Re: [galaxy-dev] bug: API broken under remote_user

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server.

Hi Eric, It's not broken per se but the documentation is lacking on this front. You need to route your /galaxy/api folder to a proxy that does not require authentication. Maybe this isn't the best way but it works for AAFC's production galaxy. See my apache configuration file below: -------------------------------------------------------------------------------------- # Function for LowerCase conversion used in rewriterule directive RewriteMap lc int:tolower # Setup the load balancer and force LDAP authentication with group file authorization <Proxy balancer://galaxy-prod/*> BalancerMember http://localhost:60000 BalancerMember http://localhost:60001 BalancerMember http://localhost:60002 # LDAP based authentication AuthName "Galaxy - Login with AAFC credentials" AuthType Basic AuthBasicAuthoritative off AuthBasicProvider ldap AuthLDAPURL "REDACTED" AuthLDAPBindDN 'REDACTED' AuthLDAPBindPassword "REDACTED" # File based authorization AuthGroupFile /home/galaxy/permitted_users Require group galaxy-users RewriteEngine on # Convert the sAMAccountName to lower case RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}] # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e </Proxy> <Proxy balancer://galaxy-prod-noauth/*> BalancerMember http://localhost:60000 BalancerMember http://localhost:60001 BalancerMember http://localhost:60002 # Required to allow unauthenticated access # Not clear why this is so Satisfy any </Proxy> # Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server RewriteCond %{QUERY_STRING} key= RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P] # Bypass authentication for display servers RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC] RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC] RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P] # Serve static content directly from apache RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L] RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L] RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L] RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L] RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L] # Route all other traffic through the load balancer RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P] ------------------------------------------------------------------------------ Regards, Iyad Kandalaft Microbial Biodiversity Bioinformatics Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada 960 Carling Ave.| 960 Ave. Carling Ottawa, ON| Ottawa (ON) K1A 0C6 E-mail Address / Adresse courriel Iyad.Kandalaft(a)agr.gc.ca Telephone | Téléphone 613-759-1228 Facsimile | Télécopieur 613-759-1701 Teletypewriter | Téléimprimeur 613-773-2600 Government of Canada | Gouvernement du Canada -----Original Message----- From: galaxy-dev-bounces(a)lists.bx.psu.edu [mailto:galaxy-dev-bounces@lists.bx.psu.edu] On Behalf Of Eric Rasche Sent: Wednesday, June 11, 2014 8:43 PM To: galaxy-dev(a)lists.bx.psu.edu Subject: [galaxy-dev] bug: API broken under remote_user https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configurati... I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication. running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden. running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/ To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/

-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (GNU/Linux) iQIcBAEBAgAGBQJTmbgwAAoJEMqDXdrsMcpVAVoP/31HFgmBOf4/SbGKpvubjXyP LXKGNqsCVi3TTmWnlnjQDJbZEfA7i045iMIWGPb/wWnDAKiG4kEx6GAx+Uc/F5zj vLmZIpKUSyAl9mvFlHHA4SMpY69lShDssOOL9q7o1NSxfRV+RAZjMKByHPX8mbwf j2bjAuvZHDhqXVjNPD/9ODtDgxSNkxSXSc2rssTkJCqNlWsDsjNGyQj+T7uTIr4f n8Hb/pfSrE7kX+ww02rYBuUSFBtF6EGiJoalF1VGxBvUbTlHHmucZp350epA615C 0sTZxWgY2CHXrDijnkXbAu2xBzjZuOEoQeCQSXHewY8EaLa1pQ7ZxXWUeq02IZww XhNnbpsii3SMoYr8K0TP3bncJcfgQIla4C3J1Sa1qBk7IjeO/meoDTbTmC47/aS3 NR9DwIsqY4BIqbEeUtrkdH1SGuh4iXIQHMLCnfV6KUk7ruDyCfMrECtnh9QJfaME tN84HqdxME38VK3LpsJr6h/r1imft4NnwrGm2XArFWo3329QEF1dVhjccHpkRcu6 QKHOkOeJAchFDHxdz9yI8zUMCR8EdqUTDCbN02zQWVun/x4YDr/JP5gxbGp1sPkM wxwyTCBthsh21WooSW5pqVC7swLh59e/30CwfvnYl+cpGkcZebeo33MW7ck4vgbx LNWgIcYF/PvESHfQtXAg =CNnW -----END PGP SIGNATURE-----