Shantanu Pavgi wrote:
> 
> I did a test by excluding following URLs from Apache-Shibboleth external 
> authentication and it seems to be working: 
> - /datasets/
> - /u/<username>/h/<history-name>
> - /static/  (css and javascript)
> 
> Do I need to exclude any other URLs so that published histories and datasets 
> can be accessed from remote sites without authentication? Also, will it offer 
> read-only access to the galaxy interface? Does it expose any job submission, 
> file-uploads or any other modification/execution operations using web 
> interface? 

Hi Shantanu,

These should be sufficient and would not give access to anything job or
tool related.  However, since /datasets/ is exposed, this means that any
dataset with no roles associated with the access permission (i.e. a
"public" dataset) would be readable by anyone.  Dataset IDs are encoded
so as not to be easily guessable, but relying on this is essentially
"security by obscurity."

> Also, can we prevent particular galaxy-user from carrying out certain 
> actions, e.g. running jobs, file uploads etc.? Since galaxy will create 
> 'anonymous' user account based on the REMOTE_USER variable set for 
> unauthenticated requests, I am wondering if such locked-down mode will be 
> possible for a particular galaxy-user. 

This cannot be done from within Galaxy, but it shouldn't be necessary
since these actions are not exposed to the anonymous user.

--nate

> 
> 
> Thanks,
> Shantanu. 
> 
> 
> 
> 
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/
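
An added example, not part of the original thread or of Galaxy's code: a Python check of which request paths the three exemptions listed above would leave unauthenticated. It assumes the exemptions are matched as anchored patterns against a decoded, normalized path; the function names and all sample paths are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# The three exemptions from the thread, as anchored patterns. How the
# <username> and <history-name> placeholders are matched is an assumption.
PUBLIC_PATTERNS = [
    re.compile(r"^/datasets/"),
    re.compile(r"^/static/"),
    re.compile(r"^/u/[^/]+/h/[^/]+/?$"),
]

def normalize(raw_path):
    """Drop the query string, percent-decode once, and resolve
    duplicate slashes and dot segments before any matching."""
    path = unquote(raw_path.split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", "/" + path.lstrip("/"))
    trailing = path.endswith("/")
    norm = posixpath.normpath(path)
    if trailing and norm != "/":
        norm += "/"  # normpath strips the trailing slash; restore it
    return norm

def is_public(raw_path):
    """True if the path would be served without authentication."""
    path = normalize(raw_path)
    return any(p.search(path) for p in PUBLIC_PATTERNS)

def audit(paths):
    """Map each raw path to whether it bypasses authentication."""
    return {p: is_public(p) for p in paths}

# Constructed sample paths: intended exemptions first, then paths that
# only look like they fall under an exempted prefix.
SAMPLE = [
    "/datasets/abc123/display",
    "/u/alice/h/my-history",
    "/static/style/base.css",
    "/static/../root/index",
    "/static/%2e%2e/tool_runner",
    "/datasetsX/1",
    "/u/alice/h/my-history/extra/segment",
]

if __name__ == "__main__":
    for path, public in audit(SAMPLE).items():
        print(("PUBLIC   " if public else "AUTH     ") + path)
```

Matching on the normalized path is what keeps a request such as `/static/../root/index` from inheriting the `/static/` exemption.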
