Basic auth - this is a method of authenticating individual HTTP requests by providing a header like Authorization: Basic <username:password in base64>. Concourse doesn't do this anymore and it's generally considered an insecure and unacceptable way to enforce access control, particularly in enterprise settings.
Local auth - this refers to the virtual 'local connector' used by dex which uses the configured storage backend (postgres, in the case of concourse's embedded dex server) to store usernames and bcrypted passwords, i.e. where dex itself is the identity provider. This is what actually gets configured when you employ the basic-auth.yml operations file.
Solution suggestion
Seems like the most interesting thing about this ops file is a "local user", but it also sets this local user as an owner of the main team.
Renaming the file to something like local-user.yml, local-admin.yml, admin-username-password.yml or local-auth.yml might be nice.
A proper deprecation plan would need to be followed, including updating all the existing references to this file in documentation and standard configurations.
Problem
Basic auth - this is a method of authenticating individual HTTP requests by providing a header like
Authorization: Basic <username:password in base64>. Concourse doesn't do this anymore and it's generally considered an insecure and unacceptable way to enforce access control, particularly in enterprise settings.Local auth - this refers to the virtual 'local connector' used by dex which uses the configured storage backend (postgres, in the case of concourse's embedded dex server) to store usernames and bcrypted passwords, i.e. where dex itself is the identity provider. This is what actually gets configured when you employ the
basic-auth.ymloperations file.Solution suggestion
Seems like the most interesting thing about this ops file is a "local user", but it also sets this local user as an owner of the main team.
Renaming the file to something like
local-user.yml,local-admin.yml,admin-username-password.ymlorlocal-auth.ymlmight be nice.Backwards compatibility will be a key concern because many consumers of this repo have scripts/configuration that follows the instructions from https://docs.pivotal.io/p-concourse/v5/installation/install-concourse-bosh/#deploy-concourse-with-bosh-deploy, or maybe from some official tanzu platform automation docs (I'm less familiar with those).
A proper deprecation plan would need to be followed, including updating all the existing references to this file in documentation and standard configurations.