bug: API broken under remote_user

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

bug: API broken under remote_user

Eric Rasche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api

I don't know if this is the correct card (it's been a long day and I may
be misreading it) but the API is completely broken under REMOTE_USER
authentication.

running ./scripts/api/display.py {key} http://localhost:8300 returns 403
forbidden.

running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401
Authorization Required

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQIcBAEBAgAGBQJTmPeFAAoJEMqDXdrsMcpVtmkP/1r36cFmedYJXnMFl2CG0e7P
VtSoMHYbtesc/IKnGwKEH1xtf2RNF7p8n0/0mC3QNAoI0n3A8XDoZRXaWzgmsZ4z
heGipPgotCyhFt/ud2W8eb0IlZ3AhtyWwvhG1hXcwQV4eXXHfuQCepPEbfyUUR2N
F+VCLMGMv3dnsv0ForC7iYesV4qqOsX48Wry6InVD41UpXOE0Bor5uB/HcohYjKS
sVhOmNSjLpME35Rka4vUW4oNIzeeBsQIQyrpCuZ2KTKImEkSoSEbTho9fhNUi0ll
EHlTu+qt4iaXZpqNOKU05p3TqdjxAmc2w/McmMzifwPZdmrxTZjaitFn+g1qXxYs
0ZVJtL/OZviFHuK+8qbbsCPIYYm/dVr5EPy821/F01dAGNw9k+lbk5kZdgC8zcBz
xFc5yk+QZGuc3KeDYLOidtn4c471Ez4LhgTd9wapYkSwva7aM5T1betpPZKufZbw
+SSC/KFi6J2rjVDOkHLCry185Bwha2hrn1tc2hd1+A/5zOuyqQ/u0isvRu+O7dxO
uGF33WjXCYqwVGNzXN+pZMVPStIXKlLmoA2CoWbUM9rHSQWHVRQKIiZ05v2tZYn7
/cpYLOwudWbQtDX+AscPd18bJ4OqSmy+aXo9nSkmJMbCWtN9TxKljx3MNzfg8DxV
r+SaijGDeWJ3xgiv2L6U
=svZc
-----END PGP SIGNATURE-----
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Reply | Threaded
Open this post in threaded view
|

Re: bug: API broken under remote_user

Kandalaft, Iyad
Hi Eric,

It's not broken per se but the documentation is lacking on this front.  You need to route your /galaxy/api folder to a proxy that does not require authentication.  Maybe this isn't the best way but it works for AAFC's production galaxy.  See my apache configuration file below:

--------------------------------------------------------------------------------------
# Function for LowerCase conversion used in rewriterule directive
RewriteMap lc int:tolower

# Setup the load balancer and force LDAP authentication with group file authorization
<Proxy balancer://galaxy-prod/*>
        BalancerMember http://localhost:60000
        BalancerMember http://localhost:60001
        BalancerMember http://localhost:60002

        # LDAP based authentication
        AuthName "Galaxy - Login with AAFC credentials"
        AuthType Basic
        AuthBasicAuthoritative off
        AuthBasicProvider ldap

        AuthLDAPURL "REDACTED"
        AuthLDAPBindDN 'REDACTED'
        AuthLDAPBindPassword "REDACTED"

        # File based authorization
        AuthGroupFile /home/galaxy/permitted_users
        Require group galaxy-users

        RewriteEngine on

        # Convert the sAMAccountName to lower case
        RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]

        # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute
        RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
</Proxy>

<Proxy balancer://galaxy-prod-noauth/*>
        BalancerMember http://localhost:60000
        BalancerMember http://localhost:60001
        BalancerMember http://localhost:60002

        # Required to allow unauthenticated access
        # Not clear why this is so      
        Satisfy any
</Proxy>

# Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server
RewriteCond %{QUERY_STRING} key=
RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]

# Bypass authentication for display servers
RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]

# Serve static content directly from apache
RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]

# Route all other traffic through the load balancer
RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
------------------------------------------------------------------------------



Regards,

Iyad Kandalaft
Microbial Biodiversity Bioinformatics
Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
960 Carling Ave.| 960 Ave. Carling
Ottawa, ON| Ottawa (ON) K1A 0C6
E-mail Address / Adresse courriel  [hidden email]
Telephone | Téléphone 613-759-1228
Facsimile | Télécopieur 613-759-1701
Teletypewriter | Téléimprimeur 613-773-2600
Government of Canada | Gouvernement du Canada



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Eric Rasche
Sent: Wednesday, June 11, 2014 8:43 PM
To: [hidden email]
Subject: [galaxy-dev] bug: API broken under remote_user

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api

I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication.

running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden.

