name: inverse layout: true class: center, middle, inverse
--- # User, Group and Quota managment .footnote[Tip: press `P` to view the presenter notes] ??? Presenter notes contain extra information which might be useful if you intend to use these slides for teaching. Press `P` again to switch presenter notes off Press `C` to create a new window where the same presentation will be displayed. This window is linked to the main window. Changing slides on one will cause the slide to change on the other. Useful when presenting. --- ### <i class="far fa-question-circle" aria-hidden="true"></i><span class="visually-hidden">question</span> Questions - How does Galaxy manage users and groups? - How can I assign Quotas to specific users/groups? --- ### <i class="fas fa-bullseye" aria-hidden="true"></i><span class="visually-hidden">objectives</span> Objectives - Learn the Galaxy user/group management and assign Quotas. - Understand the Role Based Access Control (RBAC) of Galaxy. --- # Users, Groups, Quotas .footnote[\#usegalaxy / @galaxyproject] --- class: left ## Overview This section will cover handling of users, groups and quotas for Galaxy. We will look at the following in particular: * User Activation and Control * User Passwords and Session Policies * Setting Admin users and admin control of users * User Privacy * Roles and Groups * Setting permissions on Libraries and Datasets * Quotas * Introduction to alternate authentication ??? - Lots of different topics, but everything is related to users and permissions - As an admin you have lots of control over this - Most configuration in galaxy.yml file --- ## User Control option | description ---- | ---- `require_login` | Prevent anonymous access. `show_welcome_with_login` | Show welcome page next to login page. `allow_user_creation` | Allow user registration. When False, admins must create users; often coupled with `require_login`. `allow_user_dataset_purge` | Users can purge (permanently delete) their datasets. `api_allow_run_as` | List of email addresses of API users who can make calls on behalf of other users. `expose_dataset_path` | Users to see the full path of datasets via the "View Details" option in the history. .footnote[.center[options in `galaxy.yml`]] ??? These options let you control anonymous access, if users can register themselves or an admin needs to create them, and what sort of responsibility they have --- class: left ## User Activation Require verification that a user's email is real. You must enable SMTP first. option | description ---- | ---- `user_activation_on` | Require users to click link in email before running jobs. `activation_grace_period` | Time (hours) that a user can 'explore' Galaxy before activation lockout. `inactivity_box_content` | Message provided to non-activated users. `blacklist_file` | Defines domains in XXX.YYY format that will be rejected as user emails. Exercise: - Enable User activation - Register a new user (second email / firstname.lastname@example.org) - Upload a Dataset .footnote[.center[options in `galaxy.yml`]] ??? - Whenever a user registers, user activation settings control how this process goes - If you want require activation, let them explore first, or blacklist certain email domains --- ## Password & Session Policies option | description ---- | ---- `password_expiration_period` | Days before requiring a user to change password. ([NIST recommends not requiring password changes.](https://en.wikipedia.org/wiki/Password_policy#NIST_guidelines)) `session_duration` | Minutes before invaliding a user's session, requiring re-login. .footnote[.center[options in `galaxy.yml`]] ??? - Some options are related to IT security policies --- class: left ## Admin Control option | description ---- | ---- `admin_users` | Comma-separated list of admin users' emails. `allow_user_deletion` | Admins can delete users. `allow_user_impersonation` | Admins can become other users. Great for debugging / user assistance. `master_api_key` | Admin super-key allows many API admin actions without having a real admin user. Exercise: - Enable user impersonation - Log in as admin and become other user - View existing and create Histories and Datasets. .footnote[.center[options in `galaxy.yml`]] ??? - You used `admin_users` in the basic admin training to define an admin email address - User impersonation is a very commonly used feature, allowing admins to debug issues in their users' histories - A master api key can be set but there are some caveats, as it isn't tied to a user account. --- class: left ## User Privacy option | description ---- | ---- `expose_user_name` | Users can view other registered usernames. `expose_user_email` | Users can view other registered emails. `new_user_dataset_access_role_default_private` | Newly created datasets are private to the creating user. .footnote[.center[options in `galaxy.yml`]] ??? - These options control if the username/email is shown as a dropdown in the history sharing dialogue. - The `new_user_dataset_access_role_default_private` is important, by default when users share-by-link, all datasets are public. When you set this option, datasets are private, even thoughthe history is shared via link. Users complain when it doesn't work, and have to be educated to click the appropriate buttons. --- class: left ## Roles and Groups #### Role Based Access Control (RBAC) **Admin** can: * create roles (each user automatically has their own 'private' role) * create groups * assign roles to groups * assign users to groups * assign groups to roles * assign users to roles * assign permission sets to roles * assign permission sets to groups ??? - Galaxy uses RBAC for permissions in many places. Roles can be creaed, and assigned permissions. Roles and groups behave similarly, grouping users together and granting permisisons. --- class: left ## Dataset Roles .left-column50[ **manage permissions** * Users who have associated role on a dataset can manage the roles associated it. **access** * Users having associated role can use/view/download a dataset for analysis. Users must have every role associated with a dataset in order to access it **new_user_dataset_access_role_default_private** (`galaxy.yml`) * When this is set, datasets are private by default. ] .right-column50[.middle[.image-90[ ![User_roles](../../images/dataset_roles.png) ]]] --- ## Library Roles .left-column50[ * **modify library item**: Users having associated role can modify this library item * **access library**: Restrict access to this library to only users having associated role * **add library item**: Users having associated role can add library items to this library item * **manage library permissions**: Users having associated role can manage roles associated with permissions on this library item ] .left-column50[.image-90[ ![Library_roles](../../images/Library_roles.png) ]] --- class: left ## Role Demo * We will now demonstrate creation of Groups and Roles. * We will show how restricting access to a Dataset prevents usage or download. --- class: left, reduce90 ## Quotas Used to control user disk usage. option | description ---- | ---- `enable_quotas` | Enable enforcement of quotas. Quotas can be set from the Admin interface (under Data). Must create quotas in admin interface before any quota will be enforced, otherwise 'unlimited' Amounts: - Examples: "10000MB", "99 gb", "0.2T", "unlimited" - = / + / - Default for user class: - None (No) - Unregistered Users - Registered Users or associated with Groups or Users .footnote[.center[options in `galaxy.yml`]] ??? - You can enable quotas in your galaxy.yml file - When the user has more data than their quotum permits, they are prevented from starting new jobs. - many sites setup a "quote increase request" form, to let users request increases for specific, temporary projects --- class: left ## Quota Details - Quotas can be set for Users, or all users of a Group - But it is not a "group quota" - The quota is applied to individual users Storage - Quotas are stored in the DB tables `galaxy_user`, `galaxy_group`, and `quota` --- class: left ## Quota Automation - There is currently no quota automation. - Some individuals have written their own quota automation but it is quite ugly ([usegalaxy-eu/quota-sync](https://github.com/usegalaxy-eu/quota-sync)) - Could be nicer with a lot of work - Quotas are like group/user management: not managed by files, only within UI/API --- ### <i class="fas fa-key" aria-hidden="true"></i><span class="visually-hidden">keypoints</span> Key points - Galaxy has a powerful user and group managment system that can be utilized for Quota management. --- ## Thank you! This material is the result of a collaborative work. Thanks to the [Galaxy Training Network](https://wiki.galaxyproject.org/Teach/GTN) and all the contributors!
This material is licensed under the
Creative Commons Attribution 4.0 International License