===============================
Client configuration (AER 2.32)
===============================

.. raw:: html

    <p>The Anaconda Client gives you the ability to upload packages to your on-site Anaconda repository and provides highly granular access control capabilities.  Here is how to configure your client to use your local repository instead of Anaconda Cloud.</p>
    <div class="section" id="anaconda-client-configuration">
    <h2>Anaconda client configuration<a class="headerlink" href="#anaconda-client-configuration" title="Permalink to this headline">¶</a></h2>
    <p>On each machine that will access your on-site Anaconda repository, run this command as the machine&#8217;s local user:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">anaconda</span> <span class="n">config</span> <span class="o">--</span><span class="nb">set</span> <span class="n">url</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">your</span><span class="o">.</span><span class="n">server</span><span class="o">.</span><span class="n">name</span><span class="p">:</span><span class="o">&lt;</span><span class="n">port</span><span class="o">&gt;/</span><span class="n">api</span>
    </pre></div>
    </div>
    <p>Or to set the default repo on a system wide basis, run this command:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">anaconda</span> <span class="n">config</span> <span class="o">--</span><span class="nb">set</span> <span class="n">url</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">your</span><span class="o">.</span><span class="n">server</span><span class="o">.</span><span class="n">name</span><span class="p">:</span><span class="o">&lt;</span><span class="n">port</span><span class="o">&gt;/</span><span class="n">api</span> <span class="o">--</span><span class="n">site</span>
    </pre></div>
    </div>
    <p>The system level config file will only be used if no user level config file is present.</p>
    <p>To show the system and user config file locations and configuration settings:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">anaconda</span> <span class="n">config</span> <span class="o">--</span><span class="n">show</span>
    </pre></div>
    </div>
    </div>
    <div class="section" id="conda-configuration">
    <h2>Conda configuration<a class="headerlink" href="#conda-configuration" title="Permalink to this headline">¶</a></h2>
    <p>With the above anaconda config steps you can access all packages and channels from the local onsite Anaconda
    repository instead of the public Anaconda.org.</p>
    <p>Users can then add individual accounts to their .condarc file by running the following command:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">conda</span> <span class="n">config</span> <span class="o">--</span><span class="n">add</span> <span class="n">channels</span> <span class="n">USERNAME</span>
    </pre></div>
    </div>
    <p>If you still wish to access certain channels from the public Anaconda.org:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">conda</span> <span class="n">config</span> <span class="o">--</span><span class="n">add</span> <span class="n">channels</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">conda</span><span class="o">.</span><span class="n">anaconda</span><span class="o">.</span><span class="n">org</span><span class="o">/&lt;</span><span class="n">USERNAME</span><span class="o">&gt;</span>
    </pre></div>
    </div>
    <div class="section" id="conda-channel-priority">
    <h3>Conda channel priority<a class="headerlink" href="#conda-channel-priority" title="Permalink to this headline">¶</a></h3>
    <p>To set a preferred priority for the channels conda will search for package installs edit your ~/.condarc file and change the order. Channels at the top are searched first.</p>
    <p>For example:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">channels</span><span class="p">:</span>
      <span class="o">-</span> <span class="n">channel</span>
      <span class="o">-</span> <span class="n">https</span><span class="p">:</span><span class="o">//</span><span class="n">conda</span><span class="o">.</span><span class="n">anaconda</span><span class="o">.</span><span class="n">org</span><span class="o">/</span><span class="n">t</span><span class="o">/&lt;</span><span class="n">token</span><span class="o">&gt;/&lt;</span><span class="n">channel2</span><span class="o">&gt;</span>
      <span class="o">-</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">conda</span><span class="o">.</span><span class="n">anaconda</span><span class="o">.</span><span class="n">org</span><span class="o">/&lt;</span><span class="n">channel1</span><span class="o">&gt;</span>
      <span class="o">-</span> <span class="n">defaults</span>
    </pre></div>
    </div>
    <p>The order of search is now</p>
    <ol class="arabic simple">
    <li>private onsite Anaconda repository channel</li>
    <li>private Anaconda.org channel2</li>
    <li>public Anaconda.org channel1</li>
    <li>default channel on onsite Anaconda repository</li>
    </ol>
    </div>
    </div>
    <div class="section" id="pip-configuration">
    <h2>pip configuration<a class="headerlink" href="#pip-configuration" title="Permalink to this headline">¶</a></h2>
    <p>To install pypi packages from your Anaconda repository, add your channel to your ~/.pip/pip.conf configuration file.</p>
    <p>Edit the file and add an extra-index-url entry to the global config section:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="k">global</span><span class="p">]</span>
    <span class="n">extra</span><span class="o">-</span><span class="n">index</span><span class="o">-</span><span class="n">url</span> <span class="o">=</span> <span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">your</span><span class="o">.</span><span class="n">server</span><span class="o">.</span><span class="n">name</span><span class="p">:</span><span class="o">&lt;</span><span class="n">port</span><span class="o">&gt;/</span><span class="n">pypi</span><span class="o">/&lt;</span><span class="n">username</span><span class="o">&gt;/</span><span class="n">simple</span>
    </pre></div>
    </div>
    </div>
    <div class="section" id="kerberos">
    <h2>Kerberos<a class="headerlink" href="#kerberos" title="Permalink to this headline">¶</a></h2>
    <p>If you have enabled Kerberos authentication as described in the <a class="reference internal" href="advanced.html"><span class="doc">Advanced Installation Options</span></a>
    installation guide, your browser and anaconda-client should be able to authenticate
    to Anaconda repository using Kerberos.</p>
    <p>In OS X/Unix, configure the file <code class="docutils literal"><span class="pre">/etc/krb5.conf</span></code>:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">libdefaults</span><span class="p">]</span>
    <span class="n">default_realm</span> <span class="o">=</span> <span class="n">YOUR</span><span class="o">.</span><span class="n">DOMAIN</span>

