Re: [galaxy-dev] Remote User Logout
Hi,

I'm currently using one of those hacks, and it seems to work nicely for the user (Chrome + FF at least) but it does need some messy setting up in Apache and some cunning redirects in place. I've pasted the relevant file fragments below. It's somewhat confounded with my stuff to enable SFTP uploads but hopefully you get the idea and the original explanation on Stackoverflow is pretty good. The remote_user_logout_href is something I got to by trial and error.

Cheers,

TIM

===
% cat /usr/share/galaxy-server/logout/.htaccess
# HaCk based on http://stackoverflow.com/questions/4163122/http-basic-authentication-log-out
# Authname must match the one in ../proxy/.htaccess

AuthType Basic
AuthName Galaxy_Server

AuthUserFile /usr/share/galaxy-server/logout/.htpasswd
Require user logout
===
% cat /usr/share/galaxy-server/logout/.htpasswd
#Password is logout. This is not a secret.
logout:$apr1$0eB1iURY$kwqa0c8tXksbjPQLYqr6s.
===
% cat /usr/share/galaxy-server/proxy/.htaccess
# Security settings for Galaxy proxied via Apache. Note the actual
# proxy config is under /etc/apache2/conf.d/galaxy. If for some
# reason you wanted Apache proxy with internal Galaxy authentication
# then you could remove this file and Apache would no longer insist on
# authentication.
AuthBasicProvider external
AuthExternal pwauth
AuthType Basic
AuthName Galaxy_Server

#I'd like to do this, but it upsets Firefox. Use ErrorDocument instead.
# AuthName "Galaxy Server: \
# Log in with regular username and password. \
# Users need to be in the galaxy system group."

ErrorDocument 401 "<html>\
<title>401 Authorization Required</title>\
<h1>Log-in to Galaxy failed</h1>\
<p>You should have been prompted to log into the Galaxy server. \
You need to give your regular system username and password. \
Please reload this page to try again.</p>\
<p>If this fails, check that you are a member of the galaxy system group, by \
running <code>groups</code> on the command line.</p>\
<p>To add a user, eg. user1, to this group, you may use the command:</p>\
<ul><li><code>sudo usermod -aG galaxy user1</code></li></ul>\
</html>"

# You may want to comment these 2 lines out or to
# change the group required, but users still need to
# be in the galaxy group for SFTP uploads to work properly.
AuthzUnixgroup on
Require group galaxy

# This is needed to tell Galaxy about the remote
# user.
RequestHeader set REMOTE_USER %{RU}e env=RU
RequestHeader unset Authorization env=RU
===
% cat /etc/galaxy-server/universe_wsgi.d/31_apache-proxy.ini
# Settings added by debian-galaxy-apache-proxy to switch Galaxy over to
# authenticating by real user accounts and also permitting uploads.

[app:main]

# Other scripts assume that maildomain is localhost, so you can't just
# change the setting below and expect everything to work.
use_remote_user = True
remote_user_maildomain = localhost

# Users may copy files here directly or upload via SFTP/SCP
ftp_upload_dir = /var/lib/galaxy-server/transfer
ftp_upload_site = *** Transfer files via SCP or SFTP to /var/lib/galaxy-server/transfer/... ***

# There is no neat way to log out a user with Basic Auth, but here is a non-neat way.
# Not yet tested on IE.
remote_user_logout_href = javascript:var r=new XMLHttpRequest();r.onreadystatechange=function(){if(r.readyState==4)window.location.replace('logout.html')};r.open('get','logout.html',true,'logout','logout');r.send();
===

--
Tim Booth <tbooth@ceh.ac.uk>
NERC Environmental Bioinformatics Centre

Centre for Ecology and Hydrology
Maclean Bldg, Benson Lane
Crowmarsh Gifford
Wallingford, England
OX10 8BB

http://nebc.nerc.ac.uk
+44 1491 69 2705
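Browsers cache Basic credentials per realm within an origin, which is why the logout directory has to present the same AuthName as the proxied site before the XHR with logout/logout can overwrite the cached login. As an added example (not part of the original message or of Galaxy; the function names are hypothetical), this Python check parses both .htaccess fragments and reports a realm mismatch or a missing dummy-user rule:

```python
# Added example: checks the conditions the Basic-auth logout hack relies on.

def parse_htaccess(text):
    """Map lower-cased directive name -> list of argument strings.
    Joins backslash-continued lines first, then drops '#' comments."""
    directives, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip().strip('"'))
    return directives

def check_logout_hack(proxy_text, logout_text):
    """Return a list of problems; an empty list means the realms line up."""
    proxy, logout = parse_htaccess(proxy_text), parse_htaccess(logout_text)
    problems = []
    for label, cfg in (("proxy", proxy), ("logout", logout)):
        if [v.lower() for v in cfg.get("authtype", [])] != ["basic"]:
            problems.append(f"{label}: AuthType must be Basic")
    if proxy.get("authname") != logout.get("authname"):
        problems.append(f"AuthName mismatch: proxy={proxy.get('authname')} "
                        f"logout={logout.get('authname')}")
    if not any(r.lower().startswith("user ") for r in logout.get("require", [])):
        problems.append("logout: no 'Require user <dummy>' line")
    return problems

# Fragments taken from the message above (proxy fragment abridged).
PROXY = """\
AuthType Basic
AuthName Galaxy_Server
# AuthName "Galaxy Server: \\
# Log in with regular username and password."
Require group galaxy
"""
LOGOUT = """\
AuthType Basic
AuthName Galaxy_Server
AuthUserFile /usr/share/galaxy-server/logout/.htpasswd
Require user logout
"""
# Constructed broken variant: realm renamed in the logout directory only.
LOGOUT_BAD = LOGOUT.replace("Galaxy_Server", "Galaxy_Logout")

if __name__ == "__main__":
    print(check_logout_hack(PROXY, LOGOUT), check_logout_hack(PROXY, LOGOUT_BAD))
```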
Hi Tim,

Amazing! Thank you for sharing that code. That'll save me some work when I get around to implementing it on my galaxies. I'll add a Wiki page for it later today, lest this knowledge be lost to the mailing list.

Cheers,
Eric

On 01/27/2014 06:27 AM, Tim Booth wrote:
--
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
Hi Eric, Tim,
Hi Tim,
Amazing! Thank you for sharing that code. That'll save me some work when I get around to implementing it on my galaxies. I'll add a Wiki page for it later today, lest this knowledge be lost to the mailing list.
That is an excellent suggestion. I've created a log board entry for it.:

https://wiki.galaxyproject.org/Community/Logs

The first for 2014. Feel free to edit, or send me revisions.

Thanks,

Dave C.

--
http://galaxyproject.org/
http://getgalaxy.org/
http://usegalaxy.org/
http://wiki.galaxyproject.org/
I figured this was as good of a time as any... I moved the AD/LDAP/External authentication out of the Apache Proxy page (who would think to look there?) and into its own page. I added my organisation's information on mod_auth_kerb while I was at it.

That seemed like a reasonable place to put this sort of information. I've also reduced the solution to just the necessary portions, but it would need to be tested by someone.

https://wiki.galaxyproject.org/Admin/Config/ExternalUserDatbases#Logging_out...

I suggest we re-link the community log page to that subsection as it has more related information, if that is amenable to everyone.

On 01/27/2014 11:47 AM, Dave Clements wrote:
Hi Eric, Tim,
Hi Tim,
Amazing! Thank you for sharing that code. That'll save me some work when I get around to implementing it on my galaxies. I'll add a Wiki page for it later today, lest this knowledge be lost to the mailing list.
That is an excellent suggestion. I've created a log board entry for it.:
https://wiki.galaxyproject.org/Community/Logs
The first for 2014. Feel free to edit, or send me revisions.
Thanks,
Dave C.
Cheers,
Eric

--
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
404-692-2048
esr@tamu.edu
Hi Eric,
I figured this was as good of a time as any... I moved the AD/LDAP/External authentication out of the Apache Proxy page (who would think to look there?) and into its own page. I added my organisation's information on mod_auth_kerb while I was at it.
That seemed like a reasonable place to put this sort of information. I've also reduced the solution to just the necessary portions, but it would need to be tested by someone.
https://wiki.galaxyproject.org/Admin/Config/ExternalUserDatbases#Logging_out...
Thanks for updating the admin wiki pages. The admin wiki pages are sprawling and any efforts to keep them current and well organized are *dearly appreciated*.
I suggest we re-link the community log page to that subsection as it has more related information, if that is amenable to everyone.
I've updated

https://wiki.galaxyproject.org/Community/Log/2014/LDAPRemoteUserLogout

and added links to the two wiki pages. I left the content on the log page, although I'm not at all certain that is wise:

The log pages are meant to be a quick and easy way to document stuff and make it easy to find. I think that leaving this log page (mostly) as it was will encourage contribution more than stripping it. Most people are not going to be willing to locate the right pages in the wiki for all their content. However, I'm hoping that if they can just drop content into one, time-stamped, no-commitment-to-keep-it-current, place then they will be way more likely to contribute.

That's my theory anyway. So far, my theory hasn't particularly panned out, but the log board is still less than 2 months old.

Thanks again,

Dave C

--
http://galaxyproject.org/
http://getgalaxy.org/
http://usegalaxy.org/
http://wiki.galaxyproject.org/
participants (3)
- Dave Clements
- Eric Rasche
- Tim Booth