Hi Nate,

I just updated my copy and the changes you pushed are in. However, the auth part is not working still. I added

remote_user_header = 'HTTP_AUTH_USER'

to universe_wsgi.ini and restarted Galaxy. When I hit the site, after logging into the front end proxy server, I get this.

Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

Please contact your local Galaxy administrator.


I am capturing all the header variables in a file, and this is what the contents of the file are after the above DENIED message.

[srv-galaxy@bmigalaxyp1 galaxy-dist]$ cat file.py 
HTTP_X_FORWARDED_SERVER: galaxy.research.cchmc.org
HTTP_COOKIE: galaxysession=c6ca0ddb55be603ac556311ffa6257cd21da46c2083580c93cee9aaaf9c0c67c8e80f388ebf98dff; BIGipServerbmigw-pool=626771722.20480.0000; ObSSOCookie=QF4kYG5VvhHej14EN4XRqPVEgJ7ukfSLFWTmDjibS5YUstElLeDIwcxFAgtZhGi3uJGhh4f6lFQcmAl2B1%2FM%2BptbBKwkCGNQGkJhKhu1Pz4x7bjDOaifC9t%2Fhgy%2FN3FAoXSQUFFg0cVkXnKKhoA5Hxkt%2BcvkQObSn7Mr1Vi0xPakNoRcEC7k%2BhhR3Vp8oGUEkODLotLSAvkPfj8xL0rfzgYuLI3aY8F77M2Sj7vcDiOB03VOiBddelvOqLTHfYwlktQ81MlQq%2BjQPMX5wo9g7DhD7nwtSBgvozJ0VvmNmMfn%2BKvkgEXo8YbyQakY5PXg2pJE6IjUJTF%2FpKOfO5W2IKYzkqbDgicaMjTKq1Q7zr%2BW0BQKzhsEIjhHkneH2NRiIUiriemEbJVVo9nrMsxviT8Hah7X5YZ5kVGjBpX5owA%3D
HTTP_ACCEPT_LANGUAGE: en-us
paste.recursive.include: <paste.recursive.Includer from />
SCRIPT_NAME:
REQUEST_METHOD: GET
PATH_INFO: /
HTTP_ORIGIN: https://login.research.cchmc.org
SERVER_PROTOCOL: HTTP/1.1
QUERY_STRING:
paste.throw_errors: True
CONTENT_LENGTH: 0
weberror.evalexception: <weberror.evalexception.middleware.EvalException object at 0x8d02d50>
HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
HTTP_CONNECTION: Keep-Alive
SERVER_NAME: 0.0.0.0
REMOTE_ADDR: 10.199.194.17
ORGINAL_REMOTE_ADDR: 10.199.92.37
wsgi.url_scheme: http
SERVER_PORT: 8080
paste.recursive.forward: <paste.recursive.Forwarder from />
paste.recursive.script_name:
paste.evalexception: <weberror.evalexception.middleware.EvalException object at 0x8d02d50>
wsgi.input: <socket._fileobject object at 0x8d9eb50 length=0>
HTTP_HOST: galaxy.research.cchmc.org
paste.recursive.include_app_iter: <paste.recursive.IncluderAppIter from />
wsgi.multithread: True
HTTP_CONFVER: 1
HTTP_CACHE_CONTROL: max-age=0
HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
wsgi.version: (1, 0)
HTTP_AUTH_USER: Prakash.Velayutham@cchmc.org
wsgi.run_once: False
wsgi.errors: <galaxy.util.pastescript.serve.LazyWriter object at 0x239db10>
wsgi.multiprocess: False
HTTP_X_FORWARDED_HOST: galaxy.research.cchmc.org
HTTP_X_FORWARDED_FOR: 10.199.194.17
CONTENT_TYPE:
request_id: 34e3f63274a611e3aaf1005056a84587
paste.httpserver.thread_pool: <paste.httpserver.ThreadPool object at 0x8da5750>
ORGINAL_HTTP_HOST: bmigalaxyp1.chmcres.cchmc.org:8080
HTTP_UID: VELGE9
[srv-galaxy@bmigalaxyp1 galaxy-dist]$

Obviously, I am logging in using HTTP_AUTH_USER, which does exist in the file, but auth is not going forward.

Please note that without the recent changes, I was able to change every instance of REMOTE_USER in the source code with AUTH_USER and that worked without issues.

Thanks,
Prakash
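
A check that fits the setup described above, as an added example that is not part of the original message and is not Galaxy's code. It assumes the ini file is read with Python `configparser` semantics, where quote characters stay part of the option value, so a quoted `remote_user_header` names an environ key that never exists. `RemoteUserCheck`, `check`, the trusted-proxy list and the sample values are hypothetical.

```python
import configparser
import ipaddress

# Constructed samples: the option as quoted in the message, and unquoted.
QUOTED_INI = "[app:main]\nremote_user_header = 'HTTP_AUTH_USER'\n"
PLAIN_INI = "[app:main]\nremote_user_header = HTTP_AUTH_USER\n"

# Constructed request environ (values are placeholders, not from the dump).
SAMPLE_ENVIRON = {"REMOTE_ADDR": "10.0.0.5", "HTTP_AUTH_USER": "user@example.org"}


def header_key(ini_text):
    """Return the option value exactly as the ini parser hands it over."""
    cp = configparser.RawConfigParser()
    cp.read_string(ini_text)
    return cp.get("app:main", "remote_user_header", fallback="HTTP_REMOTE_USER")


class RemoteUserCheck:
    """Hypothetical WSGI middleware (not Galaxy's own): accept the username
    from a configured environ key, but only from a trusted proxy address."""

    def __init__(self, app, key, trusted_proxies):
        self.app = app
        self.key = key
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def resolve_user(self, environ):
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
        if not any(peer in net for net in self.trusted):
            return None  # any direct client could have set the header itself
        return environ.get(self.key) or None

    def __call__(self, environ, start_response):
        user = self.resolve_user(environ)
        if user is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Access denied: no username from the upstream proxy\n"]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def check(ini_text, environ=SAMPLE_ENVIRON, proxies=("10.0.0.5",)):
    """Resolve the user the way the middleware would for this config."""
    mw = RemoteUserCheck(lambda e, s: [b"ok"], header_key(ini_text), proxies)
    return mw.resolve_user(dict(environ))
```

`check(QUOTED_INI)` returns `None` even though the header is present in the request, while `check(PLAIN_INI)` returns the username; the same request from an address outside the proxy list is refused in both cases.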

On Jan 3, 2014, at 11:45 AM, Nate Coraor <nate@bx.psu.edu> wrote:

Hi Prakash,

This was not previously possible, but I have added a config option for it:

    https://bitbucket.org/galaxy/galaxy-central/commits/e92e13e9c103cc1f36dff65e1523479bf5cb17ed

If you're running the stable branch, you can apply the changes from this commit manually.

--nate


On Thu, Jan 2, 2014 at 11:09 AM, Jennifer Jackson <jen@bx.psu.edu> wrote:
Hello Prakash,
I am going to move this over to the galaxy-dev@bx.psu.edu mailing list where it will have greater visibility within our development community.
Best,
Jen
Galaxy team
https://wiki.galaxyproject.org/MailingLists#The_lists


On 1/2/14 7:27 AM, Velayutham, Prakash (Prakash) wrote:
Hi,

We have an SSO environment provided by Oracle Fusion products and for some reason, they don't like to send over HTTP_REMOTE_USER as a header variable to downstream servers. I have seen it before with other web sites I have integrated with Oracle Access Manager. Is there a way Galaxy can accept a HEADER variable other than REMOTE_USER for its external authentication?

As an extension:

  • With just enabling HTTP_REMOTE_USER as a header variable from an external authenticator, Galaxy works without any issues. I tried this with a default Apache/mod_ldap/mod_authnz_ldap setup.
  • However, when I mix the Oracle gateways into the mix, things break down.
    • I made OAM send HTTP_AUTH_USER over to Galaxy.
    • I changed all instances of REMOTE_USER to AUTH_USER in the installed location of Galaxy in my server.
    • Authentication works fine, but I get issues with HISTORY part of Galaxy (below), when I access a workflow or basically any part of Galaxy that depends on HISTORY

Error Traceback:

AttributeError: 'NoneType' object has no attribute 'user'
URL: http://xxx.xxx.xxx/dataset/list?sort=-update_time&f-name=All&f-tags=All&f-deleted=False
Module weberror.evalexception.middleware:364 in respond
>>  app_iter = self.application(environ, detect_start_response)
Module paste.recursive:84 in __call__
>>  return self.application(environ, start_response)
Module galaxy.web.framework.middleware.remoteuser:91 in __call__
>>  return self.app( environ, start_response )
Module paste.httpexceptions:633 in __call__
>>  return self.application(environ, start_response)
Module galaxy.web.framework.base:132 in __call__
>>  return self.handle_request( environ, start_response )
Module galaxy.web.framework.base:190 in handle_request
>>  body = method( trans, **kwargs )
Module galaxy.web.framework:98 in decorator
>>  return func( self, trans, *args, **kwargs )
Module galaxy.webapps.galaxy.controllers.dataset:555 in list
>>  status, message = self._copy_datasets( trans, hda_ids, target_histories )
Module galaxy.webapps.galaxy.controllers.dataset:1127 in _copy_datasets
>>  if user != history.user:
AttributeError: 'NoneType' object has no attribute 'user'

Thanks,
Prakash


___________________________________________________________
The Galaxy User list should be used for the discussion of
Galaxy analysis and other features on the public server
at usegalaxy.org.  Please keep all replies on the list by
using "reply all" in your mail client.  For discussion of
local Galaxy instances and the Galaxy source code, please
use the Galaxy Development list:

  http://lists.bx.psu.edu/listinfo/galaxy-dev

To manage your subscriptions to this and other Galaxy lists,
please use the interface at:

  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:

  http://galaxyproject.org/search/mailinglists/

-- 
Jennifer Hillman-Jackson
http://galaxyproject.org
