Globus Connect Server Collection Create

Name

globus-connect-server collection create - Create a collection

Synopsis

globus-connect-server collection create STORAGE_GATEWAY_ID BASE_PATH DISPLAY_NAME [OPTIONS]…​

Description

The globus-connect-server collection create command creates a new mapped collection. When you create a mapped collection, you allow your users to access their own data on a Storage Gateway via the GridFTP and HTTPS protocols.

There are three required arguments to this command:

STORAGE_GATEWAY_ID

The ID of the storage gateway which contains the data you want to provide access to. This will need to be created before creating the collection by using the storage-gateway create command.

BASE_PATH

This is the path which is the root of the mapped collection. You can use / to provide access to the entire namespace of the storage gateway (depending on the path restrictions policy of the gateway), or you can restrict it to some subtree of the data available by using a different value here. The path may include $USER or $HOME. As of version 5.4.67, it may also include ~.

DISPLAY_NAME

The name of the collection. This is not guaranteed to be unique, but can be used as a first piece of information for your users to find the collection.

Other command-line options supply additional metadata to help users search for the collection, control the visibility of the collection, set policies for sharing data on a collection, or require data encryption when accessing the collection.

Note that any of the options used when creating the collection may be updated using the globus-connect-server collection update command.

Visibility

A collection can be public or private. A public collection may show up in search results for any Globus user. A private collection is only visible to those with role assignments.

The --public and --private command-line options determine whether a collection is public or not.

Metadata

Many of the options to this command allow you to set metadata on your collection to help your users find the collections that are relevant to their needs. The more metadata you supply, the easier it will be for them to find relevant collections.

The --keywords, --department, --organization, and --description options all provide data to improve results when searching for collections.

The --contact-email, --contact-info, and --info-link options will provide data that will help your users find out more about what data you provide in the collection.

Guest Collections

With Globus Connect Server v5.4, it is possible to create guest collections that allow users to share access to their data on a mapped collection with other Globus users. This must be explicitly enabled on a mapped collection by using the --allow-guest-collections command-line option. If this is not set, then users are not allowed to share data.

Additionally, you can set path restrictions for guest collections. For example, you could allow read-only access to the data on the storage gateway, or completely deny access to some subdirectories. Use the --sharing-restrict-paths command line option to configure this. By default, if guest collections are allowed, and the sharing path restrictions are not set, then users may share any paths visible on the collection via a guest collection.

In GCSv5.4.18 and higher, it is possible to set user specific sharing policies. These are managed by the globus-connect-server sharing-policy command. These policies allow additional path restrictions to be applied to allow or deny sharing of paths to individual users.

Also, you can restrict which accounts on the storage gateway can create guest collections. You can either provide a list of local user accounts which can create guest collections, or provide a list of local user accounts which cannot create guest collections. For the POSIX connector, you can also restrict based on which POSIX groups the account is a member of. Use --sharing-user-allow, --sharing-user-deny, --posix-sharing-group-allow, and --posix-sharing-group-deny (new in GCSv5.4.8), and --posix-staging-sharing-group-allow and --posix-staging-sharing-group-deny (new in GCSv5.4.10) to configure these policies.

As of GCSv5.4.57, you can restrict which domains can be used in guest collection permissions and apply session authentication requirements with the use of Auth policies. An Auth policy can be created using the globus-connect-server auth-policy command which can restrict which identity domains will be allowed in guest collection permissions. Use the collection option --guest-auth-policy-id to assign the policy to a mapped collection.

As of GCSv5.4.74, you can configure the maximum lifetime of a permission on a high assurance guest collection. After expiration, the permission is no longer valid and will be removed from the guest collection. Use the --acl-expiration-mins option to specify the number of minutes before the permission expires. If this value is not set, guest collection permissions will persist indefinitely.

Currently, guest collections can be created using the Globus Web App, the GCS Manager API or the Globus CLI’s globus collection create guest command. For most users, it’s easiest to visit the mapped collection on the web, click on the Shares tab and then the Create New Shared Collection button.

Note

Guest collections are a premium feature and require the Globus Connect Server endpoint to be associated with a subscription.

Options

-h, --help

Show help message and exit.

--version

Show the version and exit.

-F, --format "text"|"json"

Output format for this command. If the format is json, then the resulting role document is displayed.

--use-explicit-host IP_ADDRESS (new in 5.4.23)

IP address of the GCS node to use for this request. If not specified, any available GCS node in the endpoint will be used.

--public
--private

Set the Collection to be public or private (defaults to public)

--domain-name TEXT (new in 5.4.13)

DNS host name for the collection (mapped collections only). This may be either a host name or a fully-qualified domain name, but if it is the latter it must be a subdomain of the endpoint’s domain.

--allow-guest-collections
--no-allow-guest-collections

Allow guest collections to be created on this collection. This option is only usable on mapped collections. If this option is disabled on a mapped collection which already has associated Guest Collections, those collections will no longer be accessible.

--guest-auth-policy-id [UUID|null] (new in 5.4.57)

Set the auth policy on a mapped collection which is inherited by all guest collections attached to the mapped collection. Pass '--guest-auth-policy-id null' to remove the auth policy from the collection. This option is only usable on mapped collections.

--disable-anonymous-writes (new in 5.4.27)
--enable-anonymous-writes

Allow anonymous write permissions on Guest Collections attached to this Mapped Collection. This option is only usable on non high assurance Mapped Collections and the setting is inherited by the hosted Guest Collections. Anonymous write permissions are enabled by default.

--sharing-restrict-paths JSON|file:JSON_FILE

Path restrictions for sharing data on guest collections based on this collection. This option is only usable on mapped collections. In the first syntax, you pass a PathRestrictions as a string; in the second syntax you pass the path to a file containing the PathRestrictions object. Support for $HOME and ~ was added in version 5.4.67.

--sharing-user-allow USERNAME (new in 5.4.8)
--sharing-user-allow file:PATH (new in 5.4.79)

Allow a user on this collection’s storage gateway to create guest collections. This option can be included multiple times on a single command-line invocation to allow multiple users. When updating a collection, setting the value to an empty string will clear this restriction. This policy is only evaluated if the account passes the storage gateway user and (if applicable) group allowed checks. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of users to allow access to this storage gateway.

--sharing-user-deny USERNAME (new in 5.4.8)
--sharing-user-deny file:PATH (new in 5.4.79)

Deny a user on this collection’s storage gateway permission to create guest collections. This option can be included multiple times on a single command-line invocation to deny multiple users. When updating a collection, setting the value to an empty string will clear this restriction. This policy is only evaluated if the account passes the storage gateway user and (if applicable) group allowed checks. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of users to deny access to this storage gateway.

--posix-sharing-group-allow GROUPNAME (new in 5.4.8)
--posix-sharing-group-allow file:PATH (new in 5.4.79)

Allow a user on this collection’s storage gateway to create guest collections if they are a member of the POSIX group GROUPNAME. This option can be included multiple times on a single command-line invocation to allow multiple groups. This can only be used with collections on POSIX storage gateways. This policy is only evaluated if the account passes the storage gateway user and group allowed checks, and is not explicitly allowed or denied by the --sharing-user-allow and --sharing-user-deny values configured on this collection. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of groups to allow access to this storage gateway.

--posix-sharing-group-deny GROUPNAME (new in 5.4.8)
--posix-sharing-group-deny file:PATH (new in 5.4.79)

Deny a user on this collection’s storage gateway permission to create guest collections if they are a member of the POSIX group GROUPNAME. This option can be included multiple times on a single command-line invocation to deny multiple groups. When updating a collection, setting the value to an empty string will clear this restriction. This can only be used with collections on POSIX storage gateways. This policy is only evaluated if the account passes the storage gateway user and group allowed checks, and is not explicitly allowed or denied by the --sharing-user-allow and --sharing-user-deny values configured on this collection. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of groups to deny access to this storage gateway.

--posix-staging-sharing-group-allow GROUPNAME (new in 5.4.10)
--posix-staging-sharing-group-allow file:PATH (new in 5.4.79)

Allow a user on this collection’s storage gateway to create guest collections if they are a member of the POSIX group GROUPNAME. This option can be included multiple times on a single command-line invocation to allow multiple groups. This can only be used with collections on POSIX Staging storage gateways. This policy is only evaluated if the account passes the storage gateway user and group allowed checks, and is not explicitly allowed or denied by the --sharing-user-allow and --sharing-user-deny values configured on this collection. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of groups to allow access to this storage gateway.

--posix-staging-sharing-group-deny GROUPNAME (new in 5.4.10)
--posix-staging-sharing-group-deny file:PATH (new in 5.4.79)

Deny a user on this collection’s storage gateway permission to create guest collections if they are a member of the POSIX group GROUPNAME. This option can be included multiple times on a single command-line invocation to deny multiple groups. When updating a collection, setting the value to an empty string will clear this restriction. This can only be used with collections on POSIX Staging storage gateways. This policy is only evaluated if the account passes the storage gateway user and group allowed checks, and is not explicitly allowed or denied by the --sharing-user-allow and --sharing-user-deny values configured on this collection. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of groups to deny access to this storage gateway.

--force-encryption
--no-force-encryption

When set, all transfers to and from this collection are always encrypted. If not set, this can be configured on a per-transfer basis. If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

--keywords string,string,…​

Comma separated list of keywords to help searches for the collection

--department DEPARTMENT

Department which operates the collection

--organization ORGANIZATION

Organization for the Collection

--contact-email EMAIL

Email address of the support contact for this collection. This is visible to end users so that they may contact your organization for support.

--contact-info INFO

Other non-email contact information for the collection, e.g. phone and mailing address. This is visible to end users for support.

--info-link URL

Link to a web page containing info about the collection.

--description STRING

Description of the collection.

--identity-id IDENTITY

Globus Auth identity to act as the owner of this collection. This only needs to be used if you have multiple linked identities that match the storage gateway policies and allows you to select which of those will act as the owner of this collection. The identity must have an endpoint administrator or endpoint owner role on the endpoint and must be in your current identity set.

--google-project-id PROJECT

For Google Cloud Storage backed Collections only. The Google Cloud Platform project ID to use when accessing this collection. When a project ID is specified, users that access the collection must be a member of the project, and the buckets of this project are listed in the root directory. When the storage gateway has a single project ID configured, that will be the default project ID for collections. When no project is set on the collection or storage gateway, any user may access the collection and any buckets their credentials permit, but will not be able to list buckets in the root directory.

--user-message MESSAGE (new in 5.4.5)

A message for clients to display to users when interacting with this collection. This can only be set on mapped collections, but its value is inherited by related guest collections.

--user-message-link URL (new in 5.4.5)

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an http or https URL with this collection. This can only be set on mapped collections, but its value is inherited by related guest collections.

--enable-https, --disable-https (new in 5.4.5)

Enable or disable the HTTPS interface to this collection. If HTTPS access is enabled for a mapped collection, it may be selectively disabled for individual guest collections. If HTTPS is disabled for a mapped collection, it cannot be enabled for a guest collection.

--verify [force|disable|default] (new in 5.4.21)

Set the policy for this collection for file integrity verification after transfer. 'force' requires all transfers to perform verification. 'disable' disables all verification checks. 'default' allows the user to decide on verification at Transfer task submit time. When set on mapped collections, this policy is inherited by any guest collections.

--default-directory TEXT

Default directory when browsing the collection. This value may include $USER. If the collection’s BASE_PATH is /, this may also include $HOME or ~.

--delete-protected (new in 5.4.57)

Create the collection with delete protection enabled. When enabled, the mapped collection can not be deleted. An administrator can use the globus-connect-server collection update command to disable delete protection. As of GCS v5.4.69, this option is set by default.

--acl-expiration-mins (new in 5.4.74)

Length of time, in minutes, that guest collection permissions are valid. Only settable on HA mapped collections, where it is used by the guest collections attached to them. As of 5.4.75, also settable on HA guest collections. When set on both the HA mapped collection and the guest collection, the lesser value is in effect.

--restrict-transfers-to-high-assurance [inbound|outbound|all] (new in 5.4.79)

Restrict inbound, outbound, or all transfers between high assurance collections. Only settable on high assurance mapped collections and inherited by all attached guest collections. Setting this feature will disable HTTPS access on the mapped collection and its attached guest collections.

--auto-delete-timeout INT (new in 5.4.82)

Number of days before unused guest collections will be auto deleted. Only settable on mapped collections. Defaults to disabled.

--skip-auto-delete (new in 5.4.82)

When set on a guest collection, the guest will not be auto deleted when unused for greater than auto-delete-timeout days. Only settable on guest collections. Defaults to False (resulting in guest collections being in scope of the auto_delete_timeout threshold).

--flow-transfer-source UUID (new in 5.4.84)

Restrict transfers using the collection as the source to only transfers invoked by the given Globus flow. UUID is the ID of the Globus flow. Specify null to remove the collection’s association with the flow. When this is enabled, retrieving files via the collection HTTPS interface is disabled.

--flow-transfer-destination UUID (new in 5.4.84)

Restrict transfers using the collection as the destination to only transfers invoked by the given Globus flow. UUID is the ID of the Globus flow. Specify null to remove the collection’s association with the flow. When this is enabled, storing files via the collection HTTPS interface is disabled.
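
Example

The following script is an added example, not part of the Globus documentation. It combines the visibility, encryption, verification and guest-collection options described above into one restrictive invocation for a non high assurance mapped collection on a POSIX storage gateway. The gateway ID, paths, user name, group names and display name are constructed placeholders, and the PathRestrictions field names (DATA_TYPE, read, read_write, none) are an assumption to check against the GCS Manager API reference for your version.

```shell
#!/bin/sh
# Added example (not from the Globus documentation). Every ID, path, user and
# group name below is a constructed placeholder.
set -eu
umask 077   # policy files feed access decisions; keep them private to the admin

POLICY_DIR="${POLICY_DIR:-$(mktemp -d)}"

write_policy_files() {
  # PathRestrictions document for --sharing-restrict-paths (file:JSON_FILE form).
  # Field names are an assumption; verify them for your GCS version.
  cat > "$POLICY_DIR/sharing-paths.json" <<'EOF'
{
  "DATA_TYPE": "path_restrictions#1.0.0",
  "read": ["/projects"],
  "read_write": ["/projects/shared"],
  "none": ["/projects/restricted"]
}
EOF
  # file:PATH list (5.4.79+): whitespace-delimited names on one or more lines.
  cat > "$POLICY_DIR/sharing-groups.txt" <<'EOF'
research-data
lab-alpha lab-beta
EOF
}

# Usage: create_collection STORAGE_GATEWAY_ID BASE_PATH DISPLAY_NAME
# With DRY_RUN=1 (the default) the argument vector is printed one argument per
# line for review instead of being executed.
create_collection() {
  # '/projects/$USER' is single-quoted so the literal $USER reaches GCS rather
  # than being expanded by the administrator's shell.
  set -- collection create "$1" "$2" "$3" \
    --private \
    --force-encryption \
    --verify force \
    --allow-guest-collections \
    --disable-anonymous-writes \
    --sharing-restrict-paths "file:$POLICY_DIR/sharing-paths.json" \
    --posix-sharing-group-allow "file:$POLICY_DIR/sharing-groups.txt" \
    --sharing-user-deny svc-backup \
    --default-directory '/projects/$USER' \
    --delete-protected \
    --format json
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' globus-connect-server "$@"
  else
    globus-connect-server "$@"
  fi
}

write_policy_files
create_collection 00000000-0000-0000-0000-000000000000 / "Research Projects (example)"
```

Run it once with the default DRY_RUN=1 to review the exact arguments, then set DRY_RUN=0 on a node where globus-connect-server is installed and you are logged in.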

© 2010- The University of Chicago