
Globus Connect Server CLI Command summary

Table of Contents
  • 1. Overview
  • 2. Command agnostic options
  • 3. Endpoint Configuration
  • 4. Node Configuration
  • 5. Connector agnostic Storage Gateway Configuration
  • 6. POSIX specific Storage Gateway Configuration
  • 7. ActiveScale specific Storage Gateway Configuration
  • 8. Azure-Blob specific Storage Gateway Configuration
  • 9. BlackPearl specific Storage Gateway Configuration
  • 10. Box specific Storage Gateway Configuration
  • 11. Ceph specific Storage Gateway Configuration
  • 12. DropBox specific Storage Gateway Configuration
  • 13. Google Cloud specific Storage Gateway Configuration
  • 14. Google Drive specific Storage Gateway Configuration
  • 15. HPSS Drive specific Storage Gateway Configuration
  • 16. iRODS Drive specific Storage Gateway Configuration
  • 17. OneDrive Drive specific Storage Gateway Configuration
  • 18. POSIX Staging Drive specific Storage Gateway Configuration
  • 19. S3 specific Storage Gateway Configuration
  • 20. User Credentials Commands
  • 21. Collection Configuration
  • 22. Audit Commands
  • 23. Auth Policy Commands
  • 24. OIDC Commands
  • 25. Session Commands
  • 26. Sharing Policy Commands

1. Overview

Common Globus Connect Server CLI commands used to configure Endpoints, Storage Gateways, Collections and associated policies.

While not all commands/options are listed below, each section includes a link to the command-specific documentation page.

2. Command agnostic options

$ globus-connect-server collection list --show-stack-trace --use-explicit-host localhost

Option Description

--use-explicit-host

Used to specify the node to direct GCS CLI commands to

--show-stack-trace

Used to produce more verbose error output

3. Endpoint Configuration

$ globus-connect-server endpoint

Note

Documentation on the GCS CLI endpoint commands and all available options is available here.
Command Description

cleanup

Permanently delete an Endpoint definition

domain [delete,show]

Show or Delete Endpoint domain

domain update

Update Endpoint Custom Domain

Option Description

--domain

DNS name to use for this endpoint

--wildcard

Flag indicating that this is a wildcard domain; if true, all collections on this endpoint which don’t have custom domains will be subdomains of this domain

--managed/--unmanaged

If --managed, automatically synchronize domain certificates and keys using Globus services

--private-key-path

Path to a file containing the private key to use for this domain

--certificate-chain-path

Path to a file containing the x.509 certificate chain to use for this domain

--certificate-path

Path to a file containing the x.509 certificate to use for this domain

key

Manage Endpoint Deployment Key [deployment-key.json]

reset-owner-string

Reset the advertised Endpoint owner string to the Endpoint's ClientID

role

Manage Endpoint roles

set-owner

Update the Endpoint owner role assignment

set-owner-string

Update the advertised Endpoint owner string

set-subscription-id

Update an Endpoint's Globus Subscription assignment

setup

Create an Endpoint

Option Description

--always-create-project

Create a new Globus Auth project for this endpoint

--project-admin

Globus username of the admin of the Auth project where the new endpoint client will be registered. Only required if the project admin identity is different from the endpoint owner

--project-name

Name of the Globus Auth project where the new endpoint client will be registered

--dont-set-advertised-owner

Skip the interactive step to set the endpoint advertised owner

--public/--private

Determines whether an Endpoint is visible to identities without an Endpoint role assignment

--agree-to-letsencrypt-tos

Agree to LetsEncrypt TOS

4. Node Configuration

$ globus-connect-server node

Note

Documentation on the GCS CLI node commands and all available options is available here.
Command Description

cleanup

Clean up a Globus Connect Server node [sudo - elevated perms required]

create

Create a Globus Connect Server node configuration

Option Description

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--export-node NODE_INFO_JSON

File to write node configuration to for

delete

Delete a Node by ID

disable

Set the local node status to 'inactive,' as the root user on the server [no GCS CLI session required]

enable

Set the local node status to 'active,' as the root user on the server [no GCS CLI session required]

list

List all Nodes on the Endpoint

new-secret

Create a new secret for this node

Option Description

--agree-to-delete-previous-secret

Do not prompt for confirmation to delete a node-specific secret

setup

Set up a Globus Connect Server node [sudo - elevated perms required]