running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQIcBAEBAgAGBQJTmPeFAAoJEMqDXdrsMcpVtmkP/1r36cFmedYJXnMFl2CG0e7P
VtSoMHYbtesc/IKnGwKEH1xtf2RNF7p8n0/0mC3QNAoI0n3A8XDoZRXaWzgmsZ4z
heGipPgotCyhFt/ud2W8eb0IlZ3AhtyWwvhG1hXcwQV4eXXHfuQCepPEbfyUUR2N
F+VCLMGMv3dnsv0ForC7iYesV4qqOsX48Wry6InVD41UpXOE0Bor5uB/HcohYjKS
sVhOmNSjLpME35Rka4vUW4oNIzeeBsQIQyrpCuZ2KTKImEkSoSEbTho9fhNUi0ll
EHlTu+qt4iaXZpqNOKU05p3TqdjxAmc2w/McmMzifwPZdmrxTZjaitFn+g1qXxYs
0ZVJtL/OZviFHuK+8qbbsCPIYYm/dVr5EPy821/F01dAGNw9k+lbk5kZdgC8zcBz
xFc5yk+QZGuc3KeDYLOidtn4c471Ez4LhgTd9wapYkSwva7aM5T1betpPZKufZbw
+SSC/KFi6J2rjVDOkHLCry185Bwha2hrn1tc2hd1+A/5zOuyqQ/u0isvRu+O7dxO
uGF33WjXCYqwVGNzXN+pZMVPStIXKlLmoA2CoWbUM9rHSQWHVRQKIiZ05v2tZYn7
/cpYLOwudWbQtDX+AscPd18bJ4OqSmy+aXo9nSkmJMbCWtN9TxKljx3MNzfg8DxV
r+SaijGDeWJ3xgiv2L6U
=svZc
-----END PGP SIGNATURE-----
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Reply | Threaded
Open this post in threaded view
|

Re: bug: API broken under remote_user

Eric Rasche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Iyad,

Thanks for posting configs! I'm very curious how this actually works for
you.

I'm running the API scripts from the galaxy server itself, and I made
requests to http://fqdn/galaxy/, <a href="http://localhost:####/">http://localhost:####/, and
<a href="http://localhost:####/galaxy/">http://localhost:####/galaxy/

The request to the fqdn unsurprisingly fails as apache answers it, and
apache requires authentication. Both of the localhost requests also fail
(403), indicating that galaxy was forbidding me due to lack of a
REMOTE_USER variable being set:

> Galaxy is configured to authenticate users via an external method
> (such as HTTP authentication in Apache), but a username was not
> provided by the upstream (proxy) server.


- From my tests, I conclude that the routes under /api/ also have the
requirement on REMOTE_USER being set. (Maybe a dev can chime in on
this?) I'm fairly certain the only way to get the /api/ route to work
with the apache config presented is to statically set REMOTE_USER, such
that it's always a valid galaxy user. You don't set a static REMOTE_USER
variable in your apache config, so when galaxy is serving requests from
outside users, in my understanding, the REMOTE_USER var will be unset,
and galaxy should refuse to answer it.

Cheers,
Eric


On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:

> Hi Eric,
>
> It's not broken per se but the documentation is lacking on this front.  You need to route your /galaxy/api folder to a proxy that does not require authentication.  Maybe this isn't the best way but it works for AAFC's production galaxy.  See my apache configuration file below:
>
> --------------------------------------------------------------------------------------
> # Function for LowerCase conversion used in rewriterule directive
> RewriteMap lc int:tolower
>
> # Setup the load balancer and force LDAP authentication with group file authorization
> <Proxy balancer://galaxy-prod/*>
>         BalancerMember http://localhost:60000
>         BalancerMember http://localhost:60001
>         BalancerMember http://localhost:60002
>
>         # LDAP based authentication
>         AuthName "Galaxy - Login with AAFC credentials"
>         AuthType Basic
>         AuthBasicAuthoritative off
>         AuthBasicProvider ldap
>
>         AuthLDAPURL "REDACTED"
>         AuthLDAPBindDN 'REDACTED'
>         AuthLDAPBindPassword "REDACTED"
>
>         # File based authorization
>         AuthGroupFile /home/galaxy/permitted_users
>         Require group galaxy-users
>
>         RewriteEngine on
>
>         # Convert the sAMAccountName to lower case
>         RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]
>
>         # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute
>         RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
> </Proxy>
>
> <Proxy balancer://galaxy-prod-noauth/*>
>         BalancerMember http://localhost:60000
>         BalancerMember http://localhost:60001
>         BalancerMember http://localhost:60002
>
>         # Required to allow unauthenticated access
>         # Not clear why this is so      
>         Satisfy any
> </Proxy>
>
> # Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server
> RewriteCond %{QUERY_STRING} key=
> RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]
>
> # Bypass authentication for display servers
> RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
> RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
> RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
> RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
> RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
> RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
> RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
> RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]
>
> # Serve static content directly from apache
> RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
> RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
> RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
> RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
> RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]
>
> # Route all other traffic through the load balancer
> RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
> ------------------------------------------------------------------------------
>
>
>
> Regards,
>
> Iyad Kandalaft
> Microbial Biodiversity Bioinformatics
> Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
> 960 Carling Ave.| 960 Ave. Carling
> Ottawa, ON| Ottawa (ON) K1A 0C6
> E-mail Address / Adresse courriel  [hidden email]
> Telephone | Téléphone 613-759-1228
> Facsimile | Télécopieur 613-759-1701
> Teletypewriter | Téléimprimeur 613-773-2600
> Government of Canada | Gouvernement du Canada
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Eric Rasche
> Sent: Wednesday, June 11, 2014 8:43 PM
> To: [hidden email]
> Subject: [galaxy-dev] bug: API broken under remote_user
>
> https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api
>
> I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication.
>
> running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden.
>
> running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required
>
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this and other Galaxy lists, please use the interface at:
>   http://lists.bx.psu.edu/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/
>

