commit/galaxy-central: natefoo: Change the hardcoding of UCSC servers to a config file option, and remove the dependence on ucsc_display_sites, so any display server can be allowed. If you've modified your remoteuser.py, beware the merge.
1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/7d021b926344/ changeset: 7d021b926344 user: natefoo date: 2012-03-16 16:16:49 summary: Change the hardcoding of UCSC servers to a config file option, and remove the dependence on ucsc_display_sites, so any display server can be allowed. If you've modified your remoteuser.py, beware the merge. affected #: 3 files
diff -r 143abc931cdb507bd1948b80c4078ce51e9e6386 -r 7d021b926344dc5b2766c6c634c5d7c54f2098e7 lib/galaxy/web/buildapp.py
--- a/lib/galaxy/web/buildapp.py
+++ b/lib/galaxy/web/buildapp.py
@@ -183,9 +183,9 @@
 # upstream server
 if asbool(conf.get( 'use_remote_user', False )):
 from galaxy.web.framework.middleware.remoteuser import RemoteUser
- app = RemoteUser( app, maildomain=conf.get( 'remote_user_maildomain', None ),
- ucsc_display_sites=conf.get( 'ucsc_display_sites', [] ),
- admin_users=conf.get( 'admin_users', '' ).split( ',' ) )
+ app = RemoteUser( app, maildomain = conf.get( 'remote_user_maildomain', None ),
+ display_servers = util.listify( conf.get( 'display_servers', '' ) ),
+ admin_users = conf.get( 'admin_users', '' ).split( ',' ) )
 log.debug( "Enabling 'remote user' middleware" )
 # The recursive middleware allows for including requests in other
 # requests or forwarding of requests, all on the server side.
diff -r 143abc931cdb507bd1948b80c4078ce51e9e6386 -r 7d021b926344dc5b2766c6c634c5d7c54f2098e7 lib/galaxy/web/framework/middleware/remoteuser.py
--- a/lib/galaxy/web/framework/middleware/remoteuser.py
+++ b/lib/galaxy/web/framework/middleware/remoteuser.py
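Review bot: In lib/galaxy/web/buildapp.py the re-added `admin_users` argument still uses `.split( ',' )`, which yields `['']` rather than an empty list when the option is unset, so the `admin_users or []` fallback this commit adds in `RemoteUser.__init__` never applies on this path. Parsing it the same way as the new option, `admin_users = util.listify( conf.get( 'admin_users', '' ) ) )`, would keep the two lists consistent, assuming `listify` returns an empty list for an empty string. Neither call visibly strips whitespace, so an entry written as `a, b` would carry a leading space and never match; that fails closed for `display_servers` but deserves a comment. The enclosing function starts and ends outside the hunk.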
@@ -35,42 +35,22 @@
 </html>
 """
-UCSC_MAIN_SERVERS = (
- 'hgw1.cse.ucsc.edu',
- 'hgw2.cse.ucsc.edu',
- 'hgw3.cse.ucsc.edu',
- 'hgw4.cse.ucsc.edu',
- 'hgw5.cse.ucsc.edu',
- 'hgw6.cse.ucsc.edu',
- 'hgw7.cse.ucsc.edu',
- 'hgw8.cse.ucsc.edu',
-)
-UCSC_ARCHAEA_SERVERS = (
- 'lowepub.cse.ucsc.edu',
-)
-
 class RemoteUser( object ):
- def __init__( self, app, maildomain=None, ucsc_display_sites=[], admin_users=[] ):
+ def __init__( self, app, maildomain=None, display_servers=None, admin_users=None ):
 self.app = app
 self.maildomain = maildomain
- self.allow_ucsc_main = False
- self.allow_ucsc_archaea = False
- self.admin_users = admin_users
- if 'main' in ucsc_display_sites or 'test' in ucsc_display_sites:
- self.allow_ucsc_main = True
- if 'archaea' in ucsc_display_sites:
- self.allow_ucsc_archaea = True
+ self.display_servers = display_servers or []
+ self.admin_users = admin_users or []
 def __call__( self, environ, start_response ):
- # Allow through UCSC if the UCSC display links are enabled
- if ( self.allow_ucsc_main or self.allow_ucsc_archaea ) and environ.has_key( 'REMOTE_ADDR' ):
+ # Allow display servers
+ if self.display_servers and environ.has_key( 'REMOTE_ADDR' ):
 try:
 host = socket.gethostbyaddr( environ[ 'REMOTE_ADDR' ] )[0]
 except( socket.error, socket.herror, socket.gaierror, socket.timeout ):
 # in the event of a lookup failure, deny access
 host = None
- if ( self.allow_ucsc_main and host in UCSC_MAIN_SERVERS ) or \
- ( self.allow_ucsc_archaea and host in UCSC_ARCHAEA_SERVERS ):
- environ[ 'HTTP_REMOTE_USER' ] = 'ucsc_browser_display@example.org'
+ if host in self.display_servers:
+ environ[ 'HTTP_REMOTE_USER' ] = 'remote_display_server@%s' % ( self.maildomain or 'example.org' )
 return self.app( environ, start_response )
 # Apache sets REMOTE_USER to the string '(null)' when using the
 # Rewrite* method for passing REMOTE_USER and a user is
diff -r 143abc931cdb507bd1948b80c4078ce51e9e6386 -r 7d021b926344dc5b2766c6c634c5d7c54f2098e7 universe_wsgi.ini.sample
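Review bot: The bypass in `RemoteUser.__call__` (lib/galaxy/web/framework/middleware/remoteuser.py) trusts the name returned by `socket.gethostbyaddr( environ[ 'REMOTE_ADDR' ] )`, and a PTR record is set by whoever controls the reverse zone for that address, so `host in self.display_servers` does not prove the client is one of the listed servers. Now that the list is operator-supplied rather than a fixed set, the lookup should be forward-confirmed before the match, e.g. `if host and environ[ 'REMOTE_ADDR' ] not in socket.gethostbyname_ex( host )[2]: host = None` placed inside the existing `try` so that a failed lookup still denies (this call is IPv4-only). A matching client is then handed to the app for every path as `remote_display_server@<maildomain>`, an identity inside the site's real mail domain; presumably the proxy configuration the sample config refers to narrows which URLs reach this branch, which is worth confirming. `__call__` continues below the hunk.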
--- a/universe_wsgi.ini.sample
+++ b/universe_wsgi.ini.sample
@@ -210,6 +210,20 @@
 # GeneTrack servers: tool-data/shared/genetrack/genetrack_sites.txt
 #genetrack_display_sites = main,test
+# If use_remote_user = True, display application servers will be denied access
+# to Galaxy and so displaying datasets in these sites will fail.
+# display_servers contains a list of hostnames which should be allowed to
+# bypass security to display datasets. Please be aware that there are security
+# implications if this is allowed. More details (including required changes to
+# the proxy server config) are available in the Apache proxy documentation on
+# the wiki.
+#
+# The list of servers in this sample config are for the UCSC Main, Test and
+# Archaea browsers, but the default if left commented is to not allow any
+# display sites to bypass security (you must uncomment the line below to allow
+# them).
+#display_servers = hgw1.cse.ucsc.edu,hgw2.cse.ucsc.edu,hgw3.cse.ucsc.edu,hgw4.cse.ucsc.edu,hgw5.cse.ucsc.edu,hgw6.cse.ucsc.edu,hgw7.cse.ucsc.edu,hgw8.cse.ucsc.edu,lowepub.cse.ucsc.edu
+
 # -- Next gen LIMS interface on top of existing Galaxy Sample/Request management code.
 use_nglims = False
Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.
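Review bot: The new comment block in universe_wsgi.ini.sample says listed hosts "bypass security" but not how a host is recognised, which an operator needs in order to judge the risk. Going by the remoteuser.py change in this commit, the client address is reverse-resolved and the resulting name is compared as an exact string with each entry, so I would add a line such as `# Entries are matched exactly against the reverse-DNS name of the client address; separate them with commas and no spaces.` The "no spaces" part assumes the list parser does not strip whitespace, which is not visible here.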