WIP: Auth conf #71

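--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -257,3 +257,34 @@ galaxy_uwsgi_config_default:
 # Options include: client / client-production / client-production-maps (default)
 galaxy_client_make_target: client-production-maps
 
+#
+# Authentification configuration
+# authen_conf.xml
+# https://github.com/galaxyproject/galaxy/blob/dev/config/auth_conf.xml.sample
+#
+galaxy_auth:
+authenticator:
+localdb:
+allow-password-change: True
+# ldap:
+# filter: "'{email}'.endswith('@example.com')"
+# allow-register: True
+# auto-register: False
+# allow-password-change: False
+# auto-create-roles: False
+# auto-create-groups: False
+# auto-assign-roles-to-groups-only: False
+# server: "ldap://dc1.example.com"
+# ldap-options: "OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW"
+# login-use-username: False
+# continue-on-failure: False
+# search-fields: "uid,mail"
+# search-base: "ou=People,dc=example,dc=com"
+# search-filter: "(mail={email})"
+# search-user: "cn=jsmith,ou=People,dc=domain,dc=com"
+# search-password: "mysecret"
+# bind-user: "{dn}"
+# bind-password: "{password}"
+# auto-register-username: "{uid}"
+# auto-register-email: "{mail}"
+# auto-register-roles: "{gid}"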
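Review bot: The commented example `search-password: "mysecret"` models keeping the LDAP search-bind credential as a literal in role defaults; since whatever is set here is written into the rendered auth_conf.xml, the example should point at a vaulted variable instead, e.g. `# search-password: "{{ galaxy_ldap_search_password }}"` (variable name illustrative). The header comment names the file `authen_conf.xml` and misspells the section title, while the template added in this PR and the linked upstream sample are `auth_conf.xml`; the two lines should read `# Authentication configuration` and `# auth_conf.xml`. The example `ldap-options: "OPT_X_TLS_REQUIRE_CERT=OPT_X_TLS_ALLOW"` is taken from the upstream sample but makes the client accept an unverified server certificate for ldaps://, so a comment such as `# OPT_X_TLS_ALLOW skips server-certificate verification; prefer a trusted CA` would keep it from being enabled by copy-paste.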
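--- /dev/null
+++ b/templates/auth_conf.xml.j2
@@ -0,0 +1,154 @@
+<?xml version="1.0"?>
+<!--
+%
+% This file is managed by Ansible.
+% Do not edit this file manually.
+% Any changes will be automatically reverted.
+%
+-->
+<auth>
+{% if 'ldap' in galaxy_auth['authenticator'] %}
+<authenticator>
+<type>ldap</type>
+{% set ldap = galaxy_auth['authenticator']['ldap'] %}
+
+<!-- Replacement fields: instances of {email}, {username} and {password}
+are replaced with the corresponding user's values inside the
+<filter>, <server>, <ldap-options>, <search-fields>,
+<search-filter>, <search-base>, <search-user> and <search-password>
+elements. -->
+<!-- Filter users for which this authenticator applies. This is a Python
+expression which is evaluated after field replacement. -->
+{% if ldap['filter'] is defined %}
+<filter>ldap['filter']</filter>
+{% endif %}
+<options>
+
+<!-- Whether to allow user registration. Possible values are True,
+False and Challenge (i.e. allow registration in case of
+successful authentication). Default is True. -->
+{% if ldap['allow-register'] is defined %}
+<allow-register>ldap['allow-register']</allow-register>
+{% endif %}
+
+<!-- Whether Galaxy should automatically register users when they
+first login. Default is False. -->
+{% if ldap['auto-register'] is defined %}
+<auto-register>ldap['auto-register']</auto-register>
+{% endif %}
+
+<!-- Whether users are allowed to change their password. Default is
+False. -->
+{% if ldap['allow-password-change'] is defined %}
+<allow-password-change>ldap['allow-password-change']</allow-password-change>
+{% endif %}
+
+<!-- Whether roles should be automatically created if
+the attribute specified under auto-register-roles can be found.
+Default is False. -->
+{% if ldap['auto-create-roles'] is defined %}
+<auto-create-roles>ldap['auto-create-roles']</auto-create-roles>
+{% endif %}
+
+<!-- Whether groups should be automatically created if
+the attribute specified under auto-register-roles can be found.
+Can be used in combination with auto-create-roles
+Default is False. -->
+{% if ldap['auto-create-groups'] is defined %}
+<auto-create-groups>ldap['auto-create-groups']</auto-create-groups>
+{% endif %}
+
+<!-- If set, roles will be assigned to the auto generated groups,
+not to the individual users. Can only be used if auto-create-roles and
+auto-create-groups are True. Default is False. -->
+{% if ldap['auto-assign-roles-to-groups-only'] is defined %}
+<auto-assign-roles-to-groups-only>ldap['auto-assign-roles-to-groups-only']</auto-assign-roles-to-groups-only>
+{% endif %}
+
+<!-- LDAP-specific options -->
+{% if ldap['server'] is defined %}
+<server>ldap['server']</server>
+{% endif %}
+
+<!-- Additional options for the LDAP connection. The syntax is:
+option1=value1,option2=value2,...
+Options and values should match those from the python-ldap
+documentation.
+The following example allows connecting to ldaps:// (SSL/TLS)
+when self-signed certificates are used -->
+{% if ldap['ldap-options'] is defined %}
+<ldap-options>ldap['ldap-options']</ldap-options>
+{% endif %}
+
+<!-- Whether unregistered users should use their LDAP username
+instead of the email at their first login when auto-register is
+True. Default is False. -->
+{% if ldap['login-use-username'] is defined %}
+<login-use-username>ldap['login-use-username']</login-use-username>
+{% endif %}
+
+<!-- Whether to continue with the following authenticators if LDAP
+fails. Default is False. -->
+{% if ldap['continue-on-failure'] is defined %}
+<continue-on-failure>ldap['continue-on-failure']</continue-on-failure>
+{% endif %}
+
+<!-- If search-fields is not specified, all other search-* elements
+are ignored.
+If search-user is not specified, Galaxy will bind anonymously
+to the LDAP server for search. -->
+{% if ldap['search-fields'] is defined %}
+<search-fields>ldap['search-fields']</search-fields>
+{% endif %}
+{% if ldap['search-base'] is defined %}
+<search-base>ldap['search-base']</search-base>
+{% endif %}
+
+{% if ldap['search-filter'] is defined %}
+<search-filter>ldap['search-filter']</search-filter>
+{% endif %}
+
+{% if ldap['search-user'] is defined %}
+<search-user>ldap['search-user']</search-user>
+{% endif %}
+{% if ldap['search-password'] is defined %}
+<search-password>ldap['search-password']</search-password>
+{% endif %}
+
+
+<!-- Replacement fields: instances of {email}, {username},
+{password}, {dn} plus all fields defined in <search-fields> are
+replaced with the corresponding user's values inside the
+<bind-user>, <bind-password>, <auto-register-username> and
+<auto-register-email> elements. -->
+{% if ldap['bind-user'] is defined %}
+<bind-user>ldap['bind-user']</bind-user>
+{% endif %}
+{% if ldap['bind-password'] is defined %}
+<bind-password>ldap['bind-password']</bind-password>
+{% endif %}
+{% if ldap['auto-register-username'] is defined %}
+<auto-register-username>ldap['auto-register-username']</auto-register-username>
+{% endif %}
+{% if ldap['auto-register-email'] is defined %}
+<auto-register-email>ldap['auto-register-email']</auto-register-email>
+{% endif %}
+{% if ldap['auto-register-roles'] is defined %}
+<auto-register-roles>ldap['auto-register-roles']</auto-register-roles>
+{% endif %}
+
+</options>
+</authenticator>
+{% endif %}
+{% if 'localdb' in galaxy_auth['authenticator'] %}
+<authenticator>
+<type>localdb</type>
+{% set localdb = galaxy_auth['authenticator']['localdb'] %}
+<options>
+<!-- Whether users are allowed to change their password. Default is
+False. -->
+<allow-password-change>{{ localdb['allow-password-change']|default("True", true) }}</allow-password-change>
+</options>
+</authenticator>
+{% endif %}
+</auth>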
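Review bot: Every LDAP option element emits the Jinja expression as literal text because the value is not wrapped in output delimiters — `<filter>ldap['filter']</filter>` renders exactly those characters instead of the configured filter, and the same applies to each `<...>ldap['...']</...>` line from `<filter>` down to `<auto-register-roles>`; each needs the form `<filter>{{ ldap['filter'] }}</filter>`. Because these values (Python filter expressions, DNs, passwords) are placed into XML verbatim, a configured value containing `&` or `<` would produce a malformed auth_conf.xml, so `<filter>{{ ldap['filter'] | e }}</filter>` is the safer form for all of them. In the localdb block, `default("True", true)` treats any falsy value as missing, so a user who sets `allow-password-change: False` still gets `True` rendered; drop the second argument: `<allow-password-change>{{ localdb['allow-password-change']|default("True") }}</allow-password-change>`. The `<search-password>` and `<bind-password>` elements write the LDAP service credential into the rendered file, so the task that templates it (not in this view) should set restrictive ownership and mode on the destination.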