Globus Connect Server v5 Quickstart Guide

Last Updated: January 19, 2021

1. Introduction

This is a condensed version of the Globus Connect Server v5.4 installation and data access guides intended for users who want to do a basic setup of Globus Connect Server on a single node providing access to a Posix filesystem. The other documents provide more details and information about the available features and policies available for configuring Globus Connect Server on your system.

This document assumes you have a root access to a machine to use for Globus Connect Server, running a recent Debian, Ubuntu, Fedora, or RHEL-compatible operating system. This machine must allow network access to TCP ports 443 and the range 50000-51000 and have a synchronized system clock. Read the prerequisites section of the install doc for an explanation of these.

Important

In this document, we will show some example invocations of the Globus Connect Server management commands. If you plan to follow along on your own system, you’ll need to change the commands to reflect your organization and login policies. Anywhere you see something highlighted like this you’ll need to replace the text with something that matches the desired policies for your own endpoint.

1.1. Install Globus Connect Server version 5 software

Skip to the appropriate section for your Linux distribution and follow the instructions to install Globus Connect Server version 5 on your system.

sudo yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
sudo yum install https://downloads.globus.org/globus-connect-server/stable/installers/repo/rpm/globus-repo-latest.noarch.rpm

Install Globus Connect Server:

sudo yum install globus-connect-server54
sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
sudo dnf install https://downloads.globus.org/globus-connect-server/stable/installers/repo/rpm/globus-repo-latest.noarch.rpm

Install Globus Connect Server:

sudo dnf install globus-connect-server54
sudo dnf install https://downloads.globus.org/globus-connect-server/stable/installers/repo/rpm/globus-repo-latest.noarch.rpm

install Globus Connect Server:

sudo dnf install globus-connect-server54
curl -LOs https://downloads.globus.org/globus-connect-server/stable/installers/repo/deb/globus-repo_latest_all.deb
sudo dpkg -i globus-repo_latest_all.deb
sudo apt-key add /usr/share/globus-repo/RPM-GPG-KEY-Globus
sudo apt update
sudo apt install globus-connect-server54
curl -LOs https://downloads.globus.org/globus-connect-server/stable/installers/repo/deb/globus-repo_latest_all.deb
sudo dpkg -i globus-repo_latest_all.deb
sudo apt-key add /usr/share/globus-repo/RPM-GPG-KEY-Globus
sudo apt update
sudo apt install globus-connect-server54

1.2. Create the endpoint

1.2.1. Create service credentials

The first step in creating your endpoint is to register it with Globus and obtain credentials for the endpoint. These credentials allow the endpoint to securely identify itself to, and interact with Globus services.

  1. Log into the Globus Developers Console, developers.globus.org. You can use any linked identity, however the client you are creating must exist for the lifetime of the GCSv5 endpoint so consider carefully which account to use.

  2. Click Register a new Globus Connect Server v5.

  3. Click Add another project and fill out the form. This project will be used to track your Globus Connect Server registrations. Keep it separate from any other projects you might have.

  4. Use the Add…​ menu to add other appropriate users in your organization as administrators of the project. Adding other administrators helps your organization avoid losing administrative control should any one administrator leave your organization.

  5. From the Add…​ menu for the project click Add a new Globus Connect Server and fill out the form. The display name will be used to identify this endpoint to users when they access it for the first time. Use the same name here that you plan to use in later steps so your users will have a consistent experience.

  6. Click Generate a New Client Secret and fill out the form.

  7. Save the Client ID and Client Secret values. You will use them soon when creating your Globus Connect Server version 5 endpoint.

Important
Each endpoint requires a new Globus Connect Server version 5 registration with its own Client ID and Client Secret. These registrations may be within the same project. It is important that the Client ID created in this step only be used to set up a single endpoint, and that it is not reused to set up additional endpoints. Save the Client ID and Client Secret, they will be used for the initial endpoint setup and when adding nodes to the endpoint. Do not delete these values from the Globus Developer Console, they must exist for the lifetime of the endpoint.

1.2.2. Setup the endpoint

To finish creating the endpoint, run the globus-connect-server endpoint setup command.

