Re: [galaxy-dev] trouble with authentication through Apache
On Tue, Nov 2, 2010 at 10:48 AM, David Hoover <hooverdm@helix.nih.gov> wrote:
I tried a number of things, but the only one that works is a hack to the galaxy remoteuser.py script.
I am authenticating with Kerberos, and this introduces a string in the HTTP_COOKIE variable
Odd - according to http://onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=2 the Kerberos module is supposed to automagically set REMOTE_USER to the full userid (email and all)? That http_remote_user hack is sure ugly - there must be a better way?
Looking at our setup for LDAP we have the user id in the uid attribute, so
RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
works for us without all the other stuff suggested in http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy
Any suggestions Nate?
newuser=[userid]
So, in remoteuser.py, I match the alphanumerical characters of the userid and set HTTP_REMOTE_USER directly.
$ diff remoteuser.py remoteuser.py.ORIG 6d5 < import re 79,81d77 < match = re.search('newuser=([0-9a-zA-Z]+)',environ['HTTP_COOKIE']) < if match: < environ['HTTP_REMOTE_USER'] = match.group(1)
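Review bot: in the 79,81d77 hunk the login is read from environ['HTTP_COOKIE'], a header the browser sends, instead of from REMOTE_USER, which Apache only sets after mod_auth_kerb has authenticated; Galaxy then accepts whatever newuser= value arrives without checking it against the authenticated principal, so the cookie value, not the Kerberos ticket, decides which account the request lands in. Keep the wiki's approach of forwarding REMOTE_USER as a request header (RequestHeader set REMOTE_USER ...) and make sure the port 8081 listener is reachable only through the proxy, since a direct request would skip the Kerberos check altogether. Minor: use environ.get('HTTP_COOKIE', '') so a request with no Cookie header does not raise KeyError before the match is attempted.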
This is really bad, because every time galaxy is updated I will need to change this script. Ultimately, it would be better if galaxy could access the $REMOTE_USER variable like perl and mod_cgi do.
David
On Nov 1, 2010, at 8:55 PM, Ross wrote:
David,
Please feel free to write some notes to summarize what you've learned about Kerberos and apache?
If you could contribute what you have learned in a form that we could use to improve the documentation - telegraphic notes or longer narratives are always welcome - we'll make sure they're added to our wiki to help future users.
Thanks for using and helping us improve Galaxy!
On Mon, Nov 1, 2010 at 5:43 PM, David Hoover <hooverdm@helix.nih.gov> wrote:
Ah, well the documentation on the wiki is not entirely complete...
I figured out that the REMOTE_USER is not passed when Kerberos is used to authenticate, so I figured out a roundabout way of doing it using HTTP_COOKIE instead. Quite brutal. It's very similar to the problem with mod_authnz_ldap.
David
On Oct 29, 2010, at 7:46 PM, Ross wrote:
David, the section "Serving Galaxy at a sub directory (such as /galaxy) " in http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy might help?
On Fri, Oct 29, 2010 at 5:32 PM, David Hoover <hooverdm@helix.nih.gov> wrote:
Hi,
I'm trying to set up a Galaxy mirror, and I'd like to authenticate via Apache. I can get Galaxy going when I don't authenticate.
It's running on the same machine as the Apache server, listening on port 8081.
I've added the mod_rewrite stuff from http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy, but I'm still getting an error:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator.
Here's the block from our Apache configuration:
<Location "/galaxy">
    AuthName "NIH Login -- all lowercase, not prefixed with NIH\!"
    AuthType Kerberos
    Krb5Keytab /etc/auth_kerb.keytab
    KrbAuthRealm NIH.GOV
    KrbMethodNegotiate off
    KrbSaveCredentials off
    KrbVerifyKDC off
    Require valid-user
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
</Location>

RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://localhost:8081$1 [P]
Any ideas?
--
Ross Lazarus MBBS MPH
Associate Professor, Harvard Medical School
Director of Bioinformatics, Channing Laboratory
181 Longwood Ave., Boston MA 02115, USA.
Tel: +1 617 505 4850
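Added example, not Galaxy's own remoteuser.py and not code from anyone in the thread: a minimal WSGI middleware showing what Galaxy sees once Apache forwards REMOTE_USER as a request header, covering the Kerberos principal and bare LDAP uid cases Ross compares, the missing-header failure David hit, and the "is the header arriving at all?" endpoint Nate suggests. Class, function and parameter names and the sample environs are assumptions.

```python
# Added example (not Galaxy's remoteuser.py): WSGI middleware consuming the
# REMOTE_USER header Apache sets, plus a diagnostic app. Names are constructed.

def normalize_remote_user(raw, maildomain=None):
    # Kerberos principals already carry their realm (user@NIH.GOV) and are
    # kept; a bare uid (as mod_authnz_ldap yields) needs a default maildomain.
    user = (raw or '').strip()
    if '@' in user:
        return user
    return user + '@' + maildomain if user and maildomain else None

def deny(start_response, reason):
    start_response('403 Forbidden', [('Content-Type', 'text/plain')])
    return [('Access to Galaxy is denied: ' + reason).encode()]

class RemoteUserMiddleware:
    def __init__(self, app, maildomain=None, trusted_proxies=('127.0.0.1',)):
        self.app, self.maildomain, self.trusted = app, maildomain, trusted_proxies

    def __call__(self, environ, start_response):
        # Only the proxy may vouch for a user: a request that reached port 8081
        # directly could carry any REMOTE_USER header, so check the peer first.
        if environ.get('REMOTE_ADDR') not in self.trusted:
            return deny(start_response, 'request did not come through the proxy')
        user = normalize_remote_user(environ.get('HTTP_REMOTE_USER'), self.maildomain)
        if user is None:
            return deny(start_response, 'no username provided by the upstream server')
        environ['HTTP_REMOTE_USER'] = user
        return self.app(environ, start_response)

def whoami_app(environ, start_response):
    """Diagnostic endpoint: report which identity variables the request carries."""
    lines = [k + '=' + environ[k] for k in ('REMOTE_USER', 'HTTP_REMOTE_USER', 'HTTP_COOKIE') if k in environ]
    start_response('200 OK', [('Content-Type', 'text/plain')])
    return [('\n'.join(lines) or 'no identity variables set').encode()]

def call(app, environ):
    """Run a WSGI app in-process on a copy of environ; return (status, body)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen['status'] = status
    body = b''.join(app(dict(environ), start_response))
    return seen['status'], body.decode()

# Constructed sample requests as Galaxy on port 8081 would see them.
KERB_REQUEST = {'REMOTE_ADDR': '127.0.0.1', 'HTTP_REMOTE_USER': 'jdoe@NIH.GOV'}
LDAP_REQUEST = {'REMOTE_ADDR': '127.0.0.1', 'HTTP_REMOTE_USER': 'jdoe'}
DIRECT_REQUEST = {'REMOTE_ADDR': '10.0.0.5', 'HTTP_REMOTE_USER': 'jdoe@NIH.GOV'}
NO_HEADER_REQUEST = {'REMOTE_ADDR': '127.0.0.1'}
```

Running `call(whoami_app, env)` without the middleware is the in-process equivalent of the CGI check Nate describes: if HTTP_REMOTE_USER is absent there, no header-passing variant on the Galaxy side can recover it.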
Ross wrote:
On Tue, Nov 2, 2010 at 10:48 AM, David Hoover <hooverdm@helix.nih.gov> wrote:
I tried a number of things, but the only one that works is a hack to the galaxy remoteuser.py script.
I am authenticating with Kerberos, and this introduces a string in the HTTP_COOKIE variable
Odd - according to http://onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=2 the Kerberos module is supposed to automagically set REMOTE_USER to the full userid (email and all)? That http_remote_user hack is sure ugly - there must be a better way?
Looking at our setup for LDAP we have the user id in the uid attribute, so
RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
works for us without all the other stuff suggested in http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy
Any suggestions Nate?
I'm pretty sure I had this working with mod_auth_kerb years ago. David, in testing, did you happen to check in remoteuser.py whether HTTP_REMOTE_USER was set at all? With mod_auth_kerb you don't need to set a default maildomain since the realm is included in REMOTE_USER. But the default should be ignored regardless.
Can you confirm that you have configured a <Proxy> block as shown in the documentation? Assuming you have, the first step would be to have a CGI behind mod_auth_kerb display whether REMOTE_USER is set - if not, any permutation of passing it as a header will fail.
--nate