    <span class="p">[</span><span class="n">realms</span><span class="p">]</span>
    <span class="n">YOUR</span><span class="o">.</span><span class="n">DOMAIN</span> <span class="o">=</span> <span class="p">{</span>
      <span class="n">kdc</span> <span class="o">=</span> <span class="n">your</span><span class="o">.</span><span class="n">kdc</span><span class="o">.</span><span class="n">server</span>
    <span class="p">}</span>

    <span class="p">[</span><span class="n">domain_realm</span><span class="p">]</span>
    <span class="n">your</span><span class="o">.</span><span class="n">anaconda</span><span class="o">.</span><span class="n">server</span> <span class="o">=</span> <span class="n">YOUR</span><span class="o">.</span><span class="n">DOMAIN</span>
    </pre></div>
    </div>
    <p>If your configuration is correct, you should be able to authenticate using the command-line
    tool <code class="docutils literal"><span class="pre">kinit</span></code>:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">kinit</span> <span class="n">jsmith</span>
    <span class="n">anaconda</span> <span class="n">login</span>
    </pre></div>
    </div>
    <div class="section" id="browser-setup">
    <h3>Browser Setup<a class="headerlink" href="#browser-setup" title="Permalink to this headline">¶</a></h3>
    <p>Many browsers do not present your Kerberos credentials by default, to prevent
    leaking credentials to untrusted parties. In order to use Kerberos authentication,
    you must white-list Anaconda repository as a trusted party to receive credentials.</p>
    <p>You must restart your browser after configuring the whitelist in order for
    changes to be reflected.</p>
    <div class="section" id="safari">
    <h4>Safari<a class="headerlink" href="#safari" title="Permalink to this headline">¶</a></h4>
    <p>Safari requires no configuration - it will automatically present your
    credentials without white-listing.</p>
    </div>
    <div class="section" id="chrome">
    <h4>Chrome<a class="headerlink" href="#chrome" title="Permalink to this headline">¶</a></h4>
    <p>The <code class="docutils literal"><span class="pre">AuthServerWhitelist</span></code> policy must be set to <code class="docutils literal"><span class="pre">your.anaconda.server</span></code> -
    this will allow Chrome to present credentials to Anaconda Repository with
    the hostname <code class="docutils literal"><span class="pre">your.anaconda.server</span></code>.
    Depending on your DNS configuration, <cite>DisableAuthNegotiateCnameLookup</cite> may also be required -
    this will prevent Chrome from canonicalizing the hostname before generating a
    service name.</p>
    <p>To configure on OS X:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">defaults</span> <span class="n">write</span> <span class="n">com</span><span class="o">.</span><span class="n">google</span><span class="o">.</span><span class="n">Chrome</span> <span class="n">AuthServerWhitelist</span> <span class="s2">&quot;your.anaconda.server&quot;</span>
    </pre></div>
    </div>
    <p>On Linux:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">mkdir</span> <span class="o">-</span><span class="n">p</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">chrome</span><span class="o">/</span><span class="n">policies</span><span class="o">/</span><span class="n">managed</span>
    <span class="n">mkdir</span> <span class="o">-</span><span class="n">p</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">chrome</span><span class="o">/</span><span class="n">policies</span><span class="o">/</span><span class="n">recommended</span>
    <span class="n">chmod</span> <span class="o">-</span><span class="n">w</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">chrome</span><span class="o">/</span><span class="n">policies</span><span class="o">/</span><span class="n">managed</span>
    <span class="n">echo</span> <span class="s1">&#39;{&quot;AuthServerWhitelist&quot;: &quot;your.anaconda.server&quot;}&#39;</span> <span class="o">&gt;</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">chrome</span><span class="o">/</span><span class="n">policies</span><span class="o">/</span><span class="n">managed</span><span class="o">/</span><span class="n">anaconda_repo_policy</span><span class="o">.</span><span class="n">json</span>
    </pre></div>
    </div>
    <p>On Windows, use Group Policy objects to set the &#8220;Authentication server
    whitelist&#8221; setting to &#8220;your.anaconda.server&#8221;.</p>
    <p>For more information, see Chrome&#8217;s <a class="reference external" href="http://www.chromium.org/developers/design-documents/http-authentication">SPNEGO authentication</a>
    and <a class="reference external" href="https://www.chromium.org/administrators">administration</a> documentation.</p>
    </div>
    <div class="section" id="firefox">
    <h4>Firefox<a class="headerlink" href="#firefox" title="Permalink to this headline">¶</a></h4>
    <ul class="simple">
    <li>Navigate to the configuration page <code class="docutils literal"><span class="pre">about:config</span></code></li>
    <li>Search for &#8220;negotiate&#8221;</li>
    <li>Set the configuration item <code class="docutils literal"><span class="pre">network.negotiate-auth.trusted-uris</span></code> to <code class="docutils literal"><span class="pre">your.anaconda.server</span></code></li>
    </ul>
    </div>
    <div class="section" id="internet-explorer">
    <h4>Internet Explorer<a class="headerlink" href="#internet-explorer" title="Permalink to this headline">¶</a></h4>
    <ul class="simple">
    <li>Open the menu item <em>Internet Options &gt; Tools &gt; Advanced Tab</em></li>
    <li>In the <em>Security</em> section, select &#8220;Enable Integrated Windows Authentication&#8221;</li>
    </ul>
    </div>
    </div>
    </div>