- --
Эрик Раше
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQIcBAEBAgAGBQJTmbgwAAoJEMqDXdrsMcpVAVoP/31HFgmBOf4/SbGKpvubjXyP
LXKGNqsCVi3TTmWnlnjQDJbZEfA7i045iMIWGPb/wWnDAKiG4kEx6GAx+Uc/F5zj
vLmZIpKUSyAl9mvFlHHA4SMpY69lShDssOOL9q7o1NSxfRV+RAZjMKByHPX8mbwf
j2bjAuvZHDhqXVjNPD/9ODtDgxSNkxSXSc2rssTkJCqNlWsDsjNGyQj+T7uTIr4f
n8Hb/pfSrE7kX+ww02rYBuUSFBtF6EGiJoalF1VGxBvUbTlHHmucZp350epA615C
0sTZxWgY2CHXrDijnkXbAu2xBzjZuOEoQeCQSXHewY8EaLa1pQ7ZxXWUeq02IZww
XhNnbpsii3SMoYr8K0TP3bncJcfgQIla4C3J1Sa1qBk7IjeO/meoDTbTmC47/aS3
NR9DwIsqY4BIqbEeUtrkdH1SGuh4iXIQHMLCnfV6KUk7ruDyCfMrECtnh9QJfaME
tN84HqdxME38VK3LpsJr6h/r1imft4NnwrGm2XArFWo3329QEF1dVhjccHpkRcu6
QKHOkOeJAchFDHxdz9yI8zUMCR8EdqUTDCbN02zQWVun/x4YDr/JP5gxbGp1sPkM
wxwyTCBthsh21WooSW5pqVC7swLh59e/30CwfvnYl+cpGkcZebeo33MW7ck4vgbx
LNWgIcYF/PvESHfQtXAg
=CNnW
-----END PGP SIGNATURE-----
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Reply | Threaded
Open this post in threaded view
|

Re: bug: API broken under remote_user

John Chilton-4
Hey Eric,

  I am pretty sure Iyad's configuration is right - here is a similar
config for nginx with some discussion of the API problem
http://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readthedocs.org/en/latest/#external-authentication-ldap.
It is fine if it is "empty" it just has to be set and in fact it
should use the real remote user if available so the UI elements that
target the API without a key continue to function properly (which I
guess is slowly becoming all of the UI). This is what that apache
config and my nginx config do I believe.

  Does this answer your question, do you have lingering concerns?

