[arvados] Allowing arvados to use authentication information from web server

George Chlipala gchlip2 at uic.edu
Fri Aug 26 18:38:20 EDT 2016

In case anyone is interested...

We wanted to have Arvados use the authentication information provided by
the web server.  This is due to the fact that we already have setup a
single-sign-on system for our webservers and wanted Arvados integrate with
the existing infrastructure.

We made the changes to the user_sessions_controller.rb for the API service,
see following patch.  Then setup the web server to authenticate users
accessing the path "/login" for the API server.

For example, we use Shibboleth and added the following configuration to our
web server.

<Location /login >
  AuthType shibboleth
  ShibCompatWith24 On
  ShibRequestSetting requireSession 1
  require shib-session

Then made sure that shibboleth provided the "eppn", which is equivalent to
an email address, as the REMOTE_USER parameter.  The following is a snippet
from our shibboleth2.xml file.

<ApplicationDefaults entityID="..." REMOTE_USER="eppn uid">

Restarted the shibd and webserver and now the webserver will authenticate
users and then Arvados will use the user ID to authorize the user.  We are
not allowing registration for Arvados so, we just manually add users from
the workbench...at least for now.

--- a/services/api/app/controllers/user_sessions_controller.rb
+++ b/services/api/app/controllers/user_sessions_controller.rb
@@ -100,6 +100,15 @@
   # to save the return_to parameter (if it exists; see the application
   # controller). /auth/joshid bypasses the application controller.
   def login
+    # Added to allow Arvados to use user ID from web server.
+    # This assumes that the user ID is the email address of the user.
+    if request.env["REMOTE_USER"] then
+      logger.warn "Using REMOTE_USER from webserver"
+      current_user = User.find_by_email(request.env["REMOTE_USER"])
+      Thread.current[:user] = current_user
+    end
     auth_provider = if params[:auth_provider] then
"auth_provider=#{CGI.escape(params[:auth_provider])}" else "" end

     if current_user and params[:return_to]
@@ -111,9 +120,9 @@

       send_api_token_to(params[:return_to], current_user)
     elsif params[:return_to]
-      redirect_to "/auth/joshid?return_to=#{CGI.
+      redirect_to "#{root_path}auth/joshid?return_to=#{CGI.escape(params[
-      redirect_to "/auth/joshid?#{auth_provider}"
+      redirect_to "#{root_path}auth/joshid?#{auth_provider}"

George Chlipala, Ph.D.
Senior Research Specialist
Research Resources Center
University of Illinois at Chicago

phone: 312-413-1700
email: gchlip2 at uic.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.arvados.org/pipermail/arvados/attachments/20160826/fbfd2ccf/attachment.html>

More information about the arvados mailing list