GBrowse
view release on metacpan or search on metacpan
bin/gbrowse_aws_balancer.pl view on Meta::CPAN
ingress rule to allow access to the slave port(s) (see the "ports"
option) from the master's group or IP address.
=back
=head1 CONFIGURING AWS CREDENTIALS
To work, the balancer script must be able to make spot instance
requests and to monitor and terminate instances. To perform these
operations the script must have access to the appropriate AWS
credentials (access key and secret key) on the command line or as
environment variables.
While the script does its best to shield the credentials from prying
eyes, there is still a chance that the credentials can be intercepted
by another party with login access to the machine that the master runs
on and use the credentials to run up your AWS bill. For this reason
some people will prefer to create an EC2 account or role with limited
access to AWS resources.
=over 4
=item 1. Your personal EC2 credentials
You may provide the balancer script with --access_key and --secret_key
command line arguments using your personal EC2 credentials or set the
environment variables EC2_ACCESS_KEY and EC2_SECRET_KEY. If not
provided, the script will interactively prompt for one or both of
these values.
This is the simplest method, but has the risk that if the credentials
are intercepted by a malicious third party, he or she gains access to
all your EC2 resources.
=item 2. The credentials of a restricted IAM account
You may use the Amazon AWS console to create an IAM (Identity Access
and Management) user with restricted permissions, and provide that
user's credentials to the script on the command line or with
environment variables. The following IAM permission policy is the
minimum needed for the balancer script to work properly:
{
"Statement": [
{
"Sid": "BalancerPolicy",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
bin/gbrowse_aws_balancer.pl view on Meta::CPAN
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
Note that even with these restrictions, an unauthorized user with
access to the credentials could still launch a large number of spot
instances or terminate bona fide instances. This is just a fundamental
limitation of the granularity of EC2's permissions system.
=item 3. Create an IAM role
If the master is running on an EC2 instance, then the most convenient
way to pass credentials is by assigning the instance an IAM role. The
balancer script can then obtain temporary credentials by making
internal EC2 calls. The credentials do not need to be provided on the
command line or in environment variables, and are only valid for short
periods of time, limiting the effect of theft.
First, create an IAM role using the Amazon Console. Select
IAM->Roles->Create New Role, and give the role the name
"GBrowseMaster" (or whatever you prefer).
Next, when prompted for the role type, select AWS Service
Roles->Amazon EC2.
bin/gbrowse_metadb_config.pl view on Meta::CPAN
print "No need to run database metadata configuration script, filesystem-backend will be used.";
exit 0;
}
fix_sqlite_permissions() if $dsn =~ /sqlite/i;
create_mysql_database() if $dsn =~ /mysql/i;
eval "require DBI" or die "DBI module not installed. Cannot continue.";
my $database = DBI->connect($dsn)
or die "Error: Could not open users database, please check your credentials.\n" . DBI->errstr;
my $type = $database->{Driver}->{Name};
my $autoincrement = $type =~ /mysql/i ? 'auto_increment'
:$type =~ /sqlite/i ? 'autoincrement'
:'';
my $last_id = $type =~ /mysql/i ? 'mysql_insertid'
:$type =~ /sqlite/i ? 'last_insert_rowid'
:'';
# Database schema. To change the schema, update/add the fields here, and run this script.
conf/plugins/LDAPAuthenticate.pm view on Meta::CPAN
use base 'Bio::Graphics::Browser2::Plugin::AuthPlugin';
use Net::LDAP;
use Carp 'croak';
#use constant SERVER => 'ldap.res.oicr.on.ca';
#use constant PEOPLE_BASE => 'ou=People,dc=oicr,dc=on,dc=ca';
#use constant GROUPS_BASE => 'ou=Groups,dc=oicr,dc=on,dc=ca';
sub authenticate {
my $self = shift;
my ($name,$password) = $self->credentials;
my $ldap = $self->_ldap_connect or return;
# possibly bind to the server if a root DN and password are needed
$self->_initial_bind($ldap);
# do a search to get the user dn with which to bind
my $search = $ldap->search(
base => $self->people_base,
filter => "(&(objectClass=posixAccount)(uid=$name))"
conf/plugins/LDAPAuthenticate.pm view on Meta::CPAN
For this plugin to work, you must configure an [LDAPAuthenticate:plugin] section
in the main GBrowse.conf file. It will look like this:
[LDAPAuthenticate:plugin]
login hint = your foobar corp account
ldap server = ldap.foobar.com
people base = ou=People,dc=foobar,dc=ny,dc=usa
groups base = ou=Groups,dc=foobar,dc=ny,dc=usa
B<login hint> (optional) is displayed to the user so that he knows
what account credentials he or she is being asked for.
