Learn more about the Concourse 4.2.x release
Authentication
Version 4.2.x of Concourse introduces a completely refactored system for authentication.
In contrast to previous releases of Concourse, users are now central to the authentication flow. Instead of logging in as a team, you now log in as a user and can belong to one or more teams. Users can be added to a team by configuring the team's whitelist as described in Configuring Auth.
This is the first step on our march towards full role-based access control.
In addition, it is now much easier to extend Concourse to support more providers. We're leveraging CoreOS's Dex project for all the moving parts, which already supports a ton of providers (Dex calls them "connectors"). The only delta required for Concourse to support a Dex connector is a tiny bit of glue code in our new Skymarshal component to provide higher-level flags for our CLI.
This was a large change and it was pretty difficult to make backwards-compatible.
Breaking Changes in 4.2.x
- There are different flags to pass to the binary distribution, and the BOSH deployment requires manifest changes. Consult Configuring Auth for more information about the binaries, and the Concourse BOSH deployment repo for information about BOSH.
- There is no support for configuring the same provider multiple times (say, multiple GitHub Enterprise instances). The migration will fail when trying to upgrade an instance with teams having different configurations for the same provider. At the moment, you'll have to deploy multiple Concourse instances. This may be something we can support in the future.
- There is no longer support for Bitbucket authentication. However, we do support generic LDAP, OAuth, and OIDC connectors, which you may be able to use instead.
- If you have multiple teams configured with the same basic auth username, the migration will fail. This is because "basic auth" is now gone and in its place is local user configuration. Logging in with basic auth is now actually logging in as the configured user, so there can't be multiple.
- The flags for fly set-team have been split between set-team and concourse web. This is because part of the config is now global.
You may also need to download and install the latest 4.0.0 fly CLI. In the past you would have been able to fly sync your way to the latest version of fly but the new auth in 4.0.0 will cause the old fly to error out.
You should definitely check for these conditions and take a database backup before attempting the upgrade. In practice, our two largest environments upgraded just fine with no intervention required, but if you're not sure, it can't hurt to be careful.
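A pre-upgrade check for the conditions listed above, as an added example rather than Concourse's own tooling. It assumes you have exported each team's auth settings into the list-of-dicts layout shown; the field names and sample values are constructed for illustration and are not Concourse's database schema.

```python
from collections import defaultdict

# Constructed sample: team auth settings exported from a pre-4.x instance.
# The layout and field names are assumptions for this example only.
SAMPLE_TEAMS = [
    {"name": "main", "basic_auth_user": "admin",
     "providers": {"github": {"api_url": "https://ghe-a.example.com/api/v3"}}},
    {"name": "payments", "basic_auth_user": "admin",
     "providers": {"github": {"api_url": "https://ghe-b.example.com/api/v3"}}},
    {"name": "docs", "basic_auth_user": "docs-ci",
     "providers": {"bitbucket": {"client_id": "constructed-id"}}},
    {"name": "infra", "basic_auth_user": None,
     "providers": {"github": {"api_url": "https://ghe-a.example.com/api/v3"}}},
]

REMOVED_PROVIDERS = {"bitbucket"}  # no longer supported, per the list above


def find_upgrade_blockers(teams):
    """Return which of the breaking-change conditions apply to these teams."""
    users = defaultdict(list)    # basic auth username -> team names
    configs = defaultdict(dict)  # provider -> {frozen config: [team names]}
    removed = []                 # (team, provider) pairs needing a new connector

    for team in teams:
        if team.get("basic_auth_user"):
            users[team["basic_auth_user"]].append(team["name"])
        for provider, cfg in team.get("providers", {}).items():
            if provider in REMOVED_PROVIDERS:
                removed.append((team["name"], provider))
                continue
            # Flat string settings are assumed, so the config can be a dict key.
            key = tuple(sorted(cfg.items()))
            configs[provider].setdefault(key, []).append(team["name"])

    return {
        # The same username on several teams would collapse into one local user.
        "shared_basic_auth": {u: t for u, t in users.items() if len(t) > 1},
        # More than one distinct config per provider cannot be migrated.
        "conflicting_providers": {
            p: sorted(map(sorted, by_cfg.values()))
            for p, by_cfg in configs.items() if len(by_cfg) > 1
        },
        "removed_providers": removed,
    }


if __name__ == "__main__":
    for kind, found in find_upgrade_blockers(SAMPLE_TEAMS).items():
        print(kind, found)
```

Any non-empty entry in the result is something to resolve, alongside the database backup, before starting the upgrade.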