is modified
+
+## Settings Encryption
+Encryption is mostly used to remove clear passwords from settings (database or SCM credentials for instance). The implemented solution is based on a symetric key algorithm. The key point is that the secret key is stored in a secured file on disk. This file must owned by and readable only by the system account that runs the SonarQube server.
+
+The algorithm is AES 128 bits. Note that 256 bits cipher is not used because it's not supported by default on all Java Virtual Machines ([see this article](https://confluence.terena.org/display/~visser/No+256+bit+ciphers+for+Java+apps)).
+
+1. **Generate the secret key**  
+A unique secret key must be shared between all parts of the SonarQube infrastructure (server and analyzers). To generate it, go to **[Administration > Configuration > Encryption](/#sonarqube-admin#/admin/settings/encryption)** and click on Generate Secret Key.
+1. **Store the secret key on the SonarQube server**  
+   * Copy the generated secred key to a file on the machine hosting the SonarQube server. The default location is _~/.sonar/sonar-secret.txt_. If you want to store it somewhere else, set its path through the `sonar.secretKeyPath` property in _$SONARQUBE_HOME/conf/sonar.properties_
+   * Restrict file permissions to the account running the SonarQube server (ownership and read-access only).
+   * Restart your SonarQube server
+1. **Generate the encrypted values of your settings**  
+Go back to **[Administration > Configuration > Encryption](/#sonarqube-admin#/admin/settings/encryption)** and use the form that has been added to the interface to generated encrypted versions of your values.
+![Encrypt values through the admin interface](/images/encrypt-value.png)
+1. **Use the encrypted values in your SonarQube server configuration**  
+Simply copy these encrypted values into `$SONARQUBE_HOME/conf/sonar.properties`
+```
+sonar.jdbc.password={aes}CCGCFg4Xpm6r+PiJb1Swfg==  # Encrypted DB password
+...
+sonar.secretKeyPath=C:/path/to/my/secure/location/my_secret_key.txt
+```
+
diff --git a/server/sonar-docs/src/pages/instance-administration/system-info.md b/server/sonar-docs/src/pages/instance-administration/system-info.md
new file mode 100644
index 00000000000..8598e522599
--- /dev/null
+++ b/server/sonar-docs/src/pages/instance-administration/system-info.md
@@ -0,0 +1,394 @@
+---
+title: Server Logs & System Info
+url: /instance-administration/system-info/
+---
+
+## Table of Contents
+
+The System Info page is found at **[Administration > System](/#sonarqube-admin#/admin/system)**. It gives you access to detailed information on the state of your SonarQube instance. 
+
+## System Info
+You can browse details about your running instance on this page. Additionally, if you have a Support contract, you might be asked by a Support representative to send in your System Info, which can be downloaded from this page using the eponymously named button at the top.
+
+### Server Id
+Your server id can be obtained from this page by expanding the **System** section. If you're running a commercial instance, you can also find this value on the License page (**[Administration > Configuration > License Manager](/#sonarqube-admin#/admin/extension/license/app)**
+
+## Logs
+Server-side logging is controlled by properties set in _$SONARQUBE_HOME/conf/sonar.properties_.
+
+4 logs files are created: one per SonarQube process.
+
+### Log Level
+The server-side log level can be customized via the `sonar.log.level` property. Supported values are:
+
+* **`INFO`** - the default
+* **`DEBUG`** - for advanced logs.
+* **`TRACE`** - show advanced logs and all SQL and Elasticsearch requests. `TRACE` level logging slows down the server environment, and should be used only for tracking web request performance problems.
+
+### Log Level by Process
+The server-side log level can be adjusted more precisely for the 4 processes of SonarQube Server via the following property:
+
+* **`sonar.log.level.app`** - for the Main process of SonarQube (aka WrapperSimpleApp, the bootstrapper process starting the 3 others) 
+* **`sonar.log.level.web`** - for the WebServer
+* **`sonar.log.level.ce`** - for the ComputeEngineServer
+* **`sonar.log.level.es`** - for the SearchServer
+
+### Log Rotation
+To control log rolling, use the `sonar.log.rollingPolicy`
+
+* **`time:[value]`** - for time-based rotation. For example, use `time:yyyy-MM-dd` for daily rotation, and * `time:yyyy-MM` for monthly rotation.
+* **`size:[value]`** - for size-based rotation. For example, `size:10MB`.
+* **`none`** - for no rotation. Typically this would be used when logs are handled by an external system like logrotate.
+
+`sonar.log.maxFiles` is the maximum number of files to keep. This property is ignored if `sonar.log.rollingPolicy=none`.