-John


On Thu, Jun 12, 2014 at 9:24 AM, Eric Rasche <[hidden email]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Iyad,
>
> Thanks for posting configs! I'm very curious how this actually works for
> you.
>
> I'm running the API scripts from the galaxy server itself, and I made
> requests to http://fqdn/galaxy/, <a href="http://localhost:####/">http://localhost:####/, and
> <a href="http://localhost:####/galaxy/">http://localhost:####/galaxy/
>
> The request to the fqdn unsurprisingly fails as apache answers it, and
> apache requires authentication. Both of the localhost requests also fail
> (403), indicating that galaxy was forbidding me due to lack of a
> REMOTE_USER variable being set:
>
>> Galaxy is configured to authenticate users via an external method
>> (such as HTTP authentication in Apache), but a username was not
>> provided by the upstream (proxy) server.
>
>
> - From my tests, I conclude that the routes under /api/ also have the
> requirement on REMOTE_USER being set. (Maybe a dev can chime in on
> this?) I'm fairly certain the only way to get the /api/ route to work
> with the apache config presented is to statically set REMOTE_USER, such
> that it's always a valid galaxy user. You don't set a static REMOTE_USER
> variable in your apache config, so when galaxy is serving requests from
> outside users, in my understanding, the REMOTE_USER var will be unset,
> and galaxy should refuse to answer it.
>
> Cheers,
> Eric
>
>
> On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:
>> Hi Eric,
>>
>> It's not broken per se but the documentation is lacking on this front.  You need to route your /galaxy/api folder to a proxy that does not require authentication.  Maybe this isn't the best way but it works for AAFC's production galaxy.  See my apache configuration file below:
>>
>> --------------------------------------------------------------------------------------
>> # Function for LowerCase conversion used in rewriterule directive
>> RewriteMap lc int:tolower
>>
>> # Setup the load balancer and force LDAP authentication with group file authorization
>> <Proxy balancer://galaxy-prod/*>
>>         BalancerMember http://localhost:60000
>>         BalancerMember http://localhost:60001
>>         BalancerMember http://localhost:60002
>>
>>         # LDAP based authentication
>>         AuthName "Galaxy - Login with AAFC credentials"
>>         AuthType Basic
>>         AuthBasicAuthoritative off
>>         AuthBasicProvider ldap
>>
>>         AuthLDAPURL "REDACTED"
>>         AuthLDAPBindDN 'REDACTED'
>>         AuthLDAPBindPassword "REDACTED"
>>
>>         # File based authorization
>>         AuthGroupFile /home/galaxy/permitted_users
>>         Require group galaxy-users
>>
>>         RewriteEngine on
>>
>>         # Convert the sAMAccountName to lower case
>>         RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]
>>
>>         # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute
>>         RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
>> </Proxy>
>>
>> <Proxy balancer://galaxy-prod-noauth/*>
>>         BalancerMember http://localhost:60000
>>         BalancerMember http://localhost:60001
>>         BalancerMember http://localhost:60002
>>
>>         # Required to allow unauthenticated access
>>         # Not clear why this is so
>>         Satisfy any
>> </Proxy>
>>
>> # Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server
>> RewriteCond %{QUERY_STRING} key=
>> RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]
>>
>> # Bypass authentication for display servers
>> RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
>> RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
>> RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
>> RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
>> RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
>> RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
>> RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
>> RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]
>>
>> # Serve static content directly from apache
>> RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
>> RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
>> RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
>> RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
>> RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]
>>
>> # Route all other traffic through the load balancer
>> RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
>> ------------------------------------------------------------------------------
>>
>>
>>
>> Regards,
>>
>> Iyad Kandalaft
>> Microbial Biodiversity Bioinformatics
>> Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
>> 960 Carling Ave.| 960 Ave. Carling
>> Ottawa, ON| Ottawa (ON) K1A 0C6
>> E-mail Address / Adresse courriel  [hidden email]
>> Telephone | Téléphone 613-759-1228
>> Facsimile | Télécopieur 613-759-1701
>> Teletypewriter | Téléimprimeur 613-773-2600
>> Government of Canada | Gouvernement du Canada
>>
>>
>>
>> -----Original Message-----
>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Eric Rasche
>> Sent: Wednesday, June 11, 2014 8:43 PM
>> To: [hidden email]
>> Subject: [galaxy-dev] bug: API broken under remote_user
>>
>> https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api
>>
>> I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication.
>>
>> running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden.
>>
>> running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required
>>
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this and other Galaxy lists, please use the interface at:
>>   http://lists.bx.psu.edu/
>>
>> To search Galaxy mailing lists use the unified search at:
>>   http://galaxyproject.org/search/mailinglists/
>>
>
> - --
> Эрик Раше
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (GNU/Linux)
>
> iQIcBAEBAgAGBQJTmbgwAAoJEMqDXdrsMcpVAVoP/31HFgmBOf4/SbGKpvubjXyP
> LXKGNqsCVi3TTmWnlnjQDJbZEfA7i045iMIWGPb/wWnDAKiG4kEx6GAx+Uc/F5zj
> vLmZIpKUSyAl9mvFlHHA4SMpY69lShDssOOL9q7o1NSxfRV+RAZjMKByHPX8mbwf
> j2bjAuvZHDhqXVjNPD/9ODtDgxSNkxSXSc2rssTkJCqNlWsDsjNGyQj+T7uTIr4f
> n8Hb/pfSrE7kX+ww02rYBuUSFBtF6EGiJoalF1VGxBvUbTlHHmucZp350epA615C
> 0sTZxWgY2CHXrDijnkXbAu2xBzjZuOEoQeCQSXHewY8EaLa1pQ7ZxXWUeq02IZww
> XhNnbpsii3SMoYr8K0TP3bncJcfgQIla4C3J1Sa1qBk7IjeO/meoDTbTmC47/aS3
> NR9DwIsqY4BIqbEeUtrkdH1SGuh4iXIQHMLCnfV6KUk7ruDyCfMrECtnh9QJfaME
> tN84HqdxME38VK3LpsJr6h/r1imft4NnwrGm2XArFWo3329QEF1dVhjccHpkRcu6
> QKHOkOeJAchFDHxdz9yI8zUMCR8EdqUTDCbN02zQWVun/x4YDr/JP5gxbGp1sPkM
> wxwyTCBthsh21WooSW5pqVC7swLh59e/30CwfvnYl+cpGkcZebeo33MW7ck4vgbx
> LNWgIcYF/PvESHfQtXAg
> =CNnW
> -----END PGP SIGNATURE-----
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   http://lists.bx.psu.edu/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Reply | Threaded
Open this post in threaded view
|

Re: bug: API broken under remote_user

Eric Rasche
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi John,

Seems like odd behaviour, but if that's how it works, then that'll
adequately fix my problem.

Thanks John/Iyad!

Cheers,
Eric

On 06/12/2014 09:40 AM, John Chilton wrote:

> Hey Eric,
>
>   I am pretty sure Iyad's configuration is right - here is a similar
> config for nginx with some discussion of the API problem
> http://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readthedocs.org/en/latest/#external-authentication-ldap.
> It is fine if it is "empty" it just has to be set and in fact it
> should use the real remote user if available so the UI elements that
> target the API without a key continue to function properly (which I
> guess is slowly becoming all of the UI). This is what that apache
> config and my nginx config do I believe.
>
>   Does this answer your question, do you have lingering concerns?
>
> -John
>
>
> On Thu, Jun 12, 2014 at 9:24 AM, Eric Rasche <[hidden email]> wrote:
> Hi Iyad,
>
> Thanks for posting configs! I'm very curious how this actually works for
> you.
>
> I'm running the API scripts from the galaxy server itself, and I made
> requests to http://fqdn/galaxy/, <a href="http://localhost:####/">http://localhost:####/, and
> <a href="http://localhost:####/galaxy/">http://localhost:####/galaxy/
>
> The request to the fqdn unsurprisingly fails as apache answers it, and
> apache requires authentication. Both of the localhost requests also fail
> (403), indicating that galaxy was forbidding me due to lack of a
> REMOTE_USER variable being set:
>
>>>> Galaxy is configured to authenticate users via an external method
>>>> (such as HTTP authentication in Apache), but a username was not
>>>> provided by the upstream (proxy) server.
>
>
> - From my tests, I conclude that the routes under /api/ also have the
> requirement on REMOTE_USER being set. (Maybe a dev can chime in on
> this?) I'm fairly certain the only way to get the /api/ route to work
> with the apache config presented is to statically set REMOTE_USER, such
> that it's always a valid galaxy user. You don't set a static REMOTE_USER
> variable in your apache config, so when galaxy is serving requests from
> outside users, in my understanding, the REMOTE_USER var will be unset,
> and galaxy should refuse to answer it.
>
> Cheers,
> Eric
>
>
> On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:
>>>> Hi Eric,
>>>>
>>>> It's not broken per se but the documentation is lacking on this front.  You need to route your /galaxy/api folder to a proxy that does not require authentication.  Maybe this isn't the best way but it works for AAFC's production galaxy.  See my apache configuration file below:
>>>>
>>>> --------------------------------------------------------------------------------------
>>>> # Function for LowerCase conversion used in rewriterule directive
>>>> RewriteMap lc int:tolower
>>>>
>>>> # Setup the load balancer and force LDAP authentication with group file authorization
>>>> <Proxy balancer://galaxy-prod/*>
>>>>         BalancerMember http://localhost:60000
>>>>         BalancerMember http://localhost:60001
>>>>         BalancerMember http://localhost:60002
>>>>
>>>>         # LDAP based authentication
>>>>         AuthName "Galaxy - Login with AAFC credentials"
>>>>         AuthType Basic
>>>>         AuthBasicAuthoritative off
>>>>         AuthBasicProvider ldap
>>>>
>>>>         AuthLDAPURL "REDACTED"
>>>>         AuthLDAPBindDN 'REDACTED'
>>>>         AuthLDAPBindPassword "REDACTED"
>>>>
>>>>         # File based authorization
>>>>         AuthGroupFile /home/galaxy/permitted_users
>>>>         Require group galaxy-users
>>>>
>>>>         RewriteEngine on
>>>>
>>>>         # Convert the sAMAccountName to lower case
>>>>         RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]
>>>>
>>>>         # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute
>>>>         RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
>>>> </Proxy>
>>>>
>>>> <Proxy balancer://galaxy-prod-noauth/*>
>>>>         BalancerMember http://localhost:60000
>>>>         BalancerMember http://localhost:60001
>>>>         BalancerMember http://localhost:60002
>>>>
>>>>         # Required to allow unauthenticated access
>>>>         # Not clear why this is so
>>>>         Satisfy any
>>>> </Proxy>
>>>>
>>>> # Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server
>>>> RewriteCond %{QUERY_STRING} key=
>>>> RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]
>>>>
>>>> # Bypass authentication for display servers
>>>> RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
>>>> RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
>>>> RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
>>>> RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
>>>> RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
>>>> RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
>>>> RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
>>>> RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]
>>>>
>>>> # Serve static content directly from apache
>>>> RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
>>>> RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
>>>> RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
>>>> RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
>>>> RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]
>>>>
>>>> # Route all other traffic through the load balancer
>>>> RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
>>>> ------------------------------------------------------------------------------
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Iyad Kandalaft
>>>> Microbial Biodiversity Bioinformatics
>>>> Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
>>>> 960 Carling Ave.| 960 Ave. Carling
>>>> Ottawa, ON| Ottawa (ON) K1A 0C6
>>>> E-mail Address / Adresse courriel  [hidden email]
>>>> Telephone | Téléphone 613-759-1228
>>>> Facsimile | Télécopieur 613-759-1701
>>>> Teletypewriter | Téléimprimeur 613-773-2600
>>>> Government of Canada | Gouvernement du Canada
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [hidden email] [mailto:[hidden email]] On Behalf Of Eric Rasche
>>>> Sent: Wednesday, June 11, 2014 8:43 PM
>>>> To: [hidden email]
>>>> Subject: [galaxy-dev] bug: API broken under remote_user
>>>>
>>>> https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api
>>>>
>>>> I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication.
>>>>
>>>> running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden.
>>>>
>>>> running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required
>>>>
>>>> ___________________________________________________________
>>>> Please keep all replies on the list by using "reply all"
>>>> in your mail client.  To manage your subscriptions to this and other Galaxy lists, please use the interface at:
>>>>   http://lists.bx.psu.edu/
>>>>
>>>> To search Galaxy mailing lists use the unified search at:
>>>>   http://galaxyproject.org/search/mailinglists/
>>>>
>
>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>>   http://lists.bx.psu.edu/
>>
>> To search Galaxy mailing lists use the unified search at:
>>   http://galaxyproject.org/search/mailinglists/

- --
Эрик Раше
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)

iQIcBAEBAgAGBQJTmb62AAoJEMqDXdrsMcpVupMQAK5ELIUQJ6wuBxxYYiRJpsXp
ifKAKkdsxz0VhYP1c5vHpihkNErxrOetgtyqc5OvnsTYtIl3aRqUWkfB+VLvEAcH
tPnGOl5tGxT6J213SK54U1qX4gPNooXBCt4w7Q09unqgOn4T1ROmTb6Vnfgfv05E
f4hMj7l7xtKoKfF8GopYr3EEY6m/EVqNB91rlOCyNdwizi69ovPatJn2MJlGxTov
2S11k2trNmZOdY+mcLW6n4UwNr64IOYmq+tOxGUw5iOmQUfPTMPNDeiCPxE8MBrX
tlPgndubxc+fLV6bIeWUkfUW6kdOZD71QmNlJzlfA30+Az2xR/p1ThK0ES8Rvc73
coQUjOLokY5b4DczM1ZcnYeayAJCWgFINtTRTJmLVXw4e1h4jzmuVddwNQkj2EDL
jcIMq5keF6ngV6v2EPrK2C8kbXHxpHoGmglFZOIXgbh5mmWjxyViaOKum/V97Zbf
/tMfajOc0rDUd23qYiYyG8lhlz6kYtRbgnAq6gyaGe2kX+rDEx3UMp/GMqTzvdxE
PzNYlPpXRqqId5bo1KaiaWCMGp8Bru4nAKL+7Qtjqdy6bUzCfoQ8zLJ4hxP6lXK9
zRoCFh2h5BCjTB7DJ+B6p/I01/ceKTKA7haW/Kkba75Wej9dRuUYF3mMyAYndUzq
c5gMQGTEpFFoaqUJrzlY
=i0j3
-----END PGP SIGNATURE-----
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Reply | Threaded
Open this post in threaded view
|

