Admin/Config/ApacheExternalUserAuth

External user authentication

By default, Galaxy manages its own users. However, it may be more useful at your site to tie into a local authentication system. Galaxy does not do this itself - it delegates this responsibility to the upstream proxy server (e.g., Apache or Nginx). The authentication module (basic authentication, mod_auth_kerb, mod_authn_ldap, mod_auth_cas, Cosign, etc.) is responsible for providing a username, which we will pass through the proxy to Galaxy as $REMOTE_USER.

In addition to the authentication module itself, mod_headers must be enabled in the Apache config, since every configuration below uses RequestHeader to pass the username on to Galaxy. The basic authentication example additionally needs mod_rewrite, and all of them need mod_proxy (with mod_proxy_http) to reach the Galaxy backend.

Basic Authentication

Basic authentication is configured as it is for any other protected portion of your site (other authentication modules are configured differently):

    # Define the authentication method
    AuthType Basic
    AuthName Galaxy
    AuthUserFile /home/nate/htpasswd
    Require valid-user

The following directives take the $REMOTE_USER variable (set once basic authentication succeeds) and send it as a request header on the proxied request:

    # Define Galaxy as a valid Proxy
    # (Apache 2.2 access-control syntax; on Apache 2.4 replace the Order/Allow lines with "Require all granted")
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
    # Needs mod_rewrite (RewriteEngine/RewriteCond/RewriteRule) and mod_headers (RequestHeader).
    RewriteEngine on
    # Only act on the main request, never on internal subrequests
    RewriteCond %{IS_SUBREQ} ^false$
    # LA-U: look ahead to the authenticated user, since authentication normally runs after the rewrite phase
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    # "set" overwrites any REMOTE_USER header the client may have sent itself
    RequestHeader set REMOTE_USER %{RU}e

These new directives should be placed in a <Location> block whose path matches where you serve Galaxy. Your entire configuration will now look something like this:

    # Define Galaxy as a valid Proxy
    # (Apache 2.2 access-control syntax; on Apache 2.4 replace the Order/Allow lines with "Require all granted")
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    RewriteEngine on
    # Serving
    <Location "/">
        # Define the authentication method
        AuthType Basic
        AuthName Galaxy
        # Change this to your htpasswd file location. Apache does not allow a
        # trailing comment on a directive line, so keep notes like this one on their own line.
        AuthUserFile /home/galaxy/htpasswd
        Require valid-user
        # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
        RewriteCond %{IS_SUBREQ} ^false$
        RewriteCond %{LA-U:REMOTE_USER} (.+)
        RewriteRule . - [E=RU:%1]
        RequestHeader set REMOTE_USER %{RU}e
    </Location>

On the Galaxy side, set use_remote_user = True in the [app:main] section of universe_wsgi.ini. If your auth method doesn't provide a full email address in $REMOTE_USER, you'll also need to set remote_user_maildomain:

[app:main]
use_remote_user = True
remote_user_maildomain = example.org

For example, when using basic authentication, only bare usernames (e.g. "nate") will be passed to Galaxy. Since Galaxy usernames are full email addresses, remote_user_maildomain needs to be set (e.g. to "example.org"). On the other hand, auth methods such as mod_auth_kerb set the full nate@example.org address, so remote_user_maildomain should not be set. If you're not sure, Galaxy will tell you via an error message if remote_user_maildomain needs to be set.

Users are automatically created in the Galaxy database if the external auth method allows them through. Users created in this manner may not log in if use_remote_user is later disabled, since Galaxy does not have a password stored for the user (the password is managed by Apache). Note also that with use_remote_user enabled Galaxy trusts the REMOTE_USER header unconditionally: anyone who can connect to the Galaxy backend port (8080 in the examples above) directly, bypassing Apache, can send a REMOTE_USER header of their choosing and act as that user. Bind the Galaxy server to localhost (or firewall the port) so that it is reachable only through the proxy.
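The trust relationship described above, as an added example in Python (not Galaxy's own code): a small WSGI middleware that applies the rules this page states for use_remote_user and remote_user_maildomain (bare username plus domain, full address used as-is, error when the header is missing) and adds the check a deployment needs, accepting the header only from the proxy host. The stub application, the TRUSTED_PROXIES set and the sample addresses are assumptions for the demonstration; the requests are constructed in code rather than sent over the network.

```python
"""Model of the trust a use_remote_user deployment places in the REMOTE_USER header.

Added example for this page, not Galaxy's own code. It mimics the rules described
above (take the user from the header the proxy sets, append
remote_user_maildomain when the value carries no domain, fail when the header is
missing) and adds the check a deployment needs: accept the header only from the
proxy host. TRUSTED_PROXIES, the stub app and all addresses are assumptions.
"""
from __future__ import annotations

# Assumed: Apache and Galaxy share a host, so only loopback may set REMOTE_USER.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "::1"})


class RemoteUserError(Exception):
    """Raised when REMOTE_USER cannot be trusted or cannot be turned into an email."""


def resolve_remote_user(environ: dict, maildomain: str | None = None,
                        trusted_proxies=TRUSTED_PROXIES) -> str:
    """Return the Galaxy user (an email address) derived from the proxied header."""
    # A "RequestHeader set REMOTE_USER ..." at the proxy reaches WSGI as HTTP_REMOTE_USER.
    user = environ.get("HTTP_REMOTE_USER")
    peer = environ.get("REMOTE_ADDR")
    if peer not in trusted_proxies:
        # Anyone who can reach the backend port directly can send this header,
        # so a request that did not come from the proxy must not be honoured.
        raise RemoteUserError(f"REMOTE_USER header from untrusted peer {peer}")
    if not user:
        raise RemoteUserError("proxy supplied no REMOTE_USER; check mod_headers and the auth module")
    if "@" in user:
        # Kerberos-style principals already carry the domain; use them as-is.
        return user
    if not maildomain:
        raise RemoteUserError("REMOTE_USER is a bare username; set remote_user_maildomain")
    return f"{user}@{maildomain}"


def remote_user_middleware(app, maildomain: str | None = None):
    """Wrap a WSGI app so it only runs with a trusted, fully-qualified remote user."""
    def wrapped(environ, start_response):
        try:
            environ["galaxy.remote_user"] = resolve_remote_user(environ, maildomain)
        except RemoteUserError as exc:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [str(exc).encode()]
        return app(environ, start_response)
    return wrapped


def galaxy_stub(environ, start_response):
    """Stand-in for Galaxy: greets whoever the middleware resolved."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['galaxy.remote_user']}".encode()]


def simulate(app, remote_addr: str, remote_user: str | None = None):
    """Drive a WSGI app with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "REMOTE_ADDR": remote_addr}
    if remote_user is not None:
        environ["HTTP_REMOTE_USER"] = remote_user
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    app = remote_user_middleware(galaxy_stub, maildomain="example.org")
    # Basic auth behind the proxy: bare username, domain appended.
    print(simulate(app, "127.0.0.1", "nate"))
    # Forged header sent straight to the backend port from another host: rejected.
    print(simulate(app, "10.0.0.5", "admin@example.org"))
    # Kerberos-style full principal with no maildomain configured: accepted verbatim.
    print(simulate(remote_user_middleware(galaxy_stub), "127.0.0.1", "nate@example.org"))
```

The peer check is defence in depth, not a substitute for binding Galaxy to localhost: a proxy on another host would need its address added to the trusted set, and a backend reachable from the network still exposes every other route that does not pass through this middleware.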

mod_authnz_ldap

With the Apache mod_authnz_ldap module, $REMOTE_USER is simply whatever the user typed at the Basic auth prompt. The module additionally exports each attribute named in AuthLDAPURL as an AUTHENTICATE_<attribute> environment variable, so the following alternate configuration lets you send any LDAP attribute (here the canonical uid from the directory) to Galaxy as the REMOTE_USER header:

    # Define Galaxy as a valid Proxy
    # (Apache 2.2 access-control syntax; on Apache 2.4 replace the Order/Allow lines with "Require all granted")
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
    <Location "/">
        AuthType Basic
        AuthBasicProvider ldap
        # The attribute named in the URL ("uid" here) is exported as the AUTHENTICATE_uid environment variable
        AuthLDAPURL "ldaps://server:636/ou=People,dc=example,dc=org?uid?sub?(objectClass=person)"
        Require valid-user
        # Set the REMOTE_USER header to the contents of the LDAP query response's "uid" attribute
        RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
    </Location>

The AuthLDAPURL and the variable in which the username is set will vary and depend entirely upon the schema/design of your LDAP directory. If your LDAP server is Windows (Active Directory), you may need to name sAMAccountName as the attribute in AuthLDAPURL and use the %{AUTHENTICATE_sAMAccountName}e variable.

Note the e or s suffix after the substituted variables; from the Apache mod_headers documentation:

%{FOOBAR}e

The contents of the environment variable FOOBAR.

%{FOOBAR}s

The contents of the SSL environment variable FOOBAR, if mod_ssl is enabled.

mod_auth_kerb

If you are deploying Kerberos, it is assumed you know the basics of configuring Kerberos-enabled web pages.

    <Location "/galaxy/">
        AuthName "Galaxy"
        AuthType Kerberos
        KrbAuthRealms REALM.EDU
        KrbServiceName HTTP/server.realm.edu@REALM.EDU
        Krb5Keytab /etc/http_server_realm.edu.keytab
        KrbSaveCredentials On
        Require valid-user
        # This line is required. The "s" lookup is answered by mod_ssl's variable
        # lookup, which knows the standard CGI variables (REMOTE_USER among them)
        # and sees the user once authentication has run; the "e" lookup only reads
        # the environment table, where REMOTE_USER is not set when RequestHeader
        # runs. mod_ssl must therefore be loaded for this to work.
        RequestHeader set REMOTE_USER %{REMOTE_USER}s
    </Location>

We chose to separate out the keytab for Apache, hence the use of Krb5Keytab. It normally defaults to /etc/krb5.keytab.


Logging out Basic Auth'd Users

HTTP Basic authentication has no logout: the browser caches the credentials for the realm (the AuthName) and resends them with every request, and the server has no way to tell it to forget them.

Because this is a common problem, many workarounds of varying quality exist.

One was discussed on the galaxy-dev mailing list, and the solution provided by Tim Booth is detailed below. Please test this thoroughly before using it on your Galaxy server.

Creating the Logout area

A directory under the web root needs to be created, probably named something like "logout". It is world-accessible in the sense that anyone may reach it, but it is protected by the .htaccess file below, so Apache must honour .htaccess files there (AllowOverride AuthConfig). Taking /usr/share/galaxy-server/logout/ as our example, inside that folder you need to create a .htaccess file:

# Hack based on http://stackoverflow.com/questions/4163122/http-basic-authentication-log-out
# AuthName must match the one for your Galaxy server exactly (the examples above
# use "Galaxy"), because browsers cache Basic auth credentials per realm.

AuthType Basic
AuthName Galaxy_Server

AuthUserFile /usr/share/galaxy-server/logout/.htpasswd
Require user logout

The /usr/share/galaxy-server/logout/.htpasswd file should contain

# Password is "logout". This is not a secret.
logout:$apr1$0eB1iURY$kwqa0c8tXksbjPQLYqr6s.

Modifications to your universe_wsgi.ini

You will probably need to add the following under [app:main] in universe_wsgi.ini (the value is a javascript: URL used as the logout link and must stay on one line):

# Not yet tested on IE.
remote_user_logout_href = javascript:var r=new XMLHttpRequest();r.onreadystatechange=function(){if(r.readyState==4)window.location.replace('logout.html')};r.open('get','logout.html',true,'logout','logout');r.send();

This code sends an AJAX request to logout.html with the username and password "logout" (arguments 4 and 5 of r.open). Because the logout area uses the same realm name as Galaxy, the browser replaces its cached credentials for that realm with logout:logout; the page load triggered by window.location.replace() then fails authentication against Galaxy, and the browser prompts for credentials again. The relative URL logout.html must resolve to a file inside the logout directory created above, so adjust the path to match how that directory is served.