Hi Shantanu,

In your Apache configuration, exactly how did you set up an anonymous REMOTE_USER just for specific locations like the /datasets/ path? I'm just looking at the Apache docs and the RequestHeader directive has a context of the entire VirtualHost and cannot be put into a Location container, so I'm not sure how to do it.


On Wed, Jun 22, 2011 at 9:40 PM, Shantanu Pavgi <pavgi@uab.edu> wrote:

On Jun 20, 2011, at 4:10 PM, Shantanu Pavgi wrote:

> On Jun 20, 2011, at 2:40 PM, Nate Coraor wrote:
>> Shantanu Pavgi wrote:
>>> Hi,
>>> We have a Galaxy server set up using external Shibboleth authentication. While we would like to have the site behind an authentication realm, there are instances when our Galaxy datasets/histories need to be accessible publicly from other websites. We tried adding an exception to the auth rule for the /datasets path using a Location directive in the Apache web server configuration; however, the Galaxy server returned an error:
>>> {{{
>>> Access to Galaxy is denied
>>> Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
>>> }}}
>>> Is there any way to share public histories and datasets when Galaxy is using an external authentication mechanism? I have thought about setting up a (fake) anonymous REMOTE_USER variable for the /datasets path, but I am not sure whether this is the correct approach. Also, would it require any Galaxy code changes? Any thoughts?
>> Hi Shantanu,
>> That's about all you can do, or modify
>> lib/galaxy/web/framework/middleware/remoteuser.py to let these
>> connections through.  I would suggest the former solution of setting a
>> header in Apache, but only set it if the user is not authenticated.
>> --nate
> Thanks for the reply Nate. That's helpful.
> --
> Shantanu.

I did a test by excluding the following URLs from Apache-Shibboleth external authentication and it seems to be working:
- /datasets/
- /u/<username>/h/<history-name>
- /static/ (CSS and JavaScript)

Do I need to exclude any other URLs so that published histories and datasets can be accessed from remote sites without authentication? Also, will it offer read-only access to the Galaxy interface? Does it expose any job submission, file uploads or any other modification/execution operations through the web interface?

Also, can we prevent a particular Galaxy user from carrying out certain actions, e.g. running jobs, file uploads etc.? Since Galaxy will create an 'anonymous' user account based on the REMOTE_USER variable set for unauthenticated requests, I am wondering if such a locked-down mode will be possible for a particular Galaxy user.
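
Added example, not part of the thread and not Galaxy's own remoteuser.py: a WSGI middleware that lets unauthenticated requests through only for GET/HEAD on the three URL groups excluded above, assigns them the anonymous identity, and denies everything else. The class name `RemoteUserGate`, the `anonymous@example.org` identity and the `HTTP_REMOTE_USER` environ key are assumptions made for the example.

```python
import re

# Assumption: these patterns mirror the three URL groups excluded in the thread.
PUBLIC_PATTERNS = [
    re.compile(r"^/datasets/"),
    re.compile(r"^/u/[^/]+/h/[^/]+/?$"),
    re.compile(r"^/static/"),
]
SAFE_METHODS = {"GET", "HEAD"}            # read-only verbs only
ANONYMOUS_USER = "anonymous@example.org"  # hypothetical placeholder identity


class RemoteUserGate:
    """Hypothetical WSGI middleware; not Galaxy's remoteuser.py."""

    def __init__(self, app, header="HTTP_REMOTE_USER"):  # assumed environ key
        self.app = app
        self.header = header

    def decide(self, method, path, remote_user):
        # A real identity from the upstream proxy passes through untouched.
        # The anonymous name itself never counts as a login, so a request
        # carrying it is judged by the same rules as one carrying nothing.
        if remote_user and remote_user != ANONYMOUS_USER:
            return "authenticated"
        public = any(p.match(path) for p in PUBLIC_PATTERNS)
        traversal = ".." in path.split("/")
        if public and method in SAFE_METHODS and not traversal:
            return "anonymous"
        return "deny"

    def __call__(self, environ, start_response):
        verdict = self.decide(environ.get("REQUEST_METHOD", ""),
                              environ.get("PATH_INFO", ""),
                              environ.get(self.header))
        if verdict == "deny":
            body = b"Authentication required\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        if verdict == "anonymous":
            environ[self.header] = ANONYMOUS_USER
        return self.app(environ, start_response)
```

Restricting the anonymous identity to GET/HEAD narrows what it can reach, but whether every GET route under these prefixes is read-only depends on the application and has to be checked there.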

