Globus Connect Server Stream Gateway Create
Description
The globus-connect-server stream-gateway create command creates a new stream gateway and access point. At creation time, you provide policies to map and authorize users and configure which networks the stream gateway can use.
Authentication Policies
The value of the --domain command-line option restricts access to users who have an identity in the given domain. The option may be given multiple times to allow authentication by multiple identity providers. If more than one domain is allowed, the stream gateway needs an identity mapping method configured to decide how to process names from the different identity namespaces. See Identity Mapping Policies for more information.
Identity Mapping Policies
Globus Connect Server supports a flexible system for mapping user identity information in Globus to an account name. For stream gateways, the account name is used to enforce user allow/deny policies and does not represent an account on the POSIX system running Globus Connect Server.
Default Identity to Username Mapping
By default, if the stream gateway is configured to allow identities from a single domain, the mapping is the identity function: the name used for access controls is the same as the name of the Globus identity.
Custom Identity to Username Mapping
The --identity-mapping command-line option configures a stream gateway to use either an expression based identity mapping or an external identity mapping program. See the Identity Mapping Guide for more information.
The --identity-mapping command-line option can be passed on the command-line with a few different types of data as its argument:
- --identity-mapping external:CMD
  When mapping an identity to a username, Globus Connect Server invokes the command-line program CMD to map the identity. The value of the CMD string will be parsed as a shell command-line, so arguments may be included if quoted. A full description of the input, output, and arguments to the program is included in the Identity Mapping Guide.
- --identity-mapping file:JSON_FILE
- --identity-mapping JSON
  The JSON_FILE argument is a path to a file which contains a JSON document with the mapping configuration, as described in the Identity Mapping Guide. The JSON argument is the JSON document itself.
User Policies
The --user-allow and --user-deny command-line options control which users may create tunnels on a stream access point. These operate on the result of the identity mapping.
A username is allowed or denied access depending on whether the --user-allow and --user-deny command-line options are set on a stream gateway, and whether the username is present in one or both of those policies. In general, if a username is in the value of --user-deny it is always denied, and if a --user-allow policy is provided the username must be in the policy value in order to be allowed access.
The full set of effects of these policies is contained in the following table ("-" means the option is not set on the stream gateway):
| --user-allow | --user-deny | result |
|---|---|---|
| member | - | Allowed |
| member | not a member | Allowed |
| - | - | Allowed |
| - | not a member | Allowed |
| - | member | DENIED |
| not a member | - | DENIED |
| not a member | not a member | DENIED |
| not a member | member | DENIED |
| member | member | DENIED |
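The following is an added example, not part of this page or of Globus Connect Server itself. It models the authorization pipeline the page describes for the simplest configuration: a single --domain with the default identity mapping (username equals the Globus identity name), followed by the --user-allow / --user-deny decision table above. The usernames come from constructed sample lists in the file:PATH format (whitespace-delimited names on one or more lines). The function names and the sample domain example.org are assumptions made for the example; only the decision rules come from the page.

```python
"""Model of stream gateway user policies (added example, not GCS code).

Assumptions: one allowed domain, default identity mapping, and the
file:PATH list format described under --user-allow / --user-deny.
"""
from typing import Dict, FrozenSet, Iterable, Optional, Tuple


def parse_user_list(text: str) -> FrozenSet[str]:
    """Parse the file:PATH format: one or more lines of a whitespace-delimited
    list of usernames. Blank lines and repeated names are harmless."""
    return frozenset(text.split())


def default_identity_mapping(identity: str, domains: Iterable[str]) -> Optional[str]:
    """Default mapping for a gateway with exactly one --domain: the account name
    is the identity name itself. Returns None when the identity's domain is not
    the allowed one. Multi-domain gateways need an explicit --identity-mapping,
    which this example deliberately does not model."""
    allowed = list(domains)
    if len(allowed) != 1:
        raise ValueError("default mapping only applies to a single --domain")
    if "@" not in identity:
        return None
    if identity.rsplit("@", 1)[1].lower() != allowed[0].lower():
        return None
    return identity


def is_allowed(username: str,
               allow: Optional[FrozenSet[str]] = None,
               deny: Optional[FrozenSet[str]] = None) -> bool:
    """Apply the decision table: a --user-deny membership always denies; if a
    --user-allow policy is set the user must be a member; otherwise allowed.
    None means the option is not set ("-" in the table)."""
    if deny is not None and username in deny:
        return False
    if allow is not None and username not in allow:
        return False
    return True


def authorize(identity: str, domains: Iterable[str],
              allow: Optional[FrozenSet[str]] = None,
              deny: Optional[FrozenSet[str]] = None) -> bool:
    """Domain check, default mapping, then user policies."""
    username = default_identity_mapping(identity, domains)
    if username is None:
        return False
    return is_allowed(username, allow, deny)


def decision_table() -> Dict[Tuple[str, str], str]:
    """Recompute every row of the page's table for one fixed username, keyed by
    (--user-allow state, --user-deny state)."""
    user = "alice@example.org"          # constructed sample identity
    states = {
        "member": frozenset({user}),
        "not a member": frozenset({"someone-else@example.org"}),
        "-": None,
    }
    rows = {}
    for allow_state, allow in states.items():
        for deny_state, deny in states.items():
            rows[(allow_state, deny_state)] = (
                "Allowed" if is_allowed(user, allow, deny) else "DENIED")
    return rows


# Constructed sample contents of the two file:PATH lists
ALLOW_FILE = "alice@example.org  bob@example.org\ncarol@example.org\n"
DENY_FILE = "bob@example.org\n"

if __name__ == "__main__":
    allow, deny = parse_user_list(ALLOW_FILE), parse_user_list(DENY_FILE)
    for ident in ("alice@example.org", "bob@example.org",
                  "dave@example.org", "alice@other.org"):
        print(ident, "->", "Allowed" if authorize(ident, ["example.org"], allow, deny) else "DENIED")
    for (a, d), result in decision_table().items():
        print(f"allow={a!r:16} deny={d!r:16} {result}")
```

Note that a user who is not in either list is denied as soon as any --user-allow policy exists, so an allow list must be complete; an identity outside the configured domain never reaches the user policies at all.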
Metadata
Many of the options to this command allow you to set metadata on your stream gateway to help your users find the stream access points that are relevant to their needs. The more metadata you supply, the easier it will be for them to find relevant collections.
The --keywords, --department, --organization, and --description options all provide data to improve results when searching for collections.
The --contact-email, --contact-info, and --info-link options will provide data that will help your users find out more about what data you provide in the collection.
OPTIONS
- -h, --help
  Show help message and exit.
- --version
  Show the version and exit.
- -F, --format "text"|"json"
  Output format for this command. If the format is json, then the resulting role document is displayed.
- --use-explicit-host IP_ADDRESS
  IP address of the GCS node to use for this request. If not specified, any available GCS node in the endpoint will be used.
- --user-deny username
- --user-deny file:PATH
  Connector-specific username for a user denied access to this Stream Gateway. Give this option multiple times to deny multiple users. Set a value of "" to clear this value. If the parameter value begins with file:, read the input file path and parse it as one or more lines of a whitespace-delimited list of usernames to deny access to this stream gateway.
- --user-allow username
- --user-allow file:PATH
  Connector-specific username for a user allowed access to this Stream Gateway. Give this option multiple times to allow multiple users. Set a value of "" to clear this value. If the parameter value begins with file:, read the input file path and parse it as one or more lines of a whitespace-delimited list of usernames to allow access to this stream gateway.
- --identity-mapping external:CMD
- --identity-mapping file:JSON_FILE|JSON
  Identity Mapping configuration for use in this Stream Gateway. You can use JSON input to specify a complete mapping document, or, if you want to use an external command for mapping, use external:command --arguments. Give this option multiple times to set multiple mappings in order of precedence. Set a value of null to clear this value.
- --domain DOMAIN
  Allowed domain. Give this option multiple times to allow multiple domains. Users creating credentials or collections on this stream gateway must have an identity in one of these domains.
- --lan-secret-required
  If set, require that a user create a secret to authenticate the LAN connection.
- --lan-name NAME
  Name associated with a LAN address to indicate which network interface to use for the LAN stream connection.
- --keywords string,string,…
  Comma-separated list of keywords to help searches for the collection.
- --department DEPARTMENT
  Department which operates the collection.
- --organization ORGANIZATION
  Organization for the collection.
- --contact-email EMAIL
  Email address of the support contact for this collection. This is visible to end users so that they may contact your organization for support.
- --contact-info INFO
  Other non-email contact information for the collection, e.g. phone and mailing address. This is visible to end users for support.
- --info-link URL
  Link to a web page containing info about the collection.
- --description STRING
  Description of the collection.