Re: bug: API broken under remote_user

Eric Rasche
In reply to this post by John Chilton-4
Hi All,

Digging up an ancient thread because it is, once again, relevant to me. As per Iyad's suggestion, we added a special apache conf section for the API access which sets REMOTE_USER, and API access works, but it introduces a whole new set of issues!

History is (now?) accessed through the API, so after switching apache over to providing a 'default' REMOTE_USER value, I can no longer access my histories, every attempt to switch histories generates a new "Unnamed history".

Additionally, history issue aside, this leads us to an issue with bioblend; while we can access and interact with the API, we cannot download datasets through the API, those are served on separate routes, not covered by API access. During download attempts, authentication information is required, and BioBlend returns with a 401 Unauthorized. Upload seems to work just fine though.

Wondering if anyone had suggestions here.

For reference:
https://github.com/bgruening/galaxy-ipython/issues/17

Cheers,
Eric


On 06/12/2014 09:40 AM, John Chilton wrote:
> Hey Eric,
>
>   I am pretty sure Iyad's configuration is right - here is a similar
> config for nginx with some discussion of the API problem
> http://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readthedocs.org/en/latest/#external-authentication-ldap.
> It is fine if it is "empty" it just has to be set and in fact it
> should use the real remote user if available so the UI elements that
> target the API without a key continue to function properly (which I
> guess is slowly becoming all of the UI). This is what that apache
> config and my nginx config do I believe.
>
>   Does this answer your question, do you have lingering concerns?
>
> -John
>
>
> On Thu, Jun 12, 2014 at 9:24 AM, Eric Rasche [hidden email] wrote:

Hi Iyad,

Thanks for posting configs! I'm very curious how this actually works for
you.

I'm running the API scripts from the galaxy server itself, and I made
requests to http://fqdn/galaxy/, <a class="moz-txt-link-freetext" href="http://localhost:####/">http://localhost:####/, and
<a class="moz-txt-link-freetext" href="http://localhost:####/galaxy/">http://localhost:####/galaxy/

The request to the fqdn unsurprisingly fails as apache answers it, and
apache requires authentication. Both of the localhost requests also fail
(403), indicating that galaxy was forbidding me due to lack of a
REMOTE_USER variable being set:

>>> Galaxy is configured to authenticate users via an external method
>>> (such as HTTP authentication in Apache), but a username was not
>>> provided by the upstream (proxy) server.


- From my tests, I conclude that the routes under /api/ also have the
requirement on REMOTE_USER being set. (Maybe a dev can chime in on
this?) I'm fairly certain the only way to get the /api/ route to work
with the apache config presented is to statically set REMOTE_USER, such
that it's always a valid galaxy user. You don't set a static REMOTE_USER
variable in your apache config, so when galaxy is serving requests from
outside users, in my understanding, the REMOTE_USER var will be unset,
and galaxy should refuse to answer it.

