.. asset:: debian:apt-authentication Category: ``debian:apt-authentication`` ======================================= This asset stores authentication data that can be used by tasks that need to authenticate to an external APT repository, such as :task:`APTMirror`. * Data: * ``auth_scheme`` (string): the authentication scheme; at present this may only be ``basic``, but this field exists in case APT adds other authentication schemes in future * ``name`` (string): the name of these credentials, used to identify the asset in tasks * ``credentials`` (dictionary): secret scheme-dependent credentials For ``auth_scheme: basic``, the ``credentials`` field is as follows: * ``username`` (string) * ``password`` (string) This asset must be in a workspace, and only a single asset with a given name can exist in a given workspace. In task data, the asset may be identified either as ``name`` (in which case it is looked up in the same workspace as the task) or as ``workspace:name`` (in which case it is looked up in the named workspace in the same scope as the task). This asset may be used by the owner of that workspace, or by members of groups to which the ``APT_AUTHENTICATOR`` role has been granted via an ``AssetUsage`` row. To ensure that credentials are not exposed in logs, tasks must take care to provide them to APT using the `apt_auth.conf(5) `__ mechanism. Since Basic authentication is sent in cleartext (see `RFC 7617 `__), APT will only use it with repositories accessed over HTTPS (unless an explicit protocol is specified in ``/etc/apt/auth.conf.d/``, which tasks should not do). Tasks may add their own checks for this in order to provide better error handling.