B<ldap server> (required) is the address of the LDAP server you wish
to contact. If the server is running on a non-standard, port, you can
indicate it as "ldap.foobar.com:1118".
B<people base> (required) is the search base for the People records
where the provided user id will be found.
B<groups base> (required) is the search base for the Group records
where the user's group membership can be determined.
conf/plugins/PamAuthenticate.pm view on Meta::CPAN
use strict;
use base 'Bio::Graphics::Browser2::Plugin::AuthPlugin';
use Authen::Simple::PAM;
use User::grent;
use User::pwent;
use constant DEFAULT_PAM_SERVICE => 'gbrowse';
sub authenticate {
my $self = shift;
my ($name,$password) = $self->credentials;
my $service_name = $self->setting('pam service name') || 'gbrowse';
my $pam = Authen::Simple::PAM->new(
service => $service_name
) or return;
if ($pam->authenticate($name,$password)) {
my $fullname = $self->_get_fullname($name);
return ($name,$fullname||$name);
} else {
return;
}
conf/plugins/TestAuthenticator.pm view on Meta::CPAN
package Bio::Graphics::Browser2::Plugin::TestAuthenticator;
# $Id$
use strict;
use base 'Bio::Graphics::Browser2::Plugin::AuthPlugin';
sub authenticate {
my $self = shift;
my ($name,$password) = $self->credentials;
if ($name eq 'lincoln' && $password eq 'foobar') {
return ($name,'Lincoln Stein'); # username, fullname
} elsif ($name eq 'jane' && $password eq 'foobar') {
return ($name,'Jane Doe');
}
return;
}
1;
htdocs/js/login.js view on Meta::CPAN
}
});
return;
}
//******************************************************************
// Log In Validation Functions:
//******************************************************************
//Checks to make sure that the provided credentials are valid
function login_validation() {
var username = $('loginUser').getValue();
var password = $('loginPass').getValue();
var session = '';
var remember;
if(LoginPage=='edit') {remember=2;}
else {
if($('loginRemember').checked) {remember=1;}
else {remember=0;}
htdocs/js/login.js view on Meta::CPAN
} else {
$('loginWarning').innerHTML = results;
}
UsingOpenID = false;
login_user(username,session,remember);
}
});
return;
}
//Logs in the user or sends them to the proper screen when credentials are provided
function login_user(username,session,remember) {
if ($('loginWarning').innerHTML != 'Success') {
$('loginWarning').show();
login_loading(false);
return;
} else {
switch(LoginPage) {
case 'edit':
CurrentUser = username;
edit_details('home');
lib/Bio/Graphics/Browser2/Plugin/AuthPlugin.pm view on Meta::CPAN
Bio::Graphics::Browser2::Plugin::AuthPlugin -- Base class for authentication plugins
=head1 SYNOPSIS
package Bio::Graphics::Browser2::Plugin::MyPlugin;
use base 'Bio::Graphics::Browser2::Plugin::AuthPlugin';
sub authenticate {
my $self = shift;
my ($user,$password) = $self->credentials;
return unless $user eq 'george' && $password eq 'washington';
return ($user,'George Washington','george@whitehouse.gov');
}
sub user_in_group {
my $self = shift;
my ($user,$group) = @_;
return $user eq 'george' && $group eq 'potomac';
}
lib/Bio/Graphics/Browser2/Plugin/AuthPlugin.pm view on Meta::CPAN
In addition, you may override the user_in_group() method, which takes
two argumetns: the username and group. Return true if the user belongs
to the group, and false otherwise.
Other methods you may wish to override include:
* authentication_hint()
* authentication_help()
* configure_form()
* reconfigure()
* credentials()
These are described below.
