Globus Connect Server CLI Command summary

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--export-node NODE_INFO_JSON

File to write node configuration to for

--agree-to-delete-previous-secret

Do not prompt for confirmation to delete a node-specific secret

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections [default: 50000, 51000]

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections

-i, --ip-address IP_ADDRESS

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface IP_ADDRESS

IP interface of the GCS Node used for Globus data transfers

--import-node NODE_INFO_JSON

File to read node configuration from (created by --export-node)

--export-node NODE_INFO_JSON

File to write node configuration to for restoring later

--new-secret

Create a unique auth credential for this node

--enable / --disable

Set the node state to 'active' or 'inactive'

-i, --ip-address TEXT

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface TEXT

IPv4 interface of the GCS Node used for Globus data transfers

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections. Set to "" "" to remove this setting

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections. Set to "" "" to remove this setting

--high-assurance

Flag indicating that High Assurance features are required on this storage gateway

--mfa/--no-mfa

Determine whether MFA authenticated session is required to access Collections [MFA supported on HA storage gateways only]

--domain

Identity Domain which Mapped Collection access is restricted to

--authentication-timeout-mins

Re-authentication threshold

--restrict-paths

Used to define which paths are accessible via Collections based on the storage gateway

--identity-mapping

Used to define a custom identity mapping policy

--network-use

Used to define NetworkUse at the storage gateway layer

--preferred-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred parallelism setting per storage gateway

--max-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the max parallelism setting per storage gateway

--preferred-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred concurrency setting per storage gateway

--max-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the max concurrency setting per storage gateway

--user-allow/--user-deny

Used to allow, or deny, Collection access per connector specific username

--posix-group-allow/--posix-group-deny

Used to allow, or deny, Collection access per POSIX group

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

--azure-adls / --azure-no-adls

Indicate whether Azure Data Lake Gen2 is enabled for the Azure storage account

--azure-storage-account

Azure storage account to associate the Storage Gateway with

--azure-credential-type

Set the type of credential used for authentication to Azure

--ms-allow-any-account

Allow users to access any Azure Blob Storage account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access Azure Blob Storage as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access Azure Blob Storage

--blackpearl-access-id-file

Path to the BlackPearl user mapping file

--s3-endpoint

Region-specific URI of the BlackPearl API

--box-settings

The Box App Settings JSON data, as a string or a file. This is used when Box is configured as an enterprise application

--box-user-api-rate-limit

Box API rate limit. Limiting the number of requests per second per user

--box-allow-any-account

Allow users to access any Box account

--box-client-id

Application Client Id registered with Box

--box-client-secret

Secret associated with the given --box-client-id Box application

--ceph-admin-secret-key

Secret key corresponding to --ceph-admin-key-id

--ceph-admin-key-id

Key ID of an admin key used to resolve Ceph usernames to credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the Ceph API

--dropbox-user-api-rate-limit

Dropbox API rate limit. Number of requests per second per user

--dropbox-allow-any-account

Allow users to access any Dropbox account

--dropbox-client-secret

Secret associated with the --dropbox-client-id Dropbox application

--dropbox-client-id

Application client id (App Key) registered with the Dropbox App Console

--google-service-account-key

The Google service account key file used when leveraging a Google Service Account for access

--google-cloud-storage-project

Project this Storage Gateway is allowed to access

--google-allow-any-account

Allow users to access any Google Cloud storage account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

--bucket

Bucket to include in the root of the Storage Gateway

--google-drive-user-api-rate-quota

Negotiated rate quota for Queries per 100 per user

--google-allow-any-account

Allow users to access any Google Drive account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

--login-name

Name of the HPSS user in the keytab file that the GridFTP server will use to authenticate to HPSS

--authentication-mech

Defines the type of authentication the connector will perform when logging into HPSS

--authenticator

Authenticator used with --authentication-mech to perform authentication to HPSS

--uda-checksum/--no-uda-checksum

Flag that indicates if checksums should be stored within UDAs so that sync-by-checksum transfers can verify the file without staging the file from tape

--irods-authentication-file

Path to iRODS authentication file on the endpoint

--irods-environment-file

Path to iRODS environment file on the endpoint

--ms-user-api-rate-limit

OneDrive API rate limit. Number of requests per second per user

--ms-allow-any-account

Allow users to access any OneDrive account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access OneDrive as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access OneDrive

--environment

Variables to set in the environment when executing the stage_app

--stage-app

Path to the file staging app to use for this storage gateway

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--s3-requester-pays / --no-s3-requester-pays

Allow using this credential to access S3 Requester Pays buckets. The account owning these credentials will be charged for S3 operations.

