In universe_wsgi.ini, remove the single quotes from the value of
remote_user_header, e.g.:
remote_user_header = HTTP_AUTH_USER
If that doesn't fix it, please make sure you don't have local changes
interfering, e.g. inspect `hg diff`.
--nate
On Fri, Jan 3, 2014 at 2:21 PM, Velayutham, Prakash (Prakash)
<prakash.velayut...@cchmc.org> wrote:
> [srv-galaxy@bmigalaxyp1 galaxy-dist]$ hg summary
> parent: 11939:e92e13e9c103 tip
> Allow changing the header for remote user.
> branch: default
> commit: 1 modified, 1 unknown
> update: (current)
> [srv-galaxy@bmigalaxyp1 galaxy-dist]$
>
> Prakash
>
> On Jan 3, 2014, at 2:11 PM, Nate Coraor <n...@bx.psu.edu>
> wrote:
>
>> Hi Prakash,
>>
>> Could you send the output of `hg summary`?
>>
>> Thanks,
>> --nate
>>
>> On Fri, Jan 3, 2014 at 1:41 PM, Velayutham, Prakash (Prakash)
>> <prakash.velayut...@cchmc.org> wrote:
>>> Hi Nate,
>>>
>>> I just updated my copy and the changes you pushed are in. However, the auth
>>> part is not working still. I added
>>>
>>> remote_user_header = 'HTTP_AUTH_USER'
>>>
>>> to universe_wsgi.ini and restarted Galaxy. When I hit the site, after
>>> logging into the front end proxy server, I get this.
>>>
>>> Access to Galaxy is denied
>>>
>>> Galaxy is configured to authenticate users via an external method (such as
>>> HTTP authentication in Apache), but a username was not provided by the
>>> upstream (proxy) server. This is generally due to a misconfiguration in the
>>> upstream server.
>>>
>>> Please contact your local Galaxy administrator.
>>>
>>>
>>> I am capturing all the header variables in a file and this is what the
>>> contents of the file is after the above DENIED message.
>>>
>>> [srv-galaxy@bmigalaxyp1 galaxy-dist]$ cat file.py
>>> HTTP_X_FORWARDED_SERVER: galaxy.research.cchmc.org
>>> HTTP_COOKIE:
>>> galaxysession=c6ca0ddb55be603ac556311ffa6257cd21da46c2083580c93cee9aaaf9c0c67c8e80f388ebf98dff;
>>> BIGipServerbmigw-pool=626771722.20480.0000;
>>> ObSSOCookie=QF4kYG5VvhHej14EN4XRqPVEgJ7ukfSLFWTmDjibS5YUstElLeDIwcxFAgtZhGi3uJGhh4f6lFQcmAl2B1%2FM%2BptbBKwkCGNQGkJhKhu1Pz4x7bjDOaifC9t%2Fhgy%2FN3FAoXSQUFFg0cVkXnKKhoA5Hxkt%2BcvkQObSn7Mr1Vi0xPakNoRcEC7k%2BhhR3Vp8oGUEkODLotLSAvkPfj8xL0rfzgYuLI3aY8F77M2Sj7vcDiOB03VOiBddelvOqLTHfYwlktQ81MlQq%2BjQPMX5wo9g7DhD7nwtSBgvozJ0VvmNmMfn%2BKvkgEXo8YbyQakY5PXg2pJE6IjUJTF%2FpKOfO5W2IKYzkqbDgicaMjTKq1Q7zr%2BW0BQKzhsEIjhHkneH2NRiIUiriemEbJVVo9nrMsxviT8Hah7X5YZ5kVGjBpX5owA%3D
>>> HTTP_ACCEPT_LANGUAGE: en-us
>>> paste.recursive.include: <paste.recursive.Includer from />
>>> SCRIPT_NAME:
>>> REQUEST_METHOD: GET
>>> PATH_INFO: /
>>> HTTP_ORIGIN: https://login.research.cchmc.org
>>> SERVER_PROTOCOL: HTTP/1.1
>>> QUERY_STRING:
>>> paste.throw_errors: True
>>> CONTENT_LENGTH: 0
>>> weberror.evalexception: <weberror.evalexception.middleware.EvalException
>>> object at 0x8d02d50>
>>> HTTP_USER_AGENT: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4)
>>> AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1
>>> HTTP_CONNECTION: Keep-Alive
>>> SERVER_NAME: 0.0.0.0
