Re: [galaxy-dev] External User Authenticaion

[Eric Rasche]

Hi Ryan,

On 10/13/2015 09:50 AM, Ryan G wrote:
> Hi all - In regards to external user authentication that I have working
> now (see thread below).  When users try to go to the actual Galaxy page,
> they get the message:
> 
> 
> Access to Galaxy is denied

That's expected for External User Auth if you don't have the REMOTE_USER
header set properly.

> 
> Galaxy is configured to authenticate users via an external method (such
> as HTTP authentication in Apache), but no shared secret key was provided
> by the upstream (proxy) server.
> 
> Please contact your local Galaxy administrator. The variable
> |remote_user_secret| and |GX_SECRET| header must be set before you may
> access Galaxy.
> 
> 
> 
> That's fine and all but I'd like to have them redirected to the real
> login page.  Is there a way to do this?  I didn't see anything obvious
> and was thinking of adding a parameter to galaxy.ini and have Galaxy
> automatically forward them after 5 seconds or so.

What external auth mechanism are you using?

> 
> Ryan
> 
> 
> On Tue, Oct 13, 2015 at 10:49 AM, Ryan G  > wrote:
> 
> Hi all - In regards to external user authentication that I have
> working now (see thread below).  When users try to go to the actual
> Galaxy page, they get the message:
> 
> 
> On Thu, Oct 1, 2015 at 4:10 PM, Ryan G  > wrote:
> 
> I finally got around to this and all is working well.  I
> submitted 2 patches to remoteuser.py to assist in debugging
> incorrect set ups. 
> 
> Last question - When a user logs out, they get the page ""Access
> to Galaxy user controls is disabled".  I've set the
> remote_user_logout_href parameter to a different website, but
> they still get the "Access to Galaxy user controls is disabled". 
> 
> I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I
> think at that point its too late.
> 
> 
> 
> On Tue, Sep 8, 2015 at 4:05 PM, Ryan G
>  > wrote:
> 
> Yes, I have a test server I'm going to check this one. 
> thanks for the link, that's perfect...I'll add some
> debugging code in here to see what's going on.
> 
> On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker
> > wrote:
> 
> Do you have a way to verify the "HTTP_MAIL" header is
> actually being passed through your proxy server?  
> 
> The problem is that Galaxy still doesn't think it's
> receiving the expected headers, so there isn't a good
> way that it can tell you more about what might be going
> on.  If you're able to tweak Galaxy (using a test
> server) and add a few logging statements the code, this
> would be good places to check what's going on (print the
> `environ` dictionary associated with that request, along
> with self.remote_user_header to see what Galaxy is
> actually trying to use):
> 
> 
> https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
> 
> -Dannon
> 
> On Thu, Sep 3, 2015 at 1:51 PM, Ryan G
>  > wrote:
> 
> It turns out our authentication system passes a
> header 'HTTP_MAIL' which contains the users email
> address.  In galaxy.ini, I have
> 
> use_remote_user = True
> remote_user_header = HTTP_MAIL
> 
> After restarting,Galaxy still gives the same error. 
> 
> On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker
>  > wrote:
> 
> Hi Ryan,
> 
> It may be that Galaxy is looking for a different
> remote user header than your proxy is setting. 
> I believe by default we look for
> HTTP_REMOTE_USER, but this is configurable in
> galaxy.ini (so, you could set yours to HTTP_USER
> there).  Let me know if this doesn't sort it out
> for you and we can dig deeper!
> 
> -Dannon
> 
> On Mon, Aug 31, 2015 at 3:42 PM, Ryan G
>  > wrote:
> 
> Hi 

Re: [galaxy-dev] External User Authenticaion

[Eric Rasche]

On 10/13/2015 11:34 AM, Ryan G wrote:
> We have Apache set up to authenticate users off our LDAP.  If they
> authenticate correctly, they are then forwarded on through the proxy. 

So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may
not mean this.

