Hi Sarah,

On 08. aug. 2016 07:44, Sarah DIEHL wrote:
> Dear all,
>
> since no one replied so far to the main problem I had and it might
> have gotten lost in the conversation, I ask again: Does somebody know
> how to configure external user auth with apache such that API (from
> external, e.g. bioblend) and dataset import in the data libraries
> work? When I configure apache to require auth for everything, the API
> does not work. If I except the API from the apache auth, the dataset
> import does not work.

Our configuration looks like the following (just switching CAS for LDAP.)

    <Location "/galaxy/api/">
        Satisfy Any
        Allow from all
    </Location>

    <Location "/galaxy">
        AuthName "CAS"
        AuthType CAS
        Require valid-user
        RequestHeader set X-URL-SCHEME https
        XSendFile on
        XSendFilePath /
        RequestHeader set CAS-User "%{REMOTE_USER}s...@tamu.edu"
    </Location>
    ProxyPass /galaxy uwsgi://127.0.0.1:4001/

I.e. we disable authentication on the /api route. On 16.01+ (I think it
was patched then, but 16.04 is a safer bet) this will work correctly and
your users will be able to use the API. On previous versions the /api
route would fail for web users if exposed in this manner.
>
> If I switch to the new galaxy-internal LDAP auth features, will that
> solve this problem?
Yes, this is an alternate solution.
>
> Any hints are appreciated!
>
> Best regards,
> Sarah
>
>
> ----
> Sarah Diehl
> HPC System Administrator
>  
> UNIVERSITÉ DU LUXEMBOURG
>  
> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
> Campus Belval | Biotech II
> 6, avenue du Swing
> L-4371 Belvaux
> T +352 46 66 44 5360
> sarah.di...@uni.lu <mailto:sarah.di...@uni.lu>     http://lcsb.uni.lu
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lcsb.uni.lu_&d=CwMFAw&c=ODFT-G5SujMiGrKuoJJjVg&r=p9uZby14OqW9zcjBSjiDKw&m=VV-vUll4GtQX9nsboaQbXHu4z31_SAdpkA-8nu-bzUk&s=bJ6NwuiRobXf-sPXjKoJ3KtEQaDOvG_ViZwLwKKumv8&e=>
> -----
> This message is confidential and may contain privileged information.
> It is intended for the named recipient only. If you receive it in
> error please notify me and permanently delete the original message and
> any copies.
> -----
>
>
> From: galaxy-dev <galaxy-dev-boun...@lists.galaxyproject.org
> <mailto:galaxy-dev-boun...@lists.galaxyproject.org>> on behalf of
> Sarah DIEHL <sarah.di...@uni.lu <mailto:sarah.di...@uni.lu>>
> Date: Monday 1 August 2016 13:06
> To: Nicola Soranzo <nsora...@tiscali.it <mailto:nsora...@tiscali.it>>,
> "galaxy-dev@lists.galaxyproject.org
> <mailto:galaxy-dev@lists.galaxyproject.org>"
> <galaxy-dev@lists.galaxyproject.org
> <mailto:galaxy-dev@lists.galaxyproject.org>>
> Subject: Re: [galaxy-dev] Remote user auth and API
>
> Hi Nicola,
>
> thanks a lot for the help! Yes, it's a self-signed certificate, I
> didn't bother with letsencrypt yet ;-).
>
> So now the error turned to
> ConnectionError: GET: error 401: b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD
> HTML 2.0//EN">\n<html><head>\n<title>401 Authorization
> Required</title>\n</head><body>\n<h1>Authorization
> Required</h1>\n<p>This server could not verify that you\nare
> authorized to access the document\nrequested. Either you supplied the
> wrong\ncredentials (e.g., bad password), or your\nbrowser doesn\'t
> understand how to supply\nthe credentials
> required.</p>\n</body></html>\n', 0 attempts left: None
> which is what I expected, since apache now wants the authentication
> through LDAP.
>
> So anybody know what the right settings are to get both the dataset
> import and the API working with external user auth over apache and LDAP?
>
> Thanks,
> Sarah
>
> ----
> Sarah Diehl
> HPC System Administrator
>  
> UNIVERSITÉ DU LUXEMBOURG
>  
> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
> Campus Belval | Biotech II
> 6, avenue du Swing
> L-4371 Belvaux
> T +352 46 66 44 5360
> sarah.di...@uni.lu <mailto:sarah.di...@uni.lu>     http://lcsb.uni.lu
> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lcsb.uni.lu_&d=CwMFAw&c=ODFT-G5SujMiGrKuoJJjVg&r=p9uZby14OqW9zcjBSjiDKw&m=VV-vUll4GtQX9nsboaQbXHu4z31_SAdpkA-8nu-bzUk&s=bJ6NwuiRobXf-sPXjKoJ3KtEQaDOvG_ViZwLwKKumv8&e=>
> -----
> This message is confidential and may contain privileged information.
> It is intended for the named recipient only. If you receive it in
> error please notify me and permanently delete the original message and
> any copies.
> -----
>
>
> From: Nicola Soranzo <nicola.sora...@gmail.com
> <mailto:nicola.sora...@gmail.com>> on behalf of Nicola Soranzo
> <nsora...@tiscali.it <mailto:nsora...@tiscali.it>>
> Date: Monday 1 August 2016 12:58
> To: Sarah DIEHL <sarah.di...@uni.lu <mailto:sarah.di...@uni.lu>>,
> "galaxy-dev@lists.galaxyproject.org
> <mailto:galaxy-dev@lists.galaxyproject.org>"
> <galaxy-dev@lists.galaxyproject.org
> <mailto:galaxy-dev@lists.galaxyproject.org>>
> Subject: Re: [galaxy-dev] Remote user auth and API
>
> Hi Sarah!
> I guess that your problem is with an untrusted certificate, you can
> get one for free at https://letsencrypt.org/
>
> You can disable certificate verification in bioblend as in the example
> below:
>
> import bioblend.galaxy
> gi = bioblend.galaxy.GalaxyInstance(url=my_server, key=my_key)
> gi.verify = False
>
> Cheers,
> Nicola
>
> On 01/08/16 09:08, Sarah DIEHL wrote:
>> Dear all,
>>
>> since the recent update to 16.04 I get the following error when
>> trying to import a file from a user directory to a data library:
>>
>> AssertionError: use_remote_user is set but HTTP_REMOTE_USER header
>> was not provided
>>
>> I use apache as a proxy and use an LDAP server for authentication. In
>> order to get the API to work previously the apache had to be set to
>> not check authentication for the requests to /api. In the logs I can
>> see that the dataset import is an request to the API, so since the
>> auth is not checked then, there is also no REMOTE_USER header set.
>>
>> What is the recommended way to solve this issue with the current
>> Galaxy version? I disabled the special settings for /api and the
>> dataset import works now.
>>
>> I tried to check the API with an old test script based on bioblend,
>> but I now get the following error:
>>
>> ConnectionError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify
>> failed (_ssl.c:645), 0 attempts left: None
>>
>> Previously I could disable it with 
>>
>> import requests
>> requests.packages.urllib3.disable_warnings()
>>
>> but that doesn't seem to work anymore (switched to Python 3 now).
>> Since bioblend wraps all the requests methods, I cannot apply any of
>> the common solutions I found online (e.g. set verify=False).
>>
>> Any help to solve these issues is highly appreciated :-).
>>
>> Best regards,
>> Sarah
>>
>>
>>
>> ----
>> Sarah Diehl
>> HPC System Administrator
>>  
>> UNIVERSITÉ DU LUXEMBOURG
>>  
>> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
>> Campus Belval | Biotech II
>> 6, avenue du Swing
>> L-4371 Belvaux
>> T +352 46 66 44 5360
>> <mailto:sarah.di...@uni.lu>sarah.di...@uni.lu     http://lcsb.uni.lu
>> <https://urldefense.proofpoint.com/v2/url?u=http-3A__lcsb.uni.lu_&d=CwMFAw&c=ODFT-G5SujMiGrKuoJJjVg&r=p9uZby14OqW9zcjBSjiDKw&m=VV-vUll4GtQX9nsboaQbXHu4z31_SAdpkA-8nu-bzUk&s=bJ6NwuiRobXf-sPXjKoJ3KtEQaDOvG_ViZwLwKKumv8&e=>
>> -----
>> This message is confidential and may contain privileged information.
>> It is intended for the named recipient only. If you receive it in
>> error please notify me and permanently delete the original message
>> and any copies.
>> -----
>>
>>
>>
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>>   https://lists.galaxyproject.org/
>>
>> To search Galaxy mailing lists use the unified search at:
>>   http://galaxyproject.org/search/mailinglists/
>
>
>
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   https://lists.galaxyproject.org/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/

-- 
Eric Rasche
Programmer II

Center for Phage Technology
Rm 312A, Biochemistry & Biophysics
Texas A&M University
College Station, TX 77843
e...@tamu.edu <mailto:e...@tamu.edu>
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Reply via email to