Hi Alex and Peter, On Nov 24, 2010, at 8:32 PM, Bossers, Alex wrote:
Indeed if you are talking plugging in real tools that require binaries or perl scripts to be installed on the server that might / that is a serious security issue. We had the same discussion internally about a tool we have that allows the load and execution of ANY uploaded R script for testing... That tool will never make it to the production server :)
It might be an option to allow this kind of actions by restricting it to dedicated galaxy admins (as specified in the galaxy universe_wsgi.ini file). I haven't figured out how to restrict tools to this GROUP of users in galaxy though....
Sure, being able to plug in any tool is a security risk, but if I understood correctly, tools published in the 3rd party tool shed need to be approved by the Galaxy team at Penn State. So, I can imagine a system where users can only add approved and signed 3rd party tools from the tool shed. There needs to be a balance between allowing users to experiment as freely as possible - after all most of us are into science :) - and preventing users from destroying the infrastructure. Restricting dynamic tool plugging to admins would be another option, but the less end users need to beg admins for customizations, upgrades, etc., the better! Cheers, Pi
Alex
________________________________________
From: galaxy-dev-bounces@lists.bx.psu.edu [galaxy-dev-bounces@lists.bx.psu.edu] on behalf of Peter [peter@maubp.freeserve.co.uk]
Sent: Wednesday, 24 November 2010 17:04
To: Pieter Neerincx
CC: Galaxy Dev
Subject: Re: [galaxy-dev] dynamic loading of tools?
On Wed, Nov 24, 2010 at 12:13 AM, Pieter Neerincx wrote:
Hi,
I'd love to have the ability to load tools dynamically as it would remove what I experience as the biggest drawback of web portals: in most cases you see 9 out of 10 tools that would be required for a job, but there's always a small piece of the puzzle missing. So you google for another web portal where this missing step is present just to figure out that over there it's another step that is missing.
I don't think the enhancements being discussed will change that (see below).
Bugging sys admins to install that missing piece to complete the workflow is in many cases too much of a hassle, so it would be really nice to be able for end users to plug a web service for example from the BioCatalogue dynamically into Galaxy. Being able to dynamically plug a 3rd party package from the tool shed would also be great, but I can imagine this only works for simple scripts that install easily without too many dependencies.
In my opinion there is no way ordinary Galaxy users should be allowed to install arbitrary Galaxy tools from 3rd party websites. It would be a massive security hole as a malicious Galaxy tool could easily erase all the user data, or worse - if coupled with a security privilege escalation attack, the malicious tool could take over the whole server.
What we are talking about is making it easier for the administrators of a Galaxy instance to install/update/remove tools without restarting Galaxy. I would find this quite useful for testing my own tool wrappers.
So I'm happy to see there's a ticket for this :)... I was just wondering where this ticket is on the priority list? More in general, is there a way to see how the Galaxy team prioritizes tickets? This will influence whether I want to wait for the issue to be solved upstream or whether I'll hack my Galaxy based on the work from the University of Georgia...
I don't see any priority field, but issues on bitbucket can be marked with a target milestone, however that doesn't currently seem to be used for Galaxy: http://bitbucket.org/galaxy/galaxy-central/issues?status=new&status=open
Regards,
Peter
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev
-------------------------------------------------------------
mobile: +31 6 143 66 783
e-mail: pieter.neerincx@gmail.com
skype: pieter.online
-------------------------------------------------------------
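The two gating ideas raised in this thread (Alex's "admins only", as listed in `admin_users` in universe_wsgi.ini, and Pi's "only approved and signed tools for everyone else") can be combined into one install-time check. The following is an added illustration written for this page, not Galaxy code and not the tool shed's actual approval mechanism: the `admin_users` key mirrors the real universe_wsgi.ini setting, while the manifest format, the HMAC-based signing with an admin-held key, and every sample value (config text, key, wrapper contents) are constructed here for the example.

```python
"""Gate dynamic tool installation on an admin allowlist plus a signed approval manifest.

Added illustration for the galaxy-dev thread; not Galaxy code. The manifest
format, the HMAC signing scheme and all sample data are constructed.
"""
import configparser
import hashlib
import hmac
import json

# Constructed stand-in for the relevant lines of universe_wsgi.ini.
SAMPLE_CONFIG = """
[app:main]
admin_users = admin@example.org, alice@example.org
"""

# Constructed: key the instance admin uses to tag the approval manifest.
# In a real deployment it would live in a file readable only by the Galaxy service account.
APPROVAL_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed tool wrapper as fetched from a tool shed, and a copy altered after approval.
APPROVED_WRAPPER = b'<tool id="cat1" name="Concatenate">cat $input > $output</tool>\n'
ALTERED_WRAPPER = b'<tool id="cat1" name="Concatenate">cat $input >> $output</tool>\n'


def admin_users(config_text):
    """Return the set of admin e-mail addresses from universe_wsgi.ini text."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    raw = parser.get("app:main", "admin_users", fallback="")
    return {e.strip().lower() for e in raw.split(",") if e.strip()}


def is_admin(email, config_text=SAMPLE_CONFIG):
    """True if the requester is one of the configured Galaxy admins."""
    return email.strip().lower() in admin_users(config_text)


def sign_manifest(approved, key):
    """Admin side: serialise {tool_id: sha256hex} deterministically and tag it."""
    body = json.dumps(approved, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def load_manifest(signed, key):
    """Install side: reject the manifest unless its tag verifies (constant-time compare)."""
    expected = hmac.new(key, signed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["tag"]):
        raise ValueError("approval manifest failed verification")
    return json.loads(signed["body"])


def may_install(requester, tool_id, wrapper_bytes, signed_manifest,
                key=APPROVAL_KEY, config_text=SAMPLE_CONFIG):
    """Admins may install anything; other users only the exact approved wrapper bytes."""
    if is_admin(requester, config_text):
        return True
    approved = load_manifest(signed_manifest, key)
    digest = hashlib.sha256(wrapper_bytes).hexdigest()
    # Compare against the approved digest for this tool id; unknown ids never match.
    return hmac.compare_digest(approved.get(tool_id, ""), digest)


# Constructed manifest: the admin approved exactly APPROVED_WRAPPER for tool "cat1".
SIGNED_MANIFEST = sign_manifest(
    {"cat1": hashlib.sha256(APPROVED_WRAPPER).hexdigest()}, APPROVAL_KEY)


if __name__ == "__main__":
    print(may_install("bob@example.org", "cat1", APPROVED_WRAPPER, SIGNED_MANIFEST))
    print(may_install("bob@example.org", "cat1", ALTERED_WRAPPER, SIGNED_MANIFEST))
    print(may_install("alice@example.org", "other", ALTERED_WRAPPER, SIGNED_MANIFEST))
```

Hashing the wrapper bytes, rather than trusting the tool id or name, is what makes the approval meaningful: a wrapper that was changed after the admin reviewed it (even by a single character, as in `ALTERED_WRAPPER`) no longer matches, and a manifest whose body was edited fails the tag check before any entry is consulted. The same structure works with a real asymmetric signature from the tool shed in place of the server-side HMAC; the check at install time is unchanged.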