> 
> What I want is to prevent users from hitting the galaxy URL directly. 
> If they, do I want to automatically redirect them to the proxy.

Under mod_auth_ldap this should be done for you.

(Worst case scenario you could write some mod_rewrite logic that checks
for the remote_user header and returns a 301 if it's missing with the
location of your login page)

> 
> 
> On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche  > wrote:
> 
> Hi Ryan,
> 
> On 10/13/2015 09:50 AM, Ryan G wrote:
> > Hi all - In regards to external user authentication that I have working
> > now (see thread below).  When users try to go to the actual Galaxy page,
> > they get the message:
> >
> >
> > Access to Galaxy is denied
> 
> That's expected for External User Auth if you don't have the REMOTE_USER
> header set properly.
> 
> >
> > Galaxy is configured to authenticate users via an external method (such
> > as HTTP authentication in Apache), but no shared secret key was provided
> > by the upstream (proxy) server.
> >
> > Please contact your local Galaxy administrator. The variable
> > |remote_user_secret| and |GX_SECRET| header must be set before you may
> > access Galaxy.
> >
> >
> >
> > That's fine and all but I'd like to have them redirected to the real
> > login page.  Is there a way to do this?  I didn't see anything obvious
> > and was thinking of adding a parameter to galaxy.ini and have Galaxy
> > automatically forward them after 5 seconds or so.
> 
> What external auth mechanism are you using?
> 
> >
> > Ryan
> >
> >
> > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G  
> >  >>
> wrote:
> >
> > Hi all - In regards to external user authentication that I have
> > working now (see thread below).  When users try to go to the actual
> > Galaxy page, they get the message:
> >
> >
> > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G  
> >  >>
> wrote:
> >
> > I finally got around to this and all is working well.  I
> > submitted 2 patches to remoteuser.py to assist in debugging
> > incorrect set ups.
> >
> > Last question - When a user logs out, they get the page ""Access
> > to Galaxy user controls is disabled".  I've set the
> > remote_user_logout_href parameter to a different website, but
> > they still get the "Access to Galaxy user controls is disabled".
> >
> > I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I
> > think at that point its too late.
> >
> >
> >
> > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G
> >  
> >  >>
> wrote:
> >
> > Yes, I have a test server I'm going to check this one.
> > thanks for the link, that's perfect...I'll add some
> > debugging code in here to see what's going on.
> >
> > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker
> > 
> >> wrote:
> >
> > Do you have a way to verify the "HTTP_MAIL" header is
> > actually being passed through your proxy server?
> >
> > The problem is that Galaxy still doesn't think it's
> > receiving the expected headers, so there isn't a good
> > way that it can tell you more about what might be going
> > on.  If you're able to tweak Galaxy (using a test
> > server) and add a few logging statements the code, this
> > would be good places to check what's going on (print the
> > `environ` dictionary associated with that request, along
> > with self.remote_user_header to see what Galaxy is
> > actually trying to use):
> >
> > 
> https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
> >
> >   

Re: [galaxy-dev] External User Authenticaion

[Ryan G]

Sorry, maybe I'm not being clear.

Galaxy is listening on http://galaxy.mycompany.com:8080

Users access Galaxy via http://mycompay.com/galaxy

If users go to http://galaxy.mycompany.com:8080, they get the External
Authentication message.  From here I want them to be redirected to
http://mycompay.com/galaxy which is where they will be authenticated.

