Question about Galaxy integration with external access control
Greetings, I am an IT systems administrator at our lab. We maintain some control over our servers but the bulk of the control resides with our university's research computing group. A while ago the admins at research computing created some LDAP-based user accounts for a project that we have, and I had read (https://wiki.galaxyproject.org/Admin/Config/ExternalUserAuth) that Galaxy has the ability to interface with the directory service, although there weren't many details in the link here. So we have a few questions:

1) Assuming Galaxy can read LDAP directory service information, to what extent is access control enforced? Is it on a file system level?

2) If a researcher logs into Galaxy with his LDAP credentials, runs some analyses and obtains the results, how exactly are these results protected from other researchers who may be prohibited from accessing these results due to institutional policies? Accordingly, if a researcher wants to share the data product with another LDAP user, how is that done exactly apart from simply downloading and emailing it?

Depending on the responses I receive from these questions I may have more follow-up questions. Thank you in advance for your consideration.

Simon Chang
Hi Simon, On Thu, Sep 29, 2016 at 11:22 AM, Simon Chang <simonychang.hutlab@gmail.com> wrote:
1) Assuming Galaxy can read LDAP directory service information, to what extent is access control enforced? Is it on a file system level?
The 'galaxy' user, or whichever user is running the files, is the normal way to handle this, with other system users not being able to access galaxy-owned files directly.

2) If a researcher logs into Galaxy with his LDAP credentials, runs some analyses and obtains the results, how exactly are these results protected from other researchers who may be prohibited from accessing these results due to institutional policies? Accordingly, if a researcher wants to share the data product with another LDAP user, how is that done exactly apart from simply downloading and emailing it?
Check out https://wiki.galaxyproject.org/Learn/Share for more information about galaxy's sharing abilities, and certainly feel free to ask more questions. In short, there are systems built into Galaxy that allow users to share (or secure) Galaxy objects within the framework. -Dannon
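Dannon's answer to question 1 rests on one property: dataset files belong to the Galaxy service account and no other system user can read them, so every access goes through Galaxy's own sharing model. The POSIX shell function below is an added example, not code from the thread or from the Galaxy project, that audits a dataset directory (Galaxy's file_path setting; the default database/files and the service account name "galaxy" are assumptions) for files that break that property.

```shell
#!/bin/sh
# Added example (not from the thread or the Galaxy project): audit a Galaxy
# dataset directory for files that undermine file-system-level isolation.
# Assumptions: datasets live under the directory named by Galaxy's file_path
# setting (default assumed to be database/files) and are owned by the service
# account, assumed to be "galaxy". The owner must be an existing account.
#
# Usage: audit_galaxy_files DIR [OWNER]
# Prints one line per finding and returns 1 if anything was found, else 0:
#   OWNER <path>  file not owned by the service account
#   MODE  <path>  file readable by its group or by everyone
#   DIRX  <path>  directory traversable by its group or by everyone
# If a dedicated group is meant to have read access on purpose, drop the
# -040 / -010 tests so only world-readable items are reported.
audit_galaxy_files() {
    dir=$1
    owner=${2:-galaxy}
    report=$(
        # Files whose owner is not the Galaxy service account.
        find "$dir" -type f ! -user "$owner" | sed 's/^/OWNER /'
        # Files with the group-read (040) or other-read (004) bit set.
        find "$dir" -type f \( -perm -040 -o -perm -004 \) | sed 's/^/MODE  /'
        # Directories with group-execute (010) or other-execute (001) set:
        # without the traversal bit nobody else can even reach a file by path.
        find "$dir" -type d \( -perm -010 -o -perm -001 \) | sed 's/^/DIRX  /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Typical invocation on a server (path is an assumption):
#   audit_galaxy_files /srv/galaxy/database/files galaxy
```

A clean run prints nothing and exits 0, which is what a cron job or configuration check should expect; any output means a dataset is reachable by a path that bypasses Galaxy's sharing controls.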
You might consider a secure login for users affiliated to other institutions than your lab as well. Then you can implement a redirection to a set of IdPs with delegated permissions to authenticate users against your LDAP but also against many other LDAPs. Feel free to come up with questions about this solution.

Nikolay
===============
Nikolay Vazov, PhD
Department for Research Computing, University of Oslo
________________________________
From: galaxy-dev <galaxy-dev-bounces@lists.galaxyproject.org> on behalf of Dannon Baker <dannon.baker@gmail.com>
Sent: 29 September 2016 17:40
To: Simon Chang
Cc: galaxy-dev@lists.galaxyproject.org
Subject: Re: [galaxy-dev] Question about Galaxy integration with external access control
participants (3)
- Dannon Baker
- Nikolay Aleksandrov Vazov
- Simon Chang