Authentication

Galaxy supports the following authentication mechanisms:

Galaxy Database

Without any additional configuration Galaxy will simply use its database to maintain usernames and passwords. The Galaxy user interface and API provide functions allowing users to register accounts, change passwords, etc….

If deploying Galaxy using the default authentication option, user activation can be enabled also. This is documented below.

OIDC and OAuth2.0

Leveraging OpenID Connect (OIDC) protocol, we enable login to Galaxy without explicitly creating a Galaxy user. This feature is disabled by default. In short, to enable this feature, a Galaxy server admin has to take the following two steps:

  1. Define the Galaxy instance on an OIDC identity provider. At the moment, we support Google and Okta. To set a Galaxy instance on Google, go to credentials section at developers console, and configure the instance. At the end, you’ll receive client ID and client secret take a note of these two tokens. For Okta, create a new application in Okta, type web. At the end you should take note of the client ID and client secret tokens.

  2. Configure Galaxy. In the galaxy.yml file enable the OIDC service using the enable_oidc key and set the two configuration files (i.e., oidc_config_file and oidc_backends_config_file), based on the IdP information.

The configuration is explained with provider-specific details at User Authentication Configuration. How to authenticate from the user perspective we describe here.

Authentication Framework

Galaxy is distributed with a plugin-driven authentication framework for which the default database authentication is just one (and the default plugin). This framework can be used to allow Galaxy to delegate authentication to an LDAP server, an Active Directory server, or to PAM.

Currently, we provide two variants of the LDAP authenticator namely, ldap and ldap3. Both are identical implementations that use different Python modules for binding and making queries to a LDAP server. The authenticator ldap is based on the python-ldap module which is a wrapper around the OpenLDAP’s client library libldap. Currently, python-ldap does not provide pre-built Python wheel packages and hence, the OpenLDAP client libraries are needed to install python-ldap on the Galaxy server.

On the otherhand, ldap3 is a pure-Python implementation of the OpenLDAP client library and has no external dependencies. This package can be installed out-of-the-box, so we recommend to use it when the OpenLDAP client libraries are not available on the Galaxy server.

These same mechanisms can also be configured by proxies serving Galaxy (e.g. nginx or Apache), but configuring them within Galaxy allows users to use the Galaxy UI for logging in instead of relying on a proxy.

To configure one or more authentication plugins, simply copy config/auth_conf.xml.sample to config/auth_conf.xml. The provided sample configuration file has numerous commented out examples and serves as the most up-to-date source of documentation on configuring these plugins.

It is relatively straight-forward to add a custom authenticator to the framework. In this example, we will demonstrate a new authenticator based on the LDAP authenticator that performs custom checks besides password verification for authenticating a user on the Galaxy instance. First, we will create an authenticator source file lib/galaxy/auth/providers/ldap_custom.py with the following content:

import logging
import ipaddress

from ..providers.ldap_ad import LDAP

log = logging.getLogger(__name__)


class LDAPCustom(LDAP):
    """
    Attempts to authenticate users against an LDAP server.
    """

    plugin_type = "ldap_custom"

    def __init__(self):
        super().__init__()

    def authenticate(self, email, username, password, options, request):
        """
        See abstract method documentation.
        """
        if options.get("continue-on-failure", "False") == "False":
            failure_mode = None  # reject and do not continue
        else:
            failure_mode = False  # reject but continue
        # Check if user's remote IP is declared in whitelisted IPs
        if "white-listed-ips" in options:
            user_remote_ip = request.remote_addr
            # Get all white listed IPs from the config file
            white_listed_ips = options.get("white-listed-ips")
            # Convert them into a list
            white_listed_ips = white_listed_ips.split(' ')
            # Convert user remote IP into IPv4Address object
            user_remote_ip_obj = ipaddress.IPv4Address(user_remote_ip)
            white_listed_ip_objs = [ipaddress.IPv4Network(ip) for ip in white_listed_ip_objs]
            # Make sure white_listed_ip_objs is not empty
            if white_listed_ip_objs:
                # Effectively we are checking if remote ip network subnet
                # is subset of allowed subnets. If at least one subnet matches,
                # we allow user to authenticate
                allowed = any(user_remote_ip_obj in sn for sn in white_listed_ip_objs)
                if not allowed:
                    log.info("LDAP authentication: User remote IP is not listed in whitelisted IPs")
                    return failure_mode, "", ""
        return super().authenticate(email, username, password, options, request)

__all__ = ("LDAPCustom",)

In this simple custom LDAP authenticator, we are verifying the remote IP address of the client is declared in the whitelisted IP addresses. The so-called white-listed-ips can be provided within the auth_config.xml file. However this can be done in many ways depending on the deployments like getting white listed IPs from LDAP query or simply reading it from a file on the file system. This list of IP addresses can be a global whitelist or IP addresses per user. In order to use this authenticator, we need to declare it in the auth_config.xml file as <type>ldap_custom</type>.