Cheers,
Eric


On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:
>>> Hi Eric,
>>>
>>> It's not broken per se but the documentation is lacking on this front.  You need to route your /galaxy/api folder to a proxy that does not require authentication.  Maybe this isn't the best way but it works for AAFC's production galaxy.  See my apache configuration file below:
>>>
>>> --------------------------------------------------------------------------------------
>>> # Function for LowerCase conversion used in rewriterule directive
>>> RewriteMap lc int:tolower
>>>
>>> # Setup the load balancer and force LDAP authentication with group file authorization
>>> <Proxy balancer://galaxy-prod/*>
>>>         BalancerMember http://localhost:60000
>>>         BalancerMember http://localhost:60001
>>>         BalancerMember http://localhost:60002
>>>
>>>         # LDAP based authentication
>>>         AuthName "Galaxy - Login with AAFC credentials"
>>>         AuthType Basic
>>>         AuthBasicAuthoritative off
>>>         AuthBasicProvider ldap
>>>
>>>         AuthLDAPURL "REDACTED"
>>>         AuthLDAPBindDN 'REDACTED'
>>>         AuthLDAPBindPassword "REDACTED"
>>>
>>>         # File based authorization
>>>         AuthGroupFile /home/galaxy/permitted_users
>>>         Require group galaxy-users
>>>
>>>         RewriteEngine on
>>>
>>>         # Convert the sAMAccountName to lower case
>>>         RewriteRule ^ - [E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]
>>>
>>>         # Set the REMOTE_USER header to the contents of the LDAP query response's "sAMAccountName" attribute
>>>         RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
>>> </Proxy>
>>>
>>> <Proxy balancer://galaxy-prod-noauth/*>
>>>         BalancerMember http://localhost:60000
>>>         BalancerMember http://localhost:60001
>>>         BalancerMember http://localhost:60002
>>>
>>>         # Required to allow unauthenticated access
>>>         # Not clear why this is so
>>>         Satisfy any
>>> </Proxy>
>>>
>>> # Bypass authentication for the api endpoints when a "key" get variable is provided by proxying directly to the galaxy web server
>>> RewriteCond %{QUERY_STRING} key=
>>> RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]
>>>
>>> # Bypass authentication for display servers
>>> RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
>>> RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
>>> RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
>>> RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
>>> RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
>>> RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
>>> RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
>>> RewriteRule ^/galaxy/root/display_as(.*) balancer://galaxy-prod-noauth/root/display_as$1 [P]
>>>
>>> # Serve static content directly from apache
>>> RewriteRule ^/galaxy/static/style/(.*) /home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
>>> RewriteRule ^/galaxy/static/scripts/(.*) /home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
>>> RewriteRule ^/galaxy/static/(.*) /home/galaxy/galaxy-dist/static/$1 [L]
>>> RewriteRule ^/galaxy/favicon.ico /home/galaxy/galaxy-dist/static/favicon.ico [L]
>>> RewriteRule ^/galaxy/robots.txt /home/galaxy/galaxy-dist/static/robots.txt [L]
>>>
>>> # Route all other traffic through the load balancer
>>> RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]
>>> ------------------------------------------------------------------------------
>>>
>>>
>>>
>>> Regards,
>>>
>>> Iyad Kandalaft
>>> Microbial Biodiversity Bioinformatics
>>> Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire Canada
>>> 960 Carling Ave.| 960 Ave. Carling
>>> Ottawa, ON| Ottawa (ON) K1A 0C6
>>> E-mail Address / Adresse courriel  [hidden email]
>>> Telephone | Téléphone 613-759-1228
>>> Facsimile | Télécopieur 613-759-1701
>>> Teletypewriter | Téléimprimeur 613-773-2600
>>> Government of Canada | Gouvernement du Canada
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: [hidden email] [[hidden email]] On Behalf Of Eric Rasche
>>> Sent: Wednesday, June 11, 2014 8:43 PM
>>> To: [hidden email]
>>> Subject: [galaxy-dev] bug: API broken under remote_user
>>>
>>> https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api
>>>
>>> I don't know if this is the correct card (it's been a long day and I may be misreading it) but the API is completely broken under REMOTE_USER authentication.
>>>
>>> running ./scripts/api/display.py {key} http://localhost:8300 returns 403 forbidden.
>>>
>>> running ./scripts/api/display.py {key} https://fqdn/galaxy/ returns 401 Authorization Required
>>>
>>> ___________________________________________________________
>>> Please keep all replies on the list by using "reply all"
>>> in your mail client.  To manage your subscriptions to this and other Galaxy lists, please use the interface at:
>>>   http://lists.bx.psu.edu/
>>>
>>> To search Galaxy mailing lists use the unified search at:
>>>   http://galaxyproject.org/search/mailinglists/
>>>

>> ___________________________________________________________
>> Please keep all replies on the list by using "reply all"
>> in your mail client.  To manage your subscriptions to this
>> and other Galaxy lists, please use the interface at:
>>   http://lists.bx.psu.edu/
>>
>> To search Galaxy mailing lists use the unified search at:
>>   http://galaxyproject.org/search/mailinglists/


--
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
<a href="tel:4046922048">404-692-2048
[hidden email]


___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
Reply | Threaded
Open this post in threaded view
|

Re: bug: API broken under remote_user

Eric Rasche
On this topic, I'm seeing the following in sentry:
A new event has been recorded in Sentry:

    User logged in as 'none@' externally, but has a cookie as '[hidden email]' invalidating session

I'm /pretty/ sure this is for the history requests from the browser as there were 18 of these.

Cheers,
Eric

On 08/19/2014 01:44 PM, Eric Rasche wrote:
Hi All,

Digging up an ancient thread because it is, once again, relevant to me.
As per Iyad's suggestion, we added a special apache conf section for the
API access which sets REMOTE_USER, and API access works, but it
introduces a whole new set of issues!

History is (now?) accessed through the API, so after switching apache
over to providing a 'default' REMOTE_USER value, I can no longer access
my histories, every attempt to switch histories generates a new "Unnamed
history".

Additionally, history issue aside, this leads us to an issue with
bioblend; while we can access and interact with the API, we cannot
download datasets through the API, those are served on separate routes,
not covered by API access. During download attempts, authentication
information is required, and BioBlend returns with a 401 Unauthorized.
Upload seems to work just fine though.

Wondering if anyone had suggestions here.

For reference:
https://github.com/bgruening/galaxy-ipython/issues/17

Cheers,
Eric


On 06/12/2014 09:40 AM, John Chilton wrote:
Hey Eric,

  I am pretty sure Iyad's configuration is right - here is a similar
config for nginx with some discussion of the API problem

http://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readthedocs.org/en/latest/#external-authentication-ldap.
It is fine if it is "empty" it just has to be set and in fact it
should use the real remote user if available so the UI elements that
target the API without a key continue to function properly (which I
guess is slowly becoming all of the UI). This is what that apache
config and my nginx config do I believe.

  Does this answer your question, do you have lingering concerns?

-John


On Thu, Jun 12, 2014 at 9:24 AM, Eric Rasche [hidden email]
wrote:
Hi Iyad,

Thanks for posting configs! I'm very curious how this actually works for
you.

