===========================
Configuring Anaconda Client
===========================

.. contents::
   :local:
   :depth: 1


Anaconda Client gives you the ability to upload packages to your
on-site Anaconda Repository and provides highly granular access
control capabilities. The instructions below describe how to
configure Client to use your local Repository instead of Anaconda
Cloud.

Client configuration
====================

On each machine that accesses your on-site Repository, run this
command as the machine's local user::

  anaconda config --set url http://your.server.name:<port>/api

Or, to set the default repo on a system-wide basis, run this command::

  anaconda config --set url http://your.server.name:<port>/api --site



NOTE: Replace ``your.server.name`` with the name of your local
Repository and ``<port>`` with the name of the port used by Repository.

The system level ``config`` file is used only if no user-level
``config`` file is present.

To show the system and user ``config`` file locations and
configuration settings::

  anaconda config --show

Conda configuration
===================

When the above ``anaconda config`` steps are completed, you can access
all packages and channels from the local on-site Repository instead of
the public Anaconda.org.

Users can then add individual accounts to their ``.condarc`` file by
running the following command::

  conda config --add channels USERNAME

If you still want to access certain channels from the public
Anaconda.org, run::

  conda config --add channels http://conda.anaconda.org/USERNAME



NOTE: Replace ``USERNAME`` with your username.

Conda channel priority
----------------------

To set a preferred priority for the channels conda searches for package
installs, edit your ``~/.condarc file`` and change the order. Channels
at the top are searched first.

For example::

  channels:
    - channel
    - https://conda.anaconda.org/t/<token>/<channel2>
    - http://conda.anaconda.org/<channel1>
    - defaults

The order of search is:

#. Private on-site Repository channel.

#. Private Anaconda.org channel2.

#. Public Anaconda.org channel1.

#. Default channel on the on-site Repository.

Pip configuration
=================

To install PyPI packages from your Repository, add your channel to
your ``~/.pip/pip.conf`` configuration file.

Edit the file and add an extra-index-url entry to the global
config section::

  [global]
  extra-index-url = http://your.server.name:<port>/pypi/USERNAME/simple



NOTE: Replace ``your.server.name`` with the name of your local
Repository, ``<port>`` with the name of the port used by Repository
and ``USERNAME`` with your username.

Kerberos configuration
======================

If you have enabled Kerberos authentication as described in
:doc:`config-repo-use-kerberos`, your browser and Client should
be able to authenticate to Repository using Kerberos.

In macOS/Unix, configure the file ``/etc/krb5.conf``::

    [libdefaults]
    default_realm = YOUR.DOMAIN

    [realms]
    YOUR.DOMAIN = {
      kdc = your.kdc.server
    }

    [domain_realm]
    your.anaconda.repository = YOUR.DOMAIN

NOTE: Replace ``YOUR.DOMAIN`` with your domain, ``your.kdc.server``
with your Kerberos key distribution center (KDC) and
``your.anaconda.repository`` with your local Repository server.

If your configuration is correct, you should be able to authenticate
using the command line tool ``kinit``::

    kinit jsmith
    anaconda login

NOTE: Replace ``jsmith`` with your username.

Browser Setup
-------------

Many browsers do not present your Kerberos credentials by default, to
prevent leaking credentials to untrusted parties. In order to use
Kerberos authentication, you must whitelist Repository as a trusted
party to receive credentials.

You must restart your browser after configuring the whitelist in order
for changes to be reflected.

Safari
^^^^^^

Safari requires no configuration---it automatically presents your
credentials without whitelisting.

Chrome
^^^^^^

The AuthServerWhitelist policy must be set to
``your.anaconda.repository`` to allow Chrome to present credentials
to Repository with the hostname ``your.anaconda.repository``.
Depending on your DNS configuration,
DisableAuthNegotiateCnameLookup may also be required to prevent
Chrome from canonicalizing the hostname before generating a
service name.

NOTE: Replace ``your.anaconda.repository`` with your local Repository
server.

To configure on macOS::

  defaults write com.google.Chrome AuthServerWhitelist "your.anaconda.repository"



On Linux::

  mkdir -p /etc/opt/chrome/policies/managed
  mkdir -p /etc/opt/chrome/policies/recommended
  chmod -w /etc/opt/chrome/policies/managed
  echo '{"AuthServerWhitelist": "your.anaconda.repository"}' > /etc/opt/chrome/policies/managed/anaconda_repo_policy.json



On Windows, use Group Policy objects to set the Authentication
server whitelist setting to ``your.anaconda.repository``.

For more information, see Chrome's `SPNEGO authentication <http://
www.chromium.org/developers/design-documents/http-authentication>`_ and
`administration <https://www.chromium.org/administrators>`_
documentation.


Firefox
^^^^^^^

#. Navigate to the configuration page ``about:config``.

#. Search for ``negotiate``.

#. Set the configuration item
   ``network.negotiate-auth.trusted-uris`` to
   ``your.anaconda.repository``

NOTE: Replace ``your.anaconda.repository`` with your local Repository
server.

Internet Explorer
^^^^^^^^^^^^^^^^^

#. In the **Tools** menu, select Internet Options.

#. On the **Advanced** tab, in the Security section, select
   Enable Integrated Windows Authentication.

.. https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