Users never see http://galaxy.mycompany.com:8080they will always see
http://mycompay.com/galaxy



On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche  wrote:

>
>
> On 10/13/2015 11:34 AM, Ryan G wrote:
> > We have Apache set up to authenticate users off our LDAP.  If they
> > authenticate correctly, they are then forwarded on through the proxy.
>
> So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may
> not mean this.
>
> >
> > What I want is to prevent users from hitting the galaxy URL directly.
> > If they, do I want to automatically redirect them to the proxy.
>
> Under mod_auth_ldap this should be done for you.
>
> (Worst case scenario you could write some mod_rewrite logic that checks
> for the remote_user header and returns a 301 if it's missing with the
> location of your login page)
>
> >
> >
> > On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche  > > wrote:
> >
> > Hi Ryan,
> >
> > On 10/13/2015 09:50 AM, Ryan G wrote:
> > > Hi all - In regards to external user authentication that I have
> working
> > > now (see thread below).  When users try to go to the actual Galaxy
> page,
> > > they get the message:
> > >
> > >
> > > Access to Galaxy is denied
> >
> > That's expected for External User Auth if you don't have the
> REMOTE_USER
> > header set properly.
> >
> > >
> > > Galaxy is configured to authenticate users via an external method
> (such
> > > as HTTP authentication in Apache), but no shared secret key was
> provided
> > > by the upstream (proxy) server.
> > >
> > > Please contact your local Galaxy administrator. The variable
> > > |remote_user_secret| and |GX_SECRET| header must be set before you
> may
> > > access Galaxy.
> > >
> > >
> > >
> > > That's fine and all but I'd like to have them redirected to the
> real
> > > login page.  Is there a way to do this?  I didn't see anything
> obvious
> > > and was thinking of adding a parameter to galaxy.ini and have
> Galaxy
> > > automatically forward them after 5 seconds or so.
> >
> > What external auth mechanism are you using?
> >
> > >
> > > Ryan
> > >
> > >
> > > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <
> ngsbioinformat...@gmail.com 
> > > >>
> > wrote:
> > >
> > > Hi all - In regards to external user authentication that I have
> > > working now (see thread below).  When users try to go to the
> actual
> > > Galaxy page, they get the message:
> > >
> > >
> > > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <
> ngsbioinformat...@gmail.com 
> > > >>
> > wrote:
> > >
> > > I finally got around to this and all is working well.  I
> > > submitted 2 patches to remoteuser.py to assist in debugging
> > > incorrect set ups.
> > >
> > > Last question - When a user logs out, they get the page
> ""Access
> > > to Galaxy user controls is disabled".  I've set the
> > > remote_user_logout_href parameter to a different website,
> but
> > > they still get the "Access to Galaxy user controls is
> disabled".
> > >
> > > I see it in lib/galaxy/webapps/galaxy/controllers/user.py,
> but I
> > > think at that point its too late.
> > >
> > >
> > >
> > > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G
> > > 
> > > >>
> > wrote:
> > >
> > > Yes, I have a test server I'm going to check this one.
> > > thanks for the link, that's perfect...I'll add some
> > > debugging code in here to see what's going on.
> > >
> > > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker
> > >  >
> > >>
> wrote:
> > >
> > > Do you have a way to verify the "HTTP_MAIL" header
> is
> > > actually being passed through your proxy server?
> > >
> > > The problem is that Galaxy still doesn't think it's
> > > receiving the expected 

Re: [galaxy-dev] External User Authenticaion

[Eric Rasche]

Howdy Ryan,

On 10/13/2015 11:44 AM, Ryan G wrote:
> Sorry, maybe I'm not being clear.
> 
> Galaxy is listening on http://galaxy.mycompany.com:8080
> 
> Users access Galaxy via http://mycompay.com/galaxy

Ah! This is much more clear, thanks :)

If you're running under remote_user, you should NOT make it available
outside of the apache proxy. Even with the remote_user_secret variable
that was added, it's still an unnecessary security risk.

> If users go to http://galaxy.mycompany.com:8080, they get the External
> Authentication message.  From here I want them to be redirected to
> http://mycompay.com/galaxy which is where they will be authenticated. 

I'm guessing you migrated at some point from the raw port to the /galaxy
address and your users are moving slowly to the new URL.

Here is my suggestion:

- have galaxy listen on 127.0.0.1:8081 so only apache on the same
machine can access it.
- add an apache virtualhost listening on 0.0.0.0:8080 that automatically
redirects any requests to that page to http://mycompany.com/galaxy/ to
help migrate users.

