Connecting Your System to Globus (APS Workshop)
0 likes180 views
Connecting a storage system to Globus involves: 1. Registering a Globus Connect Server to get credentials. 2. Installing Globus Connect Server packages and setting up an endpoint and data transfer node. 3. Creating a POSIX storage gateway to make the storage accessible and define authentication policies. 4. Adding a mapped collection to provide access to files in the storage system via Globus. 5. Associating the endpoint with a Globus subscription to enable additional features.
Connecting Your System to Globus (APS Workshop)
- 1. Connecting Your System to Globus Vas Vasiliadis vas@uchicago.edu October 12, 2021
- 2. Hybrid SaaS Architecture DATA Channel CONTROL Channel Source Destination Subscriber owned and administered storage system Globus âconnectorâ software No data relay or staging via Globus cloud service Subscriber Control Domain Globus Control Domain Single, globally accessible multi-tenant service
- 3. Globus Connect Server 3 âą Makes your storage accessible via Globus âą Software/tools installed and managed by sysadmin docs.globus.org/globus-connect-server-installation-guide/ Local system users Local Storage System (HPC cluster, NAS, âŠ) Globus Connect Server DTN âą Default access for all local accounts âą Native packaging Linux: DEB, RPM
- 4. Creating a Globus endpoint Globus Connect Server v5 (GCSv5) should be used for all new endpoint installations
- 5. GCSv5 improvements âą Standards based web authorization (OAuth2, OIDC) âą Modular configuration âą Multiple distinct access policies on a single endpoint âą Simplified multi-DTN endpoint config/management âą Direct browser up/download, with full access control âą Guest collections, with fine-grained access control âą Interoperability with endpoints running older versions
- 6. Globus Connect Server v5 Architecture
- 7. GCS management conceptual architecture 7 Data Transfer Node GCS Command Line Interface GridFTP Server Globus Transfer Service GCS management requests Globus Auth Service GCS Manager authorize request using client ID/secret GCS Manager endpoint: abc.abc.data.globus.org Register a Globus Connect Server at developers.globus.org get GCS client ID, secret Define Globus Transfer resources (gateways, collections, âŠ)
- 8. Requires a Globus subscription GCSv5 installation/configuration summary 1. Register a Globus Connect Server with Globus Auth 2. Install GCS packages on data transfer node (DTN) 3. Set up the endpoint and add node(s) 4. Create a POSIX storage gateway 5. Create a mapped collection 6. Associate endpoint with a subscription 7. Create a guest collection 8. Enable browser down/upload (HTTPS access) 9. Add other storage systems to the endpoint
- 10. Register GCS and get credentials âą Navigate to developers.globus.org and log in âą (Optional) Create a project âą Add a new Globus Connect Server âą Generate a client secret âą Save the client ID and secret
- 11. 1. Register GCS and get credentials developers.globus.org
- 12. 2. Install Globus Connect Server v5 packages $ curl -LOs http://downloads.globus.org/toolkit/gt6/stable/installers/repo/deb/globus- toolkit-repo_latest_all.deb $ dpkg -i globus-toolkit-repo_latest_all.deb $ sed -i /etc/apt/sources.list.d/globus-toolkit-6-stable*.list > -e 's/^# deb /deb /' $ sed -i /etc/apt/sources.list.d/globus-connect-server-stable*.list > -e 's/^# deb /deb /' $ apt-key add /usr/share/globus-toolkit-repo/RPM-GPG-KEY-Globus $ apt-get update $ apt-get --assume-yes install globus-connect-server54 Already done! Youâre welcome J
- 13. Endpoint creation and node setup 13
- 14. 3. Set up endpoint and add node $ globus-connect-server endpoint setup > "My APS Endpoint" > --organization "Argonne National Laboratory" > --client-id 4321dddd-af72-4c4b-9533-a0f4055dd321 > --owner me@anl.gov $ globus-connect-server node setup > --client-id 4321dddd-af72-4c4b-9533-a0f4055dd321 Note: endpoint setup command generates deployment-key.json Use this file when setting up additional data transfer nodes
