Globus Connect Server Administration Guides
  • Quickstart Guide
  • Installation Guide
  • Data Access Admin Guide
  • Domain Guide
  • HTTPS Access to Collections
  • Identity Mapping Admin Guide
  • Globus OIDC Installation Guide
  • Troubleshooting Guide
  • Command-Line Reference
    • Command summary
    • Audit
      • Load
      • Query
      • Dump
    • Endpoint
      • Setup
      • Show
      • Update
      • Reset Advertised Owner String
      • Set Advertised Owner String
      • Set Owner
      • Set Subscription ID
      • Cleanup
      • Key Convert
      • Domain
      • Role
      • Upgrade
    • OIDC
      • Create
      • Delete
      • Register
      • Show
      • Update
    • Node
      • Create
      • Disable
      • Enable
      • New Secret
      • Setup
      • List
      • Show
      • Update
      • Cleanup
      • Delete
    • Login
    • Session
      • Consent
      • Show
      • Update
    • Whoami
    • Logout
    • Storage Gateway
      • Create
      • List
      • Show
      • Update
      • Delete
    • Collection
      • Create
      • List
      • Show
      • Batch Delete
      • Reset Advertised Owner String
      • Set Advertised Owner String
      • Set Owner
      • Set Subscription Admin Verified Collection Property
      • Update
      • Delete
      • Domain
      • Check
      • Role
    • Auth Policy
      • Create
      • List
      • Show
      • Update
      • Delete
    • Sharing Policy
      • Create
      • List
      • Show
      • Delete
    • User Credentials
      • Activescale Create
      • OAuth Create
      • Delete
      • List
      • S3 Create
      • S3 Keys Add
      • S3 Keys Delete
      • S3 Keys Update
    • Self Diagnostic
  • Globus Connect Server Manager API
    • Authorization
    • Versioning
    • Endpoint
    • Roles
    • Nodes
    • Storage Gateways
    • Collections
    • User Credentials
    • Domains
    • Sharing Policies
  • API Access for Portals
  • Automated Endpoint Deployment
  • Data Access Application Guide
  • Application Migration Guide
  • Change Log

Globus Connect Server Storage Gateway Update POSIX Staging

Name

globus-connect-server storage-gateway update posix-staging - Update a POSIX Staging Storage Gateway

Synopsis

globus-connect-server storage-gateway update posix-staging STORAGE_GATEWAY_ID [OPTIONS]…​

Description

The globus-connect-server storage-gateway update posix-staging command updates an existing POSIX Staging storage gateway. The options set the policies under which collections created on this storage gateway may access the underlying storage system.

There is one required argument to this command: STORAGE_GATEWAY_ID. This is the id of the storage gateway to update. The id value is displayed when the storage gateway is created, or may be found by running the globus-connect-server storage-gateway list command.

Authentication Policies

There are three command-line options that control which user identities are allowed access to the data on a storage gateway: --domain, --authentication-timeout-mins, and --high-assurance.

The value of the --domain command-line option restricts access to users who have an identity in the given domain. This may be configured to be multiple values to allow authentication by multiple identity providers. If more than one domain is allowed, the storage gateway needs to have an identity mapping method configured to decide how to process names from the different identity namespaces. See Identity Mapping Policies for more information.

Note

The --domain command-line option is only available to domains associated with identity providers listed by Globus Auth. Linked email identities, and the domains associated with them, are not supported by this policy.

The value of the --authentication-timeout-mins command-line option defines the timeout (in minutes) after which a user will need to re-authenticate in order to access mapped collections on non high assurance storage gateways or for any data access on high assurance storage gateways. If this is not supplied, the default value of this timeout is 11 days.

The value of the --high-assurance command-line option defines whether the storage gateway manages high assurance data. If it is set, then the authentication timeout is enforced per application session. This option can only be set when the storage gateway is created and cannot be changed afterwards, so it is not accepted by this update command.

Identity Mapping Policies

Globus Connect Server v5.4 supports a flexible system for mapping user identity information in Globus to the local account needed to access data on a variety of storage systems. This includes a default mapping for cases where there is only one allowed domain, as well as pattern-based mappings and callouts to external programs for custom mapping algorithms.

Default Identity to Username Mapping

When Globus Connect Server maps an identity to an account, it strips off the data after the @ character by default, so the username user@example.org is mapped to the account user.

Custom Identity to Username Mapping

The --identity-mapping command-line option configures a storage gateway to use either an expression based identity mapping or an external identity mapping program. See the Identity Mapping Guide for more information.

The --identity-mapping command-line option can be passed on the command-line with a few different types of data as its arguments:

--identity-mapping external:CMD

When mapping an identity to a username, Globus Connect Server invokes the command-line program CMD to map the identity. The value of the CMD string will be parsed as a shell command-line, so arguments may be included if quoted. A full description of the input, output, and arguments to the program is included in the Identity Mapping Guide.

--identity-mapping file:JSON_FILE
--identity-mapping JSON

The JSON_FILE argument is a path to a file which contains a JSON document containing the mapping configuration, as described in the Identity Mapping Guide. The JSON argument is the json document itself.

User Policies

The --user-allow and --user-deny command-line options control which users may access data on a storage gateway. These operate on the result of the identity mapping, a user name that is in the namespace of the storage gateway. This may be a user name, id, or email address depending on the storage gateway requirements.

A username is allowed or denied access depending on whether the --user-allow and --user-deny command-line options are set on a storage gateway, and whether the username is present in one or both of those policies. In general, if a username is in the value of --user-deny it is always denied, and if a --user-allow policy is provided the username must be in the policy value in order to be allowed access.

The full set of effects of these policies are contained in the following table:

--user-allow    --user-deny     result
member          -               Allowed
member          not a member    Allowed
-               -               Conditionally Allowed
-               not a member    Conditionally Allowed
-               member          DENIED
not a member    -               Conditionally Denied
not a member    not a member    Conditionally Denied
not a member    member          DENIED
member          member          DENIED

(A "-" in a policy column means that option is not set on the storage gateway.)

In addition, the --posix-group-allow and --posix-group-deny command-line options provide additional controls to allow or deny access to a storage gateway based on the user's membership in POSIX groups on the Data Transfer Node.

These are evaluated if the result from the table is Conditionally Allowed or Conditionally Denied. In that case, the effects of these policies are contained in the following table:

--posix-group-allow    --posix-group-deny    Conditionally Allowed    Conditionally Denied
-                      -                     Allowed                  DENIED
-                      not a member          Allowed                  DENIED
member                 -                     Allowed                  Allowed
member                 not a member          Allowed                  Allowed
-                      member                DENIED                   DENIED
not a member           -                     DENIED                   DENIED
not a member           not a member          DENIED                   DENIED
not a member           member                DENIED                   DENIED
member                 member                DENIED                   DENIED
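The two tables above, together with the identity mapping step that feeds them, can be read as a small decision procedure. The following is an added example written for this page, not Globus Connect Server's own code: it reimplements the two-stage evaluation exactly as the tables describe it, parses the whitespace-delimited contents of a file:PATH policy argument, and shows why a storage gateway with more than one allowed --domain needs a custom mapping (the default mapping would send alice@example.org and alice@partner.edu to the same local account). The domain_scoped_mapping scheme, the group list passed in place of a real lookup on the Data Transfer Node, and the sample names are assumptions of the example.

```python
"""Added example (not Globus Connect Server code): how identity mapping,
--user-allow/--user-deny and --posix-group-allow/--posix-group-deny combine,
following the two result tables in the storage gateway documentation."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable, Optional

ALLOWED, DENIED = "Allowed", "DENIED"
COND_ALLOWED, COND_DENIED = "Conditionally Allowed", "Conditionally Denied"


def default_identity_mapping(identity: str) -> Optional[str]:
    """Default mapping: drop everything from the '@' on (user@example.org -> user)."""
    return identity.split("@", 1)[0]


def domain_scoped_mapping(primary: str, others: dict[str, str]) -> Callable[[str], Optional[str]]:
    """Hypothetical custom mapping for a gateway that allows several --domain values.
    Identities in the primary domain keep their bare username, other allowed domains
    get a per-domain prefix so alice@example.org and alice@partner.edu cannot collide
    on one local account, and any other domain maps to nothing (no access)."""
    def mapper(identity: str) -> Optional[str]:
        user, _, domain = identity.partition("@")
        if domain == primary:
            return user
        if domain in others:
            return f"{others[domain]}_{user}"
        return None
    return mapper


def parse_policy_file_text(text: str) -> frozenset[str]:
    """Contents of a file:PATH argument: whitespace-delimited names on one or more lines."""
    return frozenset(text.split())


@dataclass(frozen=True)
class GatewayPolicy:
    """None means the option is not set (the documentation says "" clears it)."""
    user_allow: Optional[frozenset[str]] = None
    user_deny: Optional[frozenset[str]] = None
    posix_group_allow: Optional[frozenset[str]] = None
    posix_group_deny: Optional[frozenset[str]] = None


def user_policy_result(username: str, policy: GatewayPolicy) -> str:
    """First table: a deny match always wins; once an allow list is set it must contain the user."""
    if policy.user_deny and username in policy.user_deny:
        return DENIED
    if policy.user_allow is not None:
        return ALLOWED if username in policy.user_allow else COND_DENIED
    return COND_ALLOWED


def group_policy_result(groups: Iterable[str], conditional: str, policy: GatewayPolicy) -> str:
    """Second table, applied only when the first stage was conditional."""
    groups = frozenset(groups)
    if policy.posix_group_deny and groups & policy.posix_group_deny:
        return DENIED
    if policy.posix_group_allow is not None:
        return ALLOWED if groups & policy.posix_group_allow else DENIED
    return ALLOWED if conditional == COND_ALLOWED else DENIED


def evaluate_access(identity: str, groups: Iterable[str], policy: GatewayPolicy,
                    mapping: Callable[[str], Optional[str]] = default_identity_mapping,
                    ) -> tuple[Optional[str], str]:
    """Return (mapped local username, final result) for one Globus identity.
    `groups` stands in for the user's POSIX groups on the Data Transfer Node."""
    username = mapping(identity)
    if username is None:  # identity not mapped to any local account: nothing to check
        return None, DENIED
    result = user_policy_result(username, policy)
    if result in (ALLOWED, DENIED):
        return username, result
    return username, group_policy_result(groups, result, policy)


if __name__ == "__main__":
    # Constructed sample: --user-deny file:deny.txt plus --posix-group-allow project42
    policy = GatewayPolicy(
        user_deny=parse_policy_file_text("mallory\nsvc_backup  root\n"),
        posix_group_allow=frozenset({"project42"}),
    )
    for ident, grps in [("alice@example.org", {"users", "project42"}),
                        ("bob@example.org", {"users"}),
                        ("mallory@example.org", {"project42"})]:
        print(ident, "->", evaluate_access(ident, grps, policy))
```

Note the asymmetry the tables encode: a user who is absent from a --user-allow list is only Conditionally Denied, so membership in a --posix-group-allow group still admits them, whereas a --user-deny or --posix-group-deny match is final regardless of any allow list.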

Data Access Policies

The --restrict-paths command-line option controls access to subtrees of the data provided by the storage gateway. This is configured using the PathRestrictions document type.

Path restrictions provide a framework for administrators to constrain data access on the storage gateway. Restrictions can be set at the folder level. They may allow read, write, or deny access to data. These are absolute paths from the root of the storage gateway virtual file system.
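An evaluator for such a document is shown below as an added example for this page; it is not Globus Connect Server's implementation. The document shape used (DATA_TYPE path_restrictions#1.0.0 with read, read_write and none lists) follows the PathRestrictions type as described in the Globus documentation, but the precedence rule applied here (the most specific matching path wins) and the permission assumed for paths no rule covers are assumptions of the example, to be confirmed against the Data Access Admin Guide. The example also shows two checks any path-restriction evaluator needs: normalising ".." segments before matching, and matching on whole path components so that /data/scratchpad is not treated as part of /data/scratch.

```python
"""Added example (not Globus code): longest-prefix evaluation of a
--restrict-paths document. Precedence and default are assumptions."""
from __future__ import annotations

import json
import posixpath

# Constructed sample document, as one would pass with --restrict-paths file:restrict.json
SAMPLE_RESTRICTIONS = json.dumps({
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": ["/data/public"],
    "read_write": ["/data/scratch"],
    "none": ["/data/scratch/private", "/etc"],
})

PERMISSION_KEYS = ("none", "read", "read_write")


def parse_restrictions(doc: str) -> list[tuple[str, str]]:
    """Return (normalised absolute path, permission) rules from the JSON document."""
    data = json.loads(doc)
    rules = []
    for key in PERMISSION_KEYS:
        for path in data.get(key, []):
            if not path.startswith("/"):
                raise ValueError(f"path restrictions must be absolute: {path!r}")
            rules.append((posixpath.normpath(path), key))
    return rules


def _is_within(path: str, prefix: str) -> bool:
    """Component-wise containment: /data/scratchpad is NOT inside /data/scratch."""
    return prefix == "/" or path == prefix or path.startswith(prefix + "/")


def effective_permission(rules: list[tuple[str, str]], requested: str, default: str = "none") -> str:
    """Permission for one requested path: the longest matching rule wins (assumed rule).
    The path is normalised first so '..' segments cannot escape a 'none' subtree;
    symlinks are not resolved here, the storage backend has to do that."""
    path = posixpath.normpath(posixpath.join("/", requested))
    best = None
    for prefix, perm in rules:
        if _is_within(path, prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, perm)
    return default if best is None else best[1]


if __name__ == "__main__":
    rules = parse_restrictions(SAMPLE_RESTRICTIONS)
    for p in ["/data/public/report.csv", "/data/scratch/job1/out.bin",
              "/data/scratch/private/keys", "/data/public/../scratch/private/keys",
              "/data/scratchpad", "/home/alice"]:
        print(f"{p:45} {effective_permission(rules, p)}")
```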

Network Use Policies

The command line option --network-use alters the network performance and scalability parameters used by collections created using this storage gateway, overriding the default behavior set on the endpoint. This feature can only be used with a Globus subscription.

If the network use is set to custom, then all of the --preferred-parallelism, --max-parallelism, --preferred-concurrency, and --max-concurrency options must also be set. See the network use section of the installation guide for a description of what these values mean.

If the network use is set to null, then the default behavior is restored, and collections use the settings on the endpoint.

File Staging Policies

The --posix-stage-app and --posix-staging-environment command-line options allow the administrator to configure a program that stages each file to local storage before Globus transfers it.

The command named by the parameter to the --posix-stage-app option is run prior to transferring each file, as the local user that the access has been mapped to. A full description of the inputs and outputs of this application is included in the POSIX Staging Connector documentation.

The variables specified as the argument to the --posix-staging-environment option (in the form NAME=VALUE) are included in the environment of the stage app. This option may be included multiple times to set multiple environment variables.

OPTIONS

-h, --help

Show help message and exit.

--version

Show the version and exit.

-F, --format "text"|"json"

Output format for this command. If the format is json, then the resulting storage gateway document is displayed.

--use-explicit-host IP_ADDRESS (new in 5.4.23)

IP address of the GCS node to use for this request. If not specified, any available GCS node in the endpoint will be used.

--user-deny username
--user-deny file:PATH (new in 5.4.79)

Connector-specific username for a user denied access to this Storage Gateway. Give this option multiple times to deny multiple users. Set a value of "" to clear this value. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of usernames to deny access to this storage gateway.

--user-allow username
--user-allow file:PATH (new in 5.4.79)

Connector-specific username for a user allowed access to this Storage Gateway. Give this option multiple times to allow multiple users. Set a value of "" to clear this value. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of usernames to allow access to this storage gateway.

--identity-mapping external:CMD
--identity-mapping file:JSON_FILE | JSON

Identity Mapping configuration for use in this Storage Gateway. You can use JSON input to specify a complete mapping document, or, if you want to use an external command for mapping, use external:command --arguments. Give this option multiple times to set multiple mappings in order of precedence. Set a value of null to clear this value.

--restrict-paths JSON | file:JSON_FILE

Path restrictions for accessing data on collections created using this storage gateway.

--domain DOMAIN

Allowed domain. Give this option multiple times to allow multiple domains. Users creating credentials or collections on this storage gateway must have an identity in one of these domains.

--authentication-timeout-mins INT

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

--mfa / --no-mfa (new in 5.4.21)

Flag indicating that access to collections on this storage gateway require that the user has authenticated with multi factor authentication using an identity in the allowed_domains. Only usable on high assurance storage gateways.

--network-use "normal"|"minimal"|"aggressive"|"custom"|"null" (new in 5.4.76)

Set storage gateway network use. If custom, the storage gateway’s max and preferred concurrency and parallelism must be set. If this is set to a non-null value, then all collections which use this storage gateway will use this value instead of the endpoint’s network use setting.

--preferred-parallelism INTEGER

Set the storage gateway’s preferred parallelism; requires --network-use=custom

--max-parallelism INTEGER

Set the storage gateway’s max parallelism; requires --network-use=custom

--preferred-concurrency INTEGER

Set the storage gateway’s preferred concurrency; requires --network-use=custom

--max-concurrency INTEGER

Set the storage gateway’s max concurrency; requires --network-use=custom

--posix-group-deny GROUP
--posix-group-deny file:PATH (new in 5.4.79)

POSIX group denied access to this Storage Gateway. Give this option multiple times to deny multiple groups. Set a value of "" to clear this. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of groups to deny access to this storage gateway.

--posix-group-allow GROUP
--posix-group-allow file:PATH (new in 5.4.79)

POSIX group allowed access to this Storage Gateway. Give this option multiple times to allow multiple groups. Set a value of "" to clear this. If the parameter value begins with file:, read the input file path and parse as one or more lines of a whitespace delimited list of groups to allow access to this storage gateway.

--posix-stage-app PATH

Path to the stage app to run to process data staging requests for this connector. This will be invoked as described in the posix staging connector documentation.

--posix-staging-environment NAME=VALUE

Environment value to set in the environment of the stage app. Give this option multiple times to set multiple environment values. Set a value of "" to clear this.

© 2010- The University of Chicago