Hi there, Galaxy newbie here.

I have a brand new v20.01 instance but am having a problem getting user PAM based user logins to work correctly. The problem it seems to me has to do with the service not having sufficient permissions to create a 'new' user account folder because it wants to append our org's email suffix to the folder name instead of just detecting that the correctly named username folder without the suffix in fact already exists (mounted via NFS), and therefore does not need to be created. Note that this mechanism was previously working in v19.05.

Here is the issue:

galaxy.webapps.galaxy.controllers.user DEBUG 2020-04-30 16:25:49,481 [p:86293,w:1,m:0] [uWSGIWorker1Core0] trans.app.config.auth_config_file: /hpc/software/installed/galaxy/20.01/config/auth_conf.xml
galaxy.auth.providers.pam_auth DEBUG 2020-04-30 16:25:49,482 [p:86293,w:1,m:0] [uWSGIWorker1Core0] use username: True use email False email None username sandra
galaxy.auth.providers.pam_auth DEBUG 2020-04-30 16:25:49,482 [p:86293,w:1,m:0] [uWSGIWorker1Core0] PAM auth: will use external helper: False
galaxy.auth.providers.pam_auth DEBUG 2020-04-30 16:25:49,868 [p:86293,w:1,m:0] [uWSGIWorker1Core0] PAM authentication successful for sandra
galaxy.auth.util DEBUG 2020-04-30 16:25:49,873 [p:86293,w:1,m:0] [uWSGIWorker1Core0] Email: sandra@mcri.edu.au, auto-register with username: sandra
galaxy.web.framework.decorators ERROR 2020-04-30 16:25:50,042 [p:86293,w:1,m:0] [uWSGIWorker1Core0] Uncaught exception in exposed API method:
Traceback (most recent call last):
  File "lib/galaxy/web/framework/decorators.py", line 282, in decorator
    rval = func(self, trans, *args, **kwargs)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 122, in login
    return self.__validate_login(trans, payload, **kwd)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 147, in __validate_login
    message, user = self.__autoregistration(trans, login, password)
  File "lib/galaxy/webapps/galaxy/controllers/user.py", line 105, in __autoregistration
    trans.handle_user_login(user)
  File "lib/galaxy/web/framework/webapp.py", line 720, in handle_user_login
    self.user_checks(user)
  File "lib/galaxy/web/framework/webapp.py", line 665, in user_checks
    self.check_user_library_import_dir(user)
  File "lib/galaxy/web/framework/webapp.py", line 657, in check_user_library_import_dir
    safe_makedirs(os.path.join(self.app.config.user_library_import_dir, user.email))
  File "lib/galaxy/util/path/__init__.py", line 114, in safe_makedirs
    makedirs(path)
  File "/hpc/software/installed/galaxy/20.01/.venv/lib64/python3.6/os.py", line 220, in makedirs
    mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/home/sandra@mcri.edu.au'

Here is the auth_conf.xml:

<?xml version="1.0"?>
<auth>
    <authenticator>
        <type>PAM</type>
        <options>
            <auto-register>True</auto-register>
            <maildomain>mcri.edu.au</maildomain>
            <login-use-username>True</login-use-username>
            <pam-service>sshd</pam-service>
        </options>
    </authenticator>
</auth>

FYI in case it's relevant the server's sssd.conf has also been customised to drop the domain suffix.

Any ideas? Is there perhaps some additional config in the v20.01 galaxy.yml that I've missed?

Thanks,

Sandra Maksimovic
Systems Administrator
Information Technology
Murdoch Children's Research Institute
The Royal Children's Hospital, 50 Flemington Road
Parkville, Victoria 3052 Australia
T +61 3 8341 6498
E sandra.maksimovic@mcri.edu.au
W mcri.edu.au <https://www.mcri.edu.au/>
Solution: Disable all user_library_import settings.
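A pre-flight check for the failure in the traceback, as an added example that is not part of the original posts or of Galaxy's code: it repeats the path join shown in `check_user_library_import_dir` (`user_library_import_dir` joined with `user.email`) and reports whether the account running it could create that directory. The function names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile


def nearest_existing(path):
    """Walk up to the first directory that exists; makedirs starts creating there."""
    path = os.path.abspath(path)
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def check_import_dir(import_dir, username, maildomain):
    """Predict the outcome of the per-user directory creation done at login.

    Mirrors the call in the traceback:
    safe_makedirs(os.path.join(user_library_import_dir, user.email))
    """
    email = f"{username}@{maildomain}"        # address given to the auto-registered user
    target = os.path.join(import_dir, email)  # directory the login code asks for
    by_name = os.path.join(import_dir, username)
    anchor = nearest_existing(target)
    creatable = os.access(anchor, os.W_OK | os.X_OK)
    if os.path.isdir(target):
        verdict = "exists"
    elif creatable:
        verdict = "will be created"
    else:
        verdict = "login fails: PermissionError"
    return {
        "target": target,
        "verdict": verdict,
        # A directory named after the bare username is never consulted by that call.
        "username_dir_ignored": os.path.isdir(by_name) and not os.path.isdir(target),
    }


def demo():
    """Constructed layout: a home-like tree that holds only the username directory."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sandra"))
        return check_import_dir(root, "sandra", "mcri.edu.au")


if __name__ == "__main__":
    print(demo())
```

Run it as the Galaxy service account against the configured `user_library_import_dir`. If a working login would require that account to have write access to a shared home tree, point the setting at a dedicated directory or disable it rather than widening permissions.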
participants (1): Sandra Maksimovic