=cut
use strict;
use Bio::Graphics::Browser2::Plugin;
use Bio::Graphics::Browser2::Util 'shellwords';
use CGI qw(:standard);
lib/Bio/Graphics/Browser2/Plugin/AuthPlugin.pm view on Meta::CPAN
=back
=cut
######################################################33
# OVERRIDE THESE METHODS
######################################################33
sub authenticate {
my $self = shift;
my ($name,$password) = $self->credentials;
return;
}
sub user_in_group {
my $self = shift;
my ($user,$group) = @_;
return;
}
=head2 Methods that you may want to customize
=over 4
=item $message = $plugin->authentication_hint
Returns a message printed at the top of the login dialog, that will
help the user know which credentials he is expected to present. For
example, returning "Acme Corp Single Sign-on" will present the user
with "Please log into your Acme Corp Single Sign-on".
The default behavior is to take this value from the "login hint"
option in a stanza named [AuthPlugin:plugin]. Example:
=item $message = $plugin->authentication_help
Returns a message printed at the bottom of the login dialog. It is
expected to be used for a help message or link that will give the user
lib/Bio/Graphics/Browser2/Plugin/AuthPlugin.pm view on Meta::CPAN
This method is called to copy the values from the filled-out form into
the plugin's hash of configuration variables. If you add fields to
configure_form() will you need to adjust this method as well.
=item $plugin->config_defaults()
Set up defaults for the configuration hash. Use this if you wish to
default to a particular username.
=item $plugin->credentials()
This returns a two-element list containing the username and password
last entered into the authentication dialog. It reads these values
from the configuration hash returned by $self->configuration().
If you add additional types of credentials to the login dialog, you
may need to override this method.
=back
=cut
sub config_defaults {
my $self = shift;
return { };
}
lib/Bio/Graphics/Browser2/Plugin/AuthPlugin.pm view on Meta::CPAN
-value => $current_config->{name},
-size => 20))),
TR(th({-align=>'right'},'Password'),
td(password_field(-name => $self->config_name('password'),
-value => '',
-override=>1,
-size => 20)))
);
}
sub credentials {
my $self = shift;
my $current_config = $self->configuration;
return ($current_config->{name},
$current_config->{pass});
}
1;
__END__
lib/Bio/Graphics/Browser2/Render/Slave/AWS_Balancer.pm view on Meta::CPAN
$self->initialize();
return $self;
}
sub logfile {shift->{logfile}}
sub pidfile {shift->{pidfile}}
sub pid {shift->{pid}}
sub user {shift->{user}}
sub daemon {shift->{daemon}}
sub ssh_key {shift->{ssh_key}}
sub ec2_credentials {
my $self = shift;
if ($self->running_as_instance) {
my $credentials = $self->{instance_metadata}->iam_credentials;
return (-security_token => $credentials) if $credentials;
$self->log_debug('No instance security credentials. Does this instance have an IAM role?');
}
$self->{access_key} ||= $self->_prompt('Enter your EC2 access key:');
$self->{secret_key} ||= $self->_prompt('Enter your EC2 secret key:');
return (-access_key => $self->{access_key},
-secret_key => $self->{secret_key})
}
sub logfh {
my $self = shift;
my $d = $self->{logfh};
$self->{logfh} = shift if @_;
lib/Bio/Graphics/Browser2/Render/Slave/AWS_Balancer.pm view on Meta::CPAN
-port => 22,
-source_ip=> "$ip/32"))
if $self->slave_ssh_key;
$sg->update or croak $ec2->error_str;
return $self->{slave_security_group} = $sg;
}
sub ec2 {
my $self = shift;
# create a new ec2 each time because security credentials may expire
my @credentials = $self->ec2_credentials;
return $self->{ec2} = VM::EC2->new(-endpoint => $self->slave_endpoint,
-raise_error => 1,
@credentials);
}
sub internal_ip {
my $self = shift;
return unless $self->running_as_instance;
return $self->{instance_metadata}->privateIpAddress;
}
sub master_security_group {
my $self = shift;
lib/Bio/Graphics/Browser2/UserDB.pm view on Meta::CPAN
# SOME CLARIFICATION ON TERMINOLOGY
# "userid" -- internal dbm ID for a user; a short integer
# "sessionid" -- GBrowse's session ID, a long hexadecimal
# "uploadsid" -- GBrowse's upload ID, a long hexadecimal
sub new {
my $class = shift;
my $globals = shift;
my $VERSION = '0.5';
my $credentials = $globals->user_account_db
|| "DBI:mysql:gbrowse_login;user=gbrowse;password=gbrowse";
my $login = DBI->connect($credentials);
unless ($login) {
confess "Could not open login database $credentials";
}
my $self = bless {
dbi => $login,
globals => $globals,
openid => HAVE_OPENID,
register => HAVE_SMTP,
}, ref $class || $class;
return $self;
