galaxyproject / ansible-galaxy-tools

An Ansible role for automated installation of tools from a Tool Shed into Galaxy.
MIT License

Privilege separation support #62

Closed maikknebel closed 4 years ago

maikknebel commented 5 years ago

I installed Galaxy with the ansible-galaxy role from the admin training and used it with galaxy_separate_privileges: true. My privileged user is called gxpriv and the normal user is called galaxy.
Folder /server/database has 0755 and gxpriv:galaxy.
Folder /server/tools has 0755 and gxpriv:galaxy.

When I try to install tools with this role, I get a permission denied error on both folders, since the user galaxy is not allowed to write to the defined folders. If I set galaxy_user_name: gxpriv, I get the following error during installation:

failed: [192.168.1.1] (item={u'owner': u'devteam', u'tool_panel_section_id': u'BLAST', u'name': u'ncbi_blast_plus'}) => {
    "changed": false,
    "cmd": [
        "/media/tmp//venv/bin/shed-install",
        "-y",
        "name: ncbi_blast_plus\nowner: devteam\ntool_panel_section_id: BLAST\n",
        "-a",
        "*********************",
        "-g",
        "http://127.0.0.1:8080/"
    ],
    "delta": "0:01:01.309185",
    "end": "2019-05-27 06:50:58.395925",
    "failed_when_result": true,
    "invocation": {
        "module_args": {
            "_raw_params": "/media/tmp//venv/bin/shed-install -y \"name: ncbi_blast_plus\nowner: devteam\ntool_panel_section_id: BLAST\n\" -a \"****************\" -g \"http://127.0.0.1:8080/\"",
            "_uses_shell": false,
            "argv": null,
            "chdir": null,
            "creates": null,
            "executable": null,
            "removes": null,
            "stdin": null,
            "warn": true
        }
    },
    "item": {
        "name": "ncbi_blast_plus",
        "owner": "devteam",
        "tool_panel_section_id": "BLAST"
    },
    "msg": "non-zero return code",
    "rc": 1,
    "start": "2019-05-27 06:49:57.086740",
    "stderr": "(1/1) Installing tool ncbi_blast_plus from devteam to section \"BLAST\" at revision e25d3acf6e68 (TRT: 0:00:00.668739)\r\nTraceback (most recent call last):\n  File \"/media/tmp//venv/bin/shed-install\", line 10, in <module>\n    sys.exit(script_main())\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_install.py\", line 720, in script_main\n    itm.install_tools()\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_install.py\", line 627, in install_tools\n    install_repository_revision(tool, self.tsc)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_install.py\", line 502, in install_repository_revision\n    response = tsc.install_repository_revision(**tool)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/toolshed/__init__.py\", line 146, in install_repository_revision\n    return self._post(url=url, payload=payload)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/client.py\", line 152, in _post\n    files_attached=files_attached)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxyclient.py\", line 137, in make_post_request\n    timeout=self.timeout)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/api.py\", line 116, in post\n    return request('post', url, data=data, json=json, **kwargs)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/api.py\", line 60, in request\n    return session.request(method=method, url=url, **kwargs)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/sessions.py\", line 533, in request\n    resp = self.send(prep, **send_kwargs)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/sessions.py\", line 646, in send\n    r = adapter.send(request, **kwargs)\n  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/adapters.py\", line 498, in send\n    raise ConnectionError(err, 
request=request)\nrequests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine(\"''\",))",
    "stderr_lines": [
        "(1/1) Installing tool ncbi_blast_plus from devteam to section \"BLAST\" at revision e25d3acf6e68 (TRT: 0:00:00.668739)",
        "Traceback (most recent call last):",
        "  File \"/media/tmp//venv/bin/shed-install\", line 10, in <module>",
        "    sys.exit(script_main())",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_install.py\", line 720, in script_main",
        "    itm.install_tools()",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_install.py\", line 627, in install_tools",
        "    install_repository_revision(tool, self.tsc)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/ephemeris/shed_install.py\", line 502, in install_repository_revision",
        "    response = tsc.install_repository_revision(**tool)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/toolshed/__init__.py\", line 146, in install_repository_revision",
        "    return self._post(url=url, payload=payload)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxy/client.py\", line 152, in _post",
        "    files_attached=files_attached)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/bioblend/galaxyclient.py\", line 137, in make_post_request",
        "    timeout=self.timeout)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/api.py\", line 116, in post",
        "    return request('post', url, data=data, json=json, **kwargs)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/api.py\", line 60, in request",
        "    return session.request(method=method, url=url, **kwargs)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/sessions.py\", line 533, in request",
        "    resp = self.send(prep, **send_kwargs)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/sessions.py\", line 646, in send",
        "    r = adapter.send(request, **kwargs)",
        "  File \"/media/tmp/venv/local/lib/python2.7/site-packages/requests/adapters.py\", line 498, in send",
        "    raise ConnectionError(err, request=request)",
        "requests.exceptions.ConnectionError: ('Connection aborted.', BadStatusLine(\"''\",))"
    ],
    "stdout": "",
    "stdout_lines": []
}
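
Added example, not part of the original issue or of the role's code: a small POSIX permission audit showing why the 0755 gxpriv:galaxy layout reported above denies writes to the galaxy user. The group memberships are assumptions (each account only in its own primary group), and ACLs and root are ignored.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "path mode owner group")
Account = namedtuple("Account", "name groups")


def selected_bits(acct, entry):
    """Return the rwx triplet POSIX applies to this account.

    The first matching class (owner, then group, then other) decides;
    the classes are never combined.
    """
    if acct.name == entry.owner:
        return (entry.mode >> 6) & 0o7
    if entry.group in acct.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def can_create_in(acct, entry):
    """Creating or deleting files in a directory needs write AND search (x)."""
    return selected_bits(acct, entry) & 0o3 == 0o3


def audit(accounts, entries):
    """Map (user, path) to whether that user can create files there."""
    return {(a.name, e.path): can_create_in(a, e)
            for a in accounts for e in entries}


# Paths, modes and ownership as reported in the issue.
LAYOUT = [
    Entry("/server/database", 0o755, "gxpriv", "galaxy"),
    Entry("/server/tools", 0o755, "gxpriv", "galaxy"),
]
# Assumption: each account belongs only to its own primary group.
ACCOUNTS = [
    Account("gxpriv", frozenset({"gxpriv"})),
    Account("galaxy", frozenset({"galaxy"})),
]

if __name__ == "__main__":
    for (user, path), ok in sorted(audit(ACCOUNTS, LAYOUT).items()):
        print(f"{user:7} {path:17} {'writable' if ok else 'read-only'}")
```

With 0755 the group class carries r-x only, so galaxy matches the directory's group but gets no write bit, while gxpriv matches the owner class and can write.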

maikknebel commented 4 years ago

We stopped using ansible and went back to docker images. Closing this so far.