On this topic, I'm seeing the following in sentry: A new event has been recorded in Sentry: User logged in as 'none@' externally, but has a cookie as 'esr@DOMAIN' invalidating session I'm /pretty/ sure this is for the history requests from the browser as there were 18 of these. Cheers, Eric On 08/19/2014 01:44 PM, Eric Rasche wrote:
Hi All,
Digging up an ancient thread because it is, once again, relevant to me. As per Iyad's suggestion, we added a special apache conf section for the API access which sets REMOTE_USER, and API access works, but it introduces a whole new set of issues!
History is (now?) accessed through the API, so after switching apache over to providing a 'default' REMOTE_USER value, I can no longer access my histories, every attempt to switch histories generates a new "Unnamed history".
Additionally, history issue aside, this leads us to an issue with bioblend; while we can access and interact with the API, we cannot download datasets through the API, those are served on separate routes, not covered by API access. During download attempts, authentication information is required, and BioBlend returns with a 401 Unauthorized. Upload seems to work just fine though.
Wondering if anyone had suggestions here.
For reference: https://github.com/bgruening/galaxy-ipython/issues/17
Cheers, Eric
On 06/12/2014 09:40 AM, John Chilton wrote:
Hey Eric,
I am pretty sure Iyad's configuration is right - here is a similar config for nginx with some discussion of the API problem
http://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readthedo....
It is fine if it is "empty" it just has to be set and in fact it should use the real remote user if available so the UI elements that target the API without a key continue to function properly (which I guess is slowly becoming all of the UI). This is what that apache config and my nginx config do I believe.
Does this answer your question, do you have lingering concerns?
-John
On Thu, Jun 12, 2014 at 9:24 AM, Eric Rasche <rasche.eric@yandex.ru> wrote: Hi Iyad,
Thanks for posting configs! I'm very curious how this actually works for you.
I'm running the API scripts from the galaxy server itself, and I made requests to http://fqdn/galaxy/, http://localhost:####/, and http://localhost:####/galaxy/
The request to the fqdn unsurprisingly fails as apache answers it, and apache requires authentication. Both of the localhost requests also fail (403), indicating that galaxy was forbidding me due to lack of a REMOTE_USER variable being set:
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server.
- From my tests, I conclude that the routes under /api/ also have the requirement on REMOTE_USER being set. (Maybe a dev can chime in on this?) I'm fairly certain the only way to get the /api/ route to work with the apache config presented is to statically set REMOTE_USER, such that it's always a valid galaxy user. You don't set a static REMOTE_USER variable in your apache config, so when galaxy is serving requests from outside users, in my understanding, the REMOTE_USER var will be unset, and galaxy should refuse to answer it.
Cheers, Eric
On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:
Hi Eric,
It's not broken per se but the documentation is lacking on this front. You need to route your /galaxy/api folder to a proxy that does not require authentication. Maybe this isn't the best way but it works for AAFC's production galaxy. See my apache configuration file below:
# Function for LowerCase conversion used in rewriterule directive RewriteMap lc int:tolower
# Setup the load balancer and force LDAP authentication with group file authorization <Proxy balancer://galaxy-prod/*> BalancerMember http://localhost:60000 BalancerMember http://localhost:60001 BalancerMember http://localhost:60002
# LDAP based authentication AuthName "Galaxy - Login with AAFC credentials" AuthType Basic AuthBasicAuthoritative off AuthBasicProvider ldap
AuthLDAPURL "REDACTED" AuthLDAPBindDN 'REDACTED' AuthLDAPBindPassword "REDACTED"
# File based authorization AuthGroupFile /home/galaxy/permitted_users Require group galaxy-users
RewriteEngine on
# Convert the sAMAccountName to lower case RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}] # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e </Proxy>
<Proxy balancer://galaxy-prod-noauth/*> BalancerMember http://localhost:60000 BalancerMember http://localhost:60001 BalancerMember http://localhost:60002
# Required to allow unauthenticated access # Not clear why this is so Satisfy any </Proxy>
# Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server RewriteCond %{QUERY_STRING} key= RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]
# Bypass authentication for display servers RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC] RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P] # Serve static content directly from apache RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L] # Route all other traffic through the load balancer RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
Regards,
Iyad Kandalaft Microbial Biodiversity Bioinformatics Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire
Canada
960 Carling Ave.| 960 Ave. Carling Ottawa, ON| Ottawa (ON) K1A 0C6 E-mail Address / Adresse courriel Iyad.Kandalaft@agr.gc.ca Telephone | Téléphone 613-759-1228 Facsimile | Télécopieur 613-759-1701 Teletypewriter | Téléimprimeur 613-773-2600 Government of Canada | Gouvernement du Canada
-----Original Message----- From: galaxy-dev-bounces@lists.bx.psu.edu [mailto:galaxy-dev-bounces@lists.bx.psu.edu] On Behalf Of Eric Rasche Sent: Wednesday, June 11, 2014 8:43 PM To: galaxy-dev@lists.bx.psu.edu Subject: [galaxy-dev] bug: API broken under remote_user
https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-...
I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication. running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden. running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
-- Eric Rasche Programmer II Center for Phage Technology Texas A&M University College Station, TX 77843 404-692-2048 <tel:4046922048> esr@tamu.edu <mailto:esr@tamu.edu>