In your Apache configuration, exactly how did you set up an anonymous
REMOTE_USER just for specific locations like the /datasets/ path? I'm just
looking at the Apache docs, and the RequestHeader directive has a context of
the entire VirtualHost and cannot be put into a Location container, so I'm
not sure how to do it.
On Wed, Jun 22, 2011 at 9:40 PM, Shantanu Pavgi <pavgi(a)uab.edu> wrote:
On Jun 20, 2011, at 4:10 PM, Shantanu Pavgi wrote:
> On Jun 20, 2011, at 2:40 PM, Nate Coraor wrote:
>> Shantanu Pavgi wrote:
>>> We have a galaxy server setup using external shibboleth authentication.
>>> While we would like to have site behind authentication realm, there are
>>> instances when our galaxy datasets/histories need to be accessible publicly
>>> from other websites. We tried adding an exception to auth rule for /datasets
>>> path using Location directive in apache web server configuration, however
>>> galaxy server returned an error as:
>>> Access to Galaxy is denied
>>> Galaxy is configured to authenticate users via an external method (such
>>> as HTTP authentication in Apache), but a username was not provided by the
>>> upstream (proxy) server. This is generally due to a misconfiguration in the
>>> Is there any way to share public histories and datasets when galaxy is
>>> using external authentication mechanism? I have thought about setting up
>>> (fake) anonymous REMOTE_USER variable for /datasets path, but not sure
>>> whether this is correct approach. Also, would it require any galaxy code
>>> changes? Any thoughts?
>> Hi Shantanu,
>> That's about all you can do, or modify
>> lib/galaxy/web/framework/middleware/remoteuser.py to let these
>> connections through. I would suggest the former solution of setting a
>> header in Apache, but only set it if the user is not authenticated.
> Thanks for the reply Nate. That's helpful.
I did a test by excluding the following URLs from Apache-Shibboleth external
authentication and it seems to be working:
Do I need to exclude any other URLs so that published histories and
datasets can be accessed from remote sites without authentication? Also,
will it offer read-only access to the galaxy interface? Does it expose any
job submission, file-uploads or any other modification/execution operations
using web interface?
Also, can we prevent a particular galaxy-user from carrying out certain
actions, e.g. running jobs, file uploads etc.? Since galaxy will create an
'anonymous' user account based on the REMOTE_USER variable set for
unauthenticated requests, I am wondering if such a locked-down mode will be
possible for a particular galaxy-user.
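
Added example (not part of the thread, and not Galaxy's remoteuser.py): a minimal WSGI gate sketching the second option Nate mentions, letting unauthenticated requests through only for a public path and only when no upstream user is present. The names `RemoteUserGate`, `is_public`, `probe`, the `HTTP_REMOTE_USER` environ key and the anonymous identity are assumptions made for illustration.

```python
# Added illustration; not Galaxy's remoteuser.py. All names here are hypothetical.
ANON_USER = "anonymous@example.org"   # constructed placeholder identity
PUBLIC_PREFIXES = ("/datasets",)      # the path discussed in the thread
USER_KEY = "HTTP_REMOTE_USER"         # assumed WSGI key for the proxy-set header


def is_public(path):
    """True only for whole-segment matches with no '..' components."""
    if ".." in path.split("/"):
        return False
    return any(path == p or path.startswith(p + "/") for p in PUBLIC_PREFIXES)


class RemoteUserGate:
    """Deny requests without an upstream user, except on public prefixes."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user = environ.get(USER_KEY, "").strip()
        if not user:
            if not is_public(environ.get("PATH_INFO", "")):
                body = b"Access to Galaxy is denied"
                start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                                 ("Content-Length", str(len(body)))])
                return [body]
            # Fallback only when nobody is authenticated, as suggested in the thread.
            environ[USER_KEY] = ANON_USER
        return self.app(environ, start_response)


def probe(path, user=None):
    """Run one constructed request through the gate; return (status, user seen)."""
    seen = {}

    def app(environ, start_response):
        seen["user"] = environ[USER_KEY]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if user:
        environ[USER_KEY] = user
    status = []
    list(RemoteUserGate(app)(environ, lambda s, h: status.append(s)))
    return status[0], seen.get("user")
```

Matching on whole path segments keeps a sibling path such as `/datasets-admin` from inheriting the anonymous identity, and an authenticated user's name is never overwritten by the fallback.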