That should fix your problem without requiring modification to your
codebase for this one scenario.

> 
> Users never see http://galaxy.mycompany.com:8080they will always see
> http://mycompay.com/galaxy



> 
> 
> 
> On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche  > wrote:
> 
> 
> 
> On 10/13/2015 11:34 AM, Ryan G wrote:
> > We have Apache set up to authenticate users off our LDAP.  If they
> > authenticate correctly, they are then forwarded on through the proxy.
> 
> So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may
> not mean this.
> 
> >
> > What I want is to prevent users from hitting the galaxy URL directly.
> > If they, do I want to automatically redirect them to the proxy.
> 
> Under mod_auth_ldap this should be done for you.
> 
> (Worst case scenario you could write some mod_rewrite logic that checks
> for the remote_user header and returns a 301 if it's missing with the
> location of your login page)
> 
> >
> >
> > On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche  
> > >> wrote:
> >
> > Hi Ryan,
> >
> > On 10/13/2015 09:50 AM, Ryan G wrote:
> > > Hi all - In regards to external user authentication that I have 
> working
> > > now (see thread below).  When users try to go to the actual 
> Galaxy page,
> > > they get the message:
> > >
> > >
> > > Access to Galaxy is denied
> >
> > That's expected for External User Auth if you don't have the 
> REMOTE_USER
> > header set properly.
> >
> > >
> > > Galaxy is configured to authenticate users via an external method 
> (such
> > > as HTTP authentication in Apache), but no shared secret key was 
> provided
> > > by the upstream (proxy) server.
> > >
> > > Please contact your local Galaxy administrator. The variable
> > > |remote_user_secret| and |GX_SECRET| header must be set before 
> you may
> > > access Galaxy.
> > >
> > >
> > >
> > > That's fine and all but I'd like to have them redirected to the 
> real
> > > login page.  Is there a way to do this?  I didn't see anything 
> obvious
> > > and was thinking of adding a parameter to galaxy.ini and have 
> Galaxy
> > > automatically forward them after 5 seconds or so.
> >
> > What external auth mechanism are you using?
> >
> > >
> > > Ryan
> > >
> > >
> > > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G 
> 
>  >
> > >  
>   > wrote:
> > >
> > > Hi all - In regards to external user authentication that I 
> have
> > > working now (see thread below).  When users try to go to the 
> actual
> > > Galaxy page, they get the message:
> > >
> > >
> > > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G 
> 
>  >
> > >  
>   > wrote:
> > >
> > > I finally got around to this and all is working well.  I
> > > submitted 2 patches to remoteuser.py to assist in 

Re: [galaxy-dev] External User Authenticaion

[Ryan G]

We have Apache set up to authenticate users off our LDAP.  If they
authenticate correctly, they are then forwarded on through the proxy.

What I want is to prevent users from hitting the galaxy URL directly.  If
they, do I want to automatically redirect them to the proxy.


On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche  wrote:

> Hi Ryan,
>
> On 10/13/2015 09:50 AM, Ryan G wrote:
> > Hi all - In regards to external user authentication that I have working
> > now (see thread below).  When users try to go to the actual Galaxy page,
> > they get the message:
> >
> >
> > Access to Galaxy is denied
>
> That's expected for External User Auth if you don't have the REMOTE_USER
> header set properly.
>
> >
> > Galaxy is configured to authenticate users via an external method (such
> > as HTTP authentication in Apache), but no shared secret key was provided
> > by the upstream (proxy) server.
> >
> > Please contact your local Galaxy administrator. The variable
> > |remote_user_secret| and |GX_SECRET| header must be set before you may
> > access Galaxy.
> >
> >
> >
> > That's fine and all but I'd like to have them redirected to the real
> > login page.  Is there a way to do this?  I didn't see anything obvious
> > and was thinking of adding a parameter to galaxy.ini and have Galaxy
> > automatically forward them after 5 seconds or so.
>
> What external auth mechanism are you using?
>
> >
> > Ryan
> >
> >
> > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G  > > wrote:
> >
> > Hi all - In regards to external user authentication that I have
> > working now (see thread below).  When users try to go to the actual
> > Galaxy page, they get the message:
> >
> >
> > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G  > > wrote:
> >
> > I finally got around to this and all is working well.  I
> > submitted 2 patches to remoteuser.py to assist in debugging
> > incorrect set ups.
> >
> > Last question - When a user logs out, they get the page ""Access
> > to Galaxy user controls is disabled".  I've set the
> > remote_user_logout_href parameter to a different website, but
> > they still get the "Access to Galaxy user controls is disabled".
> >
> > I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I
> > think at that point its too late.
> >
> >
> >
> > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G
> >  > > wrote:
> >
> > Yes, I have a test server I'm going to check this one.
> > thanks for the link, that's perfect...I'll add some
> > debugging code in here to see what's going on.
> >
> > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker
> > >
> wrote:
> >
> > Do you have a way to verify the "HTTP_MAIL" header is
> > actually being passed through your proxy server?
> >
> > The problem is that Galaxy still doesn't think it's
> > receiving the expected headers, so there isn't a good
> > way that it can tell you more about what might be going
> > on.  If you're able to tweak Galaxy (using a test
> > server) and add a few logging statements the code, this
> > would be good places to check what's going on (print the
> > `environ` dictionary associated with that request, along
> > with self.remote_user_header to see what Galaxy is
> > actually trying to use):
> >
> >
> https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
> >
> > -Dannon
> >
> > On Thu, Sep 3, 2015 at 1:51 PM, Ryan G
> >  > > wrote:
> >
> > It turns out our authentication system passes a
> > header 'HTTP_MAIL' which contains the users email
> > address.  In galaxy.ini, I have
> >
> > use_remote_user = True
> > remote_user_header = HTTP_MAIL
> >
> > After restarting,Galaxy still gives the same error.
> >
> > On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker
> >  > > wrote:
> >
> > Hi Ryan,
> >
> > It may be that Galaxy is looking for a different
> > remote user header than your proxy is setting.
> > I believe by default we look for
> > 

Re: [galaxy-dev] External User Authenticaion

[Ryan G]

I finally got around to this and all is working well.  I submitted 2
patches to remoteuser.py to assist in debugging incorrect set ups.

Last question - When a user logs out, they get the page ""Access to Galaxy
user controls is disabled".  I've set the remote_user_logout_href parameter
to a different website, but they still get the "Access to Galaxy user
controls is disabled".

I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I think at
that point its too late.



On Tue, Sep 8, 2015 at 4:05 PM, Ryan G  wrote:

> Yes, I have a test server I'm going to check this one.  thanks for the
> link, that's perfect...I'll add some debugging code in here to see what's
> going on.
>
> On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker 
> wrote:
>
>> Do you have a way to verify the "HTTP_MAIL" header is actually being
>> passed through your proxy server?
>>
>> The problem is that Galaxy still doesn't think it's receiving the
>> expected headers, so there isn't a good way that it can tell you more about
>> what might be going on.  If you're able to tweak Galaxy (using a test
>> server) and add a few logging statements the code, this would be good
>> places to check what's going on (print the `environ` dictionary associated
>> with that request, along with self.remote_user_header to see what Galaxy is
>> actually trying to use):
>>
>>
>> https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
>>
>> -Dannon
>>
>> On Thu, Sep 3, 2015 at 1:51 PM, Ryan G 
>> wrote:
>>
>>> It turns out our authentication system passes a header 'HTTP_MAIL' which
>>> contains the users email address.  In galaxy.ini, I have
>>>
>>> use_remote_user = True
>>> remote_user_header = HTTP_MAIL
>>>
>>> After restarting,Galaxy still gives the same error.
>>>
>>> On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker 
>>> wrote:
>>>
 Hi Ryan,

 It may be that Galaxy is looking for a different remote user header
 than your proxy is setting.  I believe by default we look for
 HTTP_REMOTE_USER, but this is configurable in galaxy.ini (so, you could set
 yours to HTTP_USER there).  Let me know if this doesn't sort it out for you
 and we can dig deeper!