Remote User Authentication

If Galaxy is deployed with either nginx or Apache serving as a front-end proxy for Galaxy requests, they can be configured to authenticate users and pass this authentication information along to Galaxy using the HTTP remote user mechanism. See, for example, the authentication and authorization guide for the Apache Web server for an impression of the possibilities. Thus, by the time Galaxy is aware of a request, the user identity will have been determined and there will be no need for Galaxy to do any additional authentication work, such as showing a login screen or checking user credentials.

However, accepting an identity asserted by the Web server does not relieve Galaxy from having to create a user account for such an identity. Thus, Galaxy automatically creates a user for each identity of this kind, recording that the user is “external” and also creating a random password in order to effectively disable traditionally performed logins for the user, although the remote user mechanism should normally prohibit any login mechanism other than that imposed by the Web server, and the “external” flag should itself prohibit the traditional mechanism being used with the user concerned. When a remote user returns to Galaxy and is not already logged in, the details of the user are retrieved according to the identity information supplied by the Web server.

Enabling remote user authentication requires you to edit Galaxy’s configuration file and set use_remote_user to true. This file is likely located in config/galaxy.yml and can be created by copying Galaxy’s sample config/galaxy.yml.sample.

Additional Galaxy configuration options related to remote user authentication are documented in Galaxy’s sample configuration file. The options remote_user_maildomain, remote_user_header, and normalize_remote_user_email can adapt Galaxy to different responses from the proxy, while remote_user_secret can be used to provide added security, and remote_user_logout_href can be used to fix Galaxy’s logout for the deployed setup.

User Activation

Galaxy admins using the default authentication mechanism have an option to turn on the email verification feature to require users to provide working email during the registration. You can also turn on the disposable email domains filter to disable registration for users using known disposable email provider.

How to set up this config is presented here.

Note: SQLite database is not supported with this feature. Please use PostgreSQL.

Account activation feature

In the Galaxy config file config/galaxy.yml there is the user activation setting that you have to turn on. By default it is off.

user_activation_on: true

There is also the option for tracking jobs in database that is required to be turned on for the account activation to be effective. By default it is off.

track_jobs_in_database: true

After you turn on both of these every user that will try to register after this configuration file takes effect will have the activation email sent to the email address provided. Unless the activation_grace_period (see below) is set, the user won’t be able to login before the activation happens.

Furthermore in order for this to work correctly smtp server and email need be set:

smtp_server: some.server.edu:587
smtp_username: example_username
smtp_password: example_passsword
email_from: galaxy-instance@example.com

Smtp server takes care of the email sending and the email_from is used as the From address in the verification email.

Email template

You can modify the activation email body by modifying the provided templates. You can use them in html or txt depending on your emailing configuration.

The mapping of mentioned templates’ variables to config options is as follows:

"terms_url": config.terms_url,
"contact_email": config.error_email_to,
"instance_resource_url": config.instance_resource_url,
"custom_message": config.custom_activation_email_message,

Changing email address

If an activated user changes email address in user settings, their account will be deactivated. A new activation link will be sent and the user will have to visit it to activate the account again.

Grace period

In case you want the account activation feature but don’t want to disable login completely you can set the activation_grace_period parameter. It specifies, in hours, the period in between registration time and the login time that the user will be allowed to log in even with an inactive account.

# Activation grace period. Activation is not forced (login is not disabled) until
# grace period has passed. Users under grace period can't run jobs (see inactivity_box_content).
# In hours. Default is 3. Enter 0 to disable grace period.
# Users with OpenID logins have grace period forever.
#activation_grace_period = 3

However with inactive account the user won’t be able to run jobs and warning message will be shown to them at the top of the page. It is customizable via the inactivity_box_content parameter.

# Used for warning box for inactive accounts (unable to run jobs).
# In use only if activation_grace_period is set.
#inactivity_box_content = Your account has not been activated yet. Please activate your account by verifying your email address. For now you can access everything at Galaxy but your jobs won't run.

Disposable email address filtering

To prevent users from using unwanted email addresses for the email activation admins can select from two methods of filtering: domain blocking and allowing.

Blocklist

The domain blocklist can be turned on through the email_domain_blocklist_file path parameter. Users that use disposable email domains defined at the file in this provided path will be refused registration.

# E-mail domains blocklist is used for filtering out users that are using disposable email address
# during the registration. If their address domain matches any domain in the BL they are refused the registration.
email_domain_blocklist_file = config/disposable_email_blocklist.conf

In the file each domain is on its own line and without the @ sign. Example of the blocklist file format:

drdrb.com
mailinator.com
sogetthis.com
spamgourmet.com
trashmail.net

A disposable domains blocklist file for download and modification is at GitHub

Allowlist

The domain allowlist can be turned on through the email_domain_allowlist_file path parameter. The file has the same format as the email_domain_blocklist_file above. The difference is that domains outside of the allowlist will not be allowed for account registration.