Globus Connect Server Storage Gateway Update POSIX Staging

There are three command-line options that control which user identities are allowed access to the data on a storage gateway: --domain, --authentication-timeout-mins, and --high-assurance.

The value of the --domain command-line option restricts access to users who have an identity in the given domain. This may be configured to be multiple values to allow authentication by multiple identity providers. If more than one domain is allowed, the storage gateway needs to have an identity mapping method configured to decide how to process names from the different identity namespaces. See Identity Mapping Policies for more information.

The value of the --authentication-timeout-mins command-line option defines the timeout (in minutes) after which a user will need to re-authenticate in order to access mapped collections on non high assurance storage gateways or for any data access on high assurance storage gateways. If this is not supplied, the default value of this timeout is 11 days.

The value of the --high-assurance command-line option defines whether the storage gateway manages high assurance data. If it is set, then the authentication timeout is enforced on per application sessions. This option can only be set when the storage gateway is created and is immutable.

Globus Connect Server v5.4 supports a flexible system for mapping user identity information in Globus to the local account needed to access data on a variety of storage systems. This includes a default mapping for cases where there is only one allowed domain, as well as pattern-based mappings and callouts to external programs for custom mapping algorithms.

The --user-allow and --user-deny command-line options control which users may access data on a storage gateway. These operate on the result of the identity mapping, a user name that is in the namespace of storage gateway. This may be a user name, id, or email address based on the storage gateway requirements.

A username is allowed or denied access depending on whether the --user-allow and --user-deny command-line option are set on a storage gateway, and whether the username is present in one or both of those policies. In general, if a username is in the value of --user-deny it is always denied, and if a --user-allow policy is provided the username must be in the policy value in order to be allowed access.

The full set of effects of these policies are contained in the following table:

In addition, the --posix-group-allow and --posix-group-deny command-line options provides addition controls to allow or deny access to a storage gateway based on membership of the user in POSIX groups on the Data Transfer Node.

These are evaluated if the result from the table is Conditionally Allowed or Conditionally Denied. In that case, the effects of these policies are contained in the following table:

The --restrict-paths command-line option controls access to subtrees of the data provided by the storage gateway. This is configured using the PathRestrictions document type.

Path restrictions provide a framework for administrators to constrain data access on the storage gateway. Restrictions can be set at the folder level. They may allow read, write, or deny access to data. These are absolute paths from the root of the storage gateway virtual file system.

The command line option --network-use alters the network performance and scalability parameters used by collections created using this storage gateway, overriding the default behavior set on the endpoint. This feature can only be used with a Globus subscription.

If the network use is set to custom, then all of the --preferred-parallelism, --max-parallelism, --preferred-concurrency, and --max-concurrency options must also be set. See the network use section of the installation guide for a description of what these values mean.

If the network use is set to null, then the default behavior is restored, and collections use the settings on the endpoint.

In addition, the --posix-stage-app and --posix-staging-environment command-line options allow the administrator to configure a program to run to stage files to local storage prior to transferring the file using Globus.

The command named by the parameter to the --posix-stage-app option is run prior to transferring each file as the user that the access has been mapped to. A full description of the inputs and outputs of this application is included in the POSIX Staging Connector Documentation.

The variables specified as the argument to the --posix-staging-environment option (in the form NAME=VALUE) are included in the environment of the stage app. This option may be included multiple times to set multiple environment variables.