Storage Gateways

A storage gateway provides the access policies for the endpoint’s connected storage systems. It is a named interface by which authorized users can create and manage collections on the connected storage system. A single storage system may be associated with multiple storage gateways, each with its own policies.

Storage gateway policies describe what type of connector the storage gateway uses, the paths it allows access to, the login requirements for the storage gateway, and the algorithm used to map Globus identities to the user namespace of the storage gateway (e.g. local accounts).

Connectors

Each Storage Gateway configures access to one type of data storage. The type of storage is referred to as a connector. Globus Connect Server v5.4 supports the following connectors:

POSIX

Local file storage backed by any file system that supports basic POSIX file API operations to access files, directories, and basic metadata.

Google Drive

Cloud data stored in the Google Drive web service.

Spectra Logic Black Pearl

Archive data storage stored in a Spectra Logic Black Pearl system.

Google Cloud Storage

Cloud data stored in the Google Cloud Storage service.

Amazon S3

Cloud data stored in the Amazon S3 service.

Ceph

Distributed object storage stored in a Ceph RADOS object store.

Box

Cloud data sharing system stored in the Box service.

Each of these connectors has its own configuration steps and storage policies. These are described in the individual connector storage gateway management commands.

Note

Connectors other than POSIX are premium features and require a subscription to enable them. See https://globus.org/subscriptions for more information.

High Assurance

When a Storage Gateway is created, it can be configured to require High Assurance for data access. This enhances authentication assurance by enforcing session-based authentication timeouts and higher encryption standards for data in transit. Stricter access controls are employed when accessing the storage gateway configuration and performing data operations on collections created on High Assurance Storage Gateways.

Note

This is a premium feature, and requires a subscription with the high assurance add-on.

Important

If you are using Globus Connect Server v5 with high assurance features, you will need to set all storage gateways that have access to restricted data as high assurance.

Commands

globus-connect-server storage-gateway create

Create a storage gateway

globus-connect-server storage-gateway delete

Delete a storage gateway

globus-connect-server storage-gateway list

List storage gateways

globus-connect-server storage-gateway show

Show a storage gateway definition

globus-connect-server storage-gateway update

Update an existing Storage Gateway

StorageGateway Document

Each field is listed as name (type): description.

DATA_TYPE (string, storage_gateway#1.0.0): Type of this document.

id (string <uuid>): Unique id string for this Storage Gateway.

display_name (string): Name of the Storage Gateway.

connector_id (string <uuid>): Id of the connector type that this Storage Gateway interacts with.

high_assurance (boolean): Flag indicating if the storage_gateway requires high assurance features.

require_high_assurance (boolean, deprecated): Alias for high_assurance.

authentication_timeout_mins (integer): Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway. For a high assurance Storage Gateway, this authentication must be done within the current Globus Auth session; otherwise, the caller can perform the authentication with any application which uses Globus Auth.

authentication_assurance_timeout (integer, deprecated): Alias for authentication_timeout_mins.

allowed_domains (array of string): List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.

identity_mappings (array of IdentityMapping): List of identity mappings to attempt to apply to user identities to determine what accounts are available for access. [Private]

users_allow (array of string): List of connector-specific usernames allowed to access this Storage Gateway. [Private]

users_deny (array of string): List of connector-specific usernames denied access to this Storage Gateway. [Private]

restrict_paths (object PathRestrictions): Path restrictions within this Storage Gateway. Paths are interpreted as absolute paths in the file namespace of the connector. [Private]

process_user (string): Local POSIX user the GridFTP server should run as when accessing this Storage Gateway. [Private]

load_dsi_module (string): Name of the DSI module to be loaded by the GridFTP server when accessing this Storage Gateway. [Private]

policies (object, one of PosixStoragePolicies or another connector's policies object): Connector-specific storage policies.

{
  "DATA_TYPE": "storage_gateway#1.0.0",
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "string",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "posix_storage_policies#1.0.0",
    "groups_allow": [
      "globus"
    ],
    "groups_deny": [
      "nonglobus"
    ]
  }
}
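The document above is what an administrator ends up reviewing when auditing a gateway's access policy. The following review helper is an added example, not part of Globus Connect Server or this page: it loads a constructed copy of the sample document and flags settings the field descriptions identify as security-relevant (high assurance without a short authentication timeout, disagreeing alias fields, no allowed_domains, users in both allow and deny lists, non-absolute restrict_paths entries). The 60-minute threshold is an assumption of the example, not a Globus default.

```python
import json

# Constructed sample: the StorageGateway document shown above, reduced to
# the fields the checks below inspect.
SAMPLE_GATEWAY = json.loads("""{
  "DATA_TYPE": "storage_gateway#1.0.0",
  "display_name": "string",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": ["example.com"],
  "users_allow": ["user1"],
  "users_deny": ["user2"],
  "restrict_paths": {"DATA_TYPE": "path_restrictions#1.0.0",
                     "read": ["/public"],
                     "read_write": ["/home", "/projects"],
                     "none": ["/private"]}
}""")


def audit_gateway(doc, max_ha_timeout_mins=60):
    """Return a list of findings for one StorageGateway document.

    max_ha_timeout_mins is a local review threshold chosen for this
    example (assumption), not a Globus default.
    """
    findings = []
    if doc.get("DATA_TYPE") != "storage_gateway#1.0.0":
        findings.append("DATA_TYPE is not storage_gateway#1.0.0")
    # high_assurance and require_high_assurance are aliases; flag disagreement
    ha, ha_alias = doc.get("high_assurance"), doc.get("require_high_assurance")
    if ha is not None and ha_alias is not None and ha != ha_alias:
        findings.append("high_assurance and its deprecated alias disagree")
    timeout = doc.get("authentication_timeout_mins",
                      doc.get("authentication_assurance_timeout"))
    if ha and (timeout is None or timeout > max_ha_timeout_mins):
        findings.append("high assurance gateway without a short authentication_timeout_mins")
    if not doc.get("allowed_domains"):
        findings.append("allowed_domains is empty: no identity domain restriction")
    overlap = set(doc.get("users_allow", [])) & set(doc.get("users_deny", []))
    if overlap:
        findings.append("users in both users_allow and users_deny: " + ", ".join(sorted(overlap)))
    rp = doc.get("restrict_paths") or {}
    for mode in ("read", "read_write", "none"):
        for path in rp.get(mode, []):
            if not path.startswith("/"):  # paths are absolute in the connector namespace
                findings.append(f"restrict_paths.{mode} entry {path!r} is not absolute")
    return findings
```

Run it over the output of `globus-connect-server storage-gateway show` (after converting to JSON) to get a quick list of policy weaknesses to follow up on.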
