Recommended approach for restricting access to a prototype cBioPortal server


Daniel Hurley

Jul 8, 2021, 4:31:20 AM
to cBioPortal for Cancer Genomics Discussion Group

Hi everyone,

I'm setting up a prototype cBioPortal environment, and I'd like to implement a very basic username and password access restriction in front of it.  I don't need users to be able to sign up, just to block access to all but a specific list of usernames and passwords. 

Has anyone tried to do this before?  If so, what's the recommended approach?  I've thought about just having an Apache server in front of the cBioPortal instance and proxying to it, and using Apache basic authentication, but if I'm using the docker-compose setup this might get a bit fiddly. 

I've read through the authentication and authorisation section of the documentation here:


but these approaches (Keycloak, SAML) seem quite heavyweight and require configuration of other services.  I'd like to avoid doing this if I possibly can for this initial setup. 

Thanks,

Daniel

Pim van Nierop

Jul 8, 2021, 8:51:04 AM
to Daniel Hurley, cBioPortal for Cancer Genomics Discussion Group
Hi Daniel,

Is there a reason why you do not use the approach described in https://docs.cbioportal.org/2.2-authorization-and-authentication/user-authorization? This documentation relates to the mechanism that does NOT include SAML or OIDC providers. All that is needed is to manually populate the user information and permissions tables. This approach will result in a cBioPortal instance that can be accessed by anyone, but that will only show studies that the user has access to. cBioPortal does not provide any premade scripts for user-authorization using the internal database, so you need to do this manually in the MySQL console.

Bye, Pim 


--

Pim van Nierop

Software Engineer / cBioPortal specialist


E p...@thehyve.nl

T +31(0)30 700 9713

M +31(0)6 29464525

W thehyve.nl



    

Daniel Hurley

Jul 9, 2021, 3:10:45 PM
to cBioPortal for Cancer Genomics Discussion Group
Hi Pim - thanks for your message. How are the users authenticated in this situation once those tables are populated? I don't see any discussion in the documentation of a basic username and password login page, for instance.

Thanks,

Daniel

Pim van Nierop

Jul 15, 2021, 4:49:55 AM
to Daniel Hurley, cBioPortal for Cancer Genomics Discussion Group
Hi Daniel,

I think you still need to set up an external social IDP for it. cBioPortal supports Google and Microsoft out of the box. For Google integration you can follow the step described here and add the id/key and secret to the portal properties. I have no personal experience with this. From your description I think you require a setup where the user MUST log in in order to access the portal. My best guess would be to use the googleplus authentication method as described here, using the key and secret generated with a Google Dev Account. Please note that this IDP integration is only used for establishing the user identity. The user permissions should be added to the database. It is important to properly match the email address of Google with the email address in the cBioPortal database. If all authenticated users should see all studies, you can consider adding a group to the meta file of the studies at load-time (as described here) and setting the always_show_study_group property in portal properties.
I hope this helps. 
