Schemas

Result Document

This is the result envelope returned from all operations in this API. Each operation may add properties to this base document type with additional operation-specific data values. In some responses to GET requests, the has_next_page value will be set to true, and the marker value will be present. In those cases, repeat the original call, passing in the marker query parameter to retrieve the next page of response data.

Name

Type

Description

DATA_TYPE

string result#1.0.0

Type of this document.

http_response_code

integer

Numeric HTTP response code

code

string

String response code

detail

Machine readable response details

message

string

Message describing this result.

data

array (object)

has_next_page

boolean

Boolean flag indicating whether or not additional pages of response data may be requested by passing the marker to the same operation.

marker

string

Opaque marker that may be passed to this API call to fetch the next page of results if the returned document has has_next_page set to true.

{
  "code": "bad_request",
  "message": "Invalid input",
  "DATA_TYPE": "result#1.0.0",
  "has_next_page": false
}

PathRestrictions Document

This object represents the path restrictions for a storage gateway or the sharing path restrictions for a mapped collection.

The values of each of the path lists in this object are interpreted using the POSIX pattern matching notation as described in fnmatch(3) with flags set to 0 with additional support for some special user-specific value interpolation:

~
$HOME

The user’s home directory if the storage gateway supports such a concept, / otherwise

$USER

The effective Storage Gateway-specific username that is being used for data access. For a Guest Collection, this is the username of the identity that created the Guest Collection.

These restrictions are evaluated at every data access. When evaluating restrictions, the user-specific interpolation is applied before the file name matching is evaluated.

Globus Connect Server evaluates its path restrictions from longest leading expression match to shortest. When pattern matching characters are present, they are considered as a lower priority match than a literal character, with more specific pattern characters given precedence. The precedence is thus literal character, bracket expression, ? (single-character wildcard), * (wildcard).

If multiple path restrictions apply, all matches are applied from longest to shortest, with the following rules for overriding values:

longer restriction    shorter restriction    result
read_write            read                   read_write
read_write            none                   read_write
read                  read_write             read_write
read                  none                   read
none                  read_write             none
none                  read                   none

Name

Type

Description

DATA_TYPE

string path_restrictions#1.0.0

Type of this document.

read

array (string)

List of paths which are allowed read-only access.

read_write

array (string)

List of paths which are allowed read-write access.

none

array (string)

List of paths which are denied any access.

{
  "DATA_TYPE": "path_restrictions#1.0.0",
  "read": [
    "/public"
  ],
  "read_write": [
    "/home",
    "/projects"
  ],
  "none": [
    "/private"
  ]
}
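
As an added example (not Globus code), the following Python model of the evaluation described in this section lets an administrator check which access level a restrict_paths document yields for a given path and user. The function names are hypothetical, and the model assumes that a restriction on a directory also covers everything beneath it, that specificity is compared position by position through the pattern, and that matches are folded from most to least specific; it returns None when nothing matches because the page states no default.

```python
import posixpath
from fnmatch import fnmatchcase

# Override rules from the page's table: (longer, shorter) -> result.
OVERRIDE = {
    ("read_write", "read"): "read_write",
    ("read_write", "none"): "read_write",
    ("read", "read_write"): "read_write",
    ("read", "none"): "read",
    ("none", "read_write"): "none",
    ("none", "read"): "none",
}


def interpolate(pattern, username, home):
    """Apply the user-specific substitutions before any matching."""
    if pattern == "~" or pattern.startswith("~/"):
        pattern = "$HOME" + pattern[1:]
    pattern = pattern.replace("$HOME", home).replace("$USER", username)
    return pattern.rstrip("/") or "/"


def specificity(pattern):
    """Rank each position: literal 3, bracket 2, '?' 1, '*' 0.
    Tuples compare position by position, so a literal beats a wildcard at the
    first difference and a longer pattern beats its own prefix (assumed reading).
    """
    ranks, i, n = [], 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "*":
            ranks.append(0)
        elif ch == "?":
            ranks.append(1)
        elif ch == "[":
            j = i + 1
            if j < n and pattern[j] == "!":
                j += 1
            if j < n and pattern[j] == "]":
                j += 1  # ']' in first position is a literal member
            end = pattern.find("]", j)
            if end == -1:
                ranks.append(3)  # unterminated '[' is an ordinary character
            else:
                ranks.append(2)
                i = end
        else:
            ranks.append(3)
        i += 1
    return tuple(ranks)


def covers(pattern, path):
    """True if the pattern matches the path or one of its parent directories.
    Assumption: a restriction on a directory governs everything beneath it.
    Like fnmatch(3) with flags 0, fnmatchcase lets '*' and '?' match '/';
    unlike it, fnmatchcase does not treat backslash as an escape.
    """
    candidate = path
    while True:
        if fnmatchcase(candidate, pattern):
            return True
        if candidate == "/":
            return False
        candidate = posixpath.dirname(candidate)


def evaluate(restrictions, path, username, home):
    """Return 'read', 'read_write', 'none', or None when nothing matches."""
    if not path.startswith("/"):
        raise ValueError("paths are absolute in the connector's namespace")
    # Collapse '.', '..' and repeated slashes before matching.
    path = "/" + posixpath.normpath(path).lstrip("/")
    matches = []
    for level in ("read", "read_write", "none"):
        for raw in restrictions.get(level, []):
            pattern = interpolate(raw, username, home)
            if covers(pattern, path):
                matches.append((specificity(pattern), level))
    if not matches:
        return None  # the page states no default for this case
    matches.sort(key=lambda m: m[0], reverse=True)
    result = matches[0][1]
    for _, shorter in matches[1:]:
        # Assumed fold order: most specific first, then each shorter match.
        result = OVERRIDE.get((result, shorter), result)
    return result


# Sample document from the page.
PAGE_SAMPLE = {"read": ["/public"], "read_write": ["/home", "/projects"],
               "none": ["/private"]}
# Constructed document: interpolation plus literal-over-wildcard precedence.
CONSTRUCTED = {"read": ["/projects"],
               "read_write": ["$HOME", "/projects/$USER"],
               "none": ["/home", "/projects/*"]}

if __name__ == "__main__":
    print(evaluate(CONSTRUCTED, "/projects/bob/x", "alice", "/home/alice"))
```

With the constructed document, user alice gets read_write under /home/alice and /projects/alice, while /home/bob and /projects/bob evaluate to none.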

Info Document

This document contains information about the Globus Connect Server, including its software and supported API version number.

Name

Type

Description

DATA_TYPE

string info#1.0.0

Type of this document

manager_version

string ^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$

Globus Connect Server Manager Software version.

api_version

string ^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-.*)?$

Semantic version of the Globus Connect Server API.

client_id

string <uuid>

Client ID which created the endpoint.

endpoint_id

string <uuid>

Transfer endpoint ID managed by this GCS Manager.

domain_name

string <hostname>

DNS Domain name for the GCS Manager service.

{
  "DATA_TYPE": "info#1.0.0",
  "manager_version": "5.4.0",
  "api_version": "1.0.0",
  "client_id": "8668e52f-7e2b-4f84-a03d-945a5ad15e38",
  "endpoint_id": "a0708a2f-6ccf-491f-a0a1-02db5f397cc3",
  "domain_name": "123f2.data.globus.org"
}

Connector Document

Connector extension definition object

Name

Type

Description

DATA_TYPE

string connector#1.0.0

Type of this document

display_name

string

Friendly name for the connector.

id

string <uuid>

UUID of this connector type.

version

string ^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-.*)?$

Semantic version of this connector implementation.

{
  "DATA_TYPE": "connector#1.0.0",
  "display_name": "POSIX",
  "id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "version": "1.0.0"
}

Endpoint Document

A Globus Connect Server endpoint is a deployment of Globus Connect Server version 5. A single endpoint may optionally include multiple data transfer nodes. The endpoint provides a link between a Globus Connect Server deployment and the Globus Transfer service. The endpoint describes services for accessing data via GridFTP and HTTPS and also for configuring and managing the policies associated with that access.

Name

Type

Description

DATA_TYPE

string endpoint#1.0.0

Type of this document

public

boolean

Flag indicating whether this endpoint is visible to all other Globus users. If false, only users which have been granted a role on the endpoint or one of its collections, or belong to a domain allowed access to any of its storage gateways may view it.

id

string <uuid>

Unique identifier string for the endpoint.

display_name

string

Friendly name for the endpoint, not unique. Unicode string, no new lines (\r or \n). Searchable.

gcs_manager_url

string <uri>

URL of the GCS Manager API service for this endpoint.

subscription_id

string anyOf { <uuid>, DEFAULT }

The UUID of the subscription that is managing this endpoint. This may be the special value DEFAULT when using this as input to PATCH or PUT to use the caller’s default subscription id.

network_use

string normal, minimal, aggressive, custom

Allowed values for network_use are:

normal

The default setting. Uses an average level of concurrency and parallelism. The levels depend on the number of physical servers in the endpoint.

minimal

Uses a minimal level of concurrency and parallelism.

aggressive

Uses a high level of concurrency and parallelism.

custom

Uses custom values of concurrency and parallelism set by the endpoint admin. When setting this level, you must also set the max_concurrency, preferred_concurrency, max_parallelism, and preferred_parallelism options.

max_concurrency

integer

Admin-specified value when the network_use property’s value is custom; otherwise the preset value for the specified network_use.

preferred_concurrency

integer

Admin-specified value when the network_use property’s value is custom; otherwise the preset value for the specified network_use.

max_parallelism

integer

Admin-specified value when the network_use property’s value is custom; otherwise the preset value for the specified network_use.

preferred_parallelism

integer

Admin-specified value when the network_use property’s value is custom; otherwise the preset value for the specified network_use.

organization

string

Organization that runs the server(s) represented by the endpoint. Optional to preserve backward compatibility, but will eventually be required and all clients are encouraged to require users to specify it. Unicode string, max 1024 characters, no new lines.

department

string

Department within organization that runs the server(s). Searchable. Optional. Unicode string, max 1024 characters, no new lines.

keywords

array (string)

List of search keywords for the endpoint. Optional. Unicode string, max 1024 characters total across all strings.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the server(s) represented by the endpoint.

contact_info

string

Other non-email contact information for the endpoint, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint. The administrator is responsible for running a website at this URL and verifying that it is accepting public connections.

allow_udt

boolean

Allow data transfer on this endpoint using the UDT protocol.

{
  "DATA_TYPE": "endpoint#1.0.0",
  "public": true,
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "display_name": "string",
  "gcs_manager_url": "https://gcs.data.globus.org/",
  "subscription_id": "2d99530d-3b20-44cb-94d3-61d8f85cd896",
  "network_use": "normal",
  "max_concurrency": 1,
  "preferred_concurrency": 1,
  "max_parallelism": 1,
  "preferred_parallelism": 1,
  "organization": "string",
  "department": "string",
  "keywords": [
    "string"
  ],
  "description": "string",
  "contact_email": "user@example.com",
  "contact_info": "string",
  "info_link": "http://example.com",
  "allow_udt": false
}

Role Document

The "Role" document type represents the assignment of a role on an Endpoint or Collection to a Globus identity or group.

Name

Type

Description

DATA_TYPE

string role#1.0.0

Type of this document

id

string <uuid>

Unique id string for this role assignment. This is system generated and should not be included in create requests.

collection

string <uuid>

Collection Id. This value is omitted when creating an endpoint role or when creating role definitions when creating collections.

principal

string ^(urn:globus:auth:identity|urn:globus:groups:id):[a-f0-9-]*$

Auth identity or group id URN.

role

string owner, administrator, access_manager, activity_manager, activity_monitor

Role assigned to the principal.

{
  "DATA_TYPE": "role#1.0.0",
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "collection": "65986b24-c0b1-41fa-b21f-4a319273f511",
  "principal": "string",
  "role": "owner"
}

Node (v1.0.0) Properties Document

Name

Type

Description

id

string <uuid>

Unique id string for this node. This is system generated and should not be included in create requests.

ip_addresses

array (string)

IP addresses of the node.

status

string active, inactive

Current status of the Node. If a Node is marked inactive, it will be removed from the DNS entries for this endpoint and will return an error on any attempt to use the Manager API or attempt a Transfer using this node.

incoming_port_range

array (integer)

Allowed port range for incoming TCP data connections.

outgoing_port_range

array (integer)

Port range used as the source for outgoing TCP data connections.

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ]
}

Node (v1.1.0) Properties Document

Name

Type

Description

data_interface

string One of { <ipv4>, <ipv6> }

IP address for data transfers.

{
  "data_interface": "192.168.44.2"
}

Node 1.0.0 Document

Name

Type

Description

id

string <uuid>

Unique id string for this node. This is system generated and should not be included in create requests.

ip_addresses

array (string)

IP addresses of the node.

status

string active, inactive

Current status of the Node. If a Node is marked inactive, it will be removed from the DNS entries for this endpoint and will return an error on any attempt to use the Manager API or attempt a Transfer using this node.

incoming_port_range

array (integer)

Allowed port range for incoming TCP data connections.

outgoing_port_range

array (integer)

Port range used as the source for outgoing TCP data connections.

DATA_TYPE

string node#1.0.0

Type of this document

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ],
  "DATA_TYPE": "node#1.0.0"
}

Node 1.1.0 Document

Name

Type

Description

id

string <uuid>

Unique id string for this node. This is system generated and should not be included in create requests.

ip_addresses

array (string)

IP addresses of the node.

status

string active, inactive

Current status of the Node. If a Node is marked inactive, it will be removed from the DNS entries for this endpoint and will return an error on any attempt to use the Manager API or attempt a Transfer using this node.

incoming_port_range

array (integer)

Allowed port range for incoming TCP data connections.

outgoing_port_range

array (integer)

Port range used as the source for outgoing TCP data connections.

data_interface

string One of { <ipv4>, <ipv6> }

IP address for data transfers.

DATA_TYPE

string node#1.1.0

Type of this document

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ],
  "data_interface": "192.168.44.2",
  "DATA_TYPE": "node#1.1.0"
}

Node Document

Services for Globus Connect Server endpoints may be deployed on multiple different physical resources, referred to as Data Transfer Nodes. Each node may have one or more IP addresses, TCP incoming and outgoing port ranges, and a status value indicating whether it is configured to actively respond to requests or is in maintenance mode.

Name

Type

Description

Node

Node One of { Node 1.0.0, Node 1.1.0 }

Services for Globus Connect Server endpoints may be deployed on multiple different physical resources, referred to as Data Transfer Nodes. Each node may have one or more IP addresses, TCP incoming and outgoing port ranges, and a status value indicating whether it is configured to actively respond to requests or is in maintenance mode.

{
  "id": "5a91ee5a-b28f-44b8-b0cb-2adbd5beee2c",
  "ip_addresses": [
    "192.168.44.2"
  ],
  "status": "active",
  "incoming_port_range": [
    50000,
    51000
  ],
  "outgoing_port_range": [
    50000,
    51000
  ],
  "DATA_TYPE": "node#1.0.0"
}

StorageGateway (v1.0.0) Properties Document

Name

Type

Description

id

string <uuid>

Unique id string for this Storage Gateway.

display_name

string

Name of the Storage Gateway.

connector_id

string <uuid>

Id of the connector type that this Storage Gateway interacts with.

high_assurance

boolean

Flag indicating if the storage_gateway requires high assurance features.

require_high_assurance (deprecated)

boolean

Alias for high_assurance.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway.

For a high assurance Storage Gateway, this must be done within the current Globus Auth session; otherwise, the caller can perform the authentication with any application which uses Globus Auth.

authentication_assurance_timeout (deprecated)

integer

Alias for authentication_timeout_mins.

allowed_domains

array (string)

List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.

identity_mappings

array ( IdentityMapping )

List of identity mappings to attempt to apply to user identities to determine what accounts are available for access.[Private]

users_allow

array (string)

List of connector-specific usernames allowed to access this Storage Gateway.[Private]

users_deny

array (string)

List of connector-specific usernames denied access to this Storage Gateway.[Private]

restrict_paths

One of { object PathRestrictions }

Path restrictions within this Storage Gateway. Paths are interpreted as absolute paths in the file namespace of the connector.[Private]

process_user

string

Local POSIX user the GridFTP server should run as when accessing this Storage Gateway.[Private]

load_dsi_module

string

Name of the DSI module to be loaded by the GridFTP server when accessing this Storage Gateway.[Private]

policies

One of { AzureBlobStoragePolicies, BlackPearlStoragePolicies, object BoxStoragePolicies, object CephStoragePolicies, GoogleDriveStoragePolicies, GoogleCloudStoragePolicies, HpssStoragePolicies, IrodsStoragePolicies, OneDriveStoragePolicies, PosixStoragePolicies, PosixStagingStoragePolicies, object S3StoragePolicies, object }

Connector-specific storage policies.

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "azure_blob_storage_policies#1.0.0",
    "client_id": "string",
    "secret": "string",
    "tenant": "string",
    "auth_type": "string",
    "account": "string",
    "adls": true,
    "auth_callback": "https://example.globus.org/api/v1/authcallback"
  }
}

StorageGateway (v1.1.0) Properties Document

Name

Type

Description

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only usable on high assurance storage gateways.

{
  "require_mfa": true
}

StorageGateway 1.0.0 Document

Name

Type

Description

id

string <uuid>

Unique id string for this Storage Gateway.

display_name

string

Name of the Storage Gateway.

connector_id

string <uuid>

Id of the connector type that this Storage Gateway interacts with.

high_assurance

boolean

Flag indicating if the storage_gateway requires high assurance features.

require_high_assurance (deprecated)

boolean

Alias for high_assurance.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway.

For a high assurance Storage Gateway, this must be done within the current Globus Auth session; otherwise, the caller can perform the authentication with any application which uses Globus Auth.

authentication_assurance_timeout (deprecated)

integer

Alias for authentication_timeout_mins.

allowed_domains

array (string)

List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.

identity_mappings

array ( IdentityMapping )

List of identity mappings to attempt to apply to user identities to determine what accounts are available for access.[Private]

users_allow

array (string)

List of connector-specific usernames allowed to access this Storage Gateway.[Private]

users_deny

array (string)

List of connector-specific usernames denied access to this Storage Gateway.[Private]

restrict_paths

One of { object PathRestrictions }

Path restrictions within this Storage Gateway. Paths are interpreted as absolute paths in the file namespace of the connector.[Private]

process_user

string

Local POSIX user the GridFTP server should run as when accessing this Storage Gateway.[Private]

load_dsi_module

string

Name of the DSI module to be loaded by the GridFTP server when accessing this Storage Gateway.[Private]

policies

One of { AzureBlobStoragePolicies, BlackPearlStoragePolicies, object BoxStoragePolicies, object CephStoragePolicies, GoogleDriveStoragePolicies, GoogleCloudStoragePolicies, HpssStoragePolicies, IrodsStoragePolicies, OneDriveStoragePolicies, PosixStoragePolicies, PosixStagingStoragePolicies, object S3StoragePolicies, object }

Connector-specific storage policies.

DATA_TYPE

string storage_gateway#1.0.0

Type of this document

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "azure_blob_storage_policies#1.0.0",
    "client_id": "string",
    "secret": "string",
    "tenant": "string",
    "auth_type": "string",
    "account": "string",
    "adls": true,
    "auth_callback": "https://example.globus.org/api/v1/authcallback"
  },
  "DATA_TYPE": "storage_gateway#1.0.0"
}

StorageGateway 1.1.0 Document

Name

Type

Description

id

string <uuid>

Unique id string for this Storage Gateway.

display_name

string

Name of the Storage Gateway.

connector_id

string <uuid>

Id of the connector type that this Storage Gateway interacts with.

high_assurance

boolean

Flag indicating if the storage_gateway requires high assurance features.

require_high_assurance (deprecated)

boolean

Alias for high_assurance.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway.

For a high assurance Storage Gateway, this must be done within the current Globus Auth session; otherwise, the caller can perform the authentication with any application which uses Globus Auth.

authentication_assurance_timeout (deprecated)

integer

Alias for authentication_timeout_mins.

allowed_domains

array (string)

List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.

identity_mappings

array ( IdentityMapping )

List of identity mappings to attempt to apply to user identities to determine what accounts are available for access.[Private]

users_allow

array (string)

List of connector-specific usernames allowed to access this Storage Gateway.[Private]

users_deny

array (string)

List of connector-specific usernames denied access to this Storage Gateway.[Private]

restrict_paths

One of { object PathRestrictions }

Path restrictions within this Storage Gateway. Paths are interpreted as absolute paths in the file namespace of the connector.[Private]

process_user

string

Local POSIX user the GridFTP server should run as when accessing this Storage Gateway.[Private]

load_dsi_module

string

Name of the DSI module to be loaded by the GridFTP server when accessing this Storage Gateway.[Private]

policies

One of { AzureBlobStoragePolicies, BlackPearlStoragePolicies, object BoxStoragePolicies, object CephStoragePolicies, GoogleDriveStoragePolicies, GoogleCloudStoragePolicies, HpssStoragePolicies, IrodsStoragePolicies, OneDriveStoragePolicies, PosixStoragePolicies, PosixStagingStoragePolicies, object S3StoragePolicies, object }

Connector-specific storage policies.

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only usable on high assurance storage gateways.

DATA_TYPE

string storage_gateway#1.1.0

Type of this document

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "azure_blob_storage_policies#1.0.0",
    "client_id": "string",
    "secret": "string",
    "tenant": "string",
    "auth_type": "string",
    "account": "string",
    "adls": true,
    "auth_callback": "https://example.globus.org/api/v1/authcallback"
  },
  "require_mfa": true,
  "DATA_TYPE": "storage_gateway#1.1.0"
}

StorageGateway Document

A storage gateway provides the access policies for the endpoint’s connected storage systems. It is a named interface by which authorized users can create and manage collections on the connected storage system. A single storage system may be associated with multiple storage gateways, each with its own policies.

Storage gateway policies describe what type of connector the storage gateway uses, the paths it allows access to, the login requirements for the storage gateway, and the algorithm used to map Globus identities to the user namespace of the storage gateway (e.g. local accounts).

Name

Type

Description

StorageGateway

StorageGateway One of { StorageGateway 1.0.0, StorageGateway 1.1.0 }

A storage gateway provides the access policies for the endpoint’s connected storage systems. It is a named interface by which authorized users can create and manage collections on the connected storage system. A single storage system may be associated with multiple storage gateways, each with its own policies.

Storage gateway policies describe what type of connector the storage gateway uses, the paths it allows access to, the login requirements for the storage gateway, and the algorithm used to map Globus identities to the user namespace of the storage gateway (e.g. local accounts).

{
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "Posix Storage Gateway",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [
    "example.com"
  ],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": [
        "/opt/globus/bin/python",
        "/opt/globus/map-globus-identity-data"
      ]
    }
  ],
  "users_allow": [
    "user1"
  ],
  "users_deny": [
    "user2"
  ],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "azure_blob_storage_policies#1.0.0",
    "client_id": "string",
    "secret": "string",
    "tenant": "string",
    "auth_type": "string",
    "account": "string",
    "adls": true,
    "auth_callback": "https://example.globus.org/api/v1/authcallback"
  },
  "DATA_TYPE": "storage_gateway#1.0.0"
}

UserCredential Document

Credential information for an identity on a particular Storage Gateway and its related collections.

Name

Type

Description

DATA_TYPE

string user_credential#1.0.0

Type of this document

id

string <uuid>

Unique id string for this User Credential

identity_id

string <uuid>

Globus Auth identity id that this credential is associated with.

connector_id

string <uuid>

Connector that this credential is used with.

username

string

Connector-specific username that this credential is associated with. If the connector supports identity mapping, this matches the result of the mapping applied to identity_id.

display_name

string

Display name of the credential.

storage_gateway_id

string

Storage Gateway this credential is associated with.

home_directory

string

The home directory of the account associated with this credential.[Private]

invalid

boolean

Flag indicating that this credential is no longer valid.

provisioned

boolean

Flag indicating that this credential has been fully provisioned. If this is false and the invalid property is true, then the credential was created during login and patching it to add the missing data should be presented to the user as initializing the credential.

policies

One of { object AzureBlobUserCredentialPolicies, BlackPearlUserCredentialPolicies, object BoxUserCredentialPolicies, object CephUserCredentialPolicies, object GoogleDriveUserCredentialPolicies, GoogleCloudStorageUserCredentialPolicies, object HpssUserCredentialPolicies, IrodsUserCredentialPolicies, object OneDriveUserCredentialPolicies, PosixUserCredentialPolicies, PosixStagingUserCredentialPolicies, object S3UserCredential, object }

Connector-specific user credential policies.

{
  "DATA_TYPE": "user_credential#1.0.0",
  "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "username": "testuser",
  "display_name": "Test User",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "home_directory": "/home/user",
  "invalid": true,
  "provisioned": true,
  "policies": {
    "DATA_TYPE": "azure_blob_user_credential_policies#1.0.0",
    "sub": "string",
    "email": "user@example.com",
    "access_token": "string",
    "refresh_token": "string",
    "scopes": [
      "openid",
      "email",
      "profile",
      "offline_access",
      "user_impersonation"
    ],
    "token_expiry": "2020-02-04T21:44:12Z"
  }
}

Account Document

User account information for a particular Storage Gateway.

Name

Type

Description

DATA_TYPE

string account#1.0.0

Type of this document.

username

string

Connector-specific local username.

storage_gateway_id

string <uuid>

Storage Gateway for which this account is valid.

identity_id

string <uuid>

Globus Auth identity which maps to this account.

{
  "DATA_TYPE": "account#1.0.0",
  "username": "testuser",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
}

Owner Document

Owner document.

Name

Type

Description

DATA_TYPE

string endpoint_owner#1.0.0

Type of this document

identity_id

string <uuid>

Auth identity ID of the endpoint owner

{
  "DATA_TYPE": "endpoint_owner#1.0.0",
  "identity_id": "011a42b9-62d7-49eb-8328-c2e454af88a1"
}

Owner string Document

Owner string document.

Name

Type

Description

DATA_TYPE

string owner_string#1.0.0

Type of this document

identity_id

string <uuid>

Auth identity username

{
  "DATA_TYPE": "owner_string#1.0.0",
  "identity_id": "2574c430-0c01-4695-92fa-4bad3c21f6ab"
}

EndpointSubscription Document

Endpoint subscription request document

Name

Type

Description

DATA_TYPE

string endpoint_subscription#1.0.0

Type of this document

subscription_id

One of { string <uuid>, string DEFAULT }

Either the UUID of a Globus subscription or the special value "DEFAULT" if the caller has only one subscription associated with their identity set.

{
  "DATA_TYPE": "endpoint_subscription#1.0.0",
  "subscription_id": "2d99530d-3b20-44cb-94d3-61d8f85cd896"
}

Collection (v1.0.0) Properties Document

Common data for both mapped and guest collection documents.

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {}
}

Collection (v1.1.0) Properties Document

Added in API v1.1.0, this adds support for user_message, user_message_link, and conditionally disabling the HTTPS service for managed endpoints.

Name

Type

Description

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

{
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/"
}

Collection (v1.4.0) Properties Document

Added in API v1.7.0, this adds support for require_mfa.

Name

Type

Description

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

{
  "require_mfa": true,
  "force_verify": false
}

Collection (v1.5.0) Properties Document

Added in API v1.8.0, this adds support for disabling anonymous write ACLs.

Name

Type

Description

disable_anonymous_writes

boolean

Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)

{
  "disable_anonymous_writes": false
}
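The constraints stated in the collection property tables above can be checked on a document before it is sent to the GCS Manager. The following Python lint is an added example, not code from Globus; the function name, the endpoint_domain parameter, the sample documents and the "mapped"/"guest" values for collection_type are assumptions.

```python
from urllib.parse import urlparse

MAPPED, GUEST = "mapped", "guest"  # assumed collection_type values


def lint_collection(doc, endpoint_domain, mapped=None):
    """Return "field: problem" findings for a collection input document.

    endpoint_domain is the DNS domain of the endpoint (hypothetical parameter);
    mapped is the related mapped collection document when doc is a guest.
    """
    findings = []
    ctype = doc.get("collection_type")
    high_assurance = bool(doc.get("high_assurance"))

    # display_name: max 128 characters, no new lines.
    name = doc.get("display_name") or ""
    if len(name) > 128 or "\r" in name or "\n" in name:
        findings.append("display_name: over 128 characters or contains a new line")

    # user_message: max length 64; user_message_link: HTTP or HTTPS URL.
    if len(doc.get("user_message") or "") > 64:
        findings.append("user_message: longer than 64 characters")
    link = doc.get("user_message_link")
    if link and urlparse(link).scheme not in ("http", "https"):
        findings.append("user_message_link: not an HTTP or HTTPS URL")

    # domain_name on input: subdomain of the endpoint, label not m- or g-.
    domain = (doc.get("domain_name") or "").lower().rstrip(".")
    if domain:
        if not domain.endswith("." + endpoint_domain.lower().rstrip(".")):
            findings.append("domain_name: not a subdomain of the endpoint")
        elif domain.startswith(("m-", "g-")):
            findings.append("domain_name: label may not start with m- or g-")

    # root_path and collection_base_path must begin with "/".
    for key in ("root_path", "collection_base_path"):
        value = doc.get(key)
        if value is not None and not value.startswith("/"):
            findings.append(f"{key}: must begin with /")

    # default_directory: $HOME and /~/ are only replaced on a mapped
    # collection whose collection_base_path is "/".
    directory = doc.get("default_directory")
    if directory is not None:
        home_form = directory.startswith(("$HOME", "/~/"))
        home_ok = ctype == MAPPED and doc.get("collection_base_path") == "/"
        if home_form and not home_ok:
            findings.append("default_directory: $HOME and /~/ need a mapped "
                            "collection with collection_base_path /")
        elif not home_form and not directory.startswith("/"):
            findings.append("default_directory: must begin with / or $HOME")

    # require_mfa only applies to high assurance storage gateways.
    if doc.get("require_mfa") and not high_assurance:
        findings.append("require_mfa: only applies to high assurance")

    # disable_anonymous_writes: settable only on non high assurance mapped.
    if "disable_anonymous_writes" in doc and (ctype != MAPPED or high_assurance):
        findings.append("disable_anonymous_writes: read-only on this collection")

    # Guest collections inherit limits from the related mapped collection.
    if ctype == GUEST and mapped is not None:
        if doc.get("enable_https") and mapped.get("enable_https") is False:
            findings.append("enable_https: disabled on the mapped collection")
        if mapped.get("force_encryption") and doc.get("force_encryption") is False:
            findings.append("force_encryption: forced by the mapped collection")
        for key in ("user_message", "user_message_link"):
            if key in doc and doc[key] != mapped.get(key):
                findings.append(f"{key}: read-only on guest collections")
    return findings


# Constructed sample documents (not taken from a real endpoint).
MAPPED_DOC = {
    "collection_type": "mapped", "high_assurance": False,
    "display_name": "Project Foo Research Data",
    "collection_base_path": "/", "default_directory": "$HOME/projects",
    "enable_https": False, "force_encryption": True,
}
GUEST_DOC = {
    "collection_type": "guest", "high_assurance": False,
    "display_name": "Foo share\nline two",
    "domain_name": "g-share.123.globus.org",
    "collection_base_path": "/shared", "default_directory": "/~/",
    "enable_https": True, "force_encryption": False,
    "require_mfa": True, "disable_anonymous_writes": False,
}

if __name__ == "__main__":
    for finding in lint_collection(GUEST_DOC, "123.globus.org", MAPPED_DOC):
        print(finding)
```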

BaseCollection 1.0.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

DATA_TYPE

string collection#1.0.0

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "DATA_TYPE": "collection#1.0.0"
}

BaseCollection 1.1.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

DATA_TYPE

string collection#1.1.0

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.1.0"
}

BaseCollection 1.2.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

DATA_TYPE

string collection#1.2.0

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.2.0"
}

BaseCollection 1.4.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

DATA_TYPE

string collection#1.4.0

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "DATA_TYPE": "collection#1.4.0"
}

BaseCollection 1.5.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path.[Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created.[Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory.[Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

disable_anonymous_writes

boolean

Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)

DATA_TYPE

string collection#1.5.0

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "string",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "disable_anonymous_writes": false,
  "DATA_TYPE": "collection#1.5.0"
}
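
The constraints stated in the property descriptions above can be checked before a document is submitted. The following is an added example, not part of the GCS Manager API or any Globus tooling; `lint_collection`, its `endpoint_domain` and `mapped` parameters, and the sample documents are hypothetical, and it reads the default_directory pattern as "starts with / or $HOME/".

```python
from urllib.parse import urlsplit

# Prefixes that are replaced by the user's home directory at access time.
HOME_PREFIXES = ("/~/", "$HOME/")


def lint_collection(doc, endpoint_domain=None, mapped=None):
    """Return (property, message) findings for a collection input document.

    doc             -- dict shaped like the collection documents on this page
    endpoint_domain -- endpoint domain, supplied by the caller (assumption)
    mapped          -- for a guest collection, its related mapped collection
    """
    findings = []
    ctype = doc.get("collection_type")

    name = doc.get("display_name", "")
    if len(name) > 128 or "\r" in name or "\n" in name:
        findings.append(("display_name", "max 128 characters, no \\r or \\n"))

    if len(doc.get("user_message", "")) > 64:
        findings.append(("user_message", "max length is 64 characters"))

    link = doc.get("user_message_link")
    if link is not None and urlsplit(link).scheme.lower() not in ("http", "https"):
        findings.append(("user_message_link", "must be an HTTP or HTTPS URL"))

    domain = doc.get("domain_name")
    if domain is not None and endpoint_domain is not None:
        domain_l = domain.lower().rstrip(".")
        endpoint_l = endpoint_domain.lower().rstrip(".")
        if not domain_l.endswith("." + endpoint_l):
            findings.append(("domain_name", "must be a subdomain of the endpoint"))
        elif domain_l.startswith(("m-", "g-")):
            findings.append(("domain_name", "name label may not start with m- or g-"))

    default_dir = doc.get("default_directory")
    if default_dir is not None:
        if not default_dir.startswith(("/", "$HOME/")):
            findings.append(("default_directory", "must start with / or $HOME/"))
        elif default_dir.startswith(HOME_PREFIXES) and not (
            ctype == "mapped" and doc.get("collection_base_path") == "/"
        ):
            findings.append(("default_directory",
                             "/~/ and $HOME need a mapped collection with collection_base_path /"))

    if doc.get("require_mfa") and not doc.get("high_assurance"):
        findings.append(("require_mfa", "only applies to high assurance storage gateways"))

    # Settings a guest collection inherits limits for from its mapped collection.
    if ctype == "guest" and mapped is not None:
        if mapped.get("force_encryption") and not doc.get("force_encryption"):
            findings.append(("force_encryption",
                             "mapped collection forces encryption, guest must as well"))
        if doc.get("enable_https") and mapped.get("enable_https") is False:
            findings.append(("enable_https",
                             "may not be True when the mapped collection has it False"))
    return findings


# Constructed sample documents (not taken from a real deployment).
MAPPED = {
    "collection_type": "mapped",
    "display_name": "Project Foo Research Data",
    "domain_name": "g-data.123.globus.org",
    "collection_base_path": "/projects",
    "default_directory": "$HOME/incoming",
    "high_assurance": False,
    "require_mfa": True,
    "force_encryption": True,
    "enable_https": False,
    "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
    "user_message_link": "ftp://example.org/maintenance-schedule/",
}
GUEST = {
    "collection_type": "guest",
    "display_name": "Foo shared\nresults",
    "force_encryption": False,
    "enable_https": True,
}

if __name__ == "__main__":
    for prop, msg in lint_collection(MAPPED, endpoint_domain="123.globus.org"):
        print(f"mapped  {prop}: {msg}")
    for prop, msg in lint_collection(GUEST, mapped=MAPPED):
        print(f"guest   {prop}: {msg}")
```
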

Mapped Collection Properties Document

Name

Type

Description

collection_type

mapped

allow_guest_collections

boolean

Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

{
  "collection_type": "mapped",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Mapped Collection 1.2.0 Properties Document

Added in API v1.2.0, this adds support for sharing_users_allow and sharing_users_deny.

Name

Type

Description

sharing_users_allow

array (string)

List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

sharing_users_deny

array (string)

List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

{
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection 1.0.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string mapped

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path.[Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created.[Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory.[Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

DATA_TYPE

string collection#1.0.0

allow_guest_collections

boolean

Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "DATA_TYPE": "collection#1.0.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Mapped Collection 1.1.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string mapped

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path.[Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created.[Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory.[Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

DATA_TYPE

string collection#1.1.0

allow_guest_collections

boolean

Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.1.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Mapped Collection 1.2.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string mapped

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity who acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path.[Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created.[Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory.[Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

DATA_TYPE

string collection#1.2.0

allow_guest_collections

boolean

Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root.[Private]

sharing_users_allow

array (string)

List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

sharing_users_deny

array (string)

List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0)[Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.2.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection 1.4.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string mapped

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

DATA_TYPE

string collection#1.4.0

allow_guest_collections

boolean

Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root. [Private]

sharing_users_allow

array (string)

List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0) [Private]

sharing_users_deny

array (string)

List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0) [Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "DATA_TYPE": "collection#1.4.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}

Mapped Collection 1.5.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string mapped

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

disable_anonymous_writes

boolean

Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)

DATA_TYPE

string collection#1.5.0

allow_guest_collections

boolean

Flag indicating if this Collection allows users to create guest collections on it. This is always false if this is a guest collection. If this is changed to false on a mapped collection with associated guest collections, those collections will no longer be accessible.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. On the mapped collection, these paths are relative to the root_path property of the mapped collection. On a guest collection, they are absolute paths from the storage root. [Private]

sharing_users_allow

array (string)

List of connector-specific usernames allowed to create new guest collections on this mapped collection. (Added in API 1.2.0) [Private]

sharing_users_deny

array (string)

List of connector-specific usernames denied access to create new guest collections on this mapped collection. (Added in API 1.2.0) [Private]

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "disable_anonymous_writes": false,
  "DATA_TYPE": "collection#1.5.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "sharing_users_allow": [
    "user1"
  ],
  "sharing_users_deny": [
    "user2"
  ]
}
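The constraints stated in the field descriptions above (length limits, HTTP/HTTPS-only links, the guest/mapped rules for enable_https and force_encryption) can be checked offline against documents returned by the API. The following Python is an added example, not Globus code: the function names, the "error"/"review" labels and the sample documents are assumptions made here, and it reads disable_anonymous_writes = false as "anonymous write ACLs permitted", following the flag's name.

```python
from urllib.parse import urlparse

# Constructed sample documents (not from a live endpoint); field names follow
# the Mapped Collection 1.5.0 and guest collection schemas on this page.
SAMPLE_MAPPED = {
    "id": "11111111-2222-3333-4444-555555555555",
    "collection_type": "mapped",
    "display_name": "Lab share",
    "high_assurance": False,
    "root_path": "/",
    "collection_base_path": "/",
    "force_encryption": False,
    "disable_verify": True,
    "force_verify": True,
    "enable_https": False,
    "user_message": "x" * 70,
    "user_message_link": "ftp://example.org/notice",
    "require_mfa": True,
    "disable_anonymous_writes": False,
    "allow_guest_collections": True,
    "sharing_users_allow": ["user1", "user2"],
    "sharing_users_deny": ["user2"],
}
SAMPLE_GUEST = {
    "collection_type": "guest",
    "mapped_collection_id": "11111111-2222-3333-4444-555555555555",
    "enable_https": True,
    "force_encryption": False,
    "allow_guest_collections": False,
}


def audit_mapped(doc):
    """Return sorted (severity, field) findings for a mapped collection.

    "error": the value breaks a constraint stated in the schema text.
    "review": the value is permitted but has no effect, is contradictory, or
    widens exposure (a local policy judgement assumed by this example).
    """
    out = set()
    name = doc.get("display_name", "")
    if len(name) > 128 or "\r" in name or "\n" in name:
        out.add(("error", "display_name"))        # max 128 chars, no newlines
    if len(doc.get("user_message") or "") > 64:
        out.add(("error", "user_message"))        # max length 64 characters
    link = doc.get("user_message_link")
    if link and urlparse(link).scheme not in ("http", "https"):
        out.add(("error", "user_message_link"))   # HTTP or HTTPS URL only
    for field in ("root_path", "collection_base_path"):
        if field in doc and not str(doc[field]).startswith("/"):
            out.add(("error", field))             # pattern ^/.*
    if doc.get("require_mfa") and not doc.get("high_assurance"):
        out.add(("review", "require_mfa"))        # only applies to high assurance
    if doc.get("disable_verify") and doc.get("force_verify"):
        out.add(("review", "force_verify"))       # checksums unsupported yet required
    if not doc.get("force_encryption"):
        out.add(("review", "force_encryption"))   # transfers may be unencrypted
    if doc.get("allow_guest_collections"):
        if not doc.get("sharing_restrict_paths"):
            out.add(("review", "sharing_restrict_paths"))  # no path limits on sharing
        if doc.get("disable_anonymous_writes") is False:
            out.add(("review", "disable_anonymous_writes"))
        allow = set(doc.get("sharing_users_allow", []))
        if allow & set(doc.get("sharing_users_deny", [])):
            out.add(("review", "sharing_users_deny"))      # user on both lists
    return sorted(out)


def audit_guest(guest, mapped):
    """Check a guest collection against the rules tying it to its mapped collection."""
    out = set()
    if guest.get("mapped_collection_id") != mapped.get("id"):
        out.add(("error", "mapped_collection_id"))
    if guest.get("enable_https") and not mapped.get("enable_https"):
        out.add(("error", "enable_https"))        # may not be True if mapped is False
    if mapped.get("force_encryption") and not guest.get("force_encryption"):
        out.add(("error", "force_encryption"))    # guests must force encryption too
    if guest.get("allow_guest_collections"):
        out.add(("error", "allow_guest_collections"))  # always false on a guest
    return sorted(out)


if __name__ == "__main__":
    for severity, field in audit_mapped(SAMPLE_MAPPED):
        print(f"mapped {severity:6} {field}")
    for severity, field in audit_guest(SAMPLE_GUEST, SAMPLE_MAPPED):
        print(f"guest  {severity:6} {field}")
```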

Mapped Collection Document

A mapped collection allows access to data for users who have accounts in the storage gateway’s user space (or local account). The collection uses the identity mapping method configured on the storage gateway to map the Globus account of the user accessing the collection to an account in the Storage Gateway’s user space. All accesses to the data on the collection are performed using the local account and (if needed for the storage gateway) the account’s credentials.

Mapped collections can only be created by those with an administrator or owner role on the Endpoint, and can be created against any storage gateway that exists on the endpoint.

In addition, a mapped collection has optional properties to allow users to share data. The properties allow_guest_collections and sharing_restrict_paths configure the sharing option. These options are only allowed on endpoints covered under a subscription.

Globus Connect Server v5.4.18 introduces APIs to manage user-specific sharing path restrictions.

Name

Type

Description

MappedCollection

Mapped Collection One of { Mapped Collection 1.0.0, Mapped Collection 1.1.0, Mapped Collection 1.2.0, Mapped Collection 1.4.0, Mapped Collection 1.5.0 }

A mapped collection allows access to data for users who have accounts in the storage gateway’s user space (or local account). The collection uses the identity mapping method configured on the storage gateway to map the Globus account of the user accessing the collection to an account in the Storage Gateway’s user space. All accesses to the data on the collection are performed using the local account and (if needed for the storage gateway) the account’s credentials.

Mapped collections can only be created by those with an administrator or owner role on the Endpoint, and can be created against any storage gateway that exists on the endpoint.

In addition, a mapped collection has optional properties to allow users to share data. The properties allow_guest_collections and sharing_restrict_paths configure the sharing option. These options are only allowed on endpoints covered under a subscription.

Globus Connect Server v5.4.18 introduces APIs to manage user-specific sharing path restrictions.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "mapped",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {
    "DATA_TYPE": "azure_blob_collection_policies#1.0.0"
  },
  "DATA_TYPE": "collection#1.0.0",
  "allow_guest_collections": true,
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  }
}

Guest Collection Properties Document

Name

Type

Description

collection_type

guest

user_credential_id

string <uuid>

The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.

mapped_collection_id

string <uuid>

Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related to sharing (allow_guest_collections, sharing_restrict_paths) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

policies

One of { BlackPearlCollectionPolicies, object BoxCollectionPolicies, object CephCollectionPolicies, object GoogleDriveCollectionPolicies, object GoogleCloudStorageCollectionPolicies, object HpssCollectionPolicies, IrodsCollectionPolicies, PosixGuestCollectionPolicies, PosixStagingGuestCollectionPolicies, object S3CollectionPolicies, object }

{
  "collection_type": "guest",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185",
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  }
}

Guest Collection 1.0.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string guest

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

DATA_TYPE

string collection#1.0.0

user_credential_id

string <uuid>

The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.

mapped_collection_id

string <uuid>

Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related to sharing (allow_guest_collections, sharing_restrict_paths) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "DATA_TYPE": "collection#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.1.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections that do not have a custom domain, this may be specified as part of the input document to create the collection; otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string guest

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value can not change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection with the same Id as the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

DATA_TYPE

string collection#1.1.0

user_credential_id

string <uuid>

The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.

mapped_collection_id

string <uuid>

Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related to sharing (allow_guest_collections, sharing_restrict_paths) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.1.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.2.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string guest

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value cannot change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection whose ID matches the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

DATA_TYPE

string collection#1.2.0

user_credential_id

string <uuid>

The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.

mapped_collection_id

string <uuid>

Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related to sharing (allow_guest_collections, sharing_restrict_paths) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "DATA_TYPE": "collection#1.2.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.4.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string guest

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value cannot change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection whose ID matches the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

DATA_TYPE

string collection#1.4.0

user_credential_id

string <uuid>

The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.

mapped_collection_id

string <uuid>

Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related to sharing (allow_guest_collections, sharing_restrict_paths) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "DATA_TYPE": "collection#1.4.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection 1.5.0 Document

Name

Type

Description

id

string <uuid>

Unique identifier for this collection. This is assigned by the GCS manager when creating a collection.

manager_url

string <uri>

URL of the GCS Manager API service for the endpoint hosting this collection.

domain_name

string <hostname>

DNS name of the virtual host serving this collection. For mapped collections which do not have a custom domain, this may be specified as part of the input document to create the collection, otherwise this is a read-only property. When included in the input, the name is restricted to be a subdomain of the endpoint, and the input name label may not start with m- or g-.

high_assurance

boolean

Flag indicating if this collection is created on a high assurance Storage Gateway.

https_url

string <uri>

HTTPS URL for the data on this collection.

tlsftp_url

string <uri>

TLSFTP URL for the data on this collection.

collection_type

string guest

Type of collection. A mapped collection requires an account on the system to access the administrator-defined collection. A guest collection allows users to share access to their data on a Storage Gateway by registering a credential with the GCS Manager.

display_name

string

Friendly name for the collection. Unicode string, max 128 characters, no new lines (\r or \n).

connector_id

string <uuid>

Id of the connector type that is used by this collection.

identity_id

string <uuid>

Globus Auth identity that acts as the owner of this collection. This identity is an administrator on the collection.

storage_gateway_id

string <uuid>

Unique ID of the Storage Gateway which this collection provides access to. This value cannot change after the collection is created.

root_path

string ^\\/.*

Absolute root path of the collection. All data access is done relative to this path. [Private]

collection_base_path

string ^\\/.*

Path to be interpreted as the base path when creating a new collection. It is interpreted differently depending on the collection type being created. For a mapped collection, this is an absolute path on the storage system named by the storage_gateway_id. For a guest collection, this is a path relative to the value of the root_path attribute on the mapped collection whose ID matches the mapped_collection_id property. This may not be changed once the collection is created. [Private]

default_directory

string ^(/.*)|($HOME(/.*))

Default directory when accessing the collection. This may include the special string $USER which is evaluated at access time to be the connector-specific username accessing the data.

If the collection is a mapped collection with a collection_base_path value of /, this value can also begin with the values /~/ and $HOME, which are replaced by the user’s home directory, or / if the connector does not support the concept of a home directory. [Private]

public

boolean

Flag indicating whether this collection is visible to other Globus users.

force_encryption

boolean

Flag indicating whether all data transfers to and from this collection are always encrypted.

New in v5.4.17: If a mapped collection forces encryption, all of its guest collections must as well. If this option is used on a mapped collection, the value is propagated to its guest collections.

disable_verify

boolean

Flag indicating that this endpoint does not support computing checksums, needed for the verify_checksum option of transfer.

organization

string

Organization that maintains the collection.

department

string

Department within organization that runs the server(s).

keywords

array (string)

List of search keywords for the collection.

description

string

A description of the endpoint.

contact_email

string <email>

Email address of the support contact for the collection.

contact_info

string

Other non-email contact information for the collection, e.g. phone and mailing address.

info_link

string <uri>

Link to a web page with more information about the endpoint.

authentication_timeout_mins

integer

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.

policies

object

Connector-specific collection policies.

enable_https

boolean

Boolean flag indicating whether this collection should support HTTPS. This value can be set on mapped collections or guest collections. However, it may not be set to True on a guest collection if the value on the related mapped collection is False. (Added in API 1.1.0)

user_message

string

A message for clients to display to users when interacting with this collection, max length 64 characters. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

user_message_link

string <uri>

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an HTTP or HTTPS URL. For guest collections, this property is read-only and is the same as the value of its related mapped collection. (Added in API 1.1.0)

require_mfa

boolean

Flag indicating if the storage_gateway requires multi-factor authentication. Only applies to high assurance storage gateways.

force_verify

boolean

Flag indicating that this endpoint requires computing checksums, needed for the verify_checksum option of transfer.

disable_anonymous_writes

boolean

Flag indicating if guest collections on this mapped collection will allow anonymous write ACLs. This defaults to true for high assurance collections and false for non high assurance collections. This flag can only be set on non high assurance mapped collections and is read-only on all other collection types. (Added in API 1.8.0)

DATA_TYPE

string collection#1.5.0

user_credential_id

string <uuid>

The ID of the User Credential which is used to access data on this collection. This credential must be owned by the collection’s identity_id.

mapped_collection_id

string <uuid>

Unique ID of the Mapped Collection which this guest collection is associated with. This is set on creation and may not be changed. For a Guest Collection, this must be set, and policies related to sharing (allow_guest_collections, sharing_restrict_paths) will always reflect the values in the Mapped Collection definition and may not be changed on this Guest Collection.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {},
  "enable_https": true,
  "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
  "user_message_link": "https://example.org/maintenance-schedule/",
  "require_mfa": true,
  "force_verify": false,
  "disable_anonymous_writes": false,
  "DATA_TYPE": "collection#1.5.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

Guest Collection Document

A guest collection is a collection that uses an existing mapped collection and adds the ability of a user to share access to their data on that collection. All access to the data is performed using the account of the user who created the guest collection. That user can also add entries to an access control list to allow others to access some parts of the guest collection owner’s data.

A guest collection document has additional properties mapped_collection_id and user_credential_id to describe the relationship between the collection and a mapped collection where it was created and the credential used for data access.

Name

Type

Description

GuestCollection

Guest Collection One of { Guest Collection 1.0.0, Guest Collection 1.1.0, Guest Collection 1.2.0, Guest Collection 1.4.0, Guest Collection 1.5.0 }

A guest collection is a collection that uses an existing mapped collection and adds the ability of a user to share access to their data on that collection. All access to the data is performed using the account of the user who created the guest collection. That user can also add entries to an access control list to allow others to access some parts of the guest collection owner’s data.

A guest collection document has additional properties mapped_collection_id and user_credential_id to describe the relationship between the collection and a mapped collection where it was created and the credential used for data access.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  },
  "DATA_TYPE": "collection#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}
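A pre-flight check of a guest collection document against its mapped collection, applying only the constraints stated in the property descriptions above. This is an added example, not Globus code: `check_guest_collection`, the `MAPPED` document and the violation strings are constructed for illustration, and `GUEST` reuses values from the Guest Collection 1.5.0 example document.

```python
import uuid

# Subset of the page's Guest Collection 1.5.0 example document.
GUEST = {
    "collection_type": "guest",
    "display_name": "Project Foo Research Data",
    "force_encryption": False,
    "enable_https": True,
    "user_message": "System maintenance scheduled 10pm-11pm CDT Friday",
    "user_message_link": "https://example.org/maintenance-schedule/",
    "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
    "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185",
}

# Constructed mapped collection document (not from the page).
MAPPED = {
    "id": "14326300-5a33-4387-9bb0-7f85c3dc3185",
    "collection_type": "mapped",
    "force_encryption": False,
    "enable_https": True,
    "user_message": GUEST["user_message"],
    "user_message_link": GUEST["user_message_link"],
}


def _is_uuid(value):
    """True if value parses as a UUID string."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def check_guest_collection(guest, mapped):
    """Return a list of violated rules; an empty list means the document passes."""
    problems = []

    if guest.get("collection_type") != "guest":
        problems.append("collection_type: must be 'guest'")

    # A guest collection must name its mapped collection and user credential.
    for key in ("mapped_collection_id", "user_credential_id"):
        if not _is_uuid(guest.get(key)):
            problems.append(f"{key}: must be set to a UUID")
    if (_is_uuid(guest.get("mapped_collection_id"))
            and guest["mapped_collection_id"] != mapped.get("id")):
        problems.append("mapped_collection_id: does not match the mapped collection id")

    # display_name: max 128 characters, no \r or \n.
    name = guest.get("display_name", "")
    if len(name) > 128 or "\r" in name or "\n" in name:
        problems.append("display_name: over 128 characters or contains a newline")

    # enable_https may not be True on a guest when the mapped value is False.
    if guest.get("enable_https") is True and mapped.get("enable_https") is False:
        problems.append("enable_https: mapped collection has HTTPS disabled")

    # If the mapped collection forces encryption, its guests must as well.
    if mapped.get("force_encryption") is True and guest.get("force_encryption") is not True:
        problems.append("force_encryption: mapped collection forces encryption")

    # user_message and user_message_link are read-only copies of the mapped values.
    for key in ("user_message", "user_message_link"):
        if key in guest and guest[key] != mapped.get(key):
            problems.append(f"{key}: differs from the mapped collection value")

    message = guest.get("user_message")
    if message is not None and len(message) > 64:
        problems.append("user_message: longer than 64 characters")

    link = guest.get("user_message_link")
    if link is not None and not link.startswith(("http://", "https://")):
        problems.append("user_message_link: must be an HTTP or HTTPS URL")

    return problems


if __name__ == "__main__":
    for label, mapped in (("as documented", MAPPED),
                          ("mapped forces encryption", dict(MAPPED, force_encryption=True))):
        print(label, "->", check_guest_collection(GUEST, mapped) or "ok")
```
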

Collection Document

Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS.

A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration on the Data Transfer Nodes to access the collection data. Globus Connect Server version 5 supports two types of collections: mapped and guest.

Name

Type

Description

Collection

anyOf { Guest Collection, Mapped Collection }

Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS.

A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration on the Data Transfer Nodes to access the collection data. Globus Connect Server version 5 supports two types of collections: mapped and guest.

{
  "id": "18d367d5-45cf-4724-a53e-5a685e45c942",
  "manager_url": "https://gcs.data.globus.org/",
  "domain_name": "i-f3c83.123.globus.org",
  "high_assurance": true,
  "https_url": "https://i-f3c83.123.globus.org",
  "tlsftp_url": "tlsftp://i-f3c83.123.globus.org",
  "collection_type": "guest",
  "display_name": "Project Foo Research Data",
  "connector_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c",
  "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "root_path": "/",
  "collection_base_path": "/",
  "default_directory": "/projects",
  "public": true,
  "force_encryption": false,
  "disable_verify": false,
  "organization": "University of Example",
  "department": "Data Science",
  "keywords": [
    "Project Foo",
    "Data Intensive Science"
  ],
  "description": "Information related to the \"Foo\" project.",
  "contact_email": "project-foo@example.edu",
  "contact_info": "+1 (555) 555-1234",
  "info_link": "https://project-foo.example.edu/info",
  "authentication_timeout_mins": 30,
  "policies": {
    "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
  },
  "DATA_TYPE": "collection#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164",
  "mapped_collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185"
}

ExternalIdentityMapping Document

The ExternalIdentityMapping defines the path and arguments of an external program to map an identity to a storage-gateway specific user account name. The specified command will be called to map Globus Auth identity data to a connector-specific list of account names.

Name

Type

Description

DATA_TYPE

string external_identity_mapping#1.0.0

Type of this document

command

array (string)

The mapping command and its command-line arguments. In addition to these arguments, the following will also be passed to the program.

-c CONNECTOR_ID

The ID of the connector that the mapping is being done in the context of.

-s STORAGE_GATEWAY_ID

The ID of the storage gateway that the mapping is being done in the context of.

-a

This option is a flag that indicates that the GCS Manager wants to receive output containing all mappings for the given identity set. If not present, the program will receive exactly one object in the identities array and may only return a single mapping for that identity.

{
  "DATA_TYPE": "external_identity_mapping#1.0.0",
  "command": [
    "/opt/globus/bin/python",
    "/opt/globus/map-globus-identity-data"
  ]
}

ExpressionIdentityMapping Document

The ExpressionIdentityMapping defines a set of identity mapping expressions to map Globus Auth identity data to a connector-specific list of account names.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string expression_identity_mapping#1.0.0 | Type of this document |
| mappings | array (object) ( MappingExpression ) | Array of expression-based identity mapping values. |

{
  "DATA_TYPE": "expression_identity_mapping#1.0.0",
  "mappings": [
    {
      "source": "{username}",
      "match": "(.*)@globus\\.org",
      "output": "{0}",
      "ignore_case": false,
      "literal": false
    }
  ]
}

MappingExpression Document

The MappingExpression document type contains information about a mapping expression, including the input, match, output, and flags used to process this expression.

| Name | Type | Description |
| --- | --- | --- |
| source | string | A string comprised of text plus identity set data field names surrounded by curly brackets {} which are interpolated into the text. |
| match | string <regex> | An expression applied to the string produced by interpolating source, used to determine whether this mapping applies. The expression must match the full string. |
| output | string | A string representing the result of the mapping if the match succeeded. References to the original identity_set data can be interpolated as in the source property. References to match groups from the match property can be interpolated with numbers (indices starting with 0) surrounded by curly brackets {}. |
| ignore_case | boolean | Flag indicating the match should be executed as a case-insensitive comparison. If not present, this defaults to false. |
| literal | boolean | Flag indicating the match expression should be treated as a literal match, ignoring any special regular expression characters. If not present, this defaults to false. |

{
  "source": "{username}",
  "match": "(.*)@globus\\.org",
  "output": "{0}",
  "ignore_case": false,
  "literal": false
}
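The following is an added example, not Globus Connect Server code: a small evaluator for the MappingExpression semantics described above (source interpolation, full-string match, numbered group references, and the ignore_case and literal flags), useful for checking a rule set against sample identities before deploying it. It assumes that `{0}` denotes the first capture group, as the page's example implies, and that Python's `re` dialect is close enough for the patterns being tested; the function names and sample identities are constructed for illustration.

```python
import re

# {field} refers to identity data; {0}, {1}, ... refer to capture groups.
_PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*|\d+)\}")


def interpolate(template, identity, groups=()):
    """Fill {field} from identity data and {N} from capture groups.

    Returns None if any referenced field or group is missing, so a rule
    never produces a half-built account name.
    """
    missing = False

    def repl(m):
        nonlocal missing
        key = m.group(1)
        if key.isdigit():
            idx = int(key)
            # ASSUMPTION: {0} is the first capture group, as implied by the
            # page's example ("(.*)@globus\\.org" with output "{0}").
            if idx < len(groups) and groups[idx] is not None:
                return groups[idx]
        elif isinstance(identity.get(key), str):
            return identity[key]
        missing = True
        return ""

    result = _PLACEHOLDER.sub(repl, template)
    return None if missing else result


def apply_mapping(expr, identity):
    """Evaluate one MappingExpression; return the account name or None."""
    source = interpolate(expr["source"], identity)
    if source is None:
        return None
    pattern = expr["match"]
    if expr.get("literal", False):
        pattern = re.escape(pattern)      # no regex metacharacters apply
    flags = re.IGNORECASE if expr.get("ignore_case", False) else 0
    # The page requires a full string match, so use fullmatch, not search.
    m = re.fullmatch(pattern, source, flags)
    if m is None:
        return None
    return interpolate(expr["output"], identity, m.groups())


def map_identity(doc, identity):
    """Apply every expression in an ExpressionIdentityMapping document.

    Returns the distinct, non-empty account names in rule order.
    """
    names = []
    for expr in doc["mappings"]:
        name = apply_mapping(expr, identity)
        if name and name not in names:
            names.append(name)
    return names


# The ExpressionIdentityMapping example from this page (JSON "\\." is "\.").
PAGE_DOC = {
    "DATA_TYPE": "expression_identity_mapping#1.0.0",
    "mappings": [
        {"source": "{username}", "match": r"(.*)@globus\.org",
         "output": "{0}", "ignore_case": False, "literal": False}
    ],
}

# Constructed rule: with literal set, "." matches only a real dot.
LITERAL_RULE = {"source": "{username}", "match": "a.b@example.edu",
                "output": "ab", "literal": True}

if __name__ == "__main__":
    # Constructed sample identities.
    for username in ("alice@globus.org",
                     "alice@globus.org.example.net",  # suffix: no full match
                     "Bob@GLOBUS.ORG"):               # case differs
        print(username, "->", map_identity(PAGE_DOC, {"username": username}))
```

Because the match must cover the whole interpolated string, a username that merely contains `@globus.org` followed by another suffix does not map to an account.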

IdentityMapping Document

Globus Connect Server provides two ways for you to implement a custom Globus identity to account mapping: expression-based and external program.

With expression-based mapping you can write rules that extract data from fields in the Globus identity document to form storage gateway-specific usernames. If there is a regular relationship between most of your users' identity information and their account names, this is probably the most direct way to accomplish the mapping.

With external program mappings you can use any mechanism you like (static mapping, LDAP, database, etc.) to look up account information and return the mapped account user name. If you have an account system that has usernames without a simple relationship to your users' Globus identities, or that requires interfacing with an accounting system, this may be necessary.

Name

Type

Description

IdentityMapping

IdentityMapping One of { object ExternalIdentityMapping, object ExpressionIdentityMapping, object }

{
  "DATA_TYPE": "external_identity_mapping#1.0.0",
  "command": [
    "/opt/globus/bin/python",
    "/opt/globus/map-globus-identity-data"
  ]
}

AuthenticationTimeout (v1.0.0) Properties Document

Name

Type

Description

identities

array (string)

List of identities that would have otherwise been authorized except that the authentication has timed out.

high_assurance

boolean

Boolean flag indicating whether the new authentication must be done within the same auth session as the application making the request.

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true
}

AuthenticationTimeout (v1.1.0) Properties Document

Name

Type

Description

require_mfa

boolean

Flag indicating that multi-factor authentication is required. Only occurs on high assurance storage gateways.

{
  "require_mfa": true
}

AuthenticationTimeout 1.0.0 Document

Name

Type

Description

identities

array (string)

List of identities that would have otherwise been authorized except that the authentication has timed out.

high_assurance

boolean

Boolean flag indicating whether the new authentication must be done within the same auth session as the application making the request.

DATA_TYPE

string authentication_timeout#1.0.0

Type of this document

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true,
  "DATA_TYPE": "authentication_timeout#1.0.0"
}

AuthenticationTimeout 1.1.0 Document

Name

Type

Description

identities

array (string)

List of identities that would have otherwise been authorized except that the authentication has timed out.

high_assurance

boolean

Boolean flag indicating whether the new authentication must be done within the same auth session as the application making the request.

require_mfa

boolean

Flag indicating that multi-factor authentication is required. Only occurs on high assurance storage gateways.

DATA_TYPE

string authentication_timeout#1.1.0

Type of this document

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true,
  "require_mfa": true,
  "DATA_TYPE": "authentication_timeout#1.1.0"
}

AuthenticationTimeout Document

Error details when a user must reauthenticate an identity in order to perform this operation.

Name

Type

Description

AuthenticationTimeout

AuthenticationTimeout One of { AuthenticationTimeout 1.0.0, AuthenticationTimeout 1.1.0 }

{
  "identities": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ],
  "high_assurance": true,
  "DATA_TYPE": "authentication_timeout#1.0.0"
}

ResourceConflict Document

Error details when the caller has attempted to update an object that results in a conflict with some other object.

Name

Type

Description

DATA_TYPE

string resource_conflict#1.0.0

Type of this document

resources

array (string)

List of other resources which conflict with this proposed change.

{
  "DATA_TYPE": "resource_conflict#1.0.0",
  "resources": [
    "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
  ]
}

CredentialNotFound Document

Error details when a user has attempted to use a credential when creating a collection or logging in, but there are multiple mapped identities and none of them have a valid credential.

Name

Type

Description

DATA_TYPE

string credential_not_found#1.0.0

Type of this document

accounts

array ( Account )

List of available accounts that do not have credentials registered.

{
  "DATA_TYPE": "credential_not_found#1.0.0",
  "accounts": [
    {
      "DATA_TYPE": "account#1.0.0",
      "username": "testuser",
      "storage_gateway_id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
      "identity_id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
    }
  ]
}

IdNotInIdentitySet Document

Error details when a user has authenticated but has requested to act as an identity not in the current identity set.

Name

Type

Description

DATA_TYPE

string id_not_in_identity_set#1.0.0

Type of this document

id

string

Requested identity ID.

{
  "DATA_TYPE": "id_not_in_identity_set#1.0.0",
  "id": "c8b7ab5c-595c-43c9-8e43-9e8a3debfe4c"
}

LimitExceeded Document

Error details when a user would be authorized, but the endpoint has reached a hard resource limit on the type of object being created.

Name

Type

Description

DATA_TYPE

string limit_exceeded#1.0.0

Type of this document

{
  "DATA_TYPE": "limit_exceeded#1.0.0"
}

MissingRequiredRole Document

Error details when a user has authenticated but lacks a role to be able to perform the requested operation.

Name

Type

Description

DATA_TYPE

string missing_required_role#1.0.0

Type of this document

roles

array (object)

{
  "DATA_TYPE": "missing_required_role#1.0.0",
  "roles": [
    {
      "role": "administrator",
      "collection": "18d367d5-45cf-4724-a53e-5a685e45c942"
    }
  ]
}

MissingRequiredScopes Document

Error details when a user has authenticated but lacks an OAuth scope to be able to perform the requested operation.

Name

Type

Description

DATA_TYPE

string missing_required_scopes#1.0.0

Type of this document

required_scopes

array (string)

{
  "DATA_TYPE": "missing_required_scopes#1.0.0",
  "required_scopes": [
    "https://auth.globus.org/scopes/7f862724-3cb1-4006-8744-d71bc8acf518/data_access"
  ]
}

NotFromAllowedDomain Document

Error details when a user has authenticated but does not have an identity from the required domain to perform the requested action.

Name

Type

Description

DATA_TYPE

string not_from_allowed_domain#1.0.0

Type of this document

allowed_domains

array (string)

{
  "DATA_TYPE": "not_from_allowed_domain#1.0.0",
  "allowed_domains": [
    "example.edu",
    "example.org"
  ]
}

NotResourceOwner Document

Error details when a user has authenticated but is not the owner of the resource being acted upon.

Name

Type

Description

DATA_TYPE

string not_resource_owner#1.0.0

Type of this document

id

string <uuid>

Identity ID of the owner of the resource.

{
  "DATA_TYPE": "not_resource_owner#1.0.0",
  "id": "d65768d9-f00a-4921-93be-a16c8f20200d"
}

InvalidInput Document

Error details when the caller has sent an invalid input document.

Name

Type

Description

DATA_TYPE

string invalid_input#1.0.0

Type of this document

errors

array (object)

Optional list of input schema violations, such as missing or unknown properties, or properties with invalid values.

{
  "DATA_TYPE": "invalid_input#1.0.0",
  "errors": [
    {
      "message": "Missing data for required field.",
      "property": "authentication_timeout_mins"
    }
  ]
}

InvalidCredential Document

Error details when the caller’s identity maps to an account with a user credential that is in an invalid state.

Name

Type

Description

DATA_TYPE

string invalid_credential#1.0.0

Type of this document

user_credential_id

string <uuid>

The ID of the User Credential which needs to be fixed before this resource can be accessed.

{
  "DATA_TYPE": "invalid_credential#1.0.0",
  "user_credential_id": "1ce95432-73c7-4060-8fb2-5d61d627f164"
}

InvalidUser Document

Error details when the caller’s identity does not map to valid local account.

Name

Type

Description

DATA_TYPE

string invalid_user#1.0.0

Type of this document

usernames

array (string)

{
  "DATA_TYPE": "invalid_user#1.0.0",
  "usernames": [
    "username@example.edu"
  ]
}

SubscriptionRequired Document

Error details when the caller has attempted to access a feature not supported by the endpoint’s subscription.

Name

Type

Description

DATA_TYPE

string subscription_required#1.0.0

Type of this document

subscription_level

string

Level of subscription required for this feature.

add_ons

array (string)

Subscription add-ons required for this feature.

{
  "DATA_TYPE": "subscription_required#1.0.0",
  "subscription_level": "standard",
  "add_ons": [
    "Google Drive"
  ]
}

Domain Properties Document

Base Domain

Name

Type

Description

DATA_TYPE

string

Type of this document

domain_name

string

DNS Domain name.

wildcard

boolean

Flag indicating whether this is a wildcard domain or not.

When setting a custom domain for an endpoint, a wildcard domain must be used.

When setting a custom domain for a mapped collection, the domain may optionally be a wildcard domain. If it is a wildcard domain, the guest collections will be created as subdomains of the mapped collection domain; if not, guest collections will be created as subdomains of the endpoint domain.

{
  "DATA_TYPE": "string",
  "domain_name": "custom.domain.org",
  "wildcard": true
}

Managed Domain 1.0.0 Properties Document

Name

Type

Description

certificate

string ^(.*\\n)?-----BEGIN CERTIFICATE-----.*

PEM-Encoded X.509 certificate for this domain.

certificate_chain

string ^(.*\\n)?-----BEGIN CERTIFICATE-----.*

PEM-Encoded X.509 certificate chain for this domain. Only needed if there are intermediate certificates that must also be sent to clients to allow them to verify the certificate.

private_key

string ^(.*\\n)?-----BEGIN PRIVATE KEY-----.*

PEM-Encoded private key for the certificate.

{
  "certificate": "string",
  "certificate_chain": "string",
  "private_key": "string"
}

Unmanaged Domain 1.0.0 Properties Document

Name

Type

Description

certificate_path

string ^/.*

Path to a file containing the X.509 certificate for this domain. This file path must contain a valid certificate and be present on each data transfer node.

certificate_chain_path

string ^/.*

Path to a file containing the X.509 certificate chain for this domain. This file path must contain a sequence of valid certificates and be present on each data transfer node.

private_key_path

string ^/.*

Path to a file containing the private key for this domain. This file path must contain a valid key and be present on each data transfer node.

{
  "certificate_path": "string",
  "certificate_chain_path": "string",
  "private_key_path": "string"
}

Managed domain 1.0.0 Document

Custom managed domain

Name

Type

Description

DATA_TYPE

domain#1.0.0

domain_name

string

DNS Domain name.

wildcard

boolean

Flag indicating whether this is a wildcard domain or not.

When setting a custom domain for an endpoint, a wildcard domain must be used.

When setting a custom domain for a mapped collection, the domain may optionally be a wildcard domain. If it is a wildcard domain, the guest collections will be created as subdomains of the mapped collection domain; if not, guest collections will be created as subdomains of the endpoint domain.

certificate

string ^(.*\\n)?-----BEGIN CERTIFICATE-----.*

PEM-Encoded X.509 certificate for this domain.

certificate_chain

string ^(.*\\n)?-----BEGIN CERTIFICATE-----.*

PEM-Encoded X.509 certificate chain for this domain. Only needed if there are intermediate certificates that must also be sent to clients to allow them to verify the certificate.

private_key

string ^(.*\\n)?-----BEGIN PRIVATE KEY-----.*

PEM-Encoded private key for the certificate.

{
  "DATA_TYPE": "domain#1.0.0",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate": "string",
  "certificate_chain": "string",
  "private_key": "string"
}

Unmanaged domain 1.0.0 Document

Custom unmanaged domain

Name

Type

Description

DATA_TYPE

domain#1.0.0

domain_name

string

DNS Domain name.

wildcard

boolean

Flag indicating whether this is a wildcard domain or not.

When setting a custom domain for an endpoint, a wildcard domain must be used.

When setting a custom domain for a mapped collection, the domain may optionally be a wildcard domain. If it is a wildcard domain, the guest collections will be created as subdomains of the mapped collection domain; if not, guest collections will be created as subdomains of the endpoint domain.

certificate_path

string ^/.*

Path to a file containing the X.509 certificate for this domain. This file path must contain a valid certificate and be present on each data transfer node.

certificate_chain_path

string ^/.*

Path to a file containing the X.509 certificate chain for this domain. This file path must contain a sequence of valid certificates and be present on each data transfer node.

private_key_path

string ^/.*

Path to a file containing the private key for this domain. This file path must contain a valid key and be present on each data transfer node.

{
  "DATA_TYPE": "domain#1.0.0",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate_path": "string",
  "certificate_chain_path": "string",
  "private_key_path": "string"
}

Domain 1.0.0 Document

Custom domain definition.

Name

Type

Description

Domain_1_0_0

Domain 1.0.0 One of { object Managed domain 1.0.0, object Unmanaged domain 1.0.0 }

{
  "DATA_TYPE": "string",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate": "string",
  "certificate_chain": "string",
  "private_key": "string"
}

Domain Document

Custom domain definition.

Name

Type

Description

Domain

Domain One of { object Domain 1.0.0 }

{
  "DATA_TYPE": "domain#1.0.0",
  "domain_name": "custom.domain.org",
  "wildcard": true,
  "certificate_path": "/etc/grid-security/endpoint_cert.pem",
  "private_key_path": "/etc/grid-security/endpoint_key.pem"
}

AzureBlobStoragePolicies Document

This type describes the public and private policies for an Azure Blob Storage Gateway.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string azure_blob_storage_policies#1.0.0 | Type of this document |
| client_id | string | Client ID registered with the Azure console to access Azure Blob. [Private] |
| secret | string | Secret created in the Azure console to access Azure Blob with the client_id in this policy. [Private] |
| tenant | string | Tenant ID of the Microsoft organization. [Private] |
| auth_type | string | The method of authentication to Azure. 'user' prompts the user to log in to their Microsoft account via an OAuth2 flow. 'service_principal' uses the configured client_id and client_secret values to authenticate as an Azure service principal. |
| account | string | Azure Storage account to access with this storage gateway. [Private] |
| adls | boolean | Flag indicating the Azure storage account has enabled Azure Data Lake Gen2 hierarchical namespace support. [Private] |
| auth_callback | string <uri> | URL of the auth callback that must be registered on the Azure console for the application client_id in order to process Microsoft credentials. |

{
  "DATA_TYPE": "azure_blob_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "tenant": "string",
  "auth_type": "string",
  "account": "string",
  "adls": true,
  "auth_callback": "https://example.globus.org/api/v1/authcallback"
}

AzureBlobCollectionPolicies Document

The AzureBlobCollectionPolicies document describes Azure Blob-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string azure_blob_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "azure_blob_collection_policies#1.0.0"
}

AzureBlobUserCredentialPolicies Document

The AzureBlobUserCredentialPolicies document describes the Azure Blob-specific policy information included in a UserCredential. This document contains read-only data about the user’s credentials.

Name

Type

Description

DATA_TYPE

string azure_blob_user_credential_policies#1.0.0

Type of this document

sub

string

OAuth subject identifier claim.

email

string <email>

OAuth email claim.

access_token

string

OAuth access token.

refresh_token

string

OAuth refresh token.

scopes

array (string)

OAuth scopes associated with this access token.

token_expiry

string <date-time>

OAuth access token expiration time.

{
  "DATA_TYPE": "azure_blob_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "openid",
    "email",
    "profile",
    "offline_access",
    "user_impersonation"
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

BlackPearlStoragePolicies Document

The BlackPearlStoragePolicies document describes Black Pearl-specific policies. This document contains policies to locate the Black Pearl S3 endpoint and map account names to API keys.

Name

Type

Description

DATA_TYPE

string blackpearl_storage_policies#1.0.0

Type of this document

s3_endpoint

string <uri>

The URL of the S3 endpoint of the BlackPearl appliance to use to access collections on this Storage Gateway.

bp_access_id_file

string

Path to the file which provides mappings from usernames within the configured identity domain to the ID and secret associated with the user’s BlackPearl account

{
  "DATA_TYPE": "blackpearl_storage_policies#1.0.0",
  "s3_endpoint": "http://blackpearl.example.org:8080",
  "bp_access_id_file": "/etc/blackpearl/access-id-file"
}

BlackPearlCollectionPolicies Document

The BlackPearlCollectionPolicies document describes Black Pearl-specific policies. Currently this document contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string blackpearl_collection_policies#1.0.0

{
  "DATA_TYPE": "blackpearl_collection_policies#1.0.0"
}

BlackPearlUserCredentialPolicies Document

The BlackPearlUserCredentialPolicies document describes Black Pearl-specific policies. Currently this document contains read-only information about the access_id and key associated with an account.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string blackpearl_user_credential_policies#1.0.0 | |
| access_id | string | BlackPearl access ID |
| secret_key | string | BlackPearl secret key [Private] |

{
  "DATA_TYPE": "blackpearl_user_credential_policies#1.0.0",
  "access_id": "amFzb25hbHQ=",
  "secret_key": "K9YxrEaj"
}

BoxStoragePolicies Document

The BoxStoragePolicies document describes box-specific configuration policies. These contain data needed to interact with the Box service via its API.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string box_storage_policies#1.0.0 | Type of this document |
| enterpriseID | string | Identifies which Box Enterprise this Storage Gateway is authorized access to. [Private] |
| boxAppSettings | object | Values that the Storage Gateway uses to identify and authenticate with the Box API. [Private] |

{
  "DATA_TYPE": "box_storage_policies#1.0.0",
  "enterpriseID": "123456",
  "boxAppSettings": {
    "clientID": "pahZae7RaiX8thooOu2ooquo",
    "clientSecret": "ahNgik3uveiW4uiZYuquee3IFune6goo",
    "appAuth": {
      "publicKeyID": "xa6Ecas0",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQItFqhI7c+9m0CAggA\nMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBollBX+MTwIorhEBGMAGUYBIIE\n0PyvnRMb3diA+wB1GIJqLzBk4KqyKcWbP4NukwxWYvr8ZmC5MuaZQKsC0YqjZNMw\niTYaOUmjoA6HQYJr+Yt7wuU9g07N2isl+RnlZEUSrTUYVMu1NLb7A4zkCKFlV/dC\nTSb3IED//ne+i3+oaQImrO86ppGcNoaYmx4kCf9o9Etre040a7lLNQs9SB5ukHMZ\nfXGb1X5n0jXCqfJ4SYcSefK3fOVawbIg0ocMg99TZaBWvWb0C3w/+cn8MqT5FmOW\ncqMZSHtqq8/DdfNpfA7CLd6e5st2yKEnbYma2m7HR+SsCAhhOYligiMlwGCKw/JT\nYmKIB2wRu54dJOdvZVF/7kJkw5igooGxrBKXmlxVO+2TDs8fjx7F42W00XoOLTIy\nGGabLkAPQXOO5XOJsMaX/A3u9YUezoG7BZKsuPHlIxsJjylJqM0uA1nUObRxI77W\nyWEz1aHvDnEEvF/rBrNGV8ARiTNo02AKtvMLiW8H4d+G+8tlwCUB8CAkgOXwQpP5\nnqeibn4Y88GqE1z2EF7YGTjrTre/qvPJOIvYDYVONmc9DblitOMLerQdodgNC+3q\nrTDxPET9xGJ2Gg+TYWXYiEkQJMotpWR+zDB0uJVsBqfAVFvn6WFa8hp1m4Il2vNK\nCSFi8yUegK3vJiw1ZFUx42v9m8nyTiVJ/LvZYVkr2SxjI4mk2jCEP7YctTpT2Fpd\nYCXe6LGxzIh1QcEsz6ETaBtcQ2ZGoZYqURIoH3OoJ+Bqp2tsK8E/JJ5A5rSWRfeb\nssIG62iy/nDseq9sp1J5LfdOE45k5AQ0+48Box+b/j1Gdn30ckT+ffjO2HwGwAbG\nNpwgC/yJ8xyrgHGlRRULeu2zRndCcSsrRr0l9hYPiD4+JYPvaVPNf1O/Ry/OIFQZ\n+0VeWEHOziS4sheMTp6rof68zdND9NabhrUL/bjMnu6jZxFfLjj8ecVIq4TNoPRL\nHfnIEYb8z2bfMzv3raOa49Z6hgbkrQwmt/aAwp2tk9gx7FmIWghS4EktgXKYaYiG\ndPJWWnFSXOSYveF5otryISbwqZU4EDsPk8S/Yd9VTF9t/YxWpMGfsP/UKWILR3Lq\nF86JpuKgSB8eMrKDX4zTxgOqpPFaoxQYcQcM1X8BaYlfnHTtOS9gDYXyfVbxmnu9\nXTOjPdwI+enqWYADZ0HDsEghujxFOQKtefBq0isgzvMNmIB/II/09eCSPqk38oKO\nDIVPVrYqB1FtGMINDzyljCI5q9Z1Duw+9M0IYCv4k1v0fVsowNHfTGc1PcMHGZXs\nudejICJ02UZjvhW9GCE0Gswk1Td64f8afqDYvXviCI3545HZy3UZqMGNNT7nx2zY\n9Vih8pl0027MXj1IScCuC90YZr0TyhpfZadfQJB27Bh8bBaS+Jal3+vfgXTNwXLm\nTGN9EdRKaSZS7CFAmgwDEQ1wkO5v0yvOBWVgw9QcFigu9y7hPAGu91bDb8t5EEMR\nsIklo0H7U2yx2eiEB5aFbb6ufKC4+WShDvYkSEhpalqUL7wplV7lR4ZyuwLa4PG/\nShgYXEgibyksa7ggI7wJwe85laWkycrOn5/lvRUNrvSvDoQJlMsQD5h/Bscvw1K8\nNWXaierPdI1GtR0zWujxbVi29fafqwJSP6V3dTSLLbAI\n-----END ENCRYPTED PRIVATE KEY-----",
      "passphrase": "Aip4eengaeQuoib2Eme3thei"
    }
  }
}

BoxCollectionPolicies Document

The BoxCollectionPolicies document describes box-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string box_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "box_collection_policies#1.0.0"
}

BoxUserCredentialPolicies Document

The BoxUserCredentialPolicies document describes box-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string box_user_credential_policies#1.0.0

{
  "DATA_TYPE": "box_user_credential_policies#1.0.0"
}

CephStoragePolicies Document

The CephStoragePolicies document describes ceph-specific configuration policies. These policies contain information about how to contact the Ceph storage API and also restrictions on which Ceph buckets are available for access via this storage gateway.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string ceph_storage_policies#1.0.0 | Type of this document |
| s3_endpoint | string <uri> | URL of the S3 API endpoint |
| s3_buckets | array (string) | List of buckets not owned by the collection owner that will be shown in the root of collections created at the base of this Storage Gateway. |
| ceph_admin_key_id | string | Administrator key id used to authenticate with the ceph admin service to obtain user credentials. [Private] |
| ceph_admin_secret_key | string | Administrator secret key used to authenticate with the ceph admin service to obtain user credentials. [Private] |

{
  "DATA_TYPE": "ceph_storage_policies#1.0.0",
  "s3_endpoint": "https://s3.amazonaws.com",
  "s3_buckets": [
    "publicbucket1"
  ],
  "ceph_admin_key_id": "string",
  "ceph_admin_secret_key": "string"
}

CephCollectionPolicies Document

The CephCollectionPolicies document describes ceph-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string ceph_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "ceph_collection_policies#1.0.0"
}

CephUserCredentialPolicies Document

The CephUserCredentialPolicies document describes ceph-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string ceph_user_credential_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "ceph_user_credential_policies#1.0.0"
}

GoogleCloudStorageProject Document

A Google Cloud Platform project resource.

Name

Type

Description

projectId

string

Google-issued id of a Google Cloud Platform project.

name

string

The name of the project.

{
  "projectId": "strawberry-delta-129193",
  "name": "Globus Data Project"
}

GoogleCloudStoragePolicies Document

This type describes the public and private policies for a Google Cloud Storage Gateway.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string google_cloud_storage_policies#1.0.0 | Type of this document |
| client_id | string | Client ID registered with the Google Application console to access Google Cloud Storage. [Private] |
| secret | string | Secret created to access Google Cloud Storage with the client_id in this policy. [Private] |
| service_account_key | object | Service account key to use when authenticating all storage access. [Private] |
| buckets | array (string) | The list of Google Cloud Storage buckets which the Storage Gateway is allowed to access, as well as the list of buckets that will be shown in root level directory listings. If this list is unset, bucket access is unrestricted and all non public credential accessible buckets will be shown in root level directory listings. The value is a list of bucket names. |
| auth_callback | string <uri> | URL of the auth callback that must be registered on the Google API console for the application client_id in order to process Google credentials. |
| projects | array (string) | The list of Google Cloud Storage project ids which the Storage Gateway is allowed to access. If this list is unset, project access is unrestricted. The value is a list of project id strings. |

{
  "DATA_TYPE": "google_cloud_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "service_account_key": {},
  "buckets": [
    "string"
  ],
  "auth_callback": "https://example.globus.org/api/v1/authcallback_google",
  "projects": [
    "strawberry-delta-129193"
  ]
}

GoogleCloudStorageCollectionPolicies Document

The GoogleCloudStorageCollectionPolicies document describes google-specific policies for a collection.

Name

Type

Description

DATA_TYPE

string google_cloud_storage_collection_policies#1.0.0

Type of this document

project

string

Google Cloud Platform project ID value that is associated with this collection.

{
  "DATA_TYPE": "google_cloud_storage_collection_policies#1.0.0",
  "project": "strawberry-delta-129193"
}

GoogleCloudStorageUserCredentialPolicies Document

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string google_cloud_storage_user_credential_policies#1.0.0 | Type of this document |
| sub | string | OpenID Connect subject property of this credential. [read-only] |
| email | string <email> | OpenID Connect email property of this credential. [read-only] |
| access_token | string | Access token to interact with the Google Cloud Storage API. [read-only] [Private] |
| refresh_token | string | Refresh token to generate new access tokens to use with the Google Cloud Storage API. [read-only] [Private] |
| scopes | array (string) | List of OAuth 2 scopes associated with the tokens in this credential. [read-only] |
| projects | array ( GoogleCloudStorageProject ) | List of Google Cloud Platform projects available for use with this credential. [read-only] |
| token_expiry | string <date-time> | Time when the access token expires. [read-only] |

{
  "DATA_TYPE": "google_cloud_storage_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "string"
  ],
  "projects": [
    {
      "projectId": "strawberry-delta-129193",
      "name": "Globus Data Project"
    }
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

GoogleDriveStoragePolicies Document

This type describes the public and private policies for a Google Drive Storage Gateway.

| Name | Type | Description |
| --- | --- | --- |
| DATA_TYPE | string google_drive_storage_policies#1.0.0 | Type of this document |
| client_id | string | Client ID registered with the Google Application console to access Google Drive. [Private] |
| secret | string | Secret created to access Google Drive with the client_id in this policy. [Private] |
| user_api_rate_quota | integer | User API Rate quota associated with this client ID. [Private] |
| auth_callback | string <uri> | URL of the auth callback that must be registered on the Google API console for the application client_id in order to process Google credentials. |

{
  "DATA_TYPE": "google_drive_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "user_api_rate_quota": 1000,
  "auth_callback": "https://example.globus.org/api/v1/authcallback_google"
}

GoogleDriveCollectionPolicies Document

The GoogleDriveCollectionPolicies document describes Google Drive-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string google_drive_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "google_drive_collection_policies#1.0.0"
}

GoogleDriveUserCredentialPolicies Document

The GoogleDriveUserCredentialPolicies document describes the google-specific policy information included in a UserCredential. This document contains read-only data about the user’s Google OAuth tokens.

Name

Type

Description

DATA_TYPE

string google_drive_user_credential_policies#1.0.0

Type of this document

sub

string

OAuth subject identifier claim.

email

string <email>

OAuth email claim.

access_token

string

OAuth access token.

refresh_token

string

OAuth refresh token.

scopes

array (string)

OAuth scopes associated with this access token.

token_expiry

string <date-time>

OAuth access token expiration time.

{
  "DATA_TYPE": "google_drive_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "email",
    "profile",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.appfolder"
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

HpssStoragePolicies Document

This type describes the public and private policies for an HPSS Storage Gateway.

Name

Type

Description

DATA_TYPE

string hpss_storage_policies#1.0.0

Type of this document

authentication_mech

string unix, krb5

Defines the type of authentication the connector will perform when logging into HPSS.

authenticator

string ^(auth_keyfile|auth_keytab):/.*$

Authenticator used with --authentication-mech to perform authentication to HPSS. Format is: "<auth_type>:<auth_file>" where <auth_type> is one of "auth_keytab" or "auth_keyfile". For example, "auth_keytab:/var/hpss/etc/gridftp.keytab".[Private]

uda_checksum

boolean

Flag that indicates if checksums should be stored within UDAs so that sync-by-checksum transfers can verify the file without staging the file from tape.

{
  "DATA_TYPE": "hpss_storage_policies#1.0.0",
  "authentication_mech": "unix",
  "authenticator": "string",
  "uda_checksum": true
}

HpssCollectionPolicies Document

The HpssCollectionPolicies document describes HPSS-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string hpss_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "hpss_collection_policies#1.0.0"
}

HpssUserCredentialPolicies Document

The HpssUserCredentialPolicies document describes the HPSS-specific policy information included in a UserCredential. This document contains read-only data about the user’s credentials.

Name

Type

Description

DATA_TYPE

string hpss_user_credential_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "hpss_user_credential_policies#1.0.0"
}

IrodsStoragePolicies Document

This document contains one of the versioned iRODS specific storage gateway policies.

Name

Type

Description

IrodsStoragePolicies

IrodsStoragePolicies One of { IrodsStoragePolicies 1.0.0 }

This document contains one of the versioned iRODS specific storage gateway policies.

{
  "irods_environment_file": "/var/irods/irods_environment.json",
  "irods_authentication_file": "/var/irods/.irodsA",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ],
  "DATA_TYPE": "irods_storage_policies#1.0.0"
}

IrodsStoragePolicies 1.0.0 Document

This document contains version 1.0.0 of the iRODS storage gateway policies with an explicit DATA_TYPE value.

Name

Type

Description

irods_environment_file

string

Path to the iRODS environment file.[Private]

irods_authentication_file

string

Path to the iRODS authentication file.[Private]

environment

array (object)

Variables to set in the iRODS client environment.[Private]

DATA_TYPE

string irods_storage_policies#1.0.0

Type of this document

{
  "irods_environment_file": "/var/irods/irods_environment.json",
  "irods_authentication_file": "/var/irods/.irodsA",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ],
  "DATA_TYPE": "irods_storage_policies#1.0.0"
}

IrodsStoragePolicies_1_0_0_Properties Document

The IrodsStoragePolicies document describes the extensions to support the iRODS connector’s configuration policies.

Name

Type

Description

irods_environment_file

string

Path to the iRODS environment file.[Private]

irods_authentication_file

string

Path to the iRODS authentication file.[Private]

environment

array (object)

Variables to set in the iRODS client environment.[Private]

{
  "irods_environment_file": "/var/irods/irods_environment.json",
  "irods_authentication_file": "/var/irods/.irodsA",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

IrodsUserCredentialPolicies Document

This document contains one of the versioned iRODS-specific user credential policies.

Name

Type

Description

IrodsUserCredentialPolicies

IrodsUserCredentialPolicies One of { object IrodsUserCredential 1.0.0 Policies }

This document contains one of the versioned iRODS-specific user credential policies.

{
  "DATA_TYPE": "irods_user_credential_policies#1.0.0"
}

IrodsUserCredential 1.0.0 Policies Document

This document contains version 1.0.0 of the iRODS user credential policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string irods_user_credential_policies#1.0.0

{
  "DATA_TYPE": "irods_user_credential_policies#1.0.0"
}

IrodsCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the iRODS collection policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string irods_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "irods_collection_policies#1.0.0"
}

IrodsCollectionPolicies Document

This document contains one of the versioned iRODS-specific collection policies.

Name

Type

Description

IrodsCollectionPolicies

IrodsCollectionPolicies One of { IrodsCollectionPolicies 1.0.0 }

This document contains one of the versioned iRODS-specific collection policies.

{
  "DATA_TYPE": "irods_collection_policies#1.0.0"
}

OneDriveStoragePolicies Document

This type describes the public and private policies for a OneDrive Storage Gateway.

Name

Type

Description

DATA_TYPE

string onedrive_storage_policies#1.0.0

Type of this document

client_id

string

Client ID registered with the Azure console to access OneDrive.[Private]

secret

string

Secret created in the Azure console to access OneDrive with the client_id in this policy.[Private]

tenant

string

Tenant ID of the Microsoft organization. Required when Supported Account Types of the Azure application is set to Single tenant.[Private]

user_api_rate_limit

integer

User API Rate Limit associated with this client ID in operations per second per user.[Private]

auth_callback

string <uri>

URL of the auth callback that must be registered on the Azure console for the application client_id in order to process Microsoft credentials.

{
  "DATA_TYPE": "onedrive_storage_policies#1.0.0",
  "client_id": "string",
  "secret": "string",
  "tenant": "string",
  "user_api_rate_limit": 1000,
  "auth_callback": "https://example.globus.org/api/v1/authcallback"
}

OneDriveUserCredentialPolicies Document

The OneDriveUserCredentialPolicies document describes the OneDrive-specific policy information included in a UserCredential. This document contains read-only data about the user’s credentials.

Name

Type

Description

DATA_TYPE

string onedrive_user_credential_policies#1.0.0

Type of this document

sub

string

OAuth subject identifier claim.

email

string <email>

OAuth email claim.

access_token

string

OAuth access token.

refresh_token

string

OAuth refresh token.

scopes

array (string)

OAuth scopes associated with this access token.

token_expiry

string <date-time>

OAuth access token expiration time.

{
  "DATA_TYPE": "onedrive_user_credential_policies#1.0.0",
  "sub": "string",
  "email": "user@example.com",
  "access_token": "string",
  "refresh_token": "string",
  "scopes": [
    "openid",
    "email",
    "profile",
    "offline_access",
    "files.readwrite.all"
  ],
  "token_expiry": "2020-02-04T21:44:12Z"
}

OneDriveCollectionPolicies Document

The OneDriveCollectionPolicies document describes OneDrive-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string onedrive_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "onedrive_collection_policies#1.0.0"
}

PosixStoragePolicies Document

This document contains one of the versioned POSIX-specific storage gateway policies. This document includes settings for access restrictions based on POSIX group membership.

Name

Type

Description

PosixStoragePolicies

PosixStoragePolicies One of { PosixStoragePolicies_1_0_0 }

This document contains one of the versioned POSIX-specific storage gateway policies. This document includes settings for access restrictions based on POSIX group membership.

{
  "DATA_TYPE": "posix_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ]
}

PosixStoragePolicies_1_0_0 Document

This document contains version 1.0.0 of the POSIX storage gateway policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string posix_storage_policies#1.0.0

Type of this document

groups_allow

array (string)

List of POSIX group IDs allowed to access this Storage Gateway.[Private]

groups_deny

array (string)

List of POSIX group IDs denied access to this Storage Gateway.[Private]

{
  "DATA_TYPE": "posix_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ]
}

PosixStoragePolicies 1.0.0 Properties Document

This document contains the properties for version 1.0.0 of the POSIX storage gateway policy document.

Name

Type

Description

DATA_TYPE

string

Type of this document

groups_allow

array (string)

List of POSIX group IDs allowed to access this Storage Gateway.[Private]

groups_deny

array (string)

List of POSIX group IDs denied access to this Storage Gateway.[Private]

{
  "DATA_TYPE": "string",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ]
}

PosixUserCredentialPolicies Document

This document contains one of the versioned POSIX-specific user credential policies.

Name

Type

Description

PosixUserCredentialPolicies

PosixUserCredentialPolicies One of { object PosixUserCredential 1.0.0 Policies }

This document contains one of the versioned POSIX-specific user credential policies.

{
  "DATA_TYPE": "posix_user_credential_policies#1.0.0"
}

PosixUserCredential 1.0.0 Policies Document

This document contains version 1.0.0 of the POSIX storage gateway policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string posix_user_credential_policies#1.0.0

{
  "DATA_TYPE": "posix_user_credential_policies#1.0.0"
}

PosixGuestCollectionPolicies Document

This document contains one of the versioned POSIX-specific guest collection policies.

Name

Type

Description

PosixGuestCollectionPolicies

PosixGuestCollectionPolicies One of { object PosixCollectionPolicies 1.0.0 , PosixGuestCollectionPolicies 1.1.0 }

This document contains one of the versioned POSIX-specific guest collection policies.

{
  "DATA_TYPE": "posix_collection_policies#1.0.0"
}

PosixMappedCollectionPolicies Document

This document contains one of the versioned POSIX-specific guest collection policies.

Name

Type

Description

PosixMappedCollectionPolicies

PosixMappedCollectionPolicies One of { object PosixCollectionPolicies 1.0.0 , PosixMappedCollectionPolicies 1.1.0 }

This document contains one of the versioned POSIX-specific guest collection policies.

{
  "DATA_TYPE": "posix_collection_policies#1.0.0"
}

PosixCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX collection policies with an explicit DATA_TYPE value. There are no differences between policies supported by mapped and guest collections.

Name

Type

Description

DATA_TYPE

string posix_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "posix_collection_policies#1.0.0"
}

PosixGuestCollectionPolicies 1.1.0 Document

This document contains version 1.1.0 of the POSIX collection policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string posix_collection_policies#1.1.0

Type of this document

{
  "DATA_TYPE": "posix_collection_policies#1.1.0"
}

PosixMappedCollectionPolicies 1.1.0 Document

This document contains version 1.1.0 of the POSIX collection policies with an explicit DATA_TYPE value. This document type contains policies to perform group-level sharing restrictions.

Name

Type

Description

sharing_groups_allow

array (string)

List of POSIX group IDs allowed to create shares on this collection.[Private]

sharing_groups_deny

array (string)

List of POSIX group IDs denied access to create shares on this collection.[Private]

DATA_TYPE

string posix_collection_policies#1.1.0

Type of this document

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ],
  "DATA_TYPE": "posix_collection_policies#1.1.0"
}

PosixMappedCollectionPolicies 1.1.0 Properties Document

This document contains the POSIX-specific properties for version 1.1.0 of the POSIX mapped collection policies document. This document type contains policies to perform group-level sharing restrictions.

Name

Type

Description

sharing_groups_allow

array (string)

List of POSIX group IDs allowed to create shares on this collection.[Private]

sharing_groups_deny

array (string)

List of POSIX group IDs denied access to create shares on this collection.[Private]

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ]
}

PosixStagingStoragePolicies Document

This document contains one of the versioned POSIX staging specific storage gateway policies.

Name

Type

Description

PosixStagingStoragePolicies

PosixStagingStoragePolicies One of { PosixStagingStoragePolicies 1.0.0 }

This document contains one of the versioned POSIX staging specific storage gateway policies.

{
  "DATA_TYPE": "posix_staging_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ],
  "stage_app": "/usr/local/bin/globus-stage-data",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

PosixStagingStoragePolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX staging storage gateway policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string posix_staging_storage_policies#1.0.0

Type of this document

groups_allow

array (string)

List of POSIX group IDs allowed to access this Storage Gateway.[Private]

groups_deny

array (string)

List of POSIX group IDs denied access to this Storage Gateway.[Private]

stage_app

string

Path to the stage app.[Private]

environment

array (object)

Variables to set in the environment when executing the stage_app.[Private]

{
  "DATA_TYPE": "posix_staging_storage_policies#1.0.0",
  "groups_allow": [
    "globus"
  ],
  "groups_deny": [
    "nonglobus"
  ],
  "stage_app": "/usr/local/bin/globus-stage-data",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

PosixStagingStoragePolicies_1_0_0_Properties Document

The PosixStagingStoragePolicies document describes the extensions to support the POSIX staging connector’s configuration policies.

Name

Type

Description

stage_app

string

Path to the stage app.[Private]

environment

array (object)

Variables to set in the environment when executing the stage_app.[Private]

{
  "stage_app": "/usr/local/bin/globus-stage-data",
  "environment": [
    {
      "name": "VOLUME",
      "value": "/vol/0"
    }
  ]
}

PosixStagingUserCredentialPolicies Document

This document contains one of the versioned POSIX staging-specific user credential policies.

Name

Type

Description

PosixStagingUserCredentialPolicies

PosixStagingUserCredentialPolicies One of { object PosixStagingUserCredential 1.0.0 Policies }

This document contains one of the versioned POSIX staging-specific user credential policies.

{
  "DATA_TYPE": "posix_staging_user_credential_policies#1.0.0"
}

PosixStagingUserCredential 1.0.0 Policies Document

This document contains version 1.0.0 of the POSIX staging user credential policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string posix_staging_user_credential_policies#1.0.0

{
  "DATA_TYPE": "posix_staging_user_credential_policies#1.0.0"
}

PosixStagingMappedCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX staging mapped collection policies with an explicit DATA_TYPE value.

Name

Type

Description

sharing_groups_allow

array (string)

List of POSIX group IDs allowed to create shares on this collection.[Private]

sharing_groups_deny

array (string)

List of POSIX group IDs denied access to create shares on this collection.[Private]

DATA_TYPE

string posix_staging_collection_policies#1.0.0

Type of this document

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ],
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

PosixStagingGuestCollectionPolicies 1.0.0 Document

This document contains version 1.0.0 of the POSIX staging mapped collection policies with an explicit DATA_TYPE value.

Name

Type

Description

DATA_TYPE

string posix_staging_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

PosixStagingGuestCollectionPolicies Document

This document contains one of the versioned POSIX staging-specific guest collection policies.

Name

Type

Description

PosixStagingGuestCollectionPolicies

PosixStagingGuestCollectionPolicies One of { PosixStagingGuestCollectionPolicies 1.0.0 }

This document contains one of the versioned POSIX staging-specific guest collection policies.

{
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

PosixStagingMappedCollectionPolicies Document

This document contains one of the versioned POSIX staging-specific guest collection policies.

Name

Type

Description

PosixStagingMappedCollectionPolicies

PosixStagingMappedCollectionPolicies One of { PosixStagingMappedCollectionPolicies 1.0.0 }

This document contains one of the versioned POSIX staging-specific guest collection policies.

{
  "sharing_groups_allow": [
    "globus"
  ],
  "sharing_groups_deny": [
    "nonglobus"
  ],
  "DATA_TYPE": "posix_staging_collection_policies#1.0.0"
}

S3StoragePolicies Document

The S3StoragePolicies document describes S3-specific configuration policies. These policies contain information about how to contact the S3 API and also restrictions on which S3 buckets are available for access via this storage gateway.

Name

Type

Description

DATA_TYPE

string s3_storage_policies#1.0.0

Type of this document

s3_endpoint

string <uri>

URL of the S3 API endpoint

s3_buckets

array (string)

List of buckets not owned by the collection owner that will be shown in the root of collections created at the base of this Storage Gateway.

s3_user_credential_required

boolean

Flag indicating if a Globus User must register a user credential in order to create a Guest Collection on this Storage Gateway.

{
  "DATA_TYPE": "s3_storage_policies#1.0.0",
  "s3_endpoint": "https://s3.amazonaws.com",
  "s3_buckets": [
    "awsexamplebucket1"
  ],
  "s3_user_credential_required": true
}

S3CollectionPolicies Document

The S3CollectionPolicies document describes S3-specific configuration policies. Currently this document type contains no connector-specific policy information.

Name

Type

Description

DATA_TYPE

string s3_collection_policies#1.0.0

Type of this document

{
  "DATA_TYPE": "s3_collection_policies#1.0.0"
}

S3UserCredential Document

The S3UserCredential document describes S3-specific configuration policies. Currently this contains the key information needed to contact the S3 API for this account.

Name

Type

Description

DATA_TYPE

string s3_user_credential_policies#1.0.0

Type of this document

s3_key_id

string

Access Key ID to use with the S3 API to access your buckets and objects.

s3_secret_key

string

Secret Key to use with the S3 API to access your buckets and objects.

{
  "DATA_TYPE": "s3_user_credential_policies#1.0.0",
  "s3_key_id": "AKIAIOSFODNN7EXAMPLE",
  "s3_secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
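
The user credential and storage policy documents above carry OAuth tokens, client secrets and S3 secret keys, so a Manager API response should be masked before it is written to a log or pasted into a ticket. The following is an added example, not Globus code: the helper names, the outer envelope with its "policies" key, the log key and the token values are constructed for illustration.

```python
import hashlib
import hmac
import json

# Field names that the document tables in this section describe as OAuth
# tokens, client secrets or S3 secret keys.
SENSITIVE_FIELDS = {"access_token", "refresh_token", "secret", "s3_secret_key"}


def fingerprint(value, key):
    """Keyed, truncated digest: two log lines can be correlated without the secret."""
    digest = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256).hexdigest()
    return f"<redacted:{digest[:12]}>"


def redact(node, key, path="", hits=None):
    """Return (masked copy of node, list of masked JSON paths). Input is not modified."""
    if hits is None:
        hits = []
    if isinstance(node, dict):
        clean = {}
        for name, value in node.items():
            child = f"{path}/{name}"
            if name in SENSITIVE_FIELDS and value not in (None, ""):
                clean[name] = fingerprint(value, key)
                hits.append(child)
            else:
                # Recurse so nested policy documents are masked as well.
                clean[name] = redact(value, key, child, hits)[0]
        return clean, hits
    if isinstance(node, list):
        return [redact(v, key, f"{path}/{i}", hits)[0] for i, v in enumerate(node)], hits
    return node, hits


def safe_log_line(doc, key):
    """Serialize a masked copy together with the list of paths that were masked."""
    clean, hits = redact(doc, key)
    return json.dumps({"masked": hits, "document": clean}, sort_keys=True)


# Constructed sample: the outer envelope and its "policies" key are made up for
# this example; the S3 values are the placeholder keys from the document above.
SAMPLE = {
    "policies": [
        {
            "DATA_TYPE": "s3_user_credential_policies#1.0.0",
            "s3_key_id": "AKIAIOSFODNN7EXAMPLE",
            "s3_secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        },
        {
            "DATA_TYPE": "onedrive_user_credential_policies#1.0.0",
            "sub": "string",
            "email": "user@example.com",
            "access_token": "constructed-access-token",
            "refresh_token": "constructed-refresh-token",
            "scopes": ["openid", "offline_access", "files.readwrite.all"],
            "token_expiry": "2020-02-04T21:44:12Z",
        },
    ]
}

if __name__ == "__main__":
    print(safe_log_line(SAMPLE, key=b"constructed-log-key"))
```

The access key ID, subject, email and scopes are left readable for correlation; keep the fingerprint key out of the logs it protects.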

Sharing Policies Document

Sharing policies for a mapped collection. This document type allows endpoint and collection administrators to optionally constrain sharing path policies for particular users. The sharing_restrict_paths property has a similar meaning to that of the sharing_restrict_paths in the collection document; however, it is in effect only for specific users.

If the users property is null, then the restriction applies to all users. If it is non-null, then this restriction applies only to accounts which have been mapped to the enumerated storage gateway user accounts.

Multiple sharing policies can be defined for a mapped collection. When a guest collection is created or accessed, only the policies relevant to the user who created the account are enforced.

Name

Type

Description

DATA_TYPE

string sharing_policy#1.0.0

Type of this document

id

string <uuid>

ID for this sharing policy

collection_id

string <uuid>

ID of the mapped collection which this policy is associated with.

sharing_restrict_paths

One of { object PathRestrictions }

Restrictions on which paths may be shared in guest collections related to this mapped collection. These paths are relative to the root_path property of the mapped collection.

users

array (string)

List of local user accounts that this policy applies to. If omitted or null, this restriction applies to all local user accounts.

{
  "DATA_TYPE": "sharing_policy#1.0.0",
  "id": "97d6ec0b-a3c2-4723-a1a0-285b2b8f015a",
  "collection_id": "14326300-5a33-4387-9bb0-7f85c3dc3185",
  "sharing_restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [
      "/public"
    ],
    "read_write": [
      "/home",
      "/projects"
    ],
    "none": [
      "/private"
    ]
  },
  "users": [
    "username"
  ]
}