Hi all,

AFAIK one can put Galaxy behind an HTTP proxy and let it manage the authentication, binding to LDAP. This morning I've been looking at the universe_wsgi.ini file and I've seen this:

# Use user provided in an upstream server's $REMOTE_USER variable
#use_remote_user = False

# If use_remote_user is enabled and your external authentication
# method just returns bare usernames, set a default mail domain
#remote_user_maildomain = example.org

I suppose I should set use_remote_user = True to enable proxied authentication... nevertheless the email passed to Galaxy looks like $REMOTE_USER + REMOVE_USER_MAILDOMAIN set in universe_wsgi.ini... does that mean that I will not be able to authenticate, as my LDAP username is dcittaro and my email is davide.cittaro@ifom-ieo-campus.it?

thanks
d

/* Davide Cittaro
Cogentech - Consortium for Genomic Technologies
via adamello, 16
20139 Milano
Italy
tel.: +39(02)574303007
e-mail: davide.cittaro@ifom-ieo-campus.it
*/
On Mon, May 24, 2010 at 12:42:43PM +0200, Davide Cittaro wrote:
AFAIK one can put Galaxy behind an HTTP proxy and let it manage the authentication, binding to LDAP. This morning I've been looking at the universe_wsgi.ini file and I've seen this:

# Use user provided in an upstream server's $REMOTE_USER variable
#use_remote_user = False

# If use_remote_user is enabled and your external authentication
# method just returns bare usernames, set a default mail domain
#remote_user_maildomain = example.org

I suppose I should set use_remote_user = True to enable proxied authentication... nevertheless the email passed to Galaxy looks like $REMOTE_USER + REMOVE_USER_MAILDOMAIN set in universe_wsgi.ini... does that mean that I will not be able to authenticate, as my LDAP username is dcittaro and my email is davide.cittaro@ifom-ieo-campus.it?
When you say "nevertheless the email passed to galaxy looks like a REMOTE_USER + REMOVE_USER_MAILDOMAIN" where are you seeing that? And was REMOVE a typo?

I'll take a quick stab at explaining our setup and maybe it will help:

We use LDAP for auth with Apache for our Galaxy installation, and here's the key and value information for identity at every step along the way:

Step 1: HTTP Authentication over SSL: Browser -> Apache
  Key: "Authorization" HTTP Header
  Value: base64 encoded username (no @domain.tld) and password

Step 2: LDAP Verification: Apache -> LDAP Server
  Key: uid component in LDAP URL
  Value: plaintext username (no @domain.tld) and password

Step 3: Local HTTP Request: Apache -> Galaxy
  Key: "REMOTE_USER" HTTP Header
  Value: Plaintext username (no @domain.tld) (no password)

Step 4: Galaxy Internal
  Value: plaintext username + $REMOTE_USER_MAILDOMAIN

So at every point on the wire there's no @msi.umn.edu on the username info. Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header after receiving it from the Apache proxy, and internally Galaxy uses ry4an@msi.umn.edu as the username throughout.

The Apache config has a few interesting sections:

# put REMOTE_USER into a header for Galaxy
<Proxy http://localhost:8080>
    Order deny,allow
    Allow from all
</Proxy>

RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader set REMOTE_USER %{RU}e
RequestHeader unset Authorization

That hunk does a few interesting things which alter the content of Step 3 above:

- Extracts the REMOTE_USER environment variable as set by the LDAP Apache module
- Adds an HTTP header named "REMOTE_USER" to the proxy request that goes to Galaxy
- Removes the "Authorization" HTTP header that was copied from the original (Step 1) request on to the proxied request (Step 3). We do that because that request has the password in essentially plaintext and we don't want that information to leave Apache and to enter Galaxy.
The other relevant bit of Apache config is:

<Location "/">
    # Authentication
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Galaxy: MSI users only"
    AuthLDAPUrl ldaps://finch.msi.umn.edu/ou=People,ou=internal,dc=DTC
    AuthLDAPRemoteUserAttribute uid
    Require ldap-filter objectClass=posixAccount
</Location>

which says any URL should require that the user pass an LDAP filter checking to make sure the item retrieved by their 'uid' is in fact a user (and not, say, a printer), though LDAP schemas differ wildly by site and that filter almost certainly doesn't apply in your case.

--
Ry4an Brase                                          612-626-6575
University of Minnesota Supercomputing Institute for Advanced Computational Research
http://www.msi.umn.edu
Hi Ry4an

On May 24, 2010, at 3:32 PM, Ry4an Brase wrote:
When you say "nevertheless the email passed to galaxy looks like a REMOTE_USER + REMOVE_USER_MAILDOMAIN" where are you seeing that? and was REMOVE a typo?
Yes, it's a typo and I'm just guessing that the $userEmail (passed to galaxy) is built on those values...
I'll take a quick stab at explaining our setup and maybe it will help:
We use LDAP for auth with Apache for our Galaxy installation, and here's the key and value information for identity at every step along the way:
Step 1: HTTP Authentication over SSL: Browser -> Apache
  Key: "Authorization" HTTP Header
  Value: base64 encoded username (no @domain.tld) and password

Step 2: LDAP Verification: Apache -> LDAP Server
  Key: uid component in LDAP URL
  Value: plaintext username (no @domain.tld) and password

Step 3: Local HTTP Request: Apache -> Galaxy
  Key: "REMOTE_USER" HTTP Header
  Value: Plaintext username (no @domain.tld) (no password)

Step 4: Galaxy Internal
  Value: plaintext username + $REMOTE_USER_MAILDOMAIN

So at every point on the wire there's no @msi.umn.edu on the username info. Galaxy appends REMOTE_USER_MAILDOMAIN to the "REMOTE_USER" HTTP header after receiving it from the Apache proxy, and internally Galaxy uses ry4an@msi.umn.edu as the username throughout.
That's exactly what I've tried to ask :-)

Also, that means that my Galaxy user will be dcittaro@ifom-ieo-campus.it. The problem is that email address doesn't exist, as usernames defined in LDAP are not the usernames for mail addresses... I guess I'll have to study LDAP search syntax and instruct it to query with my username (dcittaro) and return the email address stripping the domain (davide.cittaro)...

Thanks
d
_______________________________________________
galaxy-dev mailing list
galaxy-dev@lists.bx.psu.edu
http://lists.bx.psu.edu/listinfo/galaxy-dev
On Mon, May 24, 2010 at 04:14:33PM +0200, Davide Cittaro wrote:
That's exactly what I've tried to ask :-)
Also, that means that my galaxy user will be dcittaro@ifom-ieo-campus.it . The problem is that email address doesn't exist, as usernames defined in LDAP are not the usernames for mail addresses... I guess I'll have to study LDAP search syntax and instruct it to query with my username (dcittaro) and return the email address stripping the domain (davide.cittaro)...
Glad it helped. Here are some Apache Directives that will probably help:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapremoteuser...

which can only legally be one of the attributes included in your:

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl

That'll let you auth using the 'uid' and set REMOTE_USER to the 'email'. If the email comes back from LDAP with the @domain.tld already appended then don't set REMOTE_USER_DOMAIN to anything.
Hi again,

I'm almost done with the whole stuff... I'm now able to get authentication through Apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied Galaxy page I get this:

Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server. Please contact your local Galaxy administrator.

The browser asks for username and password (although the message above is already on screen), but in the end it doesn't work... Some configurations:

$ cat /etc/apache2/mods-enabled/proxy.conf
<IfModule mod_proxy.c>
    ProxyRequests Off
    ProxyVia Off

    # <Proxy balancer://galaxy>
    #     BalancerMember http://localhost:8080
    #     BalancerMember http://localhost:8081
    # </Proxy>

    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set REMOTE_USER %{RU}e
    RequestHeader unset Authorization
</IfModule>

$ cat /etc/apache2/sites-enabled/000-default
[…]
    Order deny,allow
    AuthName "Galaxy Login"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
    AuthLDAPRemoteUserAttribute mail
    Require ldap-filter objectClass=posixAccount
[…]
    RewriteEngine on
    RewriteRule ^/galaxy$ /galaxy/ [R]
    RewriteRule ^/galaxy/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/galaxy/static/(.*) /data/galaxy_dist/static/$1 [L]
    RewriteRule ^/galaxy/images/(.*) /data/galaxy_dist/static/images/$1 [L]
    RewriteRule ^/galaxy/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
    RewriteRule ^/galaxy/robots.txt /data/galaxy_dist/static/robots.txt [L]
    RewriteRule ^/galaxy(.*) http://127.0.0.1:8080$1 [P]

Any hint?
d
Whoa, sorry to bother you so much... I think I'm getting to the end step by step. As my Apache still needs to serve some directories without authentication I've decided to set up a virtualhost listening on 8080 which now proxies Galaxy (listening on 8081). I've tried to follow your instructions but I believe most of the RewriteCond and RequestHeader directives can be skipped. In principle I'm querying LDAP with this:

AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
AuthLDAPRemoteUserAttribute mail

I've checked this with a CGI script which prints environment variables and I have:

REMOTE_USER = davide.cittaro@ifom-ieo-campus.it

That given, Galaxy should simply read the variable, shouldn't it? Unfortunately what happens is that I'm asked to login (by Apache) but after that I get the Galaxy error

Access to Galaxy is denied

Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server. Please contact your local Galaxy administrator.

Here's the Apache config file for the Galaxy virtualhost:

NameVirtualHost *:8080
<VirtualHost *:8080>
    ServerAdmin davide.cittaro@ifom-ieo-campus.it
    # DocumentRoot /data/galaxy_dist/static

    RewriteEngine on
    RewriteRule ^(.*) http://localhost:8081$1 [P]
    RewriteRule ^/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/(.*) /data/galaxy_dist/static/$1 [L]
    RewriteRule ^/images/(.*) /data/galaxy_dist/static/images/$1 [L]
    RewriteRule ^/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
    RewriteRule ^/robots.txt /data/galaxy_dist/static/robots.txt [L]

    # RewriteCond %{IS_SUBREQ} ^false$
    # RewriteCond %{LA-U:REMOTE_USER} (.+)
    # RewriteRule . - [E=RU:%1]
    # RequestHeader set REMOTE_USER %{RU}e
    # RequestHeader unset Authorization

    <Location />
        # Options +Indexes
        # IndexOptions FancyIndexing
        # AllowOverride None
        AuthType Basic
        AuthName Galaxy
        Order deny,allow
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
        AuthLDAPRemoteUserAttribute mail
        Require ldap-filter objectClass=posixAccount
    </Location>

    # Alias / /data/galaxy_dist/static/

    ErrorLog /var/log/apache2/galaxy-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog /var/log/apache2/galaxy-access.log combined
    ServerSignature On

    <Location /root/display_as>
        Satisfy Any
        Order deny,allow
        Deny from all
        Allow from genome.ifom-ieo-campus.it
    </Location>

    # ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    # <Directory "/usr/lib/cgi-bin">
    #     AllowOverride None
    #     Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #     Order allow,deny
    #     Allow from all
    # </Directory>
</VirtualHost>

d
On Tue, May 25, 2010 at 04:03:12PM +0200, Davide Cittaro wrote:
Whoa, sorry to bother you so much... I think I'm getting to the end step by step. As my Apache still needs to serve some directories without authentication I've decided to set up a virtualhost listening on 8080 which now proxies Galaxy (listening on 8081). I've tried to follow your instructions but I believe most of the RewriteCond and RequestHeader directives can be skipped. In principle I'm querying LDAP with this:
AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
AuthLDAPRemoteUserAttribute mail
I've checked this with a CGI script which prints environment variables and I have:
REMOTE_USER = davide.cittaro@ifom-ieo-campus.it
That given, galaxy should simply read the variable, shouldn't it? Unfortunately what happens is that I'm asked to login (by apache) but after that I get the Galaxy error
Unfortunately, that's insufficient. Your CGI is a UNIX process launched by Apache itself, so it inherits the environment variables from Apache, and thus gets that REMOTE_USER variable. However, if I'm understanding your setup correctly, you're using Apache to proxy that content to Galaxy, which is a local network connection, not a process invocation, and the environment doesn't make it across.

That Rewrite stuff takes the (eventual) value of the REMOTE_USER environment variable, and stashes it in an HTTP header on the request to Galaxy, which (unlike environment variables) is sent to the downstream application (in this case Galaxy).

Galaxy insists on a username, and if you really want to allow unauthenticated access to it you can do something like I did:

# put REMOTE_USER into a header for Galaxy
<Proxy http://localhost:8080>
    Order deny,allow
    Allow from all
    RequestHeader set REMOTE_USER "displayonly"
</Proxy>

There I'm stuffing 'displayonly' into the REMOTE_USER header, which Galaxy will turn into displayonly@msi.umn.edu. Please note that I was very careful about what URLs are available to that no-user proxy path as I don't want someone called displayonly@msi.umn.edu kicking off jobs and building histories.

Another way to go about that is something like this:

RewriteRule ^(/root/display_as.*) http://localhost:8080$1 [E=REMOTE_USER:viewonly,P,L]

That (in pseudocode) says:

if (the URL starts with /root/display_as) {
    Set the REMOTE_USER environment variable equal to "viewonly"
    And Proxy it to http://localhost:8080
    And don't consider any further RewriteRules
}

By putting that in my Galaxy config I'm able to take a specific URL path and make sure that requests for that path can continue un-authenticated, whereas anything that doesn't match hits this rule further on:

RewriteRule ^/(.*) https://galaxy.msi.umn.edu/$1 [R]

which sends everything that didn't match the exception above on to the authenticated https: site where our LDAP barrier is.
Now's about the time I should mention that none of this is endorsed by the galaxy people as a sane setup; it's just what I happened to do locally.
Here's the apache config file for the galaxy virtualhost:
I see one oddity below. RewriteRules are processed in order, and you have the catch-all rule at the top. This one:

RewriteRule ^(.*) http://localhost:8081$1 [P]

Says anything (.*) should be proxied to localhost:8081. Try moving that after all the more specific RewriteRules (which themselves have a [L] for Last, which prevents further rule processing).
NameVirtualHost *:8080
<VirtualHost *:8080>
    ServerAdmin davide.cittaro@ifom-ieo-campus.it
    # DocumentRoot /data/galaxy_dist/static

    RewriteEngine on
    RewriteRule ^(.*) http://localhost:8081$1 [P]
    RewriteRule ^/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/(.*) /data/galaxy_dist/static/$1 [L]
    RewriteRule ^/images/(.*) /data/galaxy_dist/static/images/$1 [L]
    RewriteRule ^/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
    RewriteRule ^/robots.txt /data/galaxy_dist/static/robots.txt [L]

    # RewriteCond %{IS_SUBREQ} ^false$
    # RewriteCond %{LA-U:REMOTE_USER} (.+)
    # RewriteRule . - [E=RU:%1]
    # RequestHeader set REMOTE_USER %{RU}e
    # RequestHeader unset Authorization

    <Location />
        # Options +Indexes
        # IndexOptions FancyIndexing
        # AllowOverride None
        AuthType Basic
        AuthName Galaxy
        Order deny,allow
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
        AuthLDAPRemoteUserAttribute mail
        Require ldap-filter objectClass=posixAccount
    </Location>

    # Alias / /data/galaxy_dist/static/

    ErrorLog /var/log/apache2/galaxy-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog /var/log/apache2/galaxy-access.log combined
    ServerSignature On

    <Location /root/display_as>
        Satisfy Any
        Order deny,allow
        Deny from all
        Allow from genome.ifom-ieo-campus.it
    </Location>

    # ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    # <Directory "/usr/lib/cgi-bin">
    #     AllowOverride None
    #     Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #     Order allow,deny
    #     Allow from all
    # </Directory>
</VirtualHost>
On Tue, May 25, 2010 at 02:54:12PM +0200, Davide Cittaro wrote:
Hi again, I'm almost done with the whole stuff... I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:
Access to Galaxy is denied
Hrm, just for sanity-check sake you do have 'use_remote_user' enabled in your universe_wsgi.ini, right?

Are you certain the 'email' field in your LDAP entries contains the @domain.tld portion of the email address? If not you should be setting remote_user_domain to '@domain.tld'.

What about, and this is just a guess, moving the RewriteConds, RewriteRule, and RequestHeader lines out of /etc/apache2/mods-enabled/proxy.conf and into /etc/apache2/sites-enabled/000-default? Those are vhost specific, so putting them in the general server config context in which proxy.conf is interpreted might not see them loaded in the vhost where your Galaxy config lives.

If that doesn't do it I'd be moving on to debugging using either tcpdump/Ethereal, which will let you view the network traffic between Apache and Galaxy, or by setting a RewriteLog and RewriteLogLevel 5 and watching to make sure my rewrite cond/rule setup is in fact adding the variable.
On May 25, 2010, at 4:04 PM, Ry4an Brase wrote:
On Tue, May 25, 2010 at 02:54:12PM +0200, Davide Cittaro wrote:
Hi again, I'm almost done with the whole stuff... I'm now able to get authentication through apache and have $REMOTE_USER set to the user email. I've set remote_user_domain to be blank but as I go to the proxied galaxy page I get this:
Access to Galaxy is denied
Hrm, just for sanity-check sake you do have 'use_remote_user' enabled in your universe_wsgi.ini, right?
:-) Yes, it is (Besides, should I set any other field to False, such as allow_users_creation?)
Are you certain the 'email' field in your LDAP entries contain the @domain.tld portion of the email address? If not you should be setting remote_user_domain to '@domain.tld'.
Yes, the mail field in LDAP contains the domain. I've commented the remote_user_maildomain in universe_wsgi.ini
What about, and this is just a guess, moving the RewriteConds, RewriteRule, and RequestHeader lines out of /etc/apache2/mods-enabled/proxy.conf and into /etc/apache2/sites-enabled/000-default
Those are vhost specific, so putting them in the general server config context in which the proxy.conf is interpreted might not see them loaded in the vhost where your galaxy config lives.
I've moved them into the specific vhost file (which is now 001-galaxy, a separated entry with 8080 binding only)
If that doesn't do it I'd be moving on to debugging using either tcpdump/Ethereal, which will let you view the network traffic between Apache and Galaxy, or by setting a RewriteLog and RewriteLogLevel 5 and watching to make sure my rewrite cond/rule setup is in fact adding the variable.
I'm right now testing your suggestion (and the ones on the Galaxy wiki). I've seen that this rule

RequestHeader set REMOTE_USER %{RU}e

doesn't actually set the REMOTE_USER variable but HTTP_REMOTE_USER. I've made this test:

RequestHeader set REMOTE_USER "foo"

and I have these two values:

HTTP_REMOTE_USER = "foo"
REMOTE_USER = davide.cittaro@ifom-ieo-campus.it

I wonder if Galaxy is somehow reading from HTTP_REMOTE_USER which is set to (null) if no RequestHeader is specified... I'm now going to test this

d
Hi Davide,

Sorry I haven't kept up with this thread. I'll try to add any information I can to help.

Davide Cittaro wrote:
:-) Yes, it is (Besides, should I set any other field to False, such as allow_users_creation?)
These options won't really have an effect anyway, since user options are hidden when you enable use_remote_user.
I'm right now testing your suggestion (and the ones on galaxy wiki). I've seen that this rule
RequestHeader set REMOTE_USER %{RU}e
doesn't actually set the REMOTE_USER variable but HTTP_REMOTE_USER. I've made this test:
RequestHeader set REMOTE_USER "foo"
and I have these two values:
HTTP_REMOTE_USER = "foo"
REMOTE_USER = davide.cittaro@ifom-ieo-campus.it
I wonder if galaxy is somehow reading from HTTP_REMOTE_USER which is set to (null) if no RequestHeader is specified... I'm now going to test this
This is what it does - because Galaxy is a proxied application and does not run in Apache's environment, the only way to pass REMOTE_USER upstream is as a header.

In detail:

RewriteCond %{LA-U:REMOTE_USER} (.+)
- Match the REMOTE_USER server variable and store it in a regex backref.

RewriteRule . - [E=RU:%1]
- Store the previously matched backref in the RU env variable.

RequestHeader set REMOTE_USER %{RU}e
- Set the REMOTE_USER header in the proxied request to the value of RU.

The application sees it as HTTP_REMOTE_USER since all of the HTTP headers are stored in the wsgi environment with HTTP_ prepended.

--nate
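As an added illustration of the application side of that hop (not Galaxy's own code and not Nate's), here is a small WSGI model that resolves the identity the way the thread describes (HTTP_REMOTE_USER, optional maildomain), refuses when the header is missing, and flags the two proxy mistakes discussed above: an Authorization header that survived the hop, and a request that did not arrive from the local proxy. The function names, the '@' guard, the loopback-only trust list and the constructed environ dicts are assumptions made for this example.

```python
"""Model of the application side of the Apache -> Galaxy hop.

Added example, not Galaxy's or Nate's code: the function names, the
'@' guard, the local-address check and the constructed environ dicts
below are assumptions made for illustration.
"""
from wsgiref.simple_server import make_server

DENIED = ("Access to Galaxy is denied: a username was not provided by the "
          "upstream (proxy) server.")

# Only the local reverse proxy may vouch for a user; anything else that can
# reach the app port could write its own REMOTE_USER header.
TRUSTED_PROXY_ADDRS = {"127.0.0.1", "::1"}


def resolve_remote_user(environ, use_remote_user=True, maildomain=None):
    """Return the identity the app will act as, or None when it must refuse.

    A proxied app never inherits Apache's REMOTE_USER environment variable;
    it only sees the 'REMOTE_USER' request header, which WSGI exposes as
    HTTP_REMOTE_USER because every header name gets HTTP_ prepended.
    """
    if not use_remote_user:
        return None                      # external auth disabled: nothing to do
    user = environ.get("HTTP_REMOTE_USER", "").strip()
    if not user:
        return None                      # header missing: proxy misconfigured
    if "@" in user:
        # LDAP already returned a full address (AuthLDAPRemoteUserAttribute
        # mail); appending a maildomain here would yield a@b@c, so don't.
        return user
    if maildomain:
        return f"{user}@{maildomain.lstrip('@')}"
    return user


def proxy_hygiene_issues(environ):
    """Things a defender wants flagged on the proxied request."""
    issues = []
    if "HTTP_AUTHORIZATION" in environ:
        # The browser's Basic credentials crossed the proxy hop, i.e. the
        # 'RequestHeader unset Authorization' directive is missing.
        issues.append("Authorization header leaked past the proxy")
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXY_ADDRS:
        issues.append("request did not arrive from the local proxy")
    return issues


def app(environ, start_response):
    """Tiny WSGI app: put it on the Galaxy port to see what Apache really sends."""
    user = resolve_remote_user(environ)
    issues = proxy_hygiene_issues(environ)
    if user is None or issues:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        body = DENIED if user is None else "; ".join(issues)
        return [body.encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    seen = "\n".join(f"{k}={v}" for k, v in sorted(environ.items())
                     if k.startswith("HTTP_"))
    return [f"Galaxy would run as {user}\n{seen}\n".encode()]


def call_app(environ):
    """Invoke app() without a server; returns (status, body) for inspection."""
    status = []
    chunks = app(environ, lambda s, headers: status.append(s))
    return status[0], b"".join(chunks).decode()


# Constructed environ dicts standing in for four requests reaching the app.
GOOD = {"REMOTE_ADDR": "127.0.0.1",
        "HTTP_REMOTE_USER": "davide.cittaro@ifom-ieo-campus.it"}
BARE = {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "ry4an"}
# What Davide's CGI test saw: the env var, but no header; the app denies it.
NO_HEADER = {"REMOTE_ADDR": "127.0.0.1", "REMOTE_USER": "ry4an"}
LEAKY = {"REMOTE_ADDR": "127.0.0.1", "HTTP_REMOTE_USER": "ry4an",
         "HTTP_AUTHORIZATION": "Basic <constructed-credentials>"}

if __name__ == "__main__":
    for name, env in [("good", GOOD), ("bare", BARE),
                      ("no_header", NO_HEADER), ("leaky", LEAKY)]:
        print(name, resolve_remote_user(env, maildomain="msi.umn.edu"),
              proxy_hygiene_issues(env), call_app(env)[0])
    # Bind only on loopback, on the port the proxy forwards to (8080 in
    # Ry4an's setup), then browse through Apache and read the response.
    with make_server("127.0.0.1", 8080, app) as httpd:
        httpd.serve_forever()
```

Run in place of a CGI echo script, it shows exactly the headers that crossed the proxy hop, which is the check the CGI test could not give.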
On May 25, 2010, at 4:21 PM, Nate Coraor wrote:
Hi Davide,
Sorry I haven't kept up with this thread. I'll try to add any information I can to help.
Solved. Given that I'm asking LDAP for the mail address, I get it back as the AUTHENTICATE_MAIL variable. Now I only need this

RequestHeader set REMOTE_USER %{AUTHENTICATE_MAIL}e

to set the HTTP_REMOTE_USER properly...

thanks all
d
On May 25, 2010, at 4:27 PM, Davide Cittaro wrote:
Still I have to fix the display on external ucsc mirrors, according to your wiki page I should set:
<Location /root/display_as>
Satisfy Any
Order deny,allow
Deny from all
Allow from genome.ifom-ieo-campus.it
Allow from host036.2b11.ifom-ieo-campus.it
</Location>
The first is our local mirror, the second is a test workstation... I'm getting 401 errors... Mmmm....
Hi Davide, I just tested this config in Apache and it still works for me. Anything helpful in the Apache error log? --nate
I'll check tomorrow, but I believe I may be missing mod_authz_host :-( d
_______________________________________________ galaxy-dev mailing list galaxy-dev@lists.bx.psu.edu http://lists.bx.psu.edu/listinfo/galaxy-dev
Hi Nate, hi galaxy developers,
I found what was wrong, essentially this galaxy instance is not public to the world, hence I cannot use UCSC sites from cse.edu. I have to link to our local mirror (which is behind our main proxy too). I thought I only had to enable it in the universe_wsgi.ini file: ucsc_display_sites = main,campus and $ grep campus tool-data/shared/ucsc/ucsc_build_sites.txt #Harvested from http://genome.ifom-ieo-campus.it/cgi-bin/das/dsn campus http://genome.ifom-ieo-campus.it/cgi-bin/hgTracks? hg19,hg18,hg17,mm9,mm8,rn4,danRer6,danRer5,ci2,ce6,ce4,cb3,dm3,sacCer2,sacCer1 Unfortunately this is not enough, as UCSC sites are hardcoded in galaxy. Some greps and debugs led me to this diff: $ diff -u remoteuser.here.py remoteuser.py --- remoteuser.here.py 2010-05-26 12:19:30.349424733 +0200 +++ remoteuser.py 2010-05-26 12:19:51.968985808 +0200 @@ -44,7 +44,6 @@ 'hgw6.cse.ucsc.edu', 'hgw7.cse.ucsc.edu', 'hgw8.cse.ucsc.edu', - 'genome.ifom-ieo-campus.it', ) UCSC_ARCHAEA_SERVERS = ( 'lowepub.cse.ucsc.edu', @@ -56,7 +55,7 @@ self.maildomain = maildomain self.allow_ucsc_main = False self.allow_ucsc_archaea = False - if 'main' in ucsc_display_sites or 'test' in ucsc_display_sites or 'campus' in ucsc_display_sites: + if 'main' in ucsc_display_sites or 'test' in ucsc_display_sites: self.allow_ucsc_main = True if 'archaea' in ucsc_display_sites: self.allow_ucsc_archaea = True Now I can link our local mirror (at least for intervals, still have to try with BAM files). I'm only afraid that I will lose these changes in the next repository upgrade... Should I open a bug request to remove hardcoded links or you are already working on this? cheers d /* Davide Cittaro Cogentech - Consortium for Genomic Technologies via adamello, 16 20139 Milano Italy tel.: +39(02)574303007 e-mail: davide.cittaro@ifom-ieo-campus.it */
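Review bot: the first hunk (`@@ -44,7 +44,6 @@`) reads backwards because `diff -u remoteuser.here.py remoteuser.py` puts the locally patched file on the `---` side, so `- 'genome.ifom-ieo-campus.it',` is actually the local addition to the UCSC main server tuple, and anyone applying this output as a patch would remove the mirror host instead of adding it. Generate it as `diff -u remoteuser.py remoteuser.here.py` so the hunk shows the host being added.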
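Review bot: in the second hunk (`@@ -56,7 +55,7 @@`) the added `'campus' in ucsc_display_sites` condition sets the same `allow_ucsc_main` flag that `main` and `test` set, so enabling the campus mirror also grants access to every host in the UCSC main server tuple, and listing only `main` would still admit the mirror host added in the first hunk. Give the mirror its own flag and its own host tuple, the way `allow_ucsc_archaea` and `UCSC_ARCHAEA_SERVERS` are kept separate, so the two trust decisions are independent and the local change is easier to carry across upgrades.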
Davide Cittaro wrote:
Now I can link our local mirror (at least for intervals, still have to try with BAM files). I'm only afraid that I will lose these changes in the next repository upgrade... Should I open a bug request to remove hardcoded links or you are already working on this?
A bug would be good. I know they need to be fixed but I'm not working on them now.