Hi Nate and Shantanu,
Thanks so much for the clear guidance. This works, and sorry I didn't
read the Apache docs properly.
best,
Leandro
On Thu, Jun 30, 2011 at 6:14 AM, Shantanu Pavgi <pavgi(a)uab.edu> wrote:
>
> On Jun 29, 2011, at 12:21 PM, Nate Coraor wrote:
>
> Leandro Hermida wrote:
>
> Hi Shantanu,
>
> In your Apache configuration exactly how did you set up an anonymous
> REMOTE_USER just for specific locations like the /datasets/ path? I'm just
> looking at the Apache docs and the RequestHeader directive has a context of
> the entire VirtualHost and cannot be put into a Location container so I'm
> not sure how to do it.
>
> Hi Leandro,
>
> See the optional 'env=' argument and docs on the same for ways to make
> RequestHeader conditional:
>
> http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
>
> So, depending on the path accessed, you should be able to have
> mod_rewrite set an environment variable specifying which REMOTE_USER
> (real username or fake anonymous user) should be set.
>
> You could also just set it as the anonymous user to start with and then
> use 'RequestHeader set' to overwrite it with the real username in the
> case that a real username is available.
>
> This is all just from glancing at the docs, though, I have not tried any
> of it out, and this sort of Apache trickery is always difficult to get
> right.
>
> --nate
>
>
>
> Leandro,
> The RequestHeader has a context of 'directory' as well, which includes
> <Directory>, <Location>, <Files>, and <Proxy> containers [1]. So you should
> be able to use it in a Location directive.
> The following is a configuration snippet related to what Nate described in his
> earlier response. We are setting the REMOTE_USER variable to anonymous when it's
> not set/empty.
> <Location ~ "/(datasets|history)/">
> AuthType shibboleth
> ShibRequireSession off
> Require shibboleth
> RewriteCond %{LA-U:REMOTE_USER} =""
> RequestHeader set REMOTE_USER "anonymous"
> </Location>
> Hope this helps.
>
> 1. http://httpd.apache.org/docs/current/mod/directive-dict.html#Context
> --
> Shantanu.
>
Leandro,
I realized that the above-mentioned configuration is wrong. It will set RequestHeader to
'anonymous' regardless of authentication status. I think the following config should
work (still testing). In our case it resides outside of the Location directive now. You may
need to adjust it according to your setup:
{{{
# Take the environment variable and set it as a header in the proxy request.
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
# Set RU to anonymous if there is no REMOTE_USER.
# The value is written without quotes so that RU is exactly: anonymous
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} =""
RewriteRule . - [E=RU:anonymous]
# Set RequestHeader
RequestHeader set REMOTE_USER %{RU}e
}}}
--
Shantanu.
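
Nate's second suggestion above (start as the anonymous user, then overwrite with the real username), combined with the 'env=' argument he points to, written out as an added example that is not from the thread. It assumes mod_rewrite, mod_headers and the authentication module are loaded and that the block sits in the VirtualHost that proxies to the backend; the variable name RU is reused from Shantanu's config.

```apache
# Added example, not from the thread. Assumption: server/VirtualHost context,
# with the auth module (e.g. Shibboleth) populating REMOTE_USER when a
# session exists.
RewriteEngine On

# 1. Default: every main request starts out as the anonymous user.
RewriteCond %{IS_SUBREQ} ^false$
RewriteRule . - [E=RU:anonymous]

# 2. Override: if authentication produced a non-empty REMOTE_USER,
#    replace the default with the real username.
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

# 3. Drop any REMOTE_USER header sent by the client, so the backend only
#    ever sees a value chosen by this server.
RequestHeader unset REMOTE_USER

# 4. Forward the header only when RU was actually set (env=RU); the value
#    comes from the RU environment variable.
RequestHeader set REMOTE_USER %{RU}e env=RU
```

With this layout, a request for which RU was never set reaches the backend with no REMOTE_USER header at all, rather than with whatever the client supplied.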