Globus Automation Overview

The key to the platform is enabling users to orchestrate multiple processing steps into a single workflow, or flow. Some of these steps are provided by Globus and others of which may be custom implementations supporting a specific need. Examples of these workflows might be:

An action provider is an HTTP accessible service which acts as a single step in a process and implements the action provider interface. When an action provider is invoked, it creates (or "provides") an action which represents a single unit of work. Examples of units of work are running a file transfer using Globus Transfer or ingesting data into Globus Search.

Each action provider expects to be invoked with parameters particular to the service it provides. To support usability and discovery, each can be introspected to determine what its input schema or input properties are. Introspection also provides information such as who operates the action provider, descriptive text on the service it provides, and who can use the service. Access to action providers and their invocation is controlled via Globus Auth. Some of these services may be synchronous meaning that an invocation will complete in the context of the HTTP request that triggered it. Other services support asynchronous activities, meaning that the invocation will persist beyond the HTTP request that invoked it and the caller must monitor the action for updates on when it is completed and its result.

Globus operates a series of these action providers available for public use. For a full list of these action providers, see the hosted action providers documentation. Globus also supports users writing their own action providers via the Globus Action Provider Toolkit - a Python SDK that makes it easy to provide custom services that can be tied into the Globus automation ecosystem.

These action providers form the foundation of the Globus automation ecosystem and are primarily used by referencing their URLs in flows. Globus Flows allows users to flexibly piece together these individual services to create reliable high level workflows.

An action represents a single, discrete invocation of an action provider. It is record of an operation and includes details for its result, its current execution status, and metadata dictating which Globus Auth identities are allowed to read or modify the action’s state. Globus Flows allows orchestrating these individual actions into robust processes that can tolerate their distinct execution states, including success and failure. Users will not often need to operate on actions directly, rather, the User will start a run of a flow and the run will invoke action providers, creating actions as necessary to accomplish the automation.

A flow represents a single process that orchestrates a series of services into a self-contained operation. One can think of a flow as a declaratively defined ordering of action providers with condition handling to define expected success or failure scenarios.

A flow may be defined and deployed to the Globus Flows service by any user. When deploying, the user may control which other users can discover the flow and separately, which users can run the flow. All access control is provided by Globus Auth. Thus, flows can easily and safely be shared among users.

It may also be interesting to note that once deployed, the flow will implement the action provider interface. What this means is that a flow is technically a form of action provider, and as such it can be referenced by other flows by its flow URL. This allows for modularity in defining flows and in a separation of concerns where "sub-flows" can be trusted to provide some process or behavior.

When users start a flow, we call that a run. A run shares the action interface, supporting operations such as viewing its status, cancelling its execution, and removing its execution state. This allows for common tooling and terminology for working with runs and actions. In general, any operation available on an action will be possible on a run and vice versa.

Globus Flows imposes no restrictions on how long a run may execute or on the number of units of work defined in a flow. We support long-lived runs by providing monitoring and status updates.

An important consideration in the Globus automation platform is authentication and authorization. All interactions with action providers, actions, and flows are authenticated by Globus Auth.

For action providers and flows, authorization lists exist to control which identities can view its details and which identities can invoke an action or run of a Flow in the service. For actions and runs, authorization lists exist to enforce which identities may view its execution details and which identities may modify the execution status. For these authorization lists, identities may be specified as individual Globus users or as Globus Groups. Thus, while the Globus automation platform is open to all users with access, it is possible to carefully control which users have access to your resources.

The authorization lists for a Flow definition are as follows:

Once a Flow has been started, a "run" object is created for monitoring and managing the particular run. Authorization lists are created to determine which users may perform these operations as follows:

For both flows and runs, the authorization lists are "cumulative"in the sense that a user in a particular list (termed having that "role") may also perform all the operations of users in the roles listed prior to it in the list. Thus, for example, a user in the flow_administrators list can perform all the operations associated with those in the flow_viewers and the flow_starters lists. Similarly, a user in run_managers can do all that those in run_monitors can.

Values within the authorization lists take the form of urns specifying individual users or groups of users based on Globus Groups. When specifying a user in an authorization list, the principal value will be the user’s UUID prefixed with urn:globus:auth:identity:. When specifying a Globus Group in the list, the principal value needs to be the Group’s UUID prefixed with urn:globus:groups:id:.

Two special values, public and all_authenticated_users may also be used in some authorization lists. public indicates that the operation is allowed for requests that have no authorization and may be used in the flow_viewers list, and all_authenticated_users indicates that any user who presents a Globus Auth credential in the form of an access token is permitted access and may be used in a flow_starters list.