
Globus Connect Server CLI Command summary

Overview

Common Globus Connect Server CLI commands used to configure Endpoints, Storage Gateways, Collections and associated policies.

While not all commands/options are listed below, each section includes a link to the command-specific documentation page.

Command agnostic options

$ globus-connect-server collection list --show-stack-trace --use-explicit-host localhost

Option Description

--use-explicit-host

Used to specify the node to direct GCS CLI commands to

--show-stack-trace

Used to produce more verbose error output

Endpoint Configuration

$ globus-connect-server endpoint

Note

Documentation on the GCS CLI endpoint commands and all available options is available here.
Command Description

cleanup

Permanently delete an Endpoint definition

domain [delete,show]

Show or Delete Endpoint domain

domain update

Update Endpoint Custom Domain

Option Description

--domain

DNS name to use for this endpoint

--wildcard

Flag indicating that this is a wildcard domain; if true, all collections on this endpoint which don’t have custom domains will be subdomains of this domain

--managed/--unmanaged

If --managed, automatically synchronize domain certificates and keys using Globus services

--private-key-path

Path to a file containing the private key to use for this domain

--certificate-chain-path

Path to a file containing the x.509 certificate chain to use for this domain

--certificate-path

Path to a file containing the x.509 certificate to use for this domain

key

Manage Endpoint Deployment Key [deployment-key.json]

reset-owner-string

Reset the advertised Endpoint owner string to the Endpoint's ClientID

role

Manage Endpoint roles

set-owner

Update the Endpoint owner role assignment

set-owner-string

Update the advertised Endpoint owner string

set-subscription-id

Update an Endpoint's Globus Subscription assignment

setup

Create an Endpoint

Option Description

--always-create-project

Create a new Globus Auth project for this endpoint

--project-admin

Globus username of the admin of the Auth project where the new endpoint client will be registered. Only required if the project admin identity is different from the endpoint owner

--project-name

Name of the Globus Auth project where the new endpoint client will be registered

--dont-set-advertised-owner

Skip the interactive step to set the endpoint advertised owner

--public/--private

Determines whether an Endpoint is visible to identities without an Endpoint role assignment

--agree-to-letsencrypt-tos

Agree to LetsEncrypt TOS

Node Configuration

$ globus-connect-server node

Note

Documentation on the GCS CLI node commands and all available options is available here.
Command Description

cleanup

Clean up a Globus Connect Server node [sudo - elevated perms required]

create

Create a Globus Connect Server node configuration

Option Description

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--export-node NODE_INFO_JSON

File to write node configuration to for restoring later

delete

Delete a Node by ID

disable

Set the local node status to 'inactive,' as the root user on the server [no GCS CLI session required]

enable

Set the local node status to 'active,' as the root user on the server [no GCS CLI session required]

list

List all Nodes on the Endpoint

new-secret

Create a new secret for this node

Option Description

--agree-to-delete-previous-secret

Do not prompt for confirmation to delete a node-specific secret

setup

Set up a Globus Connect Server node [sudo - elevated perms required]

Option Description

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections [default: 50000, 51000]

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections

-i, --ip-address IP_ADDRESS

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface IP_ADDRESS

IP interface of the GCS Node used for Globus data transfers

--import-node NODE_INFO_JSON

File to read node configuration from (created by --export-node)

--export-node NODE_INFO_JSON

File to write node configuration to for restoring later

--new-secret

Create a unique auth credential for this node

show

Display the state of a Node

update

Update a Node’s config

Option Description

--enable / --disable

Set the node state to 'active' or 'inactive'

-i, --ip-address TEXT

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface TEXT

IPv4 interface of the GCS Node used for Globus data transfers

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections. Set to "" "" to remove this setting

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections. Set to "" "" to remove this setting

Connector agnostic Storage Gateway Configuration

$ globus-connect-server storage-gateway

Note

Documentation on the GCS CLI storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--high-assurance

Flag indicating that High Assurance features are required on this storage gateway

