Leandro Hermida wrote:
> Hi Shantanu,
> 
> In your Apache configuration exactly how did you set up an anonymous
> REMOTE_USER just for specific locations like the /datasets/ path?  I'm just
> looking at the Apache docs and the RequestHeader directive has a context of
> the entire VirtualHost and cannot be put into a Location container so I'm
> not sure how to do it.

Hi Leandro,

See the optional 'env=' argument and docs on the same for ways to make
RequestHeader conditional:

    http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader

So, depending on the path accessed, you should be able to have
mod_rewrite set an environment variable specifying which REMOTE_USER
(real username or fake anonymouse user) should be set.

You could also just set it as the anonymous user to start with and then
use 'RequestHeader set' to overwrite it with the real username in the
case that a real username is available.

This is all just from glancing at the docs, though, I have not tried any
of it out, and this sort of Apache trickery is always difficult to get
right.

--nate

> 
> thanks,
> Leandro
> 
> On Wed, Jun 22, 2011 at 9:40 PM, Shantanu Pavgi <pa...@uab.edu> wrote:
> 
> >
> > On Jun 20, 2011, at 4:10 PM, Shantanu Pavgi wrote:
> >
> > >
> > > On Jun 20, 2011, at 2:40 PM, Nate Coraor wrote:
> > >
> > >> Shantanu Pavgi wrote:
> > >>> Hi,
> > >>>
> > >>> We have a galaxy server setup using external shibboleth authentication.
> > While we would like to have site behind authentication realm, there are
> > instances when our galaxy datasets/histories need to be accessible publicly
> > from other websites. We tried adding an exception to auth rule for /datasets
> >  path using Location directive in apache web server configuration, however
> > galaxy server returned an error as:
> > >>>
> > >>> {{{
> > >>> Access to Galaxy is denied
> > >>> Galaxy is configured to authenticate users via an external method (such
> > as HTTP authentication in Apache), but a username was not provided by the
> > upstream (proxy) server. This is generally due to a misconfiguration in the
> > upstream server.
> > >>> }}}
> > >>>
> > >>> Is there any way to share public histories and datasets when galaxy is
> > using external authentication mechanism? I have thought about setting up
> > (fake) anonymous REMOTE_USER variable for /datasets path, but  not sure
> > whether this is correct approach. Also, would it require any galaxy code
> > changes? Any thoughts?
> > >>
> > >> Hi Shantanu,
> > >>
> > >> That's about all you can do, or modify
> > >> lib/galaxy/web/framework/middleware/remoteuser.py to let these
> > >> connections through.  I would suggest the former solution of setting a
> > >> header in Apache, but only set it if the user is not authenticated.
> > >>
> > >> --nate
> > >
> > >
> > > Thanks for the reply Nate. That's helpful.
> > >
> > > --
> > > Shantanu.
> > >
> >
> >
> > I did a test by excluding following URLs from Apache-Shibboleth external
> > authentication and it seems to be working:
> > -  /datasets/
> > -  /u/<username>/h/<history-name>
> > - /static/  (css and javascript)
> >
> > Do I need to exclude any other URLs so that published histories and
> > datasets can be accessed from remote sites without authentication? Also,
> > will it offer read-only access to the galaxy interface? Does it expose any
> > job submission, file-uploads or any other modification/execution operations
> > using web interface?
> >
> > Also, can we prevent particular galaxy-user from carrying out certain
> > actions, e.g. running jobs, file uploads etc.? Since galaxy will create
> > 'anonymous' user account based on the REMOTE_USER variable set for
> > unauthenticated requests, I am wondering if such locked-down mode will be
> > possible for a particular galaxy-user.
> >
> >
> > Thanks,
> > Shantanu.
> >
> >
> >
> >
> > ___________________________________________________________
> > Please keep all replies on the list by using "reply all"
> > in your mail client.  To manage your subscriptions to this
> > and other Galaxy lists, please use the interface at:
> >
> >  http://lists.bx.psu.edu/
> >
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

  http://lists.bx.psu.edu/

Reply via email to