We review the Globus Connect Server v5 (GCSv5) architecture and deployment model, and describe the process for creating a Globus endpoint on your HPC cluster, lab server, or other multi-user storage system. You will experiment with installing Globus Connect Server, and configuring basic options on the endpoint.
1. Introduction to Globus for System
Administrators
Brigitte Raumann
braumann@uchicago.edu
Case Western Reserve University
October 23, 2023
2. Our focus in this session
ā¢ Step by step tutorial on how to make your multi-user
storage accessible by your users via Globus
ā¢ Overview of configuration options and best practices
11. Globus Connect Server
install walkthrough
docs.globus.org/globus-connect-server
docs.globus.org/globus-connect-server/v5.4/quickstart
12. Globus Connect Server
install walkthrough
Key Prerequisite: Network Accessibility
docs.globus.org/globus-connect-server/v5.4/#open-tcp-ports_section
Port 443
must be publicly routable
Ports 50000-51000
used only during transfers as needed
can be on private net
13. Globus Connect Server
install walkthrough
Preliminaries
Satisfy technical prerequisites
Install GCS packages on your server
Deploy Globus Connect Server
1. Set up the endpoint
2. Add data transfer node(s) to the endpoint
3. Create a POSIX storage gateway
4. Create a mapped collection
14. Configure subscription features
5. Associate endpoint with a subscription
6. Create a guest collection to enable data sharing
7. Enable browser down/upload (HTTPS access)
8. Add non-POSIX storage systems to the endpoint
Globus Connect Server
install walkthrough
15. GCS v5 install walkthrough
Preliminaries
Satisfy technical prerequisites
Install GCS packages on your server
Already done on your servers.
16. GCS v5 install walkthrough
Install GCS packages on your server
$ curl -LOs http://downloads.globus.org/globus-connect-
server/stable/installers/repo/deb/globus-repo_latest_all.deb
$ dpkg -i globus-repo_latest_all.deb
$ apt-key add /usr/share/globus-repo/RPM-GPG-KEY-Globus
$ apt-get update
$ apt-get --assume-yes install globus-connect-server54
Already done on your servers.
docs.globus.org/globus-connect-server/v5.4/#install_section
17. Claim your server
1. Log into Globus at
app.globus.org
2. Select āclaim your
virtual machineā at
bit.ly/gw-tut
3. Enter your name,
email address, and
identity used to log
into Globus then note
the number in your
server DNS name
bit.ly/gw-tut
18. SSH into your server
1. Open a terminal window on your laptop
2. $ ssh admin<#>@tut<#>.globusdemo.org
$ Passwd:
$ ssh admin3@tut3.globusdemo.org
Example
# of your DNS server
from the spreadsheet
Commands at
bit.ly/gw-tut
20. 1. Create the Endpoint
$ globus-connect-server endpoint setup
> "My Endpoint"
> --organization "My Organization"
> --contact-email me@uchicago.edu
> --owner me@globusid.org
Commands at
bit.ly/gw-tut
docs.globus.org/globus-connect-server/v5.4/#create_the_endpoint
21. What does endpoint setup do?
ā¢ Creates your endpoint in the Globus services
ā¢ Creates the endpoint in Globus Transfer service
ā¢ Registers a Globus Auth client
ā¢ Registers a domain name of endpoint
ā¢ Obtain host certificate for interaction with endpoint
ā¢ Writes deployment-key.json
22. The Deployment Key
ā¢ Generated by the endpoint setup command
ā¢ Located in deployment-key.json
ā¢ Contains
ā¢ Client ID and secret
ā¢ Encryption key to endpoint configuration stored in the Globus
service
ā¢ Used to add data transfer nodes to the endpoint
ā¢ Can be used to recover your deployment
ā¢ Cannot be recovered by Globus
ā¢ Treat it like a password ā know where it is and secure it
25. Data Transfer Node set up
$ sudo globus-connect-server node setup
Note: deployment-key.json should be in same directory or specified location
What does node setup do?
ā¢ It adds your machine to your endpoint
ā¢ Starts services on your machine
Commands at
bit.ly/gw-tut
docs.globus.org/globus-connect-server/v5.4/#gcsv5-node-setup
26. Display endpoint details
$ globus-connect-server login localhost
$ globus-connect-server endpoint show
Commands at
bit.ly/gw-tut
docs.globus.org/globus-connect-server/v5.4/reference/
29. Storage Gateways policies defineā¦
ā¢ Who may use Globus to access your storage?
ā¢ Which parts of the file system are accessible via
Globus?
ā¢ What are the authentication requirements?
ā¢ What type of storage?
āPOSIX or AWS S3* or Google Cloud* or Box* or ā¦
*Subscription feature
30. Who may use Globus to access your storage
ā¢ Which Globus users?
āSelect one or more Globus identity domains
ā¢ Which local users?
ā Deny or allow local users or groups
ā¢ How do Globus users relate (map) to local users?