- 15. Set up endpoint and add a DTN âą Access server: ssh adminN@apsN.globusdemo.org âą Switch to root: sudo su âą Run: globus-connect-server endpoint setup ... â Ensure --owner is the identity you used to register the GCS âą Run: globus-connect-server node setup ... âą Run: systemctl restart apache2 âą Display endpoint details: â globus-connect-server login localhost â globus-connect-server endpoint show Cheatsheet bit.ly/apsglobus
- 16. Our setup so far Run globus-connect-server node setup to set up additional data transfer nodes Copy deployment-key.json from original DTN
- 17. Storage Gateways define a set of access policies âą Authentication for local account-holders â Which identity domain(s) are acceptable? â How are identities mapped from domain(s) to local accounts? âą Policy scope â Which parts of the storage system are accessible via Globus? â Which local accounts does this policy allow (or deny)? âą High Assurance settings âą MFA requirements
- 18. Authentication for local account-holders âą Primary access (via a mapped collection) requires an account on the host system* âą Two-part authentication configuration: 1. Pick one or more identity domains 2. Configure the method to map the authenticated identity to an account on your system * You may allow primary users to share with others who donât have accounts on your system
- 19. Picking identity domains âą User must present identity from one of the configured domains â On access attempts, linked identities will be scanned for a match â If no identity from the required domain(s), will be asked to link one âą Identity domains may include⊠â âŠany organization in Globus federated list (incl. anl.gov, bnl.gov) â âŠyour institutionâs identity provider trusted by Globus â âŠa local OpenID Connect (OIDC) server using your PAM stack
- 20. Mapping identities to local accounts âą Default: Strip identity domain (everything after â@â) â e.g. userX@globusdemo.org maps to local account userX â Best for campus identities w/synchronized local accounts âą Use --identity-mapping option on storage gateway â Specify expression in a JSON document â Execute a custom script docs.globus.org/globus-connect-server/v5.4/identity-mapping-guide/
- 21. Create a POSIX storage gateway 21
- 22. Creating a storage gateway âą Our storage gateway will access a POSIX system â This is the only type permitted without a subscription âą It will allow access to users with credentials from the anl.gov (or bnl.gov) domain âą Reauthentication will be required every 12 hours Cheatsheet bit.ly/apsglobus
- 23. 4. Create a storage gateway $ globus-connect-server storage-gateway create posix > "My APS Storage Gateway" > --domain anl.gov > --authentication-timeout-mins 720 Allowed authentication domain Duration of user session when accessing collections via this storage gateway
- 24. Our setup so farâŠ
- 25. Create a mapped collection on the POSIX gateway 25
- 26. Creating a collection âą Our collection will use the default identity mapping âą It will be ârootedâ at the userâs home directory âą Access will require authentication with an identity from the anl.gov (or bnl.gov) domain Cheatsheet bit.ly/apsglobus
- 27. 5. Create a mapped collection $ globus-connect-server collection create > f77ff456-1f18-41d3-94a7-f3fd8858ea4d > / > "My APS Mapped Collection" Collections are rooted at the specified base path Specifying "/" as the base path sets the collection root to the local userâs home directory Storage gateway ID Collection base path
- 28. Common Collection configuration options âą Restrict access: local users, local groups âą Allow guest collections Ă enables sharing âą Restrict sharing: paths, local users, local groups âą Enable HTTPS access âą Force data channel encryption
- 29. Local account restrictions âą Note: These only apply to mapped collections âą A storage gatewayâs allowed identity domains and identity mapping method determine the universe of local accounts that may access the mapped collection âą You can further narrow the access universe using⊠--user-allow --user-deny --posix-group-allow (POSIX storage gateways only) --posix-group-deny (POSIX storage gateways only)
- 30. Our setup so farâŠ
- 33. Alternative authentication flow (if not using Globus trusted IdP)
