-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Iyad,
Thanks for posting configs! I'm very curious how this actually works for
you.
I'm running the API scripts from the galaxy server itself, and I made
requests to
http://fqdn/galaxy/,
http://localhost:####/, and
http://localhost:####/galaxy/
The request to the fqdn unsurprisingly fails as apache answers it, and
apache requires authentication. Both of the localhost requests also fail
(403), indicating that galaxy was forbidding me due to lack of a
REMOTE_USER variable being set:
Galaxy is configured to authenticate users via an external method
(such as HTTP authentication in Apache), but a username was not
provided by the upstream (proxy) server.
From my tests, I conclude that the routes under /api/ also have the
requirement on REMOTE_USER being set. (Maybe a dev can chime in on
this?) I'm fairly certain the only way to get the /api/ route to work
with the apache config presented is to statically set REMOTE_USER, such
that it's always a valid galaxy user. You don't set a static REMOTE_USER
variable in your apache config, so when galaxy is serving requests from
outside users, in my understanding, the REMOTE_USER var will be unset,
and galaxy should refuse to answer it.
Cheers,
Eric
On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:
Hi Eric,
It's not broken per se but the documentation is lacking on this front. You need to
route your /galaxy/api folder to a proxy that does not require authentication. Maybe this
isn't the best way but it works for AAFC's production galaxy. See my apache
configuration file below:
--------------------------------------------------------------------------------------
# Map used for lower-case conversion in the RewriteRule directive below
RewriteMap lc int:tolower

# Set up the load balancer and force LDAP authentication with group-file authorization
<Proxy balancer://galaxy-prod/*>
    BalancerMember http://localhost:60000
    BalancerMember http://localhost:60001
    BalancerMember http://localhost:60002

    # LDAP-based authentication
    AuthName "Galaxy - Login with AAFC credentials"
    AuthType Basic
    AuthBasicAuthoritative off
    AuthBasicProvider ldap
    AuthLDAPURL "REDACTED"
    AuthLDAPBindDN 'REDACTED'
    AuthLDAPBindPassword "REDACTED"

    # File-based authorization
    AuthGroupFile /home/galaxy/permitted_users
    Require group galaxy-users

    RewriteEngine on
    # Convert the sAMAccountName to lower case
    RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]
    # Set the REMOTE_USER header to the contents of the LDAP query response's
    # "sAMAccountName" attribute
    RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
</Proxy>

<Proxy balancer://galaxy-prod-noauth/*>
    BalancerMember http://localhost:60000
    BalancerMember http://localhost:60001
    BalancerMember http://localhost:60002
    # Required to allow unauthenticated access
    # Not clear why this is so
    Satisfy any
</Proxy>

# Bypass authentication for the API endpoints when a "key" GET variable is
# provided, by proxying directly to the Galaxy web server
RewriteCond %{QUERY_STRING} key=
RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]

# Bypass authentication for display servers
# (the TestString must be %{HTTP_HOST}; a bare HTTP_HOST compares the literal
# word and would never match)
RewriteCond %{HTTP_HOST} =hgw1.cse.ucsc.edu [OR,NC]
RewriteCond %{HTTP_HOST} =hgw2.cse.ucsc.edu [OR,NC]
RewriteCond %{HTTP_HOST} =hgw3.cse.ucsc.edu [OR,NC]
RewriteCond %{HTTP_HOST} =hgw4.cse.ucsc.edu [OR,NC]
RewriteCond %{HTTP_HOST} =hgw5.cse.ucsc.edu [OR,NC]
RewriteCond %{HTTP_HOST} =hgw7.cse.ucsc.edu [OR,NC]
RewriteCond %{HTTP_HOST} =hgw8.cse.ucsc.edu [NC]
RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]

# Serve static content directly from Apache
RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]

# Route all other traffic through the load balancer
RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
------------------------------------------------------------------------------
Regards,
Iyad Kandalaft
Microbial Biodiversity Bioinformatics
Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
960 Carling Ave.| 960 Ave. Carling
Ottawa, ON| Ottawa (ON) K1A 0C6
E-mail Address / Adresse courriel Iyad.Kandalaft(a)agr.gc.ca
Telephone | Téléphone 613-759-1228
Facsimile | Télécopieur 613-759-1701
Teletypewriter | Téléimprimeur 613-773-2600
Government of Canada | Gouvernement du Canada
-----Original Message-----
From: galaxy-dev-bounces(a)lists.bx.psu.edu [mailto:galaxy-dev-bounces@lists.bx.psu.edu] On
Behalf Of Eric Rasche
Sent: Wednesday, June 11, 2014 8:43 PM
To: galaxy-dev(a)lists.bx.psu.edu
Subject: [galaxy-dev] bug: API broken under remote_user
https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configurati...
I don't know if this is the correct card (it's been a long day and I may be
misreading it) but the API is completely broken under REMOTE_USER authentication.
Running ./scripts/api/display.py {key} http://localhost:8300 returns 403 Forbidden.
Running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required.
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this and other Galaxy lists, please
use the interface at:
http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at:
http://galaxyproject.org/search/mailinglists/
--
Эрик Раше
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
-----END PGP SIGNATURE-----
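To make the two observations in this thread concrete (Eric's 403s from direct localhost requests that carry no REMOTE_USER, and the paths Iyad's Apache configuration sends past LDAP authentication), here is an added example that models the routing decisions of that configuration in Python. It is not code from the galaxy-dev list or from the Galaxy project: `proxy_route()` and `galaxy_remote_user_gate()` are hypothetical modelling functions, the test inputs are constructed, and the Galaxy-side check is written only from the refusal message Eric quoted. One behaviour is an assumption that the posted configuration does not contain: the model drops any REMOTE_USER header the client itself sends before forwarding, so that Galaxy only ever sees the value Apache sets after LDAP authentication (in Apache terms, a `RequestHeader unset REMOTE_USER` on the no-auth pool). It also goes slightly beyond the text by treating an empty `key=` parameter the way the `RewriteCond %{QUERY_STRING} key=` test does.

```python
"""Model of the request routing in the Apache configuration posted above.

Added example for this thread; not code from the galaxy-dev list or the
Galaxy project. proxy_route() reproduces the decisions of the RewriteRules
(static files, the key= bypass for /galaxy/api/, the UCSC display_as bypass,
the LDAP-protected default pool) and galaxy_remote_user_gate() reproduces the
refusal Eric observed when REMOTE_USER is absent. Both are hypothetical
modelling functions; every input used below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Display hosts the posted config sends to the no-auth pool (from the config)
DISPLAY_HOSTS = {"hgw%d.cse.ucsc.edu" % n for n in (1, 2, 3, 4, 5, 7, 8)}

# Wording of the refusal Eric quoted in his reply
REMOTE_USER_ERROR = (
    "Galaxy is configured to authenticate users via an external method "
    "(such as HTTP authentication in Apache), but a username was not "
    "provided by the upstream (proxy) server."
)

STATIC_ROOT = "/home/galaxy/galaxy-dist/static"   # path from the posted config


def proxy_route(url, client_headers, ldap_user=None):
    """Return (destination, forwarded_headers) for one client request.

    destination is a static file path, "galaxy-prod-noauth" (no Apache
    auth), "galaxy-prod" (LDAP auth) or the 401 Apache answers with when
    the protected pool is hit without credentials. ldap_user is the
    sAMAccountName Apache obtained from LDAP, or None when the client did
    not authenticate.
    """
    parts = urlsplit(url)
    path = parts.path
    host = (parts.hostname or "").lower()          # RewriteCond ... [NC]
    # keep_blank_values: the config's `key=` test also matches an empty key
    query = parse_qs(parts.query, keep_blank_values=True)
    # Assumption (not in the posted config): a REMOTE_USER header supplied by
    # the client is dropped on every path, so Galaxy only ever sees the value
    # Apache itself sets after LDAP authentication.
    fwd = {k: v for k, v in client_headers.items() if k.upper() != "REMOTE_USER"}

    # Static content served directly by Apache ([L] rules), most specific first
    m = re.match(r"^/galaxy/static/style/(.*)", path)
    if m:
        return STATIC_ROOT + "/june_2007_style/blue/" + m.group(1), fwd
    m = re.match(r"^/galaxy/static/scripts/(.*)", path)
    if m:
        return STATIC_ROOT + "/scripts/packed/" + m.group(1), fwd
    m = re.match(r"^/galaxy/static/(.*)", path)
    if m:
        return STATIC_ROOT + "/" + m.group(1), fwd
    if path in ("/galaxy/favicon.ico", "/galaxy/robots.txt"):
        return STATIC_ROOT + path[len("/galaxy"):], fwd

    # API bypass: only when a key parameter is present; Galaxy must then
    # validate the key itself, since Apache has authenticated nobody.
    if path.startswith("/galaxy/api/") and "key" in query:
        return "galaxy-prod-noauth", fwd
    # display_as bypass for the listed UCSC hosts
    if path.startswith("/galaxy/root/display_as") and host in DISPLAY_HOSTS:
        return "galaxy-prod-noauth", fwd

    # Everything else: LDAP-authenticated pool, REMOTE_USER set from LDAP
    if ldap_user is None:
        return "401 Authorization Required", fwd
    fwd["REMOTE_USER"] = ldap_user.lower()         # the RewriteMap lc step
    return "galaxy-prod", fwd


def galaxy_remote_user_gate(forwarded_headers):
    """The check Eric hit with use_remote_user: 403 and the quoted message
    when no REMOTE_USER arrives, otherwise 200 and the user name."""
    user = forwarded_headers.get("REMOTE_USER")
    if not user:
        return 403, REMOTE_USER_ERROR
    return 200, user


if __name__ == "__main__":
    # Eric's localhost request: no proxy in front, so no REMOTE_USER, so 403
    print(galaxy_remote_user_gate({}))
    # Iyad's key= bypass: the request lands on the no-auth pool
    print(proxy_route("http://fqdn/galaxy/api/histories?key=abc", {}))
```

Whether a request that reaches the no-auth pool is then accepted inside Galaxy is exactly the question Eric raises, so the model deliberately does not answer it; what it does show is which requests Apache authenticates, which it waves through on the strength of a `key=` parameter alone, and why a REMOTE_USER-only deployment must never let that header arrive from anywhere but the proxy's own `RequestHeader set`.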