Example
globus-connect-server endpoint setup "My GCSv5.4 Endpoint" \
    --organization "Example Organization" \
    --client-id "3113dd2a-6199-4c3e-b08f-a4ac4b5ae5c3" \
    --owner admin@example.edu \
    --contact-email support@example.edu

The command returns information about the endpoint that may be useful for additional configuration later, including the domain name of the endpoint, a link to send to subscription managers to set the endpoint as managed, and the redirect URI needed if Google Drive or Cloud connectors will be used with this endpoint.

1.3. Set up the services on the Data Transfer Node

Run the globus-connect-server node setup command to configure and start the Globus services on the Data Transfer Node. This command must be done as the root user, as it enables and starts systemd services. The deployment-key.json file from the previous step will be used by this command.

Example
sudo globus-connect-server node setup \
    --client-id "3113dd2a-6199-4c3e-b08f-a4ac4b5ae5c3"

1.4. Log into the endpoint

Login Command Example
globus-connect-server login localhost

This creates local authentication tokens that can be used by the Globus Connect Server command-line interface to interact with the endpoint. Log in with the identity you chose as the endpoint owner in Setup the endpoint.

1.5. Set the endpoint as managed

Endpoints that require premium functionality—​such as guest collections for data sharing and premium connectors—​must be managed under a Globus subscription. If your organization has a subscription, and your Globus account has the subscription manager role, you may set the endpoint as managed using the globus-connect-server command as follows.

Set the Endpoint as Managed
globus-connect-server endpoint set-subscription-id DEFAULT

1.6. Create OIDC Server (optional)

If your site does not have a identity provider available for logging in to Globus, you can use a Globus provided OIDC provider that uses PAM to authenticate users with local accounts. This is documented in the Globus OIDC Installation Guide. For this quickstart, we’ll use the --quickstart-server-name option to register the identity provider using the identity subdomain of the endpoint’s domain. The guide contains information about how to use a site-specific DNS name and certificate for this service.

sudo globus-connect-server oidc create \
    --display-name "OIDC Server for example.edu" \
    --support-contact "Joe Admin"\
    --support-email "support@example.edu" \
    --quickstart-server-name identity

sudo globus-connect-server oidc setup

This script will print out a line indicating the domain that is being used for the OIDC server. Use this in place of example.edu when creating the storage gateway in the next step to use this service for authentication.

1.7. Create the Storage Gateway 

globus-connect-server storage-gateway create posix \
     "Example Gateway" \
    --domain example.edu

This creates a Storage Gateway named Posix Gateway that restricts access to identities that have an example.edu domain. Copy the Storage Gateway ID in the output to use in the next step in place of STORAGE_GATEWAY_ID.

For more information on other policies that can be set on a Storage Gateway see The Storage Gateway section of the Data Access Guide. For instructions on creating Storage Gateways for Connectors other that POSIX see GCSv5 Premium Connectors

1.8. Create a Mapped Collection 

globus-connect-server collection create \
    STORAGE_GATEWAY_ID \
    /home/ \
    "Example Collection"

This creates a Mapped Collection named Example Collection rooted on the path /home/ using the Storage Gateway created in Create the Storage Gateway. This Collection will be visible to users through the Globus webapp, who will be able to access data in /home/ if they have an account from example.edu. The Globus accounts USER@example.edu will be granted access if there is a corresponding local account for USER.

2. Additional Reading

Globus Connect Server v5.4 Installation Guide

This guide contains information about the features of Globus Connect Server v5.4, complete steps for endpoint configuration, as well as links to reference material about the Globus Connect Server command line tool. Using this document, you can learn how to set up multiple Data Transfer Nodes to provide service for a single endpoint.

Globus Connect Server v5.4 Data Access Guide

This guide contains describes how to configure data access policies for your endpoint and its collections.

Globus Connect Server v5.4 Identity Mapping Guide

This guide contains details about how to configure a Globus Connect Server endpoint to support Globus users from different identity providers.

Premium Storage Connectors

This section of the website contains information about how to configure a Globus Connect Server endpoint to use a premium storage connector.