Local User Auth
Local User auth is a primitive username/password-based auth mechanism. All users and passwords are configured statically.
In general, we recommend configuring one of the other providers instead, but for small deployments with only a few users, local user auth may be all you need.
Authentication
Local users are configured on the web node by setting the following env:
This configures two users, myuser and anotheruser, with their corresponding passwords. The literal password can be
provided, or a bcrypt hash of the password.
When local users are configured, the log-in page in the web UI will show a username/password prompt.
Local users can also log in via fly login with the --username and
--password flags.
Bcrypt Hashing Passwords
Instead of passing in user passwords in plaintext, you can provide Concourse with a bcrypt hash of the passwords.
There aren't any great CLI tools for quickly hashing passwords with bcrypt. Here's a simple Go program that can do the hashing for you.
package main
import (
"fmt"
"golang.org/x/crypto/bcrypt"
)
func main() {
password := []byte("mypass")
hash, _ := bcrypt.GenerateFromPassword(password, 12)
fmt.Println(string(hash))
}
Put that in a main.go then run go run main.go and it will output a hash for your password. You can run this program
in the Go Playground if you want to avoid installing Go.
Hashing the passwords for the previous example, you would then set CONCOURSE_ADD_LOCAL_USER to the following:
CONCOURSE_ADD_LOCAL_USER='myuser:$2a$12$L8Co5QYhD..S1l9mIIVHlucvRjfte4tuymMCk9quln0H/eol16d5W,anotheruser:$2a$12$VWSSfrsTIisf96q7UVsvyOBbrcP88kh5CLtuXYSXGwnSnM3ClKxXu'
Authorization
Local users are granted access to teams via fly set-team,
using the --local-user flag:
...or via --config for setting user roles:
Configuring main Team Authorization
Local users can be added to the main team authorization config by setting the following env on
the web node:
Multiple users may be specified by comma-separating them.