--mfa/--no-mfa

Determine whether an MFA-authenticated session is required to access Collections [MFA supported on HA storage gateways only]

--domain

Identity Domain which Mapped Collection access is restricted to

--authentication-timeout-mins

Re-authentication threshold

--restrict-paths

Used to define which paths are accessible via Collections based on the storage gateway

--identity-mapping

Used to define a custom identity mapping policy

--network-use

Used to define NetworkUse at the storage gateway layer

--preferred-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred parallelism setting per storage gateway

--max-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the max parallelism setting per storage gateway

--preferred-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred concurrency setting per storage gateway

--max-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the max concurrency setting per storage gateway

--user-allow/--user-deny

Used to allow, or deny, Collection access per connector specific username

delete

Delete an existing storage gateway

list

List storage gateways

show

Show a storage gateway definition

POSIX specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] posix

Note

Documentation on the GCS CLI storage-gateway create posix options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--posix-group-allow/--posix-group-deny

Used to allow, or deny, Collection access per POSIX group

ActiveScale specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] activescale

Note

Documentation on the GCS CLI ActiveScale specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

Azure-Blob specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] azure-blob

Note

Documentation on the GCS CLI Azure Blob specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--azure-adls / --azure-no-adls

Indicate whether Azure Data Lake Gen2 is enabled for the Azure storage account

--azure-storage-account

Azure storage account to associate the Storage Gateway with

--azure-credential-type

Set the type of credential used for authentication to Azure

--ms-allow-any-account

Allow users to access any Azure Blob Storage account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access Azure Blob Storage as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access Azure Blob Storage

BlackPearl specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] blackpearl

Note

Documentation on the GCS CLI BlackPearl specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--blackpearl-access-id-file

Path to the BlackPearl user mapping file

--s3-endpoint

Region-specific URI of the BlackPearl API

Box specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] box

Note

Documentation on the GCS CLI Box specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--box-settings

The Box App Settings JSON data, as a string or a file. This is used when Box is configured as an enterprise application

--box-user-api-rate-limit

Box API rate limit. Limiting the number of requests per second per user

--box-allow-any-account

Allow users to access any Box account

--box-client-id

Application Client Id registered with Box

--box-client-secret

Secret associated with the given --box-client-id Box application

Ceph specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] ceph

Note

Documentation on the GCS CLI Ceph specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--ceph-admin-secret-key

Secret key corresponding to --ceph-admin-key-id

--ceph-admin-key-id

Key ID of an admin key used to resolve Ceph usernames to credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the Ceph API

DropBox specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] dropbox

Note

Documentation on the GCS CLI DropBox specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--dropbox-user-api-rate-limit

Dropbox API rate limit. Number of requests per second per user

--dropbox-allow-any-account

Allow users to access any Dropbox account

--dropbox-client-secret

Secret associated with the --dropbox-client-id Dropbox application

--dropbox-client-id

Application client id (App Key) registered with the Dropbox App Console

Google Cloud specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] google-cloud

Note

Documentation on the GCS CLI Google Cloud specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--google-service-account-key

The Google service account key file used when leveraging a Google Service Account for access

--google-cloud-storage-project

Project this Storage Gateway is allowed to access

--google-allow-any-account

Allow users to access any Google Cloud storage account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

--bucket

Bucket to include in the root of the Storage Gateway

Google Drive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] google-drive

Note

Documentation on the GCS CLI Google Drive specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--google-drive-user-api-rate-quota

Negotiated rate quota for Queries per 100 per user

--google-allow-any-account

Allow users to access any Google Drive account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

HPSS specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] hpss

Note

Documentation on the GCS CLI HPSS specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--login-name

Name of the HPSS user in the keytab file that the GridFTP server will use to authenticate to HPSS

--authentication-mech

Defines the type of authentication the connector will perform when logging into HPSS