>>> REMOTE_ADDR: 10.199.194.17
>>> ORGINAL_REMOTE_ADDR: 10.199.92.37
>>> wsgi.url_scheme: http
>>> SERVER_PORT: 8080
>>> paste.recursive.forward: <paste.recursive.Forwarder from />
>>> paste.recursive.script_name:
>>> paste.evalexception: <weberror.evalexception.middleware.EvalException object
>>> at 0x8d02d50>
>>> wsgi.input: <socket._fileobject object at 0x8d9eb50 length=0>
>>> HTTP_HOST: galaxy.research.cchmc.org
>>> paste.recursive.include_app_iter: <paste.recursive.IncluderAppIter from />
>>> wsgi.multithread: True
>>> HTTP_CONFVER: 1
>>> HTTP_CACHE_CONTROL: max-age=0
>>> HTTP_ACCEPT: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>>> wsgi.version: (1, 0)
>>> HTTP_AUTH_USER: prakash.velayut...@cchmc.org
>>> wsgi.run_once: False
>>> wsgi.errors: <galaxy.util.pastescript.serve.LazyWriter object at 0x239db10>
>>> wsgi.multiprocess: False
>>> HTTP_X_FORWARDED_HOST: galaxy.research.cchmc.org
>>> HTTP_X_FORWARDED_FOR: 10.199.194.17
>>> CONTENT_TYPE:
>>> request_id: 34e3f63274a611e3aaf1005056a84587
>>> paste.httpserver.thread_pool: <paste.httpserver.ThreadPool object at
>>> 0x8da5750>
>>> ORGINAL_HTTP_HOST: bmigalaxyp1.chmcres.cchmc.org:8080
>>> HTTP_UID: VELGE9
>>> [srv-galaxy@bmigalaxyp1 galaxy-dist]$
>>>
>>> Obviously, I am logging in using HTTP_AUTH_USER, which does exist in the
>>> file, but auth is not going forward.
>>>
>>> Please note that without the recent changes, I was able to change every
>>> instance of REMOTE_USER in the source code with AUTH_USER and that worked
>>> without issues.
>>>
>>> Thanks,
>>> Prakash
>>>
>>> On Jan 3, 2014, at 11:45 AM, Nate Coraor <n...@bx.psu.edu> wrote:
>>>
>>> Hi Prakash,
>>>
>>> This was not previously possible, but I have added a config option for it:
>>>
>>>
>>> https://bitbucket.org/galaxy/galaxy-central/commits/e92e13e9c103cc1f36dff65e1523479bf5cb17ed
>>>
>>> If you're running the stable branch, you can apply the changes from this
>>> commit manually.
>>>
>>> --nate
>>>
>>>
>>> On Thu, Jan 2, 2014 at 11:09 AM, Jennifer Jackson <j...@bx.psu.edu> wrote:
>>>>
>>>> Hello Prakash,
>>>> I am going to move this over to the galaxy-...@bx.psu.edu mailing list
>>>> where it will have greater visibility within our development community.
>>>> Best,
>>>> Jen
>>>> Galaxy team
>>>> https://wiki.galaxyproject.org/MailingLists#The_lists
>>>>
>>>>
>>>> On 1/2/14 7:27 AM, Velayutham, Prakash (Prakash) wrote:
>>>>
>>>> Hi,
>>>>
>>>> We have a SSO environment provided by Oracle Fusion products and for some
>>>> reason, they don't like to send over HTTP_REMOTE_USER as a header variable
>>>> to downstream servers. I have seen it before with other web sites I have
>>>> integrated with Oracle Access Manager. Is there a way Galaxy can accept
>>>> another HEADER variable than REMOTE_USER for its external authentication?
>>>>
>>>> As an extension:
>>>>
>>>> With just enabling HTTP_REMOTE_USER as a header variable from an external
>>>> authenticator, Galaxy works without any issues. I tried this with a default
>>>> Apache/mod_ldap/mod_authnz_ldap setup.