 -Dannon

 On Mon, Aug 31, 2015 at 3:42 PM, Ryan G 
 wrote:

> Hi all - I'm trying to use external user authentication with Galaxy.
> The external authentication passes to Galaxy the username with the mail
> domain at HTTP_USER.
>
> In galaxy.ini, I enable:
> use_remote_user = True
>
>
> When I try to access Galaxy, I get the message:
> Galaxy is configured to authenticate users via an external method
> (such as HTTP authentication in Apache), but a username was not provided 
> by
> the upstream (proxy) server. This is generally due to a misconfiguration 
> in
> the upstream server.
>
> But nothing in paster.log indicating what the error is.
>
> How do I track this down?
>
>
>
> ___
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   https://lists.galaxyproject.org/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/
>


>>>
>>
>
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Re: [galaxy-dev] External User Authenticaion

[Ryan G]

Yes, I have a test server I'm going to check this one.  thanks for the
link, that's perfect...I'll add some debugging code in here to see what's
going on.

On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker  wrote:

> Do you have a way to verify the "HTTP_MAIL" header is actually being
> passed through your proxy server?
>
> The problem is that Galaxy still doesn't think it's receiving the expected
> headers, so there isn't a good way that it can tell you more about what
> might be going on.  If you're able to tweak Galaxy (using a test server)
> and add a few logging statements the code, this would be good places to
> check what's going on (print the `environ` dictionary associated with that
> request, along with self.remote_user_header to see what Galaxy is actually
> trying to use):
>
>
> https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
>
> -Dannon
>
> On Thu, Sep 3, 2015 at 1:51 PM, Ryan G 
> wrote:
>
>> It turns out our authentication system passes a header 'HTTP_MAIL' which
>> contains the users email address.  In galaxy.ini, I have
>>
>> use_remote_user = True
>> remote_user_header = HTTP_MAIL
>>
>> After restarting,Galaxy still gives the same error.
>>
>> On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker 
>> wrote:
>>
>>> Hi Ryan,
>>>
>>> It may be that Galaxy is looking for a different remote user header than
>>> your proxy is setting.  I believe by default we look for HTTP_REMOTE_USER,
>>> but this is configurable in galaxy.ini (so, you could set yours to
>>> HTTP_USER there).  Let me know if this doesn't sort it out for you and we
>>> can dig deeper!
>>>
>>> -Dannon
>>>
>>> On Mon, Aug 31, 2015 at 3:42 PM, Ryan G 
>>> wrote:
>>>
 Hi all - I'm trying to use external user authentication with Galaxy.
 The external authentication passes to Galaxy the username with the mail
 domain at HTTP_USER.

 In galaxy.ini, I enable:
 use_remote_user = True


 When I try to access Galaxy, I get the message:
 Galaxy is configured to authenticate users via an external method (such
 as HTTP authentication in Apache), but a username was not provided by the
 upstream (proxy) server. This is generally due to a misconfiguration in the
 upstream server.

 But nothing in paster.log indicating what the error is.

 How do I track this down?



 ___
 Please keep all replies on the list by using "reply all"
 in your mail client.  To manage your subscriptions to this
 and other Galaxy lists, please use the interface at:
   https://lists.galaxyproject.org/

 To search Galaxy mailing lists use the unified search at:
   http://galaxyproject.org/search/mailinglists/

>>>
>>>
>>
>
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Re: [galaxy-dev] External User Authenticaion

[Dannon Baker]

Do you have a way to verify the "HTTP_MAIL" header is actually being passed
through your proxy server?

