External User Authentication
On Mon, Aug 31, 2015 at 3:42 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
Hi all - I'm trying to use external user authentication with Galaxy. The external authentication passes to Galaxy the username with the mail domain at HTTP_USER.
In galaxy.ini, I enable: use_remote_user = True
When I try to access Galaxy, I get the message: Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
But nothing in paster.log indicating what the error is.
How do I track this down?
On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker <dannon.baker@gmail.com> wrote:
Hi Ryan,
It may be that Galaxy is looking for a different remote user header than your proxy is setting. I believe by default we look for HTTP_REMOTE_USER, but this is configurable in galaxy.ini (so, you could set yours to HTTP_USER there). Let me know if this doesn't sort it out for you and we can dig deeper!
-Dannon
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
On Thu, Sep 3, 2015 at 1:51 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
It turns out our authentication system passes a header 'HTTP_MAIL' which contains the user's email address. In galaxy.ini, I have
use_remote_user = True
remote_user_header = HTTP_MAIL
After restarting, Galaxy still gives the same error.
On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker <dannon.baker@gmail.com> wrote:
Do you have a way to verify the "HTTP_MAIL" header is actually being passed through your proxy server?
The problem is that Galaxy still doesn't think it's receiving the expected headers, so there isn't a good way that it can tell you more about what might be going on. If you're able to tweak Galaxy (using a test server) and add a few logging statements to the code, this would be a good place to check what's going on (print the `environ` dictionary associated with that request, along with self.remote_user_header to see what Galaxy is actually trying to use):
https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/mi...
-Dannon
On Tue, Sep 8, 2015 at 4:05 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
Yes, I have a test server I'm going to check this one. Thanks for the link, that's perfect...I'll add some debugging code in here to see what's going on.
On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
I finally got around to this and all is working well. I submitted 2 patches to remoteuser.py to assist in debugging incorrect set ups.
Last question - When a user logs out, they get the page "Access to Galaxy user controls is disabled". I've set the remote_user_logout_href parameter to a different website, but they still get the "Access to Galaxy user controls is disabled".
I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I think at that point it's too late.
On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <ngsbioinformatics@gmail.com> wrote:
Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
On 10/13/2015 09:50 AM, Ryan G wrote:
Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but no shared secret key was provided by the upstream (proxy) server.
Please contact your local Galaxy administrator. The variable remote_user_secret and GX_SECRET header must be set before you may access Galaxy.
That's fine and all but I'd like to have them redirected to the real login page. Is there a way to do this? I didn't see anything obvious and was thinking of adding a parameter to galaxy.ini and have Galaxy automatically forward them after 5 seconds or so.
Ryan
On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu> wrote:
Hi Ryan,
On 10/13/2015 09:50 AM, Ryan G wrote:
> Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
> Access to Galaxy is denied
That's expected for External User Auth if you don't have the REMOTE_USER header set properly.
> Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but no shared secret key was provided by the upstream (proxy) server.
> Please contact your local Galaxy administrator. The variable |remote_user_secret| and |GX_SECRET| header must be set before you may access Galaxy.
> That's fine and all but I'd like to have them redirected to the real login page. Is there a way to do this? I didn't see anything obvious and was thinking of adding a parameter to galaxy.ini and have Galaxy automatically forward them after 5 seconds or so.
What external auth mechanism are you using?
> Ryan
-- Eric Rasche Programmer II Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu
On 10/13/2015 11:34 AM, Ryan G wrote:
We have Apache set up to authenticate users off our LDAP. If they authenticate correctly, they are then forwarded on through the proxy.
What I want is to prevent users from hitting the galaxy URL directly. If they do, I want to automatically redirect them to the proxy.
On 10/13/2015 11:34 AM, Ryan G wrote:
> We have Apache set up to authenticate users off our LDAP. If they authenticate correctly, they are then forwarded on through the proxy.
So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may not mean this.
> What I want is to prevent users from hitting the galaxy URL directly. If they do, I want to automatically redirect them to the proxy.
Under mod_auth_ldap this should be done for you. (Worst case scenario you could write some mod_rewrite logic that checks for the remote_user header and returns a 301 if it's missing with the location of your login page)
-- Eric Rasche Programmer II Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu
Sorry, maybe I'm not being clear.
Galaxy is listening on http://galaxy.mycompany.com:8080
Users access Galaxy via http://mycompay.com/galaxy
If users go to http://galaxy.mycompany.com:8080, they get the External Authentication message. From here I want them to be redirected to http://mycompay.com/galaxy which is where they will be authenticated.
Users never see http://galaxy.mycompany.com:8080 ... they will always see http://mycompay.com/galaxy
Howdy Ryan,
On 10/13/2015 11:44 AM, Ryan G wrote:
> Sorry, maybe I'm not being clear.
> Galaxy is listening on http://galaxy.mycompany.com:8080
> Users access Galaxy via http://mycompay.com/galaxy
Ah! This is much more clear, thanks :)
If you're running under remote_user, you should NOT make it available outside of the apache proxy. Even with the remote_user_secret variable that was added, it's still an unnecessary security risk.
> If users go to http://galaxy.mycompany.com:8080, they get the External Authentication message. From here I want them to be redirected to http://mycompay.com/galaxy which is where they will be authenticated.
I'm guessing you migrated at some point from the raw port to the /galaxy address and your users are moving slowly to the new URL.
Here is my suggestion:
- have galaxy listen on 127.0.0.1:8081 so only apache on the same machine can access it.
- add an apache virtualhost listening on 0.0.0.0:8080 that automatically redirects any requests to that page to http://mycompany.com/galaxy/ to help migrate users.
That should fix your problem without requiring modification to your codebase for this one scenario.
> Users never see http://galaxy.mycompany.com:8080 ... they will always see http://mycompay.com/galaxy
-- Eric Rasche Programmer II Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu
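One way to lay out the two suggestions above as configuration, added here as an illustration and not taken from the thread or from Galaxy's own documentation. The `[server:main]`/`[app:main]` placement, the port-80 virtual host, the `ProxyPass` path mapping and the secret value are assumptions; the LDAP directives are omitted because the thread does not show them.

```apache
# --- galaxy.ini (a separate file, shown here as comments) ---
# Bind Galaxy to loopback so only Apache on the same machine can reach it.
#
#   [server:main]
#   host = 127.0.0.1
#   port = 8081
#
#   [app:main]
#   use_remote_user = True
#   remote_user_header = HTTP_MAIL
#   remote_user_secret = CHANGE_ME_PLACEHOLDER
#
# remote_user_secret must equal the GX_SECRET header set by Apache below.

# --- Apache: the old direct URL now only redirects ---
# Port 8080 on every interface is answered by Apache, never by Galaxy.
Listen 8080
<VirtualHost *:8080>
    ServerName galaxy.mycompany.com
    # mod_alias: /some/path is sent to http://mycompany.com/galaxy/some/path
    Redirect permanent / http://mycompany.com/galaxy/
</VirtualHost>

# --- Apache: the authenticated entry point (existing virtual host) ---
<VirtualHost *:80>
    ServerName mycompany.com

    <Location "/galaxy">
        # The existing LDAP authentication directives stay here unchanged.

        # mod_headers: "set" replaces any GX_SECRET value the client sent,
        # so only requests that passed through this proxy carry the secret.
        RequestHeader set GX_SECRET "CHANGE_ME_PLACEHOLDER"
    </Location>

    # Only the backend target changes: it moves from
    # galaxy.mycompany.com:8080 to the loopback listener.
    # The path mapping is an assumption; keep whatever the current rule uses.
    ProxyPass        /galaxy http://127.0.0.1:8081/galaxy
    ProxyPassReverse /galaxy http://127.0.0.1:8081/galaxy
</VirtualHost>
```

After restarting both services, `ss -ltn` on the host should show Galaxy listening on 127.0.0.1:8081 only, and `curl -sI http://galaxy.mycompany.com:8080/` should return a 301 whose Location is under http://mycompany.com/galaxy/.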
Thanks. I'll try that. On Tue, Oct 13, 2015 at 12:52 PM, Eric Rasche <esr@tamu.edu> wrote:
Howdy Ryan,
On 10/13/2015 11:44 AM, Ryan G wrote:
Sorry, maybe I'm not being clear.
Galaxy is listening on http://galaxy.mycompany.com:8080
Users access Galaxy via http://mycompay.com/galaxy
Ah! This is much more clear, thanks :)
If you're running under remote_user, you should NOT make it available outside of the apache proxy. Even with the remote_user_secret variable that was added, it's still an unnecessary security risk.
If users go to http://galaxy.mycompany.com:8080, they get the External Authentication message. From here I want them to be redirected to http://mycompay.com/galaxy which is where they will be authenticated.
I'm guessing you migrated at some point from the raw port to the /galaxy address and your users are moving slowly to the new URL.
Here is my suggestion:
- have galaxy listen on 127.0.0.1:8081 so only apache on the same machine can access it. - add an apache virtualhost listening on 0.0.0.0:8080 that automatically redirects any requests to that page to http://mycompany.com/galaxy/ to help migrate users.
That should fix your problem without requiring modification to your codebase for this one scenario.
Users never see http://galaxy.mycompany.com:8080....they will always see http://mycompay.com/galaxy
On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche <esr@tamu.edu <mailto:esr@tamu.edu>> wrote:
On 10/13/2015 11:34 AM, Ryan G wrote: > We have Apache set up to authenticate users off our LDAP. If they > authenticate correctly, they are then forwarded on through the
proxy.
So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you
may
not mean this.
> > What I want is to prevent users from hitting the galaxy URL
directly.
> If they, do I want to automatically redirect them to the proxy.
Under mod_auth_ldap this should be done for you.
(Worst case scenario you could write some mod_rewrite logic that
checks
for the remote_user header and returns a 301 if it's missing with the location of your login page)
> > > On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu
<mailto:esr@tamu.edu>
> <mailto:esr@tamu.edu <mailto:esr@tamu.edu>>> wrote: > > Hi Ryan, > > On 10/13/2015 09:50 AM, Ryan G wrote: > > Hi all - In regards to external user authentication that I
have working
> > now (see thread below). When users try to go to the actual
Galaxy page,
> > they get the message: > > > > > > Access to Galaxy is denied > > That's expected for External User Auth if you don't have the
REMOTE_USER
> header set properly. > > > > > Galaxy is configured to authenticate users via an external
method (such
> > as HTTP authentication in Apache), but no shared secret key
was provided
> > by the upstream (proxy) server. > > > > Please contact your local Galaxy administrator. The variable > > |remote_user_secret| and |GX_SECRET| header must be set
before you may
> > access Galaxy. > > > > > > > > That's fine and all but I'd like to have them redirected to
the real
> > login page. Is there a way to do this? I didn't see
anything obvious
> > and was thinking of adding a parameter to galaxy.ini and
have Galaxy
> > automatically forward them after 5 seconds or so. > > What external auth mechanism are you using? > > > > > Ryan > > > > > > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <
ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
<mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > Hi all - In regards to external user authentication that
I have
> > working now (see thread below). When users try to go to
the actual
> > Galaxy page, they get the message: > > > > > > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <
ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
<mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > I finally got around to this and all is working
well. I
> > submitted 2 patches to remoteuser.py to assist in
debugging
> > incorrect set ups. > > > > Last question - When a user logs out, they get the
page ""Access
> > to Galaxy user controls is disabled". I've set the > > remote_user_logout_href parameter to a different
website, but
> > they still get the "Access to Galaxy user controls
is disabled".
> > > > I see it in
lib/galaxy/webapps/galaxy/controllers/user.py, but I
> > think at that point its too late. > > > > > > > > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G > > <ngsbioinformatics@gmail.com <mailto:
ngsbioinformatics@gmail.com>
<mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > Yes, I have a test server I'm going to check
this one.
> > thanks for the link, that's perfect...I'll add
some
> > debugging code in here to see what's going on. > > > > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker > > <dannon.baker@gmail.com <mailto:
dannon.baker@gmail.com>
<mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>> > <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com> <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>>>>
wrote:
> > > > Do you have a way to verify the "HTTP_MAIL"
header is
> > actually being passed through your proxy
server?
> > > > The problem is that Galaxy still doesn't
think it's
> > receiving the expected headers, so there
isn't a good
> > way that it can tell you more about what
might be going
> > on. If you're able to tweak Galaxy (using a
test
> > server) and add a few logging statements the
code, this
> > would be good places to check what's going
on (print the
> > `environ` dictionary associated with that
request, along
> > with self.remote_user_header to see what
Galaxy is
> > actually trying to use): > > > >
https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/mi...
> > > > -Dannon
-- Eric Rasche Programmer II
Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu
participants (3)
- Dannon Baker
- Eric Rasche
- Ryan G