Hi,
I'm currently using one of those hacks, and it seems to work nicely for the user (Chrome + FF at least) but it does need some messy setting up in Apache and some cunning redirects in place. I've pasted the relevant file fragments below. It's somewhat confounded with my stuff to enable SFTP uploads but hopefully you get the idea and the original explanation on Stackoverflow is pretty good. The remote_user_logout_href is something I got to by trial and error.
Cheers,
TIM
===
% cat /usr/share/galaxy-server/logout/.htaccess # HaCk based on http://stackoverflow.com/questions/4163122/http-basic-authentication-log-out # Authname must match the one in ../proxy/.htaccess
AuthType Basic AuthName Galaxy_Server
AuthUserFile /usr/share/galaxy-server/logout/.htpasswd Require user logout
===
% cat /usr/share/galaxy-server/logout/.htpasswd #Password is logout. This in not a secret. logout:$apr1$0eB1iURY$kwqa0c8tXksbjPQLYqr6s.
===
% cat /usr/share/galaxy-server/proxy/.htaccess # Security settings for Galaxy proxied via Apache. Note the actual # proxy config is under /etc/apache2/conf.d/galaxy. If for some # reason you wanted Apache proxy with internal Galaxy authentication # then you could remove this file and Apache would no longer insist on # authentication. AuthBasicProvider external AuthExternal pwauth AuthType Basic AuthName Galaxy_Server
#I'd like to do this, but it upsets Firefox. Use ErrorDocument instead. # AuthName "Galaxy Server: \ # Log in with regular username and password. \ # Users need to be in the galaxy system group."
ErrorDocument 401 "<html>\ <title>401 Authorization Required</title>\ <h1>Log-in to Galaxy failed</h1>\ <p>You should have been prompted to log into the Galaxy server. \ You need to give your regular system username and password. \ Please reload this page to try again.</p>\ <p>If this fails, check that you are a member of the galaxy system group, by \ running <code>groups</code> on the command line.</p>\ <p>To add a user, eg. user1, to this group, you may use the command:</p>\ <ul><li><code>sudo usermod -aG galaxy user1</code></ul></li>\ </html>"
# You may want to comment these 2 lines out or to # change the group required, but users still need to # be in the galaxy group for SFTP uploads to work properly. AuthzUnixgroup on Require group galaxy
# This is needed to tell Galaxy about the remote # user. RequestHeader set REMOTE_USER %{RU}e env=RU RequestHeader unset Authorization env=RU
===
% cat /etc/galaxy-server/universe_wsgi.d/31_apache-proxy.ini # Settings added by debian-galaxy-apache-proxy to switch Galaxy over to # authenticating by real user accounts and also permitting uploads.
[app:main]
# Other scripts assume that maildomain is localhsot, so you can't just # change the setting below and expect everythig to work. use_remote_user = True remote_user_maildomain = localhost
# Users may copy files here directly or upload via SFTP/SCP ftp_upload_dir = /var/lib/galaxy-server/transfer ftp_upload_site = *** Transfer files via SCP or SFTP to /var/lib/galaxy-server/transfer/... ***
# There is no neat way to log out a user with Basic Auth, but here is a non-neat way. # Not yet tested on IE. remote_user_logout_href = javascript:var r=new XMLHttpRequest();r.onreadystatechange=function(){if(r.readyState==4)window.location.replace('logout.html')};r.open('get','logout.html',true,'logout','logout');r.send();
===
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi Tim,
Amazing! Thank you for sharing that code. That'll save me some work when I get around to implementing it on my galaxies. I'll add a Wiki page for it later today, lest this knowledge be lost to the mailing list.
Cheers, Eric
On 01/27/2014 06:27 AM, Tim Booth wrote:
Hi,
I'm currently using one of those hacks, and it seems to work nicely for the user (Chrome + FF at least) but it does need some messy setting up in Apache and some cunning redirects in place. I've pasted the relevant file fragments below. It's somewhat confounded with my stuff to enable SFTP uploads but hopefully you get the idea and the original explanation on Stackoverflow is pretty good. The remote_user_logout_href is something I got to by trial and error.
Cheers,
TIM
===
% cat /usr/share/galaxy-server/logout/.htaccess # HaCk based on http://stackoverflow.com/questions/4163122/http-basic-authentication-log-out # Authname must match the one in ../proxy/.htaccess
AuthType Basic AuthName Galaxy_Server
AuthUserFile /usr/share/galaxy-server/logout/.htpasswd Require user logout
===
% cat /usr/share/galaxy-server/logout/.htpasswd #Password is logout. This in not a secret. logout:$apr1$0eB1iURY$kwqa0c8tXksbjPQLYqr6s.
===
% cat /usr/share/galaxy-server/proxy/.htaccess # Security settings for Galaxy proxied via Apache. Note the actual # proxy config is under /etc/apache2/conf.d/galaxy. If for some # reason you wanted Apache proxy with internal Galaxy authentication # then you could remove this file and Apache would no longer insist on # authentication. AuthBasicProvider external AuthExternal pwauth AuthType Basic AuthName Galaxy_Server
#I'd like to do this, but it upsets Firefox. Use ErrorDocument instead. # AuthName "Galaxy Server: \ # Log in with regular username and password. \ # Users need to be in the galaxy system group."
