@@ -113,7 +113,7 @@ You can consult the `Kombu documentation
113113even more information.
114114
115115User Authentication/Authorization
116- `````````````
116+ `````````````````````````````````
117117
118118You can configure Pulsar to authenticate user during request processing and check
119119if this user is allowed to run a job.
@@ -222,6 +222,190 @@ In the event that the connection to the AMQP server is lost during message
222222publish, the Pulsar server can retry the connection, governed by the
223223``amqp_publish* `` options documented in `app.yml.sample `_.
224224
225+ Message Queue (pulsar-relay)
226+ -----------------------------
227+
228+ Pulsar can also communicate with Galaxy via an experimental **pulsar-relay ** server,
229+ an HTTP-based message proxy. This mode is similar to the AMQP message queue mode but uses
230+ HTTP long-polling instead of a message broker like RabbitMQ. This can help when:
231+
232+ * Galaxy cannot directly reach Pulsar (e.g., due to firewall restrictions)
233+ * You want to avoid deploying and managing a RabbitMQ server
234+ * You prefer HTTP-based communication for simplicity and observability
235+
236+ Architecture
237+ ````````````
238+
239+ In this mode:
240+
241+ 1. **Galaxy → Pulsar **: Galaxy posts control messages (job setup, status requests,
242+ kill commands) to the proxy via HTTP POST
243+ 2. **Pulsar → Galaxy **: Pulsar polls the proxy via HTTP long-polling to receive
244+ these messages
245+ 3. **Pulsar → Galaxy **: Pulsar posts status updates to the proxy
246+ 4. **Galaxy → Pulsar **: Galaxy polls the proxy to receive status updates
247+ 5. **File Transfers **: Pulsar transfers files directly to/from Galaxy via HTTP
248+ (not through the proxy)
249+
250+ ::
251+
252+ Galaxy ──POST messages──> pulsar-relay ──poll──> Pulsar Server
253+ │
254+ │
255+ Galaxy <────────direct HTTP for file transfers─────────┘
256+
257+ Pulsar Configuration
258+ ````````````````````
259+
260+ To configure Pulsar to use pulsar-relay, set the ``message_queue_url `` in
261+ ``app.yml `` with a ``http:// `` or ``https:// `` prefix::
262+
263+ message_queue_url: http://proxy-server.example.org:9000
264+ message_queue_username: admin
265+ message_queue_password: your_secure_password
266+
267+ The ``http:// `` / ``https:// `` prefix tells Pulsar to use the proxy communication mode instead
268+ of AMQP.
269+
270+ .. note ::
271+
272+ Unlike AMQP mode, the pulsar-relay mode does **not ** require the ``kombu ``
273+ Python dependency. It only requires the ``requests `` library, which is a
274+ standard dependency of Pulsar.
275+
276+ Galaxy Configuration
277+ ````````````````````
278+
279+ In Galaxy's job configuration (``job_conf.yml ``), configure a Pulsar destination
280+ with proxy parameters::
281+
282+ runners:
283+ pulsar:
284+ load: galaxy.jobs.runners.pulsar:PulsarMQJobRunner
285+ # Proxy connection
286+ proxy_url: http://proxy-server.example.org:9000
287+ proxy_username: your_username
288+ proxy_password: your_secure_password
289+
290+
291+ execution:
292+ default: pulsar_relay
293+ environments:
294+ pulsar_relay:
295+ runner: pulsar
296+ # Galaxy's URL (for Pulsar to reach back for file transfers)
297+ url: http://galaxy-server.example.org:8080
298+ # Remote job staging directory
299+ jobs_directory: /data/pulsar/staging
300+
301+
302+ Authentication
303+ ``````````````
304+
305+ The pulsar-relay uses JWT (JSON Web Token) authentication. Galaxy and Pulsar
306+ authenticate with the proxy using the username and password provided in the
307+ configuration. Tokens are automatically managed and refreshed as needed.
