Globus Connect Server CLI Command summary

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--export-node NODE_INFO_JSON

File to write node configuration to for

--agree-to-delete-previous-secret

Do not prompt for confirmation to delete a node-specific secret

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections [default: 50000, 51000]

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections

-i, --ip-address IP_ADDRESS

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface IP_ADDRESS

IP interface of the GCS Node used for Globus data transfers

--import-node NODE_INFO_JSON

File to read node configuration from (created by --export-node)

--export-node NODE_INFO_JSON

File to write node configuration to for restoring later

--new-secret

Create a unique auth credential for this node

--enable / --disable

Set the node state to 'active' or 'inactive'

-i, --ip-address TEXT

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface TEXT

IPv4 interface of the GCS Node used for Globus data transfers

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections. Set to "" "" to remove this setting

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections. Set to "" "" to remove this setting

--high-assurance

Flag indicating that High Assurance features are required on this storage gateway

--mfa/--no-mfa

Determine whether MFA authenticated session is required to access Collections [MFA supported on HA storage gateways only]

--domain

Identity Domain which Mapped Collection access is restricted to

--authentication-timeout-mins

Re-authentication threshold

--restrict-paths

Used to define which paths are accessible via Collections based on the storage gateway

--identity-mapping

Used to define a custom identity mapping policy

--network-use

Used to define NetworkUse at the storage gateway layer

--preferred-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred parallelism setting per storage gateway

--max-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the max parallelism setting per storage gateway

--preferred-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred concurrency setting per storage gateway

--max-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the max concurrency setting per storage gateway

--user-allow/--user-deny

Used to allow, or deny, Collection access per connector specific username

--posix-group-allow/--posix-group-deny

Used to allow, or deny, Collection access per POSIX group

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

--azure-adls / --azure-no-adls

Indicate whether Azure Data Lake Gen2 is enabled for the Azure storage account

--azure-storage-account

Azure storage account to associate the Storage Gateway with

--azure-credential-type

Set the type of credential used for authentication to Azure

--ms-allow-any-account

Allow users to access any Azure Blob Storage account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access Azure Blob Storage as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access Azure Blob Storage

--blackpearl-access-id-file

Path to the BlackPearl user mapping file

--s3-endpoint

Region-specific URI of the BlackPearl API

--box-settings

The Box App Settings JSON data, as a string or a file. This is used when Box is configured as an enterprise application

--box-user-api-rate-limit

Box API rate limit. Limiting the number of requests per second per user

--box-allow-any-account

Allow users to access any Box account

--box-client-id

Application Client Id registered with Box

--box-client-secret

Secret associated with the given --box-client-id Box application

--ceph-admin-secret-key

Secret key corresponding to --ceph-admin-key-id

--ceph-admin-key-id

Key ID of an admin key used to resolve Ceph usernames to credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the Ceph API

--dropbox-user-api-rate-limit

Dropbox API rate limit. Number of requests per second per user

--dropbox-allow-any-account

Allow users to access any Dropbox account

--dropbox-client-secret

Secret associated with the --dropbox-client-id Dropbox application

--dropbox-client-id

Application client id (App Key) registered with the Dropbox App Console

--google-service-account-key

The Google service account key file used when leveraging a Google Service Account for access

--google-cloud-storage-project

Project this Storage Gateway is allowed to access

--google-allow-any-account

Allow users to access any Google Cloud storage account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

--bucket

Bucket to include in the root of the Storage Gateway

--google-drive-user-api-rate-quota

Negotiated rate quota for Queries per 100 per user

--google-allow-any-account

Allow users to access any Google Drive account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

--login-name

Name of the HPSS user in the keytab file that the GridFTP server will use to authenticate to HPSS

--authentication-mech

Defines the type of authentication the connector will perform when logging into HPSS

--authenticator

Authenticator used with --authentication-mech to perform authentication to HPSS

--uda-checksum/--no-uda-checksum

Flag that indicates if checksums should be stored within UDAs so that sync-by-checksum transfers can verify the file without staging the file from tape

--irods-authentication-file

Path to iRODS authentication file on the endpoint

--irods-environment-file

Path to iRODS environment file on the endpoint

--ms-user-api-rate-limit

OneDrive API rate limit. Number of requests per second per user

--ms-allow-any-account

Allow users to access any OneDrive account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access OneDrive as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access OneDrive

--environment

Variables to set in the environment when executing the stage_app

--stage-app

Path to the file staging app to use for this storage gateway

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--s3-requester-pays / --no-s3-requester-pays

Allow using this credential to access S3 Requester Pays buckets. The account owning these credentials will be charged for S3 operations.