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--prefix TEXT

The path prefix of all S3 bucket/object path to use with this key. This command is additive and can be run multiple times.

--s3-secret-key TEXT

S3 secret key.

--prefix TEXT

A prefix to be associated with this key pair. Many are allowed.

--mapped-collection-id

Filter results to Guest Collections on a specific Mapped Collection. This is the ID of the Mapped Collection

--filter

Filter results to one of the specified categories of collections. Can be applied multiple times

--storage-gateway-id

Filter results to Collections on a specific Storage Gateway. This is the ID of the Storage Gateway

--auto-delete-timeout

Number of days before unused guest collections will be automatically deleted. Only settable on mapped collections

--acl-expiration-mins

Length of time that guest collection permissions are valid. Settable on HA guest collections and HA mapped collections

--verify

Set the policy for this collection for file integrity verification after transfer

-d, --db-path PATH

Path to the audit database [default:~/.globus/audit-logs.db]

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned. -E, --end-date DATE Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned. -E, --end-date DATE Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

--high-assurance

Flag indicating if authentication policy will be used on high assurance collections. This setting is immutable [Create only]

--authentication-assurance-timeout

INTEGER Number of seconds within which someone must have authenticated to satisfy the policy

--description DESCRIPTION

Description for the authentication policy [Update only]

--display-name DISPLAY_NAME

Display name for the authentication policy [Update only]

--include DOMAIN

Domain which can be used a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to include all domains

--exclude DOMAIN

Domain which cannot be used a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to exclude no domains

--project-id PROJECT_ID

Auth project ID where the authentication policy will be stored

--display-name TEXT

Display name for the OIDC server [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

-p, --pam-service TEXT

Specify the PAM service module to use for authentication. Default is 'login'

--server-name DOMAIN_NAME

Fully-qualified domain name for the OIDC service

--certificate-path PATH

Path to the certificate for the virtual host for the OIDC service

--certificate-chain-path PATH

Path to the certificate chain for the virtual host for the OIDC service

--private-key-path PATH

Path to the private key for the virtual host for the OIDC service

--manage-certificate-and-key

Encrypt and synchronize the certificate and key between data transfer nodes; if not passed, you are responsible for ensuring that the certificate, chain, and key files are present on each data transfer node

--quickstart-server-name TEXT

DNS label to use for configuring the OIDC server to use a subdomain of the endpoint’s domain.

--display-name TEXT

Display name for the OIDC server [required]

--discovery-url URL

The OpenID Connect discovery URL for the server. The domain of the url will be the main domain of the IdP and must be asserted by the OIDC server. [required]

--domain DOMAIN

An alternate domain asserted by the OIDC server. It is not necessary to pass the domain from the 'discovery-url'. May be passed multiple times.

--client-id CLIENT-ID

You must configure Globus Auth as a client on your OIDC Server. This is the Client ID of that that client configuration, which Globus will use to authenticate with your OIDC server. This is not the Globus client-id of your endpoint. [required]

--client-secret SECRET

You must configure Globus Auth as a client on your OIDC Server. This is the Client secret for the Client ID that Globus will use to authenticate with your OIDC server. This is not the Globus client- secret of your endpoint. [required]

--username-claim TEXT

Identity provider claim that maps to the user name. In most cases this should be 'preferred_username'. [required]

--id-claim TEXT

Identity provider claim that maps to the immutable ID. In most cases this should be 'sub'. [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

-u, --user USER

Restrict this policy to the given user. This may be passed multiple times to apply the policy to multiple users [required]

--read PATH

Restrict sharing to be read only for the given path. This may be passed multiple times to allow multiple read path restrictions

--read-write PATH

Restrict sharing to be read/write for the given path. This may be passed multiple times to allow multiple read/write path restrictions

--none PATH

Restrict sharing to be disallowed for the given path. This may be passed multiple times to allow multiple restrictions