We have Apache set up to authenticate users off our LDAP. If they authenticate correctly, they are then forwarded on through the proxy. What I want is to prevent users from hitting the galaxy URL directly. If they, do I want to automatically redirect them to the proxy. On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu> wrote:
Hi Ryan,
On 10/13/2015 09:50 AM, Ryan G wrote:
Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
Access to Galaxy is denied
That's expected for External User Auth if you don't have the REMOTE_USER header set properly.
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but no shared secret key was provided by the upstream (proxy) server.
Please contact your local Galaxy administrator. The variable |remote_user_secret| and |GX_SECRET| header must be set before you may access Galaxy.
That's fine and all but I'd like to have them redirected to the real login page. Is there a way to do this? I didn't see anything obvious and was thinking of adding a parameter to galaxy.ini and have Galaxy automatically forward them after 5 seconds or so.
What external auth mechanism are you using?
Ryan
On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> wrote:
Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> wrote:
I finally got around to this and all is working well. I submitted 2 patches to remoteuser.py to assist in debugging incorrect set ups.
Last question - When a user logs out, they get the page ""Access to Galaxy user controls is disabled". I've set the remote_user_logout_href parameter to a different website, but they still get the "Access to Galaxy user controls is disabled".
I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I think at that point its too late.
On Tue, Sep 8, 2015 at 4:05 PM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> wrote:
Yes, I have a test server I'm going to check this one. thanks for the link, that's perfect...I'll add some debugging code in here to see what's going on.
On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker <dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>>
wrote:
Do you have a way to verify the "HTTP_MAIL" header is actually being passed through your proxy server?
The problem is that Galaxy still doesn't think it's receiving the expected headers, so there isn't a good way that it can tell you more about what might be going on. If you're able to tweak Galaxy (using a test server) and add a few logging statements the code, this would be good places to check what's going on (print the `environ` dictionary associated with that request, along with self.remote_user_header to see what Galaxy is actually trying to use):
https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/mi...
-Dannon
On Thu, Sep 3, 2015 at 1:51 PM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> wrote:
It turns out our authentication system passes a header 'HTTP_MAIL' which contains the users email address. In galaxy.ini, I have
use_remote_user = True remote_user_header = HTTP_MAIL
After restarting,Galaxy still gives the same error.
On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker <dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>> wrote:
Hi Ryan,
It may be that Galaxy is looking for a different remote user header than your proxy is setting. I believe by default we look for HTTP_REMOTE_USER, but this is configurable in galaxy.ini (so, you could set yours to HTTP_USER there). Let me know if this doesn't sort it out for you and we can dig deeper!
-Dannon
On Mon, Aug 31, 2015 at 3:42 PM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> wrote:
Hi all - I'm trying to use external user authentication with Galaxy. The external authentication passes to Galaxy the username with the mail domain at HTTP_USER.
In galaxy.ini, I enable: use_remote_user = True
When I try to access Galaxy, I get the
message:
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
But nothing in paster.log indicating what the error is.
How do I track this down?
___________________________________________________________
Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at:
http://galaxyproject.org/search/mailinglists/
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
-- Eric Rasche Programmer II
Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/