lib/Bio/Graphics/Browser2/UserDB.pm view on Meta::CPAN
#####################################
# BUG!
# Everything below here supports the
# login.js script, which expects return
# values as various combinations of
# strings and JSON structures.
# This means API is strongly tied
# to database queries.
#####################################
# Validate - Ensures that a non-openid user's credentials are correct.
sub do_validate {
my $self = shift;
my ($user,$pass,$remember) = @_;
my $userdb = $self->{dbi};
my $update;
# remove dangling unconfirmed accounts here
$self->check_old_confirmations();
lib/Bio/Graphics/Browser2/UserDB.pm view on Meta::CPAN
my $openid = "";
return $self->string_result($user) unless $rows == 1;
if (@openids) {foreach(@openids) {$openid .= "$_\n ";}}
else {$openid = "None\n";}
my $pass = $self->create_key('8');
my $message = "\nYour password has been reset to the one seen below. To fix this,";
$message .= " select \"My Account\" from the log in menu and log in with the";
$message .= " credentials found below.\n\n Username: $user\n ";
$message .= "Password: $pass\n\n OpenIDs: $openid\n\n";
$message .= $self->get_footer();
my ($status,$err) = $self->Bio::Graphics::Browser2::SendMail::do_sendmail({
from => $globals->email_address,
from_title => $globals->application_name,
to => $email,
subject => $globals->application_name . " Account Information",
msg => $message
},$globals);
lib/Bio/Graphics/Browser2/UserDB.pm view on Meta::CPAN
# this shouldn't work, but oddly it does.
# it has something to do with prototype ajax and the Location: string
return (200,'text/html',"Location: $check_url"); # shouldn't work?
# this should work, but oddly it doesn't
# return (302,undef,$check_url);
}
# Confirm OpenID - Checks that the returned credentials are valid.
sub do_confirm_openid {
my $self = shift;
my ($callbacks, $sessionid, $option,$email,$fullname) = @_;
my $userdb = $self->{dbi};
my ($error, @results, $select, $user, $only);
my $csr = Net::OpenID::Consumer->new(
ua => LWP::UserAgent->new,
lib/Bio/Graphics/Browser2/UserTracks/Database.pm view on Meta::CPAN
use CGI qw(param url header());
use Carp qw(confess cluck);
use File::Path qw(rmtree);
sub _new {
my $class = shift;
my $self = $class->SUPER::_new(@_);
# Attempt to login to the database or die, and access the necessary tables or create them.
my $globals = $self->globals;
my $credentials = $globals->user_account_db or warn "No credentials given to uploads DB in GBrowse.conf";
my $uploadsdb = DBI->connect($credentials);
unless ($uploadsdb) {
print header();
print "Error: Could not open user account database. If you are the administrator, run gbrowse_metadb_config.pl";
die "Could not open user account database with $credentials";
}
$self->uploadsdb($uploadsdb);
# Check to see if user accounts are enabled, set some commonly-used variables.
if ($globals->user_accounts) {
# BUG: Two copies of UserDB; one here and one in the Render object
$self->{userdb} = Bio::Graphics::Browser2::UserDB->new($globals);
$self->{username} = $self->{userdb}->username_from_sessionid($self->sessionid);
$self->{userid} = $self->{userdb}->userid_from_sessionid($self->sessionid);
}
( run in 0.292 second using v1.01-cache-2.11-cpan-4d50c553e7e )