Integrating Galaxy into our Kerberos auth
Hi everyone

I'm busy integrating Galaxy (installed locally on galaxy.sanbi.ac.za) with our Kerberos authentication. To do this, in the Apache virtualhost configuration, I install mod_auth_kerb and specify:

    <Location />
        AuthType Kerberos
        Krb5Keytab /etc/krb5.keytab
        KrbServiceName http
        KrbAuthRealms SANBI
        Require valid-user
    </Location>

in my virtualhost config.

Now, our Kerberos users show up as <user>@SANBI (SANBI is our realm). Their email addresses are of the form <user>@sanbi.ac.za. So this causes a problem with the default Galaxy config. The solution I've got is to throw away that @SANBI, then set remote_user_maildomain to sanbi.ac.za. And add this to the virtualhost config:

    RewriteEngine on
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e

Note the ^([^@]+)@ - this is different to the (.*) which is on the wiki, and has the effect that %1 in the RewriteRule only contains the <user> part. The remote_user_maildomain is then used to get <user>@sanbi.ac.za. So far this setup seems to work.

BTW, why, in templates/webapps/galaxy/base_panels.mako, does it only show the "Logged in as" if you are not using remote_user? Since user_email is always generated somehow, surely it is safe to show it whether you're logged in via remote_user or not.

And finally, I see that after the first few uploads, there aren't any new sets of slides being put up on the dev2010 page. I'm looking forward to seeing a full set of slides so I can show them to people at SANBI!

Peter
Peter van Heusden wrote:
> Hi everyone
>
> I'm busy integrating Galaxy (installed locally on galaxy.sanbi.ac.za) with our Kerberos authentication. To do this, in the Apache virtualhost configuration, I install mod_auth_kerb and specify:
>
>     <Location />
>         AuthType Kerberos
>         Krb5Keytab /etc/krb5.keytab
>         KrbServiceName http
>         KrbAuthRealms SANBI
>         Require valid-user
>     </Location>
>
> in my virtualhost config.
>
> Now, our Kerberos users show up as <user>@SANBI (SANBI is our realm). Their email addresses are of the form <user>@sanbi.ac.za. So this causes a problem with the default Galaxy config. The solution I've got is to throw away that @SANBI, then set remote_user_maildomain to sanbi.ac.za. And add this to the virtualhost config:
>
>     RewriteEngine on
>     <Proxy http://localhost:8080>
>         Order deny,allow
>         Allow from all
>     </Proxy>
>     RewriteCond %{IS_SUBREQ} ^false$
>     RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@
>     RewriteRule . - [E=RU:%1]
>     RequestHeader set REMOTE_USER %{RU}e
>
> Note the ^([^@]+)@ - this is different to the (.*) which is on the wiki, and has the effect that %1 in the RewriteRule only contains the <user> part. The remote_user_maildomain is then used to get <user>@sanbi.ac.za. So far this setup seems to work.

Great, I can add this example to the wiki. Since authentication is handled entirely outside of Galaxy there's not a lot we can do in Galaxy to handle these sorts of issues.

> BTW, why, in templates/webapps/galaxy/base_panels.mako, does it only show the "Logged in as" if you are not using remote_user? Since user_email is always generated somehow, surely it is safe to show it whether you're logged in via remote_user or not.

Good point, I've changed this in changeset 3854:384c809db93e.

> And finally, I see that after the first few uploads, there aren't any new sets of slides being put up on the dev2010 page. I'm looking forward to seeing a full set of slides so I can show them to people at SANBI!

Sorry about this, I'll coordinate an effort to get everything posted.

--nate
> Peter
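A small model of the mapping discussed in this thread, added here as an example and not taken from Apache, Galaxy or either poster: it compares what %1 holds under the `(.*)` and `^([^@]+)@` conditions for several principal shapes, and adds a stricter, hypothetical `strict_user` check that also pins the realm. The sample principals, the function names and the allowed login-name character set are assumptions.

```python
import re

# Patterns applied to REMOTE_USER by the RewriteCond in the thread.
WIKI_PATTERN = re.compile(r"(.*)")        # the form the post says is on the wiki
POST_PATTERN = re.compile(r"^([^@]+)@")   # the form used in the post


def header_value(pattern, remote_user):
    """Model RewriteCond + RewriteRule [E=RU:%1]: return %1, or None when the
    condition does not match and the RU variable is therefore never set."""
    m = pattern.search(remote_user)
    return m.group(1) if m else None


def strict_user(principal, realm="SANBI"):
    """Hypothetical stricter mapping: accept only <user>@<expected realm>,
    where <user> is a plain login name (assumed charset, no instance part)."""
    m = re.fullmatch(r"([A-Za-z0-9._-]+)@" + re.escape(realm), principal)
    return m.group(1) if m else None


def email_for(user, maildomain="sanbi.ac.za"):
    """The step the post attributes to remote_user_maildomain."""
    return None if user is None else f"{user}@{maildomain}"


# Constructed sample principals, not taken from any real system.
SAMPLES = ["alice@SANBI", "alice@OTHER.REALM", "alice/admin@SANBI", "alice"]

if __name__ == "__main__":
    print(f"{'principal':20}{'wiki %1':20}{'post %1':14}strict email")
    for p in SAMPLES:
        wiki = header_value(WIKI_PATTERN, p)
        post = header_value(POST_PATTERN, p)
        strict = email_for(strict_user(p))
        print(f"{p:20}{wiki!s:20}{post!s:14}{strict}")
```

The second and third rows show that `^([^@]+)@` discards whatever follows the first `@` and keeps any instance part, so the realm restriction has to come from the Kerberos module configuration or from a realm-pinned condition such as the one `strict_user` models.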
Participants (2): Nate Coraor, Peter van Heusden