308+
309+ .. tip ::
310+
311+ In production, always use HTTPS for the proxy URL to encrypt credentials
312+ and message content during transit::
313+
314+ message_queue_url: https://proxy-server.example.org:443
315+
316+ Security Considerations
317+ ```````````````````````
318+
319+ * **Use HTTPS **: Always use HTTPS for the proxy URL in production
320+ * **Strong Passwords **: Use strong, unique passwords for proxy authentication
321+ * **Network Isolation **: Deploy the proxy in a DMZ accessible to both Galaxy
322+ and Pulsar
323+ * **Firewall Rules **:
324+ * Galaxy → Proxy: Allow outbound HTTPS
325+ * Pulsar → Proxy: Allow outbound HTTPS
326+ * Pulsar → Galaxy: Allow outbound HTTP/HTTPS for file transfers
327+
328+ Multiple Pulsar Instances
329+ ``````````````````````````
330+
331+ You can deploy multiple Pulsar instances with different managers, all using the
332+ same proxy. Messages are routed by topic names that include the manager name.
333+
334+ For example, configure two Pulsar servers:
335+
336+ **Pulsar Server 1 ** (``app.yml ``)::
337+
338+ message_queue_url: http://proxy-server:9000
339+ message_queue_username: admin
340+ message_queue_password: password
341+ managers:
342+ cluster_a:
343+ type: queued_slurm
344+
345+ **Pulsar Server 2 ** (``app.yml ``)::
346+
347+ message_queue_url: http://proxy-server:9000
348+ message_queue_username: admin
349+ message_queue_password: password
350+ managers:
351+ cluster_b:
352+ type: queued_condor
353+
354+ In Galaxy's job configuration, route jobs to specific clusters using the
355+ ``manager `` parameter::
356+
357+ execution:
358+ environments:
359+ cluster_a_jobs:
360+ runner: pulsar
361+ proxy_url: http://proxy-server:9000
362+ manager: cluster_a
363+ # ... other settings
364+
365+ cluster_b_jobs:
366+ runner: pulsar
367+ proxy_url: http://proxy-server:9000
368+ manager: cluster_b
369+ # ... other settings
370+
371+ Topic Naming
372+ ````````````
373+
374+ Messages are organized by topic with automatic naming based on the manager name:
375+
376+ * Job setup: ``job_setup_{manager_name} `` or ``job_setup `` (for default manager)
377+ * Status requests: ``job_status_request_{manager_name} ``
378+ * Kill commands: ``job_kill_{manager_name} ``
379+ * Status updates: ``job_status_update_{manager_name} ``
380+
381+ This allows multiple Pulsar instances to share the same proxy without message
382+ conflicts.
383+
384+ Comparison with AMQP Mode
385+ ``````````````````````````
386+
387+ +------------------------+---------------------------+-------------------------+
388+ | Feature | AMQP (RabbitMQ) | pulsar-relay |
389+ +========================+===========================+=========================+
390+ | Protocol | AMQP over TCP | HTTP/HTTPS |
391+ +------------------------+---------------------------+-------------------------+
392+ | Dependencies | kombu, RabbitMQ server | requests (built-in) |
393+ +------------------------+---------------------------+-------------------------+
394+ | Deployment Complexity | Moderate (broker setup) | Simple (HTTP service) |
395+ +------------------------+---------------------------+-------------------------+
396+ | Message Delivery | Push-based | Long-polling |
397+ +------------------------+---------------------------+-------------------------+
398+ | Observability | Queue monitoring tools | HTTP access logs |
399+ +------------------------+---------------------------+-------------------------+
400+ | SSL/TLS | Via AMQPS | Via HTTPS |
401+ +------------------------+---------------------------+-------------------------+
402+ | Firewall Friendly | Moderate | High (standard HTTP) |
403+ +------------------------+---------------------------+-------------------------+
404+
405+ For more information on deploying pulsar-relay, see the `pulsar-relay documentation `_.
406+
407+ .. _pulsar-relay documentation : https://github.com/galaxyproject/pulsar-relay
408+
225409Caching (Experimental)
226410----------------------
227411
0 commit comments