- 34. Path restrictions âą Always use the narrowest base path possible for your storage gateway(s) and collection(s) â Storage gateway base specifies where collections may be created â Collection base specifies the base directory for the collection âą POSIX storage gateway â Use --restrict_paths to specify narrower read, read/write, or none access for specific paths â You provide a JSON doc that lists paths for each permission type â Note: These are absolute paths on the host system âą Collection: specify narrowest base path that satisfies the need
- 35. Restrict collection access to filesystem 35
- 36. Setting path restrictions âą A new storage gateway will limit access to /home âą We specify the path restrictions in paths.json â This file is in your admin userâs home directory âą Run: storage-gateway create command with the --restrict-paths option âą Create a new POSIX mapped collection Cheatsheet bit.ly/apsglobus
- 37. Create a restricted storage gateway, collection $ globus-connect-server storage-gateway create posix > "My APS Storage Gateway - Restricted" > --domain anl.gov > --authentication-timeout-mins 720 > --restrict-paths file:/home/adminN/paths.json $ globus-connect-server collection create > 3926bf02-6bc3-11e7-a9c6-22000bf2d287 > / > "My APS Mapped Collection â Restricted" Fully qualified filename containing rule(s) for restricting access to specific filesystem paths
- 38. Revisit your mapped collections âą Your will need to authenticate as user@anl.gov on your new (restricted access) collection, and consent âą Note the access behavior differences between the two mapped collections âą Move some files, if you like!
- 39. Subscriptions and Endpoint Roles âą Subscription(s) configured for your institution âą Multiple Subscription Managers per subscription âą Subscription Manager ties endpoint to subscription â Results in a âmanagedâ endpoint âą Assign additional roles for endpoint management â Administrator, Manager, Monitor
- 40. Associate the endpoint with a subscription 40
- 41. 6. Associate endpoint with a subscription âą Subscription managers can enable subscription features on an endpoint âą If you are not the subscription manager, just send your endpoint ID to your subscription manager and ask them to add it.
- 42. Make your endpoint âManagedâ âą Option A: Put your endpoint ID in the spreadsheet and Greg will make it managed âą Option B: Run globus-connect-server endpoint set-subscription-id âą Confirm: globus-connect-server endpoint show Cheatsheet bit.ly/apsglobus
- 43. 6. Associate endpoint with a subscription $ globus-connect-server endpoint set-subscription-id DEFAULT $ globus-connect-server endpoint set-subscription-id > 3926bf02-6bc3-11e7-a9c6-22000bf2d287 Can also be set via the web app Endpoints page app.globus.org/endpoints (search for endpoint name) Your anl.gov/bnl.gov identity may already be a subscription manager on this subscription
- 44. Be identity-, role-, and permission-aware âą Default: Only endpoint owner can configure an endpoint âą Delegate administrator role to other sysadmins â Best practice: Delegate to a Globus group, not individuals âą Check identity using the session command âą Check resource permissions on storage gateways and collections with --include-private-policies option docs.globus.org/globus-connect-server/v5.4/reference/role/
- 45. 7. Create a guest collection âą Created by user, not endpoint administrator âą Grants access to specific Globus users without a mapped local account âą âGuestâ users have same (or more limited) permissions as the guest collection creator â Access logs show access by the collection creator* âą Guest collectionâs root is relative to the mapped collectionâs base path * High Assurance collections log guest user identities to enable auditing
- 46. Sharing restrictions âą Guest collections may be created in any directory accessible by the collection, by any authorized local account âą You can restrict the authorized accounts⊠--sharing-user-allow --sharing-user-deny --posix-sharing-group-allow --posix-sharing-group-deny âą âŠand sharing paths⊠--sharing-restrict-paths (specify JSON PathRestrictions) âą You can also set policies for specific user/path combinations $ globus-connect-server sharing-policy create ...
