Shantanu Pavgi wrote:
> I did a test by excluding the following URLs from Apache-Shibboleth external
> authentication and it seems to be working:
> - /datasets/
> - /u/<username>/h/<history-name>
> - /static/  (css and javascript)
> Do I need to exclude any other URLs so that published histories and datasets
> can be accessed from remote sites without authentication? Also, will it offer
> read-only access to the Galaxy interface? Does it expose any job submission,
> file uploads or any other modification/execution operations using the web
> interface?

Hi Shantanu,

These should be sufficient and would not give access to anything job or
tool related.  However, since /datasets/ is exposed, this means that any
dataset with no roles associated with the access permission (i.e. a
"public" dataset) would be readable by anyone.  Dataset IDs are encoded
so as not to be easily guessable, but relying on this is essentially
"security by obscurity."

> Also, can we prevent a particular Galaxy user from carrying out certain
> actions, e.g. running jobs, file uploads etc.? Since Galaxy will create an
> 'anonymous' user account based on the REMOTE_USER variable set for
> unauthenticated requests, I am wondering if such a locked-down mode will be
> possible for a particular Galaxy user.

This cannot be done from within Galaxy, but it shouldn't be necessary
since these actions are not exposed to the anonymous user.


> Thanks,
> Shantanu. 