On Jun 20, 2011, at 4:10 PM, Shantanu Pavgi wrote:
On Jun 20, 2011, at 2:40 PM, Nate Coraor wrote:
> Shantanu Pavgi wrote:
>> We have a galaxy server set up using external shibboleth authentication. While we
>> would like to have the site behind an authentication realm, there are instances when our galaxy
>> datasets/histories need to be accessible publicly from other websites. We tried adding an
>> exception to the auth rule for the /datasets path using a Location directive in the apache web server
>> configuration, however the galaxy server returned an error:
>>
>> Access to Galaxy is denied
>> Galaxy is configured to authenticate users via an external method (such as HTTP
>> authentication in Apache), but a username was not provided by the upstream (proxy) server.
>> This is generally due to a misconfiguration in the upstream server.
>>
>> Is there any way to share public histories and datasets when galaxy is using an
>> external authentication mechanism? I have thought about setting up a (fake) anonymous
>> REMOTE_USER variable for the /datasets path, but am not sure whether this is the correct approach.
>> Also, would it require any galaxy code changes? Any thoughts?
> Hi Shantanu,
> That's about all you can do, or modify
> lib/galaxy/web/framework/middleware/remoteuser.py to let these
> connections through. I would suggest the former solution of setting a
> header in Apache, but only set it if the user is not authenticated.
Thanks for the reply Nate. That's helpful.
I did a test by excluding the following URLs from Apache-Shibboleth external authentication
and it seems to be working:
Do I need to exclude any other URLs so that published histories and datasets can be
accessed from remote sites without authentication? Also, will it offer read-only access to
the galaxy interface? Does it expose any job submission, file-uploads or any other
modification/execution operations using web interface?
Also, can we prevent a particular galaxy-user from carrying out certain actions, e.g.
running jobs, file uploads etc.? Since galaxy will create an 'anonymous' user account
based on the REMOTE_USER variable set for unauthenticated requests, I am wondering if such a
locked-down mode will be possible for a particular galaxy-user.
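
The restriction asked about in this thread, sketched as an added example (not part of the thread and not Galaxy's remoteuser.py): a WSGI wrapper that gives a placeholder anonymous identity only to GET/HEAD requests under /datasets and refuses everything else that arrives without an upstream username. The class name, the ANON_USER value and the probe helper are hypothetical.

```python
import posixpath

# Hypothetical names throughout; this is not Galaxy's remoteuser.py.
PUBLIC_PREFIXES = ("/datasets",)      # the only path named in the thread
SAFE_METHODS = {"GET", "HEAD"}        # read-only HTTP methods
ANON_USER = "anonymous@example.org"   # constructed placeholder identity


class AnonymousReadOnly:
    """WSGI wrapper: real users pass through, anonymous is read-only."""

    def __init__(self, app, header="HTTP_REMOTE_USER"):
        self.app = app
        self.header = header

    def _is_public(self, environ):
        # Normalise first so "/datasets/../x" cannot pass the prefix check.
        path = posixpath.normpath(environ.get("PATH_INFO") or "/")
        in_prefix = any(path == p or path.startswith(p + "/")
                        for p in PUBLIC_PREFIXES)
        return in_prefix and environ.get("REQUEST_METHOD") in SAFE_METHODS

    def __call__(self, environ, start_response):
        user = environ.get(self.header)
        # The anonymous name itself never counts as an authenticated user.
        if user and user != ANON_USER:
            return self.app(environ, start_response)
        if self._is_public(environ):
            environ[self.header] = ANON_USER   # tag the request as anonymous
            return self.app(environ, start_response)
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Authentication required\n"]


def probe(method, path, user=None):
    """Run one constructed request; return (status, user the app saw)."""
    seen, status = {}, []

    def inner(environ, start_response):
        seen["user"] = environ.get("HTTP_REMOTE_USER")
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if user:
        environ["HTTP_REMOTE_USER"] = user
    AnonymousReadOnly(inner)(environ, lambda s, h: status.append(s))
    return status[0], seen.get("user")
```

Filtering on method and path only narrows what the anonymous identity can reach; it does not establish that every GET under the prefix is free of side effects.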