The problem is that Galaxy still doesn't think it's receiving the expected
headers, so there isn't a good way that it can tell you more about what
might be going on.  If you're able to tweak Galaxy (using a test server)
and add a few logging statements the code, this would be good places to
check what's going on (print the `environ` dictionary associated with that
request, along with self.remote_user_header to see what Galaxy is actually
trying to use):

https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49

-Dannon

On Thu, Sep 3, 2015 at 1:51 PM, Ryan G  wrote:

> It turns out our authentication system passes a header 'HTTP_MAIL' which
> contains the users email address.  In galaxy.ini, I have
>
> use_remote_user = True
> remote_user_header = HTTP_MAIL
>
> After restarting,Galaxy still gives the same error.
>
> On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker 
> wrote:
>
>> Hi Ryan,
>>
>> It may be that Galaxy is looking for a different remote user header than
>> your proxy is setting.  I believe by default we look for HTTP_REMOTE_USER,
>> but this is configurable in galaxy.ini (so, you could set yours to
>> HTTP_USER there).  Let me know if this doesn't sort it out for you and we
>> can dig deeper!
>>
>> -Dannon
>>
>> On Mon, Aug 31, 2015 at 3:42 PM, Ryan G 
>> wrote:
>>
>>> Hi all - I'm trying to use external user authentication with Galaxy.
>>> The external authentication passes to Galaxy the username with the mail
>>> domain at HTTP_USER.
>>>
>>> In galaxy.ini, I enable:
>>> use_remote_user = True
>>>
>>>
>>> When I try to access Galaxy, I get the message:
>>> Galaxy is configured to authenticate users via an external method (such
>>> as HTTP authentication in Apache), but a username was not provided by the
>>> upstream (proxy) server. This is generally due to a misconfiguration in the
>>> upstream server.
>>>
>>> But nothing in paster.log indicating what the error is.
>>>
>>> How do I track this down?
>>>
>>>
>>>
>>> ___
>>> Please keep all replies on the list by using "reply all"
>>> in your mail client.  To manage your subscriptions to this
>>> and other Galaxy lists, please use the interface at:
>>>   https://lists.galaxyproject.org/
>>>
>>> To search Galaxy mailing lists use the unified search at:
>>>   http://galaxyproject.org/search/mailinglists/
>>>
>>
>>
>
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

[galaxy-dev] External User Authenticaion

[Ryan G]

Hi all - I'm trying to use external user authentication with Galaxy.  The
external authentication passes to Galaxy the username with the mail domain
at HTTP_USER.

In galaxy.ini, I enable:
use_remote_user = True


When I try to access Galaxy, I get the message:
Galaxy is configured to authenticate users via an external method (such as
HTTP authentication in Apache), but a username was not provided by the
upstream (proxy) server. This is generally due to a misconfiguration in the
upstream server.

But nothing in paster.log indicating what the error is.

How do I track this down?
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Re: [galaxy-dev] External User Authenticaion

[Dannon Baker]

Hi Ryan,

It may be that Galaxy is looking for a different remote user header than
your proxy is setting.  I believe by default we look for HTTP_REMOTE_USER,
but this is configurable in galaxy.ini (so, you could set yours to
HTTP_USER there).  Let me know if this doesn't sort it out for you and we
can dig deeper!

-Dannon

On Mon, Aug 31, 2015 at 3:42 PM, Ryan G  wrote:

> Hi all - I'm trying to use external user authentication with Galaxy.  The
> external authentication passes to Galaxy the username with the mail domain
> at HTTP_USER.
>
> In galaxy.ini, I enable:
> use_remote_user = True
>
>
> When I try to access Galaxy, I get the message:
> Galaxy is configured to authenticate users via an external method (such as
> HTTP authentication in Apache), but a username was not provided by the
> upstream (proxy) server. This is generally due to a misconfiguration in the
> upstream server.
>
> But nothing in paster.log indicating what the error is.
>
> How do I track this down?
>
>
>
> ___
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   https://lists.galaxyproject.org/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/
>
___
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/