trouble with authentication through Apache

Hi,
I'm trying to set up a Galaxy mirror, and I'd like to authenticate via Apache. I can get Galaxy going when I don't authenticate.
It's running on the same machine as the Apache server, listening on port 8081.
I've added the mod_rewrite stuff from http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy, but I'm still getting an error:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator.
Here's the block from our Apache configuration:
<Location "/galaxy">
  AuthName "NIH Login -- all lowercase, not prefixed with NIH\!"
  AuthType Kerberos
  Krb5Keytab /etc/auth_kerb.keytab
  KrbAuthRealm NIH.GOV
  KrbMethodNegotiate off
  KrbSaveCredentials off
  KrbVerifyKDC off
  Require valid-user
  RewriteCond %{IS_SUBREQ} ^false$
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader set REMOTE_USER %{RU}e
</Location>
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://localhost:8081$1 [P]
Any ideas?
David Hoover
Helix Systems Staff
http://helix.nih.gov

David, the section "Serving Galaxy at a sub directory (such as /galaxy)" in http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy might help?
On Fri, Oct 29, 2010 at 5:32 PM, David Hoover <hooverdm@helix.nih.gov> wrote:
Hi,
I'm trying to set up a Galaxy mirror, and I'd like to authenticate via Apache. I can get Galaxy going when I don't authenticate.
It's running on the same machine as the Apache server, listening on port 8081.
I've added the mod_rewrite stuff from http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy, but I'm still getting an error:
Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
Please contact your local Galaxy administrator.
Here's the block from our Apache configuration:
<Location "/galaxy">
  AuthName "NIH Login -- all lowercase, not prefixed with NIH\!"
  AuthType Kerberos
  Krb5Keytab /etc/auth_kerb.keytab
  KrbAuthRealm NIH.GOV
  KrbMethodNegotiate off
  KrbSaveCredentials off
  KrbVerifyKDC off
  Require valid-user
  RewriteCond %{IS_SUBREQ} ^false$
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule . - [E=RU:%1]
  RequestHeader set REMOTE_USER %{RU}e
</Location>
RewriteRule ^/galaxy$ /galaxy/ [R]
RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy/static/robots.txt [L]
RewriteRule ^/galaxy(.*) http://localhost:8081$1 [P]
Any ideas?

Ah, well the documentation on the wiki is not entirely complete...
I figured out that the REMOTE_USER is not passed when Kerberos is used to authenticate, so I figured out a roundabout way of doing it using HTTP_COOKIE instead. Quite brutal. It's very similar to the problem with mod_authnz_ldap.
David
On Oct 29, 2010, at 7:46 PM, Ross wrote:
David, the section "Serving Galaxy at a sub directory (such as /galaxy)" in http://bitbucket.org/galaxy/galaxy-central/wiki/Config/ApacheProxy might help?

David,
Please feel free to write some notes to summarize what you've learned about Kerberos and apache? If you could contribute what you have learned in a form that we could use to improve the documentation - telegraphic notes or longer narratives are always welcome - we'll make sure they're added to our wiki to help future users.
Thanks for using and helping us improve Galaxy!
On Mon, Nov 1, 2010 at 5:43 PM, David Hoover <hooverdm@helix.nih.gov> wrote:
Ah, well the documentation on the wiki is not entirely complete...
I figured out that the REMOTE_USER is not passed when Kerberos is used to authenticate, so I figured out a roundabout way of doing it using HTTP_COOKIE instead. Quite brutal. It's very similar to the problem with mod_authnz_ldap.
David
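
A way to see what the proxy actually forwards, as an added example that is not part of the thread and not Galaxy's code: a stand-in WSGI app for port 8081 that reports whether a REMOTE_USER header arrived. The function names are illustrative, and the "(null)" check assumes mod_headers writes that literal when the %{RU}e variable is unset.

```python
"""Added diagnostic (not Galaxy code): show what identity the proxy forwards."""
from wsgiref.simple_server import make_server

# WSGI exposes the request header "REMOTE_USER" as HTTP_REMOTE_USER.
USER_KEY = "HTTP_REMOTE_USER"
# Assumption: mod_headers writes the literal "(null)" when %{RU}e is unset.
EMPTY_VALUES = {"", "(null)"}


def forwarded_user(environ):
    """Return the username set by the proxy, or None if it is missing."""
    value = environ.get(USER_KEY, "").strip()
    return None if value in EMPTY_VALUES else value


def identity_headers(environ):
    """Map each identity-carrying header that arrived to its value length."""
    wanted = ("HTTP_REMOTE_USER", "HTTP_AUTHORIZATION", "HTTP_COOKIE")
    # Report only presence and length so credentials never reach the output.
    return {k: len(environ[k]) for k in wanted if k in environ}


def app(environ, start_response):
    """Answer 200 with the forwarded username, or 403 if none arrived."""
    user = forwarded_user(environ)
    seen = identity_headers(environ)
    if user is None:
        status, body = "403 Forbidden", f"no username from proxy; saw {seen}\n"
    else:
        status, body = "200 OK", f"proxy says user={user!r}; saw {seen}\n"
    start_response(status, [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


if __name__ == "__main__":
    # Bind to loopback only: a backend that trusts this header must be
    # reachable solely through the authenticating proxy.
    make_server("127.0.0.1", 8081, app).serve_forever()
```

Run it in place of Galaxy and request /galaxy/ through Apache: a 403 that lists only HTTP_COOKIE or HTTP_AUTHORIZATION means authentication succeeded but the rewrite rules never populated RU.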

After installing a Galaxy mirror, I noticed that if I open a session through Safari and upload a file, that file (and history) is not available if I open another session through Firefox. I am authenticating externally through Apache, would that have anything to do with it? Logically if I am authenticated as the same user in different sessions, I should still see the same history and uploaded files.
David Hoover
Helix Systems Staff
http://helix.nih.gov

David Hoover wrote:
After installing a Galaxy mirror, I noticed that if I open a session through Safari and upload a file, that file (and history) is not available if I open another session through Firefox. I am authenticating externally through Apache, would that have anything to do with it? Logically if I am authenticated as the same user in different sessions, I should still see the same history and uploaded files.
Hi David,
Your second login will get a new Galaxy session and therefore a new history. The original history should be available under your saved histories, which can be found under the "Options" menu of the history panel. Upon switching to that history, as long as you don't clear your cookies, you'll return to that history the next time you load Galaxy.
--nate
David Hoover
Helix Systems Staff
http://helix.nih.gov
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev

Hi Nate,
Didn't realize about switching histories. Yes, everything is still intact. Thanks for pointing this out.
Cheers,
David
On Nov 2, 2010, at 8:16 AM, Nate Coraor wrote:
Hi David,
Your second login will get a new Galaxy session and therefore a new history. The original history should be available under your saved histories, which can be found under the "Options" menu of the history panel. Upon switching to that history, as long as you don't clear your cookies, you'll return to that history the next time you load Galaxy.
--nate