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--prefix TEXT

The path prefix of all S3 bucket/object path to use with this key. This command is additive and can be run multiple times.

--s3-secret-key TEXT

S3 secret key.

--prefix TEXT

A prefix to be associated with this key pair. Many are allowed.

--mapped-collection-id

Filter results to Guest Collections on a specific Mapped Collection. This is the ID of the Mapped Collection

--filter

Filter results to one of the specified categories of collections. Can be applied multiple times

--storage-gateway-id

Filter results to Collections on a specific Storage Gateway. This is the ID of the Storage Gateway

--acl-expiration-mins [INT|null]

Length of time that guest collection permissions are valid. Settable on HA guest collections and HA mapped collections and used by the guest collections attached to the mapped collection. When set on both the HA mapped collection and one of its HA guest collections, the lessor value will be in effect. Pass '--acl-expiration-mins ""' to drop any previous setting

--allow-guest-collections / --no-allow-guest-collections

Allow Guest Collections to be created on this Collection. This option is only usable on Mapped Collections. If this option is disabled on a Mapped Collection which already has associated Guest Collections, those collections will no longer be accessible

--activity-notifications _COMMA_SEPARATED_LIST

[UPDATE Only] Configure activity notifications for guest collections. The value is a comma-separated list of one or more of the following values: succeeded, failed, source, destination. Use the value "all" to enable all activity notifications. Use the value "" to disable all activity notifications. Only settable on guest collections. Defaults to no activity notifications

--auto-delete-timeout INTEGER

Number of days before unused guest collections will be automatically deleted. Only settable on mapped collections. Values must be an integer greater than 0. Defaults to disabled

--contact-email TEXT

Email address of the support contact for this Collection. This is visible to end users so that they may contact your organization for support

--contact-info TEXT

Non-email contact information for the Collection, e.g. phone and mailing address. This is visible to end users for support

--default-directory TEXT

Default directory when browsing the collection

--delete-protected

If --delete-protected, then this collection can not be deleted until --no-delete- protected is used with the collection update command. This option is enabled by default as of GCS v5.4.69.

--department TEXT

Department which operates the Collection

--description TEXT

Description for the Collection

--disable-anonymous-writes / --enable-anonymous-writes

Allow anonymous write ACLs on Guest Collections attached to this Mapped Collection. This option is only usable on non high assurance Mapped Collections and the setting is inherited by the hosted Guest Collections. Anonymous write ACLs are enabled by default (requires an endpoint with API v1.8.0)

--disable-https

Explicitly disable HTTPS support (requires a managed endpoint with API v1.1.0)

--display-name TEXT

[UPDATE Only] New name for the Collection

--domain-name TEXT

DNS host name for the collection (mapped collections only). This may be either a host name or a fully-qualified domain name, but if it is the latter it must be a subdomain of the endpoint’s domain

--enable-https

Explicitly enable HTTPS support (requires a managed endpoint with API v1.1.0)

--flow-transfer-destination [UUID|null]

Restrict transfers using the collection as the destination to only transfers invoked by the given Globus flow. The value is the ID of the Globus flow. Specify null to remove the collection’s association with the flow. When this is enabled, storing files via the collection HTTPS interface is disabled

--flow-transfer-source [UUID|null]

Restrict transfers using the collection as the source to only transfers invoked by the given Globus flow. The value is the ID of the Globus flow. Specify null to remove the collection’s association with the flow. When this is enabled, retrieving files via the collection HTTPS interface is disabled

--force-encryption / --no-force-encryption

When set, all transfers to and from this collection are always encrypted

--google-project-id TEXT

For Google Cloud Storage backed Collections only. The Google Cloud Platform project ID which is used by this Collection

--guest-auth-policy-id [UUID|null]

Set the auth policy on a mapped collection which is inherited by all guest collections attached to the mapped collection. Pass '-- guest-auth-policy-id null' to remove the auth policy from the collection. This option is only usable on mapped collections

--identity-id TEXT

Globus Auth identity to who acts as the owner of this Collection. This identity is an administrator on the Endpoint. This ID must be in your current identity set

--info-link TEXT

Link for info about the Collection

--keywords TEXT,TEXT,…​

Comma separated list of keywords to help searches for the Collection

--organization TEXT

Organization for the Collection

--posix-sharing-group-allow NAME | file:PATH | ""

POSIX group allowed access to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--posix-sharing-group-deny NAME | file:PATH | ""

POSIX group denied permission to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--posix-staging-sharing-group-allow NAME | file:PATH | ""

POSIX Staging group allowed access to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--posix-staging-sharing-group-deny NAME | file:PATH | ""