- 47. Create and access a guest collection 47
- 48. Create and access a guest collection âą Enable creation of guest collections âą Run: globus-connect-server collection update âą Access the mapped collection âą Create a guest collection on your /projects directory âą Grant read access to the âTutorial Usersâ group âą Authenticate and browse guest collection
- 49. 8. Enable web browser upload/download âą Authorized users can upload, download files via a browser âą Must have permissions to the collection â Collection configuration governs access â Web server is a different application (separate authentication)
- 51. Enable HTTPS access âą Run: globus-connect-server collection update âą Access your mapped collection âą Download the James Webb PNG file Cheatsheet bit.ly/apsglobus
- 52. 9. Add other storage systems to the endpoint âą Update your GCS packages âą Add the appropriate storage gateway â Non-POSIX systems require add-on connector subscription(s) âą Gateway configuration options vary by connector â e.g., specify bucket name(s) for AWS S3 âą Collection authentication options vary by connector â e.g., provide user access key and secret key for AWS S3
- 54. Accessing an object store (AWS S3) âą An S3 storage gateway and a mapped collection exist â Access is restricted to two buckets within the AWS account âą Authenticating to the mapped collection(s) requires a credential from the specified domain⊠⹠âŠas well as S3 access credentials that allows access to buckets and objects
- 56. Things to do with the management console âą Monitor current transfers on your endpoints â See whatâs going on at the transfer request level â Much better than watching individual file transfers âą Pause (and later resume) a transfer in progress â Sends a notice to the transfer owner âą Set a pause rule for current and future transfers â Ideal for maintenance mode â Notifies transfer owners, â Tasks resume when endpoint is un-paused docs.globus.org/management-console-guide/
- 57. Migrating an endpoint to a new host (server) âą An endpoint is a logical construct â You can replace the host system without disrupting the endpoint â Thereâs a lot of hard-to-replace configuration data in your endpoint (esp. if you have guest collections!) â Researchers may have built things (automation, workflows, etc.) that use your endpoint UUIDs âą Use GCSâs multi-node configuration to migrate â First, add the new node(s) to the existing endpoint â Then, remove the original node(s)
- 58. When you really need a clean slate⊠⹠Proper clean-upâboth on your system and in the Globus serviceâis important! âą Execute these commands in the specified order: o globus-connect-server node cleanup o globus-connect-server endpoint cleanup âą Delete the GCS registration at developers.globus.org âą Donât use the same Client ID for another endpoint!
- 59. Clean up endpoint and delete registration 59
- 60. Cleaning up (deleting) an endpoint âą You MUST follow these steps in the order specified â Otherwise you will end up with an âorphanedâ GCS registration 1. Cleanup the data transfer node from the endpoint globus-connect-server node cleanup 2. Cleanup the endpoint globus-connect-server endpoint cleanup 3. Delete the registration at developers.globus.org Cheatsheet bit.ly/apsglobus
- 63. Balance: performance - reliability âą Network use parameters: concurrency, parallelism âą Maximum, Preferred values for each âą Transfer considers source and destination endpoint settings min( max(preferred src, preferred dest), max src, max dest ) âą Service limits, e.g. concurrent requests 63
- 65. Setting network use parameters âą May only be changed on managed endpoints âą Modify via the web app: Endpoints Ă Server tab âą Modify via Globus Connect Server CLI â Run globus-connect-server endpoint modify âą Strong recommendation: Do not change network use parameters before establishing baseline performance 65
- 66. GCSv5 resources â please consult these first âą Quickstart Guide docs.globus.org/globus-connect-server/v5.4/quickstart âą GCS Command Line Reference docs.globus.org/globus-connect-server/v5.4/reference âą Video walkthrough of an installation www.youtube.com/watch?v=8ILtsSRiML8
- 67. General Resources âą Access the service: app.globus.org âą Documentation: docs.globus.org/globus-connect-server âą Engage: discuss@globus.org âą Subscribe: globus.org/subscriptions âą Need help? support@globus.org âą Follow us: @globus