>>>> However, when I mix the Oracle gateways into the mix, things break down.
>>>>
>>>> I made OAM send HTTP_AUTH_USER over to Galaxy.
>>>> I changed all instances of REMOTE_USER to AUTH_USER in the installed
>>>> location of Galaxy in my server.
>>>> Authentication works fine, but I get issues with HISTORY part of Galaxy
>>>> (below), when I access a workflow or basically any part of Galaxy that
>>>> depends on HISTORY
>>>>
>>>>
>>>> Error Traceback:
>>>>
>>>> View as: Interactive | Text | XML (full)
>>>> ⇝ AttributeError: 'NoneType' object has no attribute 'user'
>>>> URL:
>>>> http://xxx.xxx.xxx/dataset/list?sort=-update_time&f-name=All&f-tags=All&f-deleted=False
>>>> Module weberror.evalexception.middleware:364 in respond <Mail
>>>> Attachment.jpeg> view
>>>>>> app_iter = self.application(environ, detect_start_response)
>>>> Module paste.recursive:84 in __call__ <Mail Attachment.jpeg> view
>>>>>> return self.application(environ, start_response)
>>>> Module galaxy.web.framework.middleware.remoteuser:91 in __call__ <Mail
>>>> Attachment.jpeg> view
>>>>
>>>>>> return self.app( environ, start_response )
>>>> Module paste.httpexceptions:633 in __call__ <Mail Attachment.jpeg>
>>>> view
>>>>>> return self.application(environ, start_response)
>>>> Module galaxy.web.framework.base:132 in __call__ <Mail
>>>> Attachment.jpeg> view
>>>>
>>>>>> return self.handle_request( environ, start_response )
>>>> Module galaxy.web.framework.base:190 in handle_request <Mail
>>>> Attachment.jpeg> view
>>>>
>>>>>> body = method( trans, **kwargs )
>>>> Module galaxy.web.framework:98 in decorator <Mail Attachment.jpeg>
>>>> view
>>>>
>>>>>> return func( self, trans, *args, **kwargs )
>>>> Module galaxy.webapps.galaxy.controllers.dataset:555 in list <Mail
>>>> Attachment.jpeg> view
>>>>
>>>>>> status, message = self._copy_datasets( trans, hda_ids,
>>>>>> target_histories )
>>>> Module galaxy.webapps.galaxy.controllers.dataset:1127 in _copy_datasets
>>>> <Mail Attachment.jpeg> view
>>>>>> if user != history.user:
>>>> AttributeError: 'NoneType' object has no attribute 'user'
>>>>
>>>> Thanks,
>>>> Prakash
>>>>
>>>>
>>>> ___________________________________________________________
>>>> The Galaxy User list should be used for the discussion of
>>>> Galaxy analysis and other features on the public server
>>>> at usegalaxy.org. Please keep all replies on the list by
>>>> using "reply all" in your mail client. For discussion of
>>>> local Galaxy instances and the Galaxy source code, please
>>>> use the Galaxy Development list:
>>>>
>>>> http://lists.bx.psu.edu/listinfo/galaxy-dev
>>>>
>>>> To manage your subscriptions to this and other Galaxy lists,
>>>> please use the interface at:
>>>>
>>>> http://lists.bx.psu.edu/
>>>>
>>>> To search Galaxy mailing lists use the unified search at:
>>>>
>>>> http://galaxyproject.org/search/mailinglists/
>>>>
>>>>
>>>> --
>>>> Jennifer Hillman-Jackson
>>>> http://galaxyproject.org
>>>>
>>>>
>>>> ___________________________________________________________
>>>> Please keep all replies on the list by using "reply all"
>>>> in your mail client. To manage your subscriptions to this
>>>> and other Galaxy lists, please use the interface at:
>>>> http://lists.bx.psu.edu/
>>>>
>>>> To search Galaxy mailing lists use the unified search at:
>>>> http://galaxyproject.org/search/mailinglists/
>>>
>>>
>>>
>
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at:
http://galaxyproject.org/search/mailinglists/