+
+### UI Access to Logs and Log Levels
+
+The System Info page gives you the ability to download your instance's current log files (log files rotate on a regular basis), and to tune the log level via controls at the top of the page. Changes made here are temporary, and last only until the next time the instance is restarted, at which point the level will be reset to the more permanent value set in _$SONARQUBE_HOME/conf/sonar.properties`. Regardless, if you change your log level _from_ `INFO`, but sure to change it back as soon as is practical; log files can get very large very quickly at lower log levels.
+
+## Total Lines of Code
+
+### SonarQube 6.7 LTS and newer
+The number of Lines of Code (for licensing purposes) in an instance can be found in the **System** section of the System Info page on, and on the License page (**[Administration > Configuration > License Manager](/#sonarqube-admin#/admin/extension/license/app)** in commercial editions. 
+
+If you're on a commercial edition and using Branch or PR analysis, rest assured that only lines from the single largest branch in a project are considered for licensing purposes. The Lines of Code in the rest of the branches are ignored.
+
+### Versions older than 6.7
+The best approach there is to query the database. The actual query varies based on the version of SonarQube and the database engine. Two queries are provided:
+
+* one query that counts LOCs across *all* projects
+& one query that filters out project branches (i.e. projects analysed with the `sonar.branch` parameter). However, this query is accurate only if projects with branches are also analysed once without sonar.branch.
+
+**SonarQube LTS v5.6.x**
+
+[[collapse]]
+| ## MySQL
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+|```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc'
+| and (
+| INSTR(p.kee, ':') = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTR(p.kee, 1, LENGTH(p.kee) - INSTR(REVERSE(p.kee), ':'))
+| ));
+|```
+
+[[collapse]]
+| ## PostgreSQL 8.0-9.0
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| Not feasible on this specific database
+
+[[collapse]]
+| ## PostgreSQL 9.1+
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc'
+| and (
+| POSITION(':' IN p.kee) = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTRING(p.kee, 0, LENGTH(p.kee) - POSITION(':' in REVERSE(p.kee)) + 1)
+| ));
+| ```
+
+[[collapse]]
+| ## Oracle
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc'
+| and (
+| INSTR(p.kee, ':') = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTR(p.kee, 0, INSTR(p.kee, ':', -1) - 1)
+| ));
+| ```
+
+[[collapse]]
+| ## Microsoft SQL Server (a.k.a MSSQL)
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.project_id = p.id
+| inner join project_measures pm on pm.snapshot_id = s.id
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_resource_id is null
+| and pm.person_id is null
+| and m.name='ncloc'
+| and (
+| CHARINDEX(':', p.kee) = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTRING(p.kee, 0, LEN(p.kee) - CHARINDEX(':', REVERSE(p.kee)) + 1 )
+| ));
+| ```
+
+**SonarQube 6.0-6.6**
+[[collapse]]
+| ## MySQL
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc'
+| and (
+| INSTR(p.kee, ':') = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTR(p.kee, 1, LENGTH(p.kee) - INSTR(REVERSE(p.kee), ':'))
+| ));
+| ```
+
+[[collapse]]
+| ## PostgreSQL 8.0-9.0
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| Not feasible on this specific database
+
+
+[[collapse]]
+| ## PostgreSQL 9.1+
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = true
+| and p.enabled = true
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc' and (
+| POSITION(':' IN p.kee) = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTRING(p.kee, 0, LENGTH(p.kee) - POSITION(':' in REVERSE(p.kee)) + 1)
+| ));
+| ```
+
+
+[[collapse]]
+| ## Oracle
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc' 
+| and (
+| INSTR(p.kee, ':') = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTR(p.kee, 0, INSTR(p.kee, ':', -1) - 1)
+| ));
+| ```
+
+
+[[collapse]]
+| ## Microsoft SQL Server (a.k.a. MSSQL)
+| Global LOCs
+| ```
+| select sum(pm.value) as global_loc from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc';
+| ```
+| LOCs without `sonar.branch`
+| ```
+| select sum(pm.value) as loc_without_branch from projects p
+| inner join snapshots s on s.component_uuid = p.uuid
+| inner join project_measures pm on pm.analysis_uuid = s.uuid
+| inner join metrics m on m.id=pm.metric_id
+| where s.islast = 1
+| and p.enabled = 1
+| and p.qualifier = 'TRK'
+| and p.scope = 'PRJ'
+| and p.copy_component_uuid is null
+| and pm.component_uuid = p.uuid
+| and pm.person_id is null
+| and m.name='ncloc' 
+| and (
+| CHARINDEX(':', p.kee) = 0 or not exists(
+| select * from projects p_root where p_root.kee = SUBSTRING(p.kee, 0, LEN(p.kee) - CHARINDEX(':', REVERSE(p.kee)) + 1 )
+| ));
+| ```
+
+