ErrorDocument 401 "<html>\
<title>401 Authorization Required</title>\ <h1>Log-in to Galaxy failed</h1>\ <p>You should have been prompted to log into the Galaxy server. \ You need to give your regular system username and password. \ Please reload this page to try again.</p>\ <p>If this fails, check that you are a member of the galaxy system group, by \ running <code>groups</code> on the command line.</p>\ <p>To add a user, eg. user1, to this group, you may use the command:</p>\ <ul><li><code>sudo usermod -aG galaxy user1</code></ul></li>\ </html>"
# You may want to comment these 2 lines out or to # change the group required, but users still need to # be in the galaxy group for SFTP uploads to work properly. AuthzUnixgroup on Require group galaxy
# This is needed to tell Galaxy about the remote # user. RequestHeader set REMOTE_USER %{RU}e env=RU RequestHeader unset Authorization env=RU
===
% cat /etc/galaxy-server/universe_wsgi.d/31_apache-proxy.ini # Settings added by debian-galaxy-apache-proxy to switch Galaxy over to # authenticating by real user accounts and also permitting uploads.
[app:main]
# Other scripts assume that maildomain is localhsot, so you can't just # change the setting below and expect everythig to work. use_remote_user = True remote_user_maildomain = localhost
# Users may copy files here directly or upload via SFTP/SCP ftp_upload_dir = /var/lib/galaxy-server/transfer ftp_upload_site = *** Transfer files via SCP or SFTP to /var/lib/galaxy-server/transfer/... ***
# There is no neat way to log out a user with Basic Auth, but here is a non-neat way. # Not yet tested on IE. remote_user_logout_href = javascript:var r=new XMLHttpRequest();r.onreadystatechange=function(){if(r.readyState==4)window.location.replace('logout.html')};r.open('get','logout.html',true,'logout','logout');r.send();
===
- -- Eric Rasche Programmer II Center for Phage Technology Texas A&M University
Hi Eric, Tim,
Hi Tim,
Amazing! Thank you for sharing that code. That'll save me some work when I get around to implementing it on my galaxies. I'll add a Wiki page for it later today, lest this knowledge be lost to the mailing list.
That is an excellent suggestion. I've created a log board entry for it.:
https://wiki.galaxyproject.org/Community/Logs
The first for 2014. Feel free to edit, or send me revisions.
Thanks,
Dave C.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I figured this was as good of a time as any... I moved the AD/LDAP/External authentication out of the Apache Proxy page (who would think to look there?) and into its own page. I added my organisation's information on mod_auth_kerb while I was at it.
That seemed like a reasonable place to put this sort of information. I've also reduced the solution to just the necessary portions, but it would need to be tested by someone.
https://wiki.galaxyproject.org/Admin/Config/ExternalUserDatbases#Logging_out...
I suggest we re-link the community log page to that subsection as it has more related information, if that is amenable to everyone.
On 01/27/2014 11:47 AM, Dave Clements wrote:
Hi Eric, Tim,
Hi Tim,
Amazing! Thank you for sharing that code. That'll save me some work when I get around to implementing it on my galaxies. I'll add a Wiki page for it later today, lest this knowledge be lost to the mailing list.
That is an excellent suggestion. I've created a log board entry for it.:
https://wiki.galaxyproject.org/Community/Logs
The first for 2014. Feel free to edit, or send me revisions.
Thanks,
Dave C.
Cheers, Eric
- -- Eric Rasche Programmer II Center for Phage Technology Texas A&M University College Station, TX 77843 404-692-2048 tel:4046922048 esr@tamu.edu mailto:esr@tamu.edu
Hi Eric,
I figured this was as good of a time as any... I moved the AD/LDAP/External authentication out of the Apache Proxy page (who would think to look there?) and into its own page. I added my organisation's information on mod_auth_kerb while I was at it.
That seemed like a reasonable place to put this sort of information. I've also reduced the solution to just the necessary portions, but it would need to be tested by someone.
https://wiki.galaxyproject.org/Admin/Config/ExternalUserDatbases#Logging_out...
Thanks for updating the admin wiki pages. The admin wiki pages are
sprawling and any efforts to keep them current and well organized are *dearly appreciated*.
I suggest we re-link the community log page to that subsection as it has more related information, if that is amenable to everyone.
I've updated https://wiki.galaxyproject.org/Community/Log/2014/LDAPRemoteUserLogout and added links to the two wiki pages. I left the content on the log page, although I'm not at all certain that is wise:
The log pages are meant to be a quick and easy way to document stuff and make it easy to find. I think that leaving this log page (mostly) as it was will encourage contribution more than stripping it. Most people are not going to be willing to locate the right pages in the wiki for all their content. However, I'm hoping that if they can just drop content into one, time-stamped, no-commitment-to-keep-it-current, place then they will be way more likely to contribute.
That's my theory anyway. So far, my theory hasn't particularly panned out, but the log board is still less than 2 months old.
Thanks again,
Dave C
galaxy-dev@lists.galaxyproject.org