Hi, how can I restrict the access of a Galaxy tool to a specific user in a login-free instance of Galaxy? I see a suggestion in this post http://gmod.827538.n3.nabble.com/Galaxy-Tool-permission-Access-td3348890.htm... but it's really a workaround; I was looking for a cleaner solution... Thanks, Ivan
Hi, in order to restrict the access of a tool to logged-in users I'm trying to use Cheetah for editing the XML config file. I was wondering if a solution like the one below should work. Although no errors are reported while loading the tool, it does not perform the check on the email address and anonymous users still see the tool. Any ideas of what is wrong with this solution? Cheers, I.

<?xml version="1.0"?>
<tool name="RSS site" id="rss1" tool_type="data_source">
    <description>RSS site</description>
    #if $__user_email__ == ""
    <display>You are not authorized to use this tool</display>
    #else
    <command interpreter="python">
        data_source.py $output $__app__.config.output_size_limit
    </command>
    ....
    <options sanitize="False" refresh="True"/>
    #end if
</tool>

-------- Original message --------
Subject: [galaxy-dev] tool restrict access
Date: Mon, 02 Jan 2012 18:36:53 +0100
From: Ivan Merelli <ivan.merelli@itb.cnr.it>
To: galaxy-dev@lists.bx.psu.edu <galaxy-dev@lists.bx.psu.edu>

Hi, how can I restrict the access of a Galaxy tool to a specific user in a login-free instance of Galaxy? I see a suggestion in this post http://gmod.827538.n3.nabble.com/Galaxy-Tool-permission-Access-td3348890.htm... but it's really a workaround; I was looking for a cleaner solution... Thanks, Ivan
Ivan,

#if $__user_email__ == ""
<display>You are not authorized to use this tool</display>
#else
<command interpreter="python">
    data_source.py $output $__app__.config.output_size_limit
</command>

To make this approach work, the email check should go in the command tag.

More information:

If you're looking to require users to login before using any tools, you can use this flag in the universe config file:

# Force everyone to log in (disable anonymous access).
#require_login = False

If you're looking to implement tool-based access control, the best approach is probably to use the same role-based approach that libraries use:

https://bitbucket.org/galaxy/galaxy-central/issue/269/use-galaxy-security-to...

Thanks, J.
Hi Jeremy, thank you for your answer. I followed your hint, modifying (for example) the ucsc_tablebrowser.xml as follows (not sure about the <display> tag to have a simple error message, but this is another problem):

<tool name="UCSC Main" id="ucsc_table_direct1" tool_type="data_source">
    <description>table browser</description>
    <command interpreter="python">
        #if $__user_email__ == ""
        <display>You are not authorized to use this tool</display>
        #else
        data_source.py $output $__app__.config.output_size_limit
        #end if
    </command>
...

and I got the error below, which seems connected to the Cheetah syntax. Any idea of what I'm doing wrong? Cheers, I.

Traceback (most recent call last):
  File "/home/galaxy/galaxy-dist/lib/galaxy/jobs/runners/local.py", line 58, in run_job
    job_wrapper.prepare()
  File "/home/galaxy/galaxy-dist/lib/galaxy/jobs/__init__.py", line 411, in prepare
    self.command_line = self.tool.build_command_line( param_dict )
  File "/home/galaxy/galaxy-dist/lib/galaxy/tools/__init__.py", line 1691, in build_command_line
    command_line = fill_template( self.command, context=param_dict )
  File "/home/galaxy/galaxy-dist/lib/galaxy/util/template.py", line 9, in fill_template
    return str( Template( source=template_text, searchList=[context] ) )
  File "/home/galaxy/galaxy-dist/eggs/Cheetah-2.2.2-py2.5-linux-x86_64-ucs4.egg/Cheetah/Template.py", line 1244, in __init__
    self._compile(source, file, compilerSettings=compilerSettings)
  File "/home/galaxy/galaxy-dist/eggs/Cheetah-2.2.2-py2.5-linux-x86_64-ucs4.egg/Cheetah/Template.py", line 1538, in _compile
    keepRefToGeneratedCode=True)
  File "/home/galaxy/galaxy-dist/eggs/Cheetah-2.2.2-py2.5-linux-x86_64-ucs4.egg/Cheetah/Template.py", line 745, in compile
    compiler.compile()
  File "/home/galaxy/galaxy-dist/eggs/Cheetah-2.2.2-py2.5-linux-x86_64-ucs4.egg/Cheetah/Compiler.py", line 1670, in compile
    self._parser.parse()
  File "/home/galaxy/galaxy-dist/eggs/Cheetah-2.2.2-py2.5-linux-x86_64-ucs4.egg/Cheetah/Parser.py", line 1496, in parse
    self.assertEmptyOpenDirectivesStack()
  File "/home/galaxy/galaxy-dist/eggs/Cheetah-2.2.2-py2.5-linux-x86_64-ucs4.egg/Cheetah/Parser.py", line 2658, in assertEmptyOpenDirectivesStack
    raise ParseError(self, msg=errorMsg)
ParseError: Some #directives are missing their corresponding #end ___ tag: if
Line 2, column 8

Line|Cheetah Code
----|-------------------------------------------------------------
2   |
            ^
Ivan,

<tool name="UCSC Main" id="ucsc_table_direct1" tool_type="data_source">
    <description>table browser</description>
    <command interpreter="python">
        #if $__user_email__ == ""
        <display>You are not authorized to use this tool</display>
        #else
        data_source.py $output $__app__.config.output_size_limit
        #end if
    </command>

... and I got the error below, which seems connected to the cheetah syntax. Any idea of what I'm doing wrong?

As is tradition in python, you need to put semi-colons after conditionals. E.g.

--
#if $__user_email__ == "":
<display>You are not authorized to use this tool</display>
#else:
data_source.py $output $__app__.config.output_size_limit
#end if
--

J.
Hi Jeremy, sorry to bother you again. I did some tests and the problem seems to be not in the semi-colons (the Cheetah manual is not very clear in this sense; I put them in but it did not solve the problem), but in the <display> tag, which is simply incorrect in that position; a call to a Python script is needed instead. Could you suggest how to sketch a simple Python script that prints in the central section of the Galaxy window a message like "you are not authorized to execute this tool"? In this way maintainers of local instances of Galaxy can change the <command> section of the XML tools they want to hide like this:

<command>
    #if $__user_email__ == ""
    not_auth.py
    #else
    data_source.py $output $__app__.config.output_size_limit
    #end if
</command>

Cheers, I.
Could you suggest how to sketch a simple Python script that prints in the central section of the Galaxy window a message like "you are not authorized to execute this tool"?
This isn't possible right now, hence my reference to the open Bitbucket issue regarding this limitation. The best you can do right now is (a) restrict tool access to non-anonymous users or (b) cause the tool not to run by manipulating the command line in the template and, by printing to stderr, cause Galaxy to report the job failed. Best, J.
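Option (b) from the last reply, sketched as an added example (not code from the thread or from Galaxy): a hypothetical `guard.py` wrapper that a tool's `<command>` template would call with `$__user_email__`, failing the job through stderr for anonymous or unlisted users. The script name, the allow-list file and the argument order are assumptions.

```python
#!/usr/bin/env python
"""Hypothetical guard wrapper (not part of Galaxy): run a tool command only
for allow-listed users, otherwise fail the job via stderr + non-zero exit."""
import subprocess
import sys


def normalize(email):
    # Missing or blank values count as anonymous; the thread's template
    # tests $__user_email__ == "" for that case.
    return (email or "").strip().lower()


def is_authorized(email, allowed):
    email = normalize(email)
    return bool(email) and email in {normalize(a) for a in allowed}


def run_guarded(email, allowed, command, err=sys.stderr):
    """Return the exit code the job should end with."""
    if not command:
        err.write("guard: no tool command given\n")
        return 2
    if not is_authorized(email, allowed):
        # Output on stderr is what makes Galaxy report the job as failed.
        err.write("You are not authorized to use this tool\n")
        return 1
    # List-form argv: this wrapper launches the real tool without a shell.
    return subprocess.call(command)


def main(argv):
    # Assumed usage: guard.py EMAIL ALLOWLIST_FILE -- COMMAND [ARGS...]
    if len(argv) < 4 or argv[3] != "--":
        sys.stderr.write("usage: guard.py EMAIL ALLOWLIST -- COMMAND...\n")
        return 2
    with open(argv[2]) as fh:
        # One address per line; blank lines and '#' comments are skipped.
        allowed = [ln for ln in fh if ln.strip() and not ln.startswith("#")]
    return run_guarded(argv[1], allowed, argv[4:])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

As the reply says, this only makes the job fail; the tool itself stays visible to every user.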
participants (2)
- Ivan Merelli
- Jeremy Goecks