1.3.2.1 Local User auth
Local User auth is a primitive username/password-based auth mechanism. All users and passwords are configured statically.
In general, we recommend configuring one of the other providers instead, but for small deployments with only a few users, local user auth may be all you need.
Authentication
Local users are configured on the web node by setting the following env:
CONCOURSE_ADD_LOCAL_USER=myuser:mypass,anotheruser:anotherpass
This configures two users, myuser and anotheruser, with their corresponding passwords. The literal password can be provided, or a bcrypt hash of the password.
When local users are configured, the log-in page in the web UI will show a username/password prompt.
Local users can also log in via fly login with the --username and --password flags.
Bcrypt Hashing Passwords
Instead of passing in user passwords in plaintext, you can provide Concourse with a bcrypt hash of the passwords.
There aren't any great CLI tools for quickly hashing passwords with bcrypt. Here's a simple Go program that can do the hashing for you.
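package main

import (
	"fmt"
	"log"

	"golang.org/x/crypto/bcrypt"
)

func main() {
	password := []byte("mypass")
	// The second argument is the bcrypt cost; 12 yields a "$2a$12$..." hash.
	hash, err := bcrypt.GenerateFromPassword(password, 12)
	if err != nil {
		log.Fatal(err) // do not print an empty hash if hashing failed
	}
	fmt.Println(string(hash))
}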
Put that in a main.go, then run go run main.go, and it will output a hash for your password. You can run this program in the Go Playground if you want to avoid installing Go.
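Hashing the passwords for the previous example, you would then set CONCOURSE_ADD_LOCAL_USER to the following. When setting it from a shell, keep the single quotes so that the $ characters in the hashes are not expanded: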
CONCOURSE_ADD_LOCAL_USER='myuser:$2a$12$L8Co5QYhD..S1l9mIIVHlucvRjfte4tuymMCk9quln0H/eol16d5W,anotheruser:$2a$12$VWSSfrsTIisf96q7UVsvyOBbrcP88kh5CLtuXYSXGwnSnM3ClKxXu'
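To check which entries of a CONCOURSE_ADD_LOCAL_USER value still carry a literal password, the value can be audited by its layout. This is an added example, not code from Concourse; AuditLocalUsers and Finding are hypothetical names, and the bcrypt check is a format heuristic of this example (it says nothing about how Concourse itself tells the two apart).

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// bcryptRe: "$2a$" (or 2b/2y), a two-digit cost, then 53 salt+digest characters.
var bcryptRe = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)

// Finding describes one user entry of a CONCOURSE_ADD_LOCAL_USER value.
type Finding struct {
	User   string
	Hashed bool // false means the entry carries a literal password
	Cost   int  // bcrypt cost, 0 when not hashed
}

// AuditLocalUsers splits the value on "," and each entry on the first ":".
// Assumption: literal passwords contain no comma. Errors never echo the entry.
func AuditLocalUsers(value string) ([]Finding, error) {
	var out []Finding
	for i, entry := range strings.Split(value, ",") {
		user, secret, ok := strings.Cut(entry, ":")
		if !ok || user == "" || secret == "" {
			return nil, fmt.Errorf("malformed entry at position %d", i)
		}
		f := Finding{User: user}
		if m := bcryptRe.FindStringSubmatch(secret); m != nil {
			f.Hashed = true
			f.Cost, _ = strconv.Atoi(m[1]) // regexp guarantees two digits
		}
		out = append(out, f)
	}
	return out, nil
}

func main() {
	// Constructed sample: one literal password, one value in bcrypt layout.
	sample := "myuser:mypass,anotheruser:$2a$12$" + strings.Repeat("A", 53)
	findings, err := AuditLocalUsers(sample)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-12s hashed=%-5v cost=%d\n", f.User, f.Hashed, f.Cost)
	}
}
```

Run against the constructed sample, it reports myuser as not hashed and anotheruser as hashed with cost 12.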
Authorization
Local users are granted access to teams via fly set-team, using the --local-user flag:
$ fly set-team -n my-team \
    --local-user some_username
...or via --config for setting user roles:
roles:
- name: member
  local:
    users: ["some_username"]