POSIX Staging group denied permission to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--public / --private

Set the Collection to be public or private (defaults to public)

--restrict-transfers-to-high-assurance [inbound|outbound|all|null]

Restrict inbound, outbound, or all transfers between high assurance collections. Only settable on high assurance mapped collections and inherited by all attached guest collections. Setting this feature will disable HTTPS access on the mapped collection and its attached guest collections. Setting to the value null removes this restriction

--sharing-restrict-paths [JSON|file:JSON_FILE]

Path restrictions for sharing data on guest collections based on this collection. This option is only usable on Mapped Collections

--sharing-user-allow NAME | file:PATH | ""

Connector-specific username allowed to create guest collections.collections. The parameter value may be either a user name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited user names. This option can be used multiple times. Set a value of "" to clear this

--sharing-user-deny NAME | file:PATH | ""

Connector-specific username denied permission to create guest collections. The parameter value may be either a user name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited user names. This option can be used multiple times. Set a value of "" to clear this

--skip-auto-delete / --no-skip-auto-delete

[UPDATE Only] Option indicating whether the guest collection is subject to automatic deletion if --auto-delete-timeout is set on its mapped collection. Only settable on guest collections. Defaults to false

--user-message-link TEXT

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an http or https URL with this collection

--user-message TEXT

A message for clients to display to users when interacting with this collection

--verify [force|disable|default]

Set the policy for this collection for file integrity verification after transfer. 'force' requires all transfers to perform verification. 'disable' disables all verification checks. 'default' allows the user to decide on verification at Transfer task submit time. When set on mapped collections, this policy is inherited by any guest collections

-d, --db-path PATH

Path to the audit database [default:~/.globus/audit-logs.db]

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned. -E, --end-date DATE Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned. -E, --end-date DATE Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

--high-assurance

Flag indicating if authentication policy will be used on high assurance collections. This setting is immutable [Create only]

--authentication-assurance-timeout

INTEGER Number of seconds within which someone must have authenticated to satisfy the policy

--description DESCRIPTION

Description for the authentication policy [Update only]

--display-name DISPLAY_NAME

Display name for the authentication policy [Update only]

--include DOMAIN

Domain which can be used a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to include all domains

--exclude DOMAIN

Domain which cannot be used a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to exclude no domains

--project-id PROJECT_ID

Auth project ID where the authentication policy will be stored

--display-name TEXT

Display name for the OIDC server [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

-p, --pam-service TEXT

Specify the PAM service module to use for authentication. Default is 'login'

--server-name DOMAIN_NAME

Fully-qualified domain name for the OIDC service

--certificate-path PATH

Path to the certificate for the virtual host for the OIDC service

--certificate-chain-path PATH

Path to the certificate chain for the virtual host for the OIDC service

--private-key-path PATH

Path to the private key for the virtual host for the OIDC service

--manage-certificate-and-key

Encrypt and synchronize the certificate and key between data transfer nodes; if not passed, you are responsible for ensuring that the certificate, chain, and key files are present on each data transfer node

--quickstart-server-name TEXT

DNS label to use for configuring the OIDC server to use a subdomain of the endpoint’s domain.

--display-name TEXT

Display name for the OIDC server [required]

--discovery-url URL

The OpenID Connect discovery URL for the server. The domain of the url will be the main domain of the IdP and must be asserted by the OIDC server. [required]

--domain DOMAIN

An alternate domain asserted by the OIDC server. It is not necessary to pass the domain from the 'discovery-url'. May be passed multiple times.

--client-id CLIENT-ID

You must configure Globus Auth as a client on your OIDC Server. This is the Client ID of that that client configuration, which Globus will use to authenticate with your OIDC server. This is not the Globus client-id of your endpoint. [required]

--client-secret SECRET

You must configure Globus Auth as a client on your OIDC Server. This is the Client secret for the Client ID that Globus will use to authenticate with your OIDC server. This is not the Globus client- secret of your endpoint. [required]

--username-claim TEXT

Identity provider claim that maps to the user name. In most cases this should be 'preferred_username'. [required]

--id-claim TEXT

Identity provider claim that maps to the immutable ID. In most cases this should be 'sub'. [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

-u, --user USER

Restrict this policy to the given user. This may be passed multiple times to apply the policy to multiple users [required]

--read PATH

Restrict sharing to be read only for the given path. This may be passed multiple times to allow multiple read path restrictions

--read-write PATH

Restrict sharing to be read/write for the given path. This may be passed multiple times to allow multiple read/write path restrictions

--none PATH

Restrict sharing to be disallowed for the given path. This may be passed multiple times to allow multiple restrictions