Hi Eric,

It's not broken per se but the documentation is lacking on this front.  You 
need to route your /galaxy/api folder to a proxy that does not require 
authentication.  Maybe this isn't the best way but it works for AAFC's 
production galaxy.  See my apache configuration file below:

--------------------------------------------------------------------------------------
# Function for LowerCase conversion used in rewriterule directive
RewriteMap lc int:tolower

# Setup the load balancer and force LDAP authentication with group file authorization
<Proxy balancer://galaxy-prod/*>
        BalancerMember http://localhost:60000
        BalancerMember http://localhost:60001
        BalancerMember http://localhost:60002

        # LDAP based authentication
        AuthName "Galaxy - Login with AAFC credentials"
        AuthType Basic
        AuthBasicAuthoritative off
        AuthBasicProvider ldap

        AuthLDAPURL "REDACTED"
        AuthLDAPBindDN 'REDACTED'
        AuthLDAPBindPassword "REDACTED"

        # File based authorization
        AuthGroupFile /home/galaxy/permitted_users
        Require group galaxy-users

        RewriteEngine on

        # Convert the sAMAccountName to lower case
        RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]

        # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute
        RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
</Proxy>

<Proxy balancer://galaxy-prod-noauth/*>
        BalancerMember http://localhost:60000
        BalancerMember http://localhost:60001
        BalancerMember http://localhost:60002

        # Required to allow unauthenticated access
        # Not clear why this is so      
        Satisfy any
</Proxy>

# Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server
RewriteCond %{QUERY_STRING} key=
RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]

# Bypass authentication for display servers
RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]

# Serve static content directly from apache
RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]

# Route all other traffic through the load balancer
RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
------------------------------------------------------------------------------



Regards,

Iyad Kandalaft
Microbial Biodiversity Bioinformatics
Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
960 Carling Ave.| 960 Ave. Carling
Ottawa, ON| Ottawa (ON) K1A 0C6
E-mail Address / Adresse courriel  iyad.kandal...@agr.gc.ca
Telephone | Téléphone 613-759-1228
Facsimile | Télécopieur 613-759-1701
Teletypewriter | Téléimprimeur 613-773-2600
Government of Canada | Gouvernement du Canada 
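
Added example, not part of the original message or of Galaxy's code: a small Python model of the API, static and catch-all rewrite rules above, showing which requests skip LDAP and reach Galaxy with only its API-key check in front of them. The anchored pattern and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

AUTH = "balancer://galaxy-prod"           # LDAP-protected proxy from the post
NOAUTH = "balancer://galaxy-prod-noauth"  # "Satisfy any" proxy from the post

KEY_AS_POSTED = re.compile(r"key=")             # RewriteCond pattern as posted
KEY_ANCHORED = re.compile(r"(?:^|&)key=[^&]+")  # stricter variant (assumption)

STATIC = re.compile(r"^/galaxy/(static/|favicon.ico|robots.txt)")


def route(url, key_pattern=KEY_AS_POSTED):
    """Return where the posted rewrite rules send a request URL.

    Models the API, static and catch-all rules in their posted order;
    the display_as rule is not modelled.
    """
    parts = urlsplit(url)
    if parts.path.startswith("/galaxy/api/") and key_pattern.search(parts.query):
        return NOAUTH       # skips LDAP; Galaxy's key check is the only gate
    if STATIC.match(parts.path):
        return "static"     # served from disk by Apache
    if parts.path.startswith("/galaxy/"):
        return AUTH
    return "unhandled"      # outside the scope of these rules


def routed_differently(urls):
    """URLs that skip LDAP under the posted pattern but not the anchored one."""
    return [u for u in urls
            if route(u) == NOAUTH and route(u, KEY_ANCHORED) != NOAUTH]


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/galaxy/api/histories?key=0123456789abcdef",
    "/galaxy/api/histories?monkey=1",
    "/galaxy/api/histories?key=",
    "/galaxy/api/histories",
    "/galaxy/history/list?key=0123456789abcdef",
    "/galaxy/static/scripts/galaxy.base.js",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{route(u):32} {route(u, KEY_ANCHORED):32} {u}")
    print("differs:", routed_differently(SAMPLES))
```

In Apache terms the anchored variant would be a RewriteCond on %{QUERY_STRING} with the pattern (^|&)key=[^&]+ in place of key=.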



-----Original Message-----
From: galaxy-dev-boun...@lists.bx.psu.edu 
[mailto:galaxy-dev-boun...@lists.bx.psu.edu] On Behalf Of Eric Rasche
Sent: Wednesday, June 11, 2014 8:43 PM
To: galaxy-dev@lists.bx.psu.edu
Subject: [galaxy-dev] bug: API broken under remote_user

https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api

I don't know if this is the correct card (it's been a long day and I may be 
misreading it) but the API is completely broken under REMOTE_USER 
authentication.

running ./scripts/api/display.py {key} http://localhost:8300 returns 403 
forbidden.

running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 
Authorization Required

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this and other Galaxy 
lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