--authenticator

Authenticator used with --authentication-mech to perform authentication to HPSS

--uda-checksum/--no-uda-checksum

Flag that indicates if checksums should be stored within UDAs so that sync-by-checksum transfers can verify the file without staging the file from tape

iRODS specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] irods

Note

Documentation on the GCS CLI iRODS specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--irods-authentication-file

Path to iRODS authentication file on the endpoint

--irods-environment-file

Path to iRODS environment file on the endpoint

OneDrive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] onedrive

Note

Documentation on the GCS CLI OneDrive specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--ms-user-api-rate-limit

OneDrive API rate limit. Number of requests per second per user

--ms-allow-any-account

Allow users to access any OneDrive account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access OneDrive as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access OneDrive

POSIX Staging specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] posix-staging

Note

Documentation on the GCS CLI POSIX Staging specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--environment

Variables to set in the environment when executing the stage_app

--stage-app

Path to the file staging app to use for this storage gateway

S3 specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] s3

Note

Documentation on the GCS CLI S3 specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

User Credentials Commands

$ globus-connect-server user-credentials

Note

The User Credentials commands are executed against the Storage-Gateway supporting a Mapped Collection requiring user/identity credential updates. Documentation on the GCS CLI user-credentials commands and all available options is available here.
Command Description

activescale-create

Create an ActiveScale User Credential

Option Description

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

delete

Delete a user credential

list

List all User Credentials on the Endpoint

oauth-create

Create a User Credential for connectors that support OAuth2

Option Description

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

s3-create

Create an S3 User Credential

Option Description

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--s3-requester-pays / --no-s3-requester-pays

Allow using this credential to access S3 Requester Pays buckets. The account owning these credentials will be charged for S3 operations.

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

s3-key-add

Add IAM keys to an S3 User Credential

Option Description

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--prefix TEXT

The path prefix of all S3 bucket/object paths to use with this key. This command is additive and can be run multiple times.

s3-key-delete

Delete IAM keys from an S3 User Credential

s3-key-update

Add IAM keys to an S3 User Credential

Option Description

--s3-secret-key TEXT

S3 secret key.

--prefix TEXT

A prefix to be associated with this key pair. Many are allowed.

show

Show a User Credential

Collection Configuration

$ globus-connect-server collection

Note

Documentation on the GCS CLI collection commands and all available options is available here.
Command Description

batch-delete

Delete multiple guest collections

check

Check collection configuration

Option Description

--mapped-collection-id

Filter results to Guest Collections on a specific Mapped Collection. This is the ID of the Mapped Collection

--filter

Filter results to one of the specified categories of collections. Can be applied multiple times

--storage-gateway-id

Filter results to Collections on a specific Storage Gateway. This is the ID of the Storage Gateway

create, update

Create/Update a new Mapped Collection

Option Description

--auto-delete-timeout

Number of days before unused guest collections will be automatically deleted. Only settable on mapped collections

--acl-expiration-mins

Length of time that guest collection permissions are valid. Settable on HA guest collections and HA mapped collections

--verify

Set the policy for this collection for file integrity verification after transfer

delete

Delete an existing Collection

domain

Manage the collection’s custom domain

list

List Collections

reset-owner-string

Reset the advertised owner string for a collection

role

Manage Roles

set-owner

Set the mapped collection owner

set-owner-string

Set the advertised owner string for a collection

show

Show a Collection definition

Audit Commands

$ globus-connect-server audit

Note

Documentation on the GCS CLI audit commands and all available options is available here.
Command Description

dump

Dump the full audit log database to a structured format

Option Description

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

load

Load audit logs into database for searching [sudo - elevated perms required]

Option Description

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Starting date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned.

-E, --end-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

query

Search audit log database

Option Description

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Starting date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned.