āConfigure the method to map Globus user to local account
Storage Gateways policies defineā¦
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#creating_a_storage_gateway
31. Which Globus users?
ā¢ User must have an identity from one of the configured
domains
ā On access attempts, linked identities will be scanned for a match
ā If no identity from the required domain(s), user will be asked to link one
ā Note: Domain restriction for data sharing are configured on mapped
collection, not storage gateway
ā¢ Identity domains may includeā¦
ā any organization in the Globus federated IdP list
ā your institutionās identity provider trusted by Globus
ā a local OpenID Connect (OIDC) server using your PAM stack
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#authentication_policies
32. Which local users?
ā¢ You can further narrow the access universe usingā¦
--user-allow
--user-deny
--posix-group-allow (POSIX storage gateways only)
--posix-group-deny (POSIX storage gateways only)
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#user_access_overview
33. How do Globus users and local users relate (map)?
ā¢ Default: Strip identity domain (everything after ā@ā)
ā e.g. userX@globusdemo.org maps to local account userX
ā Best for campus identities w/synchronized local accounts
ā¢ Use --identity-mapping option on storage gateway
ā Specify expression in a JSON document
ā Execute a custom script which Globus Connect Server calls
when it needs to map an identity.
docs.globus.org/globus-connect-server/v5.4/identity-mapping-guide/
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#identity_mapping_overview
35. What parts of the file system are accessible via Globus
ā¢ Can restrict user access via Globus to subtrees
ārestrict access via Globus to userās home directory, for example
ā¢ Use --restrict_paths to specify narrower read,
read/write, or deny access for specific paths
ā You provide a JSON doc that lists paths for each permission type
Storage Gateways policies defineā¦
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#data_access_policies
36. What are the authentication requirements
ā¢ How often should users reauthenticate?
āDefault 11 days
ā¢ Should extra authentication assurances be required?*
āSession isolation?
āMFA?
*Subscription feature
Storage Gateways policies defineā¦
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#authentication_policies
37. 3. Create a storage gateway
$ globus-connect-server storage-gateway create
posix
> "My POSIX Storage Gateway"
> --domain globusid.org
> --user-deny root
> --authentication-timeout-mins 180
$ globus-connect-server storage-gateway list
Commands at
bit.ly/gw-tut
40. Mapped Collection
A collection is the data access interface that Globus
presents to your user.
A mapped collection is only accessible to Globus users
that āmapā to a local account.
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#mapped_collection
41. Mapped collection policies to consider
ā¢ What is the base path or root of your mapped collection?
ā¢ Topmost directory available to user. Recommend narrowest base path
possible
ā¢ Must all transfers be encrypted?
ā¢ Can HTTPS be used to move data?
ā¢ Are users allowed to share* data? If so, what are sharing
policies?
ā¢ More policiesā¦
*Subscription feature
docs.globus.org/globus-connect-server/v5.4/data-access-guide/#data_access_collection_create
42. 4. Create a mapped collection
$ globus-connect-server collection create
> f77ff456-1f18-41d3-94a7-f3fd8858ea4d
> /
> "State University HPC Center"
> --organization "State University"
> --contact-email support@example.org
> --description "Gamma storage at State U"
Specifying "/" as the base path sets the collection root to the local userās home directory
Adding metadata to your collection will help your users.
Collection base path Storage gateway UUID
Commands at
bit.ly/gw-tut
Collection name
45. We are using the default identity
mapping, soā¦
Create a local user account that is the same are your user name
in the storage gatewayās allowed domain.
ā e.g., for jbaer@case.edu create local account ājbaerā
$ sudo adduser --disabled-password --gecos 'jbaer' jbaer
Access your mapped collection via the web appā¦
ā¦and move some files, if you like
Commands at
bit.ly/gw-tut
47. 5. Associating your endpoint with a subscription
Must be subscription manager.
$ globus-connect-server endpoint set-subscription-id
or go to app.globus.org/console/endpoints
Confirm: $ globus-connect-server endpoint show
Commands at
bit.ly/gw-tut
48. Globus Data Sharing
ā¢ Primary access (via a mapped collection) requires an
account on the host system
ā¢ Subscribers may allow mapped collection users to
share with others who donāt have accounts on the
host system (via guest collections)
49. 6. Enabling sharing (guest collections)
ā¢ Configure sharing policies on mapped collection
ā¢ You can restrict the authorized accountsā¦
o --sharing-user-allow
--sharing-user-deny
o --posix-sharing-group-allow
o --posix-sharing-group-deny
ā¢ ā¦and sharing pathsā¦
o --sharing-restrict-paths (specify JSON PathRestrictions)
ā¢ You can also set policies for specific user/path
combinations
o $ globus-connect-server sharing-policy create ...
50. Data sharing configuration considerations
Any restrictions on the sharing permissions levels? Read-only sharing? Read-
only for some paths and read/write for other paths?
Any restrictions on which users may share? Only users with training may
share?
Any restrictions on paths that may be shared with guests? Only share home
directory?
Any user specific sharing policies? Can Alice share any folder she can access,
but Bob can only share folders in his home directory?
Any restrictions on the identity domain of the guest? No sharing with
gmail.com?
51. Data sharing monitoring and management
Admins of mapped collections mayā¦
View access control lists.
Delete access control lists.
Delete guest collections.
Delete guest collections according to last time they were accessed or created.
52. 7. Enable web browser upload and
download
ā¢ Authorized users can
upload, download files via a
browser
ā¢ Must have permissions to
the collection
ā Collection configuration governs
access
ā Web server is a different
application (separate
authentication)
54. The Management Console
Monitor and manage transfers*
ā¢ Real time overview of transfers in and out of your system
ā¢ Pause or cancel transfers by endpoint or by user
Set a pause rule for current and future transfers or
users*
ā¢ Ideal for maintenance mode
Manage your endpoint
ā¢ Edit metadata*
ā¢ Associate it with a subscription
Manage your clients
*Subscription feature