I'm running the API scripts from the galaxy server itself, and I made
requests to http://fqdn/galaxy/, <a class="moz-txt-link-freetext" href="http://localhost:####/">http://localhost:####/, and
<a class="moz-txt-link-freetext" href="http://localhost:####/galaxy/">http://localhost:####/galaxy/

The request to the fqdn unsurprisingly fails as apache answers it, and
apache requires authentication. Both of the localhost requests also fail
(403), indicating that galaxy was forbidding me due to lack of a
REMOTE_USER variable being set:

Galaxy is configured to authenticate users via an external method
(such as HTTP authentication in Apache), but a username was not
provided by the upstream (proxy) server.

- From my tests, I conclude that the routes under /api/ also have the
requirement on REMOTE_USER being set. (Maybe a dev can chime in on
this?) I'm fairly certain the only way to get the /api/ route to work
with the apache config presented is to statically set REMOTE_USER, such
that it's always a valid galaxy user. You don't set a static REMOTE_USER
variable in your apache config, so when galaxy is serving requests from
outside users, in my understanding, the REMOTE_USER var will be unset,
and galaxy should refuse to answer it.

Cheers,
Eric


On 06/12/2014 08:31 AM, Kandalaft, Iyad wrote:
Hi Eric,

It's not broken per se but the documentation is lacking on this
front.  You need to route your /galaxy/api folder to a proxy that does
not require authentication.  Maybe this isn't the best way but it
works for AAFC's production galaxy.  See my apache configuration file
below:

--------------------------------------------------------------------------------------
# Function for LowerCase conversion used in rewriterule directive
RewriteMap lc int:tolower

# Setup the load balancer and force LDAP authentication with group
file authorization
<Proxy balancer://galaxy-prod/*>
        BalancerMember http://localhost:60000
        BalancerMember http://localhost:60001
        BalancerMember http://localhost:60002

        # LDAP based authentication
        AuthName "Galaxy - Login with AAFC credentials"
        AuthType Basic
        AuthBasicAuthoritative off
        AuthBasicProvider ldap

        AuthLDAPURL "REDACTED"
        AuthLDAPBindDN 'REDACTED'
        AuthLDAPBindPassword "REDACTED"

        # File based authorization
        AuthGroupFile /home/galaxy/permitted_users
        Require group galaxy-users

        RewriteEngine on

        # Convert the sAMAccountName to lower case
        RewriteRule ^ -
[E=AUTHENTICATE_sAMAccountName:${lc:%{ENV:AUTHENTICATE_sAMAccountName}}]
        # Set the REMOTE_USER header to the contents of the LDAP
query response's "sAMAccountName" attribute
        RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
</Proxy>

<Proxy balancer://galaxy-prod-noauth/*>
        BalancerMember http://localhost:60000
        BalancerMember http://localhost:60001
        BalancerMember http://localhost:60002

        # Required to allow unauthenticated access
        # Not clear why this is so
        Satisfy any
</Proxy>

# Bypass authentication for the api endpoints when a "key" get
variable is provided by proxying directly to the galaxy web server
RewriteCond %{QUERY_STRING} key=
RewriteRule ^/galaxy/api/(.*) balancer://galaxy-prod-noauth/api/$1 [P]

# Bypass authentication for display servers
RewriteCond HTTP_HOST =hgw1.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw2.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw3.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw4.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw5.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw7.cse.ucsc.edu [OR,NC]
RewriteCond HTTP_HOST =hgw8.cse.ucsc.edu [NC]
RewriteRule ^/galaxy/root/display_as(.*)
balancer://galaxy-prod-noauth/root/display_as$1 [P]
# Serve static content directly from apache
RewriteRule ^/galaxy/static/style/(.*)
/home/galaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/galaxy/static/scripts/(.*)
/home/galaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/galaxy/static/(.*)
/home/galaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/galaxy/favicon.ico
/home/galaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/galaxy/robots.txt
/home/galaxy/galaxy-dist/static/robots.txt [L]
# Route all other traffic through the load balancer
RewriteRule ^/galaxy/(.*)$ balancer://galaxy-prod/$1 [P]

------------------------------------------------------------------------------


Regards,

Iyad Kandalaft
Microbial Biodiversity Bioinformatics
Agriculture and Agri-Food Canada | Agriculture et Agroalimentaire
Canada
960 Carling Ave.| 960 Ave. Carling
Ottawa, ON| Ottawa (ON) K1A 0C6
E-mail Address / Adresse courriel  [hidden email]
Telephone | Téléphone 613-759-1228
Facsimile | Télécopieur 613-759-1701
Teletypewriter | Téléimprimeur 613-773-2600
Government of Canada | Gouvernement du Canada



-----Original Message-----
From: [hidden email]
[[hidden email]] On Behalf Of Eric Rasche
Sent: Wednesday, June 11, 2014 8:43 PM
To: [hidden email]
Subject: [galaxy-dev] bug: API broken under remote_user


https://trello.com/c/AGKePuHZ/1630-expose-use-remote-user-via-configuration-api
I don't know if this is the correct card (it's been a long day and
I may be misreading it) but the API is completely broken under
REMOTE_USER authentication.
running ./scripts/api/display.py {key} http://localhost:8300
returns 403 forbidden.
running ./scripts/api/display.py {key} https://fqdn/galaxy/
returns 401 Authorization Required
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this and
other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/


        
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

      

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/


--
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
<a href="tel:4046922048">404-692-2048
[hidden email]

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/