Hi Eric,
thanks a lot for the info and help! I'm running version 16.04 and my apache
conf is a bit different because I balance over multiple galaxy web servers:

# API requests get routed through balancer with no authentication
RewriteCond %{QUERY_STRING} key=
RewriteRule ^/api/(.*) balancer://galaxy-noauth/api/$1 [P]

# Regular requests get routed through balancer with LDAP authentication
RewriteRule ^(.*) balancer://galaxy$1 [P]

<Proxy balancer://galaxy/*>
    BalancerMember http://localhost:8080
    BalancerMember http://localhost:8081
    BalancerMember http://localhost:8082
    BalancerMember http://localhost:8083
    RequestHeader set X-URL-SCHEME https
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "UL HPC Platform Authorized Users Only"
    AuthLDAPBindAuthoritative off
    AuthLDAPURL "ldap://…"
    Require valid-user
    RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
    XSendFile on
    XSendFilePath /
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:t?gz|zip|bz2)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI /history/export_archive no-gzip dont-vary
</Proxy>

<Proxy balancer://galaxy-noauth/*>
    BalancerMember http://localhost:8080
    BalancerMember http://localhost:8081
    BalancerMember http://localhost:8082
    BalancerMember http://localhost:8083
    RequestHeader set X-URL-SCHEME https
    Satisfy any
    XSendFile on
    XSendFilePath /
    SetOutputFilter DEFLATE
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI \.(?:t?gz|zip|bz2)$ no-gzip dont-vary
    SetEnvIfNoCase Request_URI /history/export_archive no-gzip dont-vary
</Proxy>

What doesn't work when configured this way is data libraries' import from user
directory function. Can you tell if my apache configuration is equivalent to
yours? Does the import functionality in the data libraries work for you?
This configuration worked fine with release 15.10, but doesn't anymore since I
upgraded. Between those two versions the default data libraries interface
changed. What used to be "beta" before is now the default and only available
option.
Best regards,
Sarah
----
Sarah Diehl
HPC System Administrator
UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
Campus Belval | Biotech II
6, avenue du Swing
L-4371 Belvaux
T +352 46 66 44 5360
[email protected]
http://lcsb.uni.lu
-----
This message is confidential and may contain privileged information. It is
intended for the named recipient only. If you receive it in error please notify
me and permanently delete the original message and any copies.
-----
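
How the two RewriteRules in the message above sort requests, as an added example that is not part of the original thread: it replays access-log lines and reports which balancer each request reaches and whether the proxy would have set REMOTE_USER. The log lines, the key value, the user name and the /api/example/import path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines (common log format); users, key and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - sdiehl [01/Aug/2016:09:01:12 +0200] "GET /library/list HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2016:09:02:40 +0200] "GET /api/histories?key=EXAMPLEKEY HTTP/1.1" 200 812
10.0.0.9 - - [01/Aug/2016:09:03:05 +0200] "GET /api/histories HTTP/1.1" 401 401
10.0.0.5 - - [01/Aug/2016:09:04:17 +0200] "POST /api/example/import?key=EXAMPLEKEY HTTP/1.1" 500 230
""".splitlines()

LOG_RE = re.compile(r'^\S+ \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
COND_QUERY = re.compile(r"key=")       # RewriteCond %{QUERY_STRING} key=  (unanchored)
RULE_PATH = re.compile(r"^/api/(.*)")  # RewriteRule ^/api/(.*) ... [P]


def route(target):
    """Balancer chosen by the two RewriteRules for a request target."""
    parts = urlsplit(target)
    # The RewriteCond guards only the rule that directly follows it.
    if RULE_PATH.search(parts.path) and COND_QUERY.search(parts.query):
        return "galaxy-noauth"
    return "galaxy"  # catch-all rule: LDAP block, sets REMOTE_USER


def classify(line):
    """Return (target, balancer, outcome) for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparsed log line: %r" % line)
    user, _method, target, status = m.groups()
    balancer = route(target)
    if balancer == "galaxy-noauth":
        outcome = "no-remote-user"        # proxied without a REMOTE_USER header
    elif status == "401" or user == "-":
        outcome = "rejected-by-apache"    # LDAP challenge, never reaches Galaxy
    else:
        outcome = "remote-user-set"       # header filled from the LDAP uid
    return target, balancer, outcome


def audit(lines):
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for target, balancer, outcome in audit(SAMPLE_LOG):
        print("%-45s %-14s %s" % (target, balancer, outcome))
```

Requests reported as no-remote-user are the ones Galaxy has to authenticate on its own, and they are where the "HTTP_REMOTE_USER header was not provided" assertion quoted later in the thread can surface.
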
From: Eric Rasche <[email protected]>
Organization: TAMU
Date: Monday 8 August 2016 15:09
To: Sarah DIEHL <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [galaxy-dev] External user auth and API

Hi Sarah,

On 08. aug. 2016 07:44, Sarah DIEHL wrote:
> Dear all,
> since no one replied so far to the main problem I had and it might have gotten
> lost in the conversation, I ask again: Does somebody know how to configure
> external user auth with apache such that API (from external, e.g. bioblend) and
> dataset import in the data libraries work? When I configure apache to require
> auth for everything, the API does not work. If I except the API from the apache
> auth, the dataset import does not work.

Our configuration looks like the following (just switching CAS for LDAP.)

<Location "/galaxy/api/">
    Satisfy Any
    Allow from all
</Location>
<Location "/galaxy">
    AuthName "CAS"
    AuthType CAS
    Require valid-user
    RequestHeader set X-URL-SCHEME https
    XSendFile on
    XSendFilePath /
    RequestHeader set CAS-User "%{REMOTE_USER}[email protected]"
</Location>
ProxyPass /galaxy uwsgi://127.0.0.1:4001/

I.e. we disable authentication on the /api route. On 16.01+ (I think it was
patched then, but 16.04 is a safer bet) this will work correctly and your users
will be able to use the API. On previous versions the /api route would fail for
web users if exposed in this manner.

> If I switch to the new galaxy-internal LDAP auth features, will that solve this
> problem?

Yes, this is an alternate solution.

> Any hints are appreciated!
> Best regards,
> Sarah
From: galaxy-dev <[email protected]>
on behalf of Sarah DIEHL <[email protected]>
Date: Monday 1 August 2016 13:06
To: Nicola Soranzo <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [galaxy-dev] Remote user auth and API

Hi Nicola,
thanks a lot for the help! Yes, it's a self-signed certificate, I didn't bother
with letsencrypt yet ;-).
So now the error turned to
ConnectionError: GET: error 401: b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">\n<html><head>\n<title>401 Authorization
Required</title>\n</head><body>\n<h1>Authorization Required</h1>\n<p>This
server could not verify that you\nare authorized to access the
document\nrequested. Either you supplied the wrong\ncredentials (e.g., bad
password), or your\nbrowser doesn\'t understand how to supply\nthe credentials
required.</p>\n</body></html>\n', 0 attempts left: None
which is what I expected, since apache now wants the authentication through
LDAP.
So anybody know what the right settings are to get both the dataset import and
the API working with external user auth over apache and LDAP?
Thanks,
Sarah
From: Nicola Soranzo <[email protected]> on behalf of Nicola Soranzo
<[email protected]>
Date: Monday 1 August 2016 12:58
To: Sarah DIEHL <[email protected]>,
"[email protected]" <[email protected]>
Subject: Re: [galaxy-dev] Remote user auth and API

Hi Sarah!
I guess that your problem is with an untrusted certificate, you can get one for
free at
https://letsencrypt.org/
You can disable certificate verification in bioblend as in the example below:
import bioblend.galaxy
gi = bioblend.galaxy.GalaxyInstance(url=my_server, key=my_key)
gi.verify = False
Cheers,
Nicola
On 01/08/16 09:08, Sarah DIEHL wrote:
Dear all,
since the recent update to 16.04 I get the following error when trying to
import a file from a user directory to a data library:
AssertionError: use_remote_user is set but HTTP_REMOTE_USER header was not
provided
I use apache as a proxy and use an LDAP server for authentication. In order to
get the API to work previously the apache had to be set to not check
authentication for the requests to /api. In the logs I can see that the dataset
import is a request to the API, so since the auth is not checked then, there
is also no REMOTE_USER header set.
What is the recommended way to solve this issue with the current Galaxy
version? I disabled the special settings for /api and the dataset import works
now.
I tried to check the API with an old test script based on bioblend, but I now
get the following error:
ConnectionError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:645), 0 attempts left: None
Previously I could disable it with
import requests
requests.packages.urllib3.disable_warnings()
but that doesn't seem to work anymore (switched to Python 3 now). Since
bioblend wraps all the requests methods, I cannot apply any of the common
solutions I found online (e.g. set verify=False).
Any help to solve these issues is highly appreciated :-).
Best regards,
Sarah
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
https://lists.galaxyproject.org/
To search Galaxy mailing lists use the unified search at:
http://galaxyproject.org/search/mailinglists/
--
Eric Rasche
Programmer II
Center for Phage Technology
Rm 312A, Biochemistry & Biophysics
Texas A&M University
College Station, TX 77843
[email protected]