[galaxy-dev] Integrating Galaxy into our Kerberos auth

[galaxy-dev] Integrating Galaxy into our Kerberos auth

Peter van Heusden
Hi everyone

I'm busy integrating Galaxy (installed locally on galaxy.sanbi.ac.za)
with our Kerberos authentication. To do this, in the Apache virtualhost
configuration, I install mod_auth_kerb and specify:

        <Location />
                AuthType Kerberos
                Krb5Keytab /etc/krb5.keytab
                KrbServiceName http
                KrbAuthRealms SANBI
                Require valid-user
        </Location>


in my virtualhost config.

Now, our Kerberos users show up as <user>@SANBI (SANBI is our realm).
Their email addresses are of the form <user>@sanbi.ac.za. So this causes
a problem with the default Galaxy config. The solution I've got is to
throw away that @SANBI, then set remote_user_maildomain to sanbi.ac.za.
And add this to the virtualhost config:

        RewriteEngine on
        <Proxy http://localhost:8080>
            Order deny,allow
            Allow from all
        </Proxy>
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e

Note the ^([^@]+)@ - this is different to the (.*) which is on the wiki,
and has the effect that %1 in the RewriteRule only contains the <user>
part. The remote_user_maildomain is then used to get <user>@sanbi.ac.za.
So far this setup seems to work.

BTW, why, in templates/webapps/galaxy/base_panels.mako does it only show
the "Logged in as" if you are not using remote_user? Since user_email
is always generated somehow, surely it is safe to show it whether you're
logged in via remote_user or not.

And finally, I see that after the first few uploads, there aren't any
new sets of slides being put up on the dev2010 page. I'm looking forward
to seeing a full set of slides so I can show them to people at SANBI!

Peter
_______________________________________________
galaxy-dev mailing list
[hidden email]
http://lists.bx.psu.edu/listinfo/galaxy-dev
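
Added example, not part of the original post or of Galaxy's code: a small Python model of the principal-to-email mapping described in the message above, comparing the wiki's `(.*)` capture with the post's `^([^@]+)@`. It assumes Galaxy appends `@<remote_user_maildomain>` only when the header value has no `@` of its own; the function names and the second realm `OTHER.EXAMPLE` are hypothetical.

```python
import re
from collections import defaultdict

WIKI_PATTERN = r"(.*)"        # pattern the post attributes to the wiki
POST_PATTERN = r"^([^@]+)@"   # pattern from the post's RewriteCond

def header_from_principal(principal, pattern):
    """Emulate RewriteCond + RewriteRule [E=RU:%1]: capture group 1, or None."""
    m = re.search(pattern, principal)
    return m.group(1) if m else None

def galaxy_email(header, maildomain):
    """Assumed Galaxy behaviour: append '@maildomain' only when the header
    value carries no '@' of its own."""
    if not header:
        return None  # no usable identity reached the backend
    if maildomain and "@" not in header:
        return f"{header}@{maildomain}"
    return header

def map_principal(principal, pattern, maildomain="sanbi.ac.za"):
    """Kerberos principal -> email address Galaxy would see."""
    return galaxy_email(header_from_principal(principal, pattern), maildomain)

def collisions(principals, pattern, maildomain="sanbi.ac.za"):
    """Emails that more than one distinct principal maps to."""
    seen = defaultdict(list)
    for p in principals:
        email = map_principal(p, pattern, maildomain)
        if email is not None:
            seen[email].append(p)
    return {e: ps for e, ps in seen.items() if len(ps) > 1}

# Constructed sample principals; OTHER.EXAMPLE is a hypothetical second realm.
SAMPLE = ["peter@SANBI", "alice@SANBI", "alice@OTHER.EXAMPLE", "peter"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", map_principal(p, WIKI_PATTERN),
              "|", map_principal(p, POST_PATTERN))
    print("collisions:", collisions(SAMPLE, POST_PATTERN))
```

Stripping the realm is unambiguous only while `KrbAuthRealms` lists a single realm, as in the configuration above; with a second realm accepted, same-named users from both would map to one Galaxy account.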
Re: [galaxy-dev] Integrating Galaxy into our Kerberos auth

Nate Coraor (nate@bx.psu.edu)
Peter van Heusden wrote:

> Hi everyone
>
> I'm busy integrating Galaxy (installed locally on galaxy.sanbi.ac.za)
> with our Kerberos authentication. To do this, in the Apache virtualhost
> configuration, I install mod_auth_kerb and specify:
>
>         <Location />
>                 AuthType Kerberos
>                 Krb5Keytab /etc/krb5.keytab
>                 KrbServiceName http
>                 KrbAuthRealms SANBI
>                 Require valid-user
>         </Location>
>
>
> in my virtualhost config.
>
> Now, our Kerberos users show up as <user>@SANBI (SANBI is our realm).
> Their email addresses are of the form <user>@sanbi.ac.za. So this causes
> a problem with the default Galaxy config. The solution I've got is to
> throw away that @SANBI, then set remote_user_maildomain to sanbi.ac.za.
> And add this to the virtualhost config:
>
>         RewriteEngine on
>         <Proxy http://localhost:8080>
>             Order deny,allow
>             Allow from all
>         </Proxy>
>         RewriteCond %{IS_SUBREQ} ^false$
>         RewriteCond %{LA-U:REMOTE_USER} ^([^@]+)@
>         RewriteRule . - [E=RU:%1]
>         RequestHeader set REMOTE_USER %{RU}e
>
> Note the ^([^@]+)@ - this is different to the (.*) which is on the wiki,
> and has the effect that %1 in the RewriteRule only contains the <user>
> part. The remote_user_maildomain is then used to get <user>@sanbi.ac.za.
> So far this setup seems to work.

Great, I can add this example to the wiki.  Since authentication is
handled entirely outside of Galaxy there's not a lot we can do in Galaxy
to handle these sorts of issues.

> BTW, why, in templates/webapps/galaxy/base_panels.mako does it only show
> the "Logged in as" if you are not using remote_user? Since user_email
> is always generated somehow, surely it is safe to show it whether you're
> logged in via remote_user or not.

Good point, I've changed this in changeset 3854:384c809db93e.

> And finally, I see that after the first few uploads, there aren't any
> new sets of slides being put up on the dev2010 page. I'm looking forward
> to seeing a full set of slides so I can show them to people at SANBI!

Sorry about this, I'll coordinate an effort to get everything posted.

--nate

>
> Peter