-E, --end-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

Auth Policy Commands

$ globus-connect-server auth-policy

Note

Auth policies are applied to Mapped Collections and can be used to enforce which Identity Domains Guest Collection users must (or must not) belong to in order to access a Guest Collection. Documentation on the GCS CLI auth-policy commands and all available options is available here.
Command Description

create, update

Create, or update, an authentication policy

Option Description

--high-assurance

Flag indicating if authentication policy will be used on high assurance collections. This setting is immutable [Create only]

--authentication-assurance-timeout INTEGER

Number of seconds within which someone must have authenticated to satisfy the policy

--description DESCRIPTION

Description for the authentication policy [Update only]

--display-name DISPLAY_NAME

Display name for the authentication policy [Update only]

--include DOMAIN

Domain which can be used in a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to include all domains

--exclude DOMAIN

Domain which cannot be used in a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to exclude no domains

--project-id PROJECT_ID

Auth project ID where the authentication policy will be stored

delete

Delete the authentication policy

list

List all authentication policies available to you

show

Display the authentication policy

OIDC Commands

$ globus-connect-server oidc

Note

Documentation on the GCS CLI oidc commands and all available options is available here.
Command Description

create, update

Create, or update, an OIDC server for this endpoint [sudo - elevated perms required]

Option Description

--display-name TEXT

Display name for the OIDC server [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

-p, --pam-service TEXT

Specify the PAM service module to use for authentication. Default is 'login'

--server-name DOMAIN_NAME

Fully-qualified domain name for the OIDC service

--certificate-path PATH

Path to the certificate for the virtual host for the OIDC service

--certificate-chain-path PATH

Path to the certificate chain for the virtual host for the OIDC service

--private-key-path PATH

Path to the private key for the virtual host for the OIDC service

--manage-certificate-and-key

Encrypt and synchronize the certificate and key between data transfer nodes; if not passed, you are responsible for ensuring that the certificate, chain, and key files are present on each data transfer node

--quickstart-server-name TEXT

DNS label to use for configuring the OIDC server to use a subdomain of the endpoint’s domain.

register

Register an existing OIDC server for use by this endpoint [sudo - elevated perms required]

Option Description

--display-name TEXT

Display name for the OIDC server [required]

--discovery-url URL

The OpenID Connect discovery URL for the server. The domain of the url will be the main domain of the IdP and must be asserted by the OIDC server. [required]

--domain DOMAIN

An alternate domain asserted by the OIDC server. It is not necessary to pass the domain from the 'discovery-url'. May be passed multiple times.

--client-id CLIENT-ID

You must configure Globus Auth as a client on your OIDC Server. This is the Client ID of that client configuration, which Globus will use to authenticate with your OIDC server. This is not the Globus client-id of your endpoint. [required]

--client-secret SECRET

You must configure Globus Auth as a client on your OIDC Server. This is the Client secret for the Client ID that Globus will use to authenticate with your OIDC server. This is not the Globus client-secret of your endpoint. [required]

--username-claim TEXT

Identity provider claim that maps to the user name. In most cases this should be 'preferred_username'. [required]

--id-claim TEXT

Identity provider claim that maps to the immutable ID. In most cases this should be 'sub'. [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

show

Get the status of this OIDC configuration [sudo - elevated perms required]

Session Commands

$ globus-connect-server session

Note

Documentation on the GCS CLI session commands and all available options is available here.
Command Description

consent

Update your session with specific consents

show

Show your current auth session

update

Update your CLI auth session

Sharing Policy Commands

$ globus-connect-server sharing-policy

Note

Sharing policies are created against Mapped Collections and allow for user-specific Guest Collection/path Sharing Restrictions.

Documentation on the GCS CLI sharing-policy commands and all available options is available here.

Command Description

create

Create a new Sharing Policy

Option Description

-u, --user USER

Restrict this policy to the given user. This may be passed multiple times to apply the policy to multiple users [required]

--read PATH

Restrict sharing to be read only for the given path. This may be passed multiple times to allow multiple read path restrictions

--read-write PATH

Restrict sharing to be read/write for the given path. This may be passed multiple times to allow multiple read/write path restrictions

--none PATH

Restrict sharing to be disallowed for the given path. This may be passed multiple times to allow multiple restrictions

delete

Delete an existing Endpoint Role

list

List Sharing Policies

show

Show a Sharing Policy definition

© 2010- The University of Chicago