Option Description

-d, --deployment-key DEPLOYMENT_KEY_PATH

Path for deployment key configuration

-c, --client-id TEXT

The --client-id option has been removed, see the 'endpoint key convert' command to update your deployment key

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections [default: 50000, 51000]

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections

-i, --ip-address IP_ADDRESS

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface IP_ADDRESS

IP interface of the GCS Node used for Globus data transfers

--import-node NODE_INFO_JSON

File to read node configuration from (created by --export-node)

--export-node NODE_INFO_JSON

File to write node configuration to for restoring later

--new-secret

Create a unique auth credential for this node

show

Display the state of a Node

update

Update a Node’s config

Option Description

--enable / --disable

Set the node state to 'active' or 'inactive'

-i, --ip-address TEXT

IP address of the GCS Node. Use this option multiple times to set multiple IPs

--data-interface TEXT

IPv4 interface of the GCS Node used for Globus data transfers

--incoming-port-range LOW_PORT HIGH_PORT

Allowed port range for incoming TCP data connections. Set to "" "" to remove this setting

--outgoing-port-range LOW_PORT HIGH_PORT

Port range used as the source for outgoing TCP data connections. Set to "" "" to remove this setting

5. Connector agnostic Storage Gateway Configuration

$ globus-connect-server storage-gateway

Note

Documentation on the GCS CLI storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--high-assurance

Flag indicating that High Assurance features are required on this storage gateway

--mfa/--no-mfa

Determine whether MFA authenticated session is required to access Collections [MFA supported on HA storage gateways only]

--domain

Identity Domain which Mapped Collection access is restricted to

--authentication-timeout-mins

Re-authentication threshold

--restrict-paths

Used to define which paths are accessible via Collections based on the storage gateway

--identity-mapping

Used to define a custom identity mapping policy

--network-use

Used to define NetworkUse at the storage gateway layer

--preferred-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred parallelism setting per storage gateway

--max-parallelism

Used in conjunction with the 'Custom' NetworkUse setting to set the max parallelism setting per storage gateway

--preferred-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the preferred concurrency setting per storage gateway

--max-concurrency

Used in conjunction with the 'Custom' NetworkUse setting to set the max concurrency setting per storage gateway

--user-allow/--user-deny

Used to allow, or deny, Collection access per connector specific username

delete

Delete an existing storage gateway

list

List storage gateways

show

Show a storage gateway definition

6. POSIX specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] posix

Note

Documentation on the GCS CLI storage-gateway create posix options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--posix-group-allow/--posix-group-deny

Used to allow, or deny, Collection access per POSIX group

7. ActiveScale specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] activescale

Note

Documentation on the GCS CLI ActiveScale specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

8. Azure-Blob specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] azure-blob

Note

Documentation on the GCS CLI Azure Blob specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--azure-adls / --azure-no-adls

Indicate whether Azure Data Lake Gen2 is enabled for the Azure storage account

--azure-storage-account

Azure storage account to associate the Storage Gateway with

--azure-credential-type

Set the type of credential used for authentication to Azure

--ms-allow-any-account

Allow users to access any Azure Blob Storage account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access Azure Blob Storage as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access Azure Blob Storage

9. BlackPearl specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] blackpearl

Note

Documentation on the GCS CLI BlackPearl specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--blackpearl-access-id-file

Path to the BlackPearl user mapping file

--s3-endpoint

Region-specific URI of the BlackPearl API

10. Box specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] box

Note

Documentation on the GCS CLI Box specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--box-settings

The Box App Settings JSON data, as a string or a file. This is used when Box is configured as an enterprise application

--box-user-api-rate-limit

Box API rate limit. Limiting the number of requests per second per user

--box-allow-any-account

Allow users to access any Box account

--box-client-id

Application Client Id registered with Box

--box-client-secret

Secret associated with the given --box-client-id Box application

11. Ceph specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] ceph

Note

Documentation on the GCS CLI Ceph specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--ceph-admin-secret-key

Secret key corresponding to --ceph-admin-key-id

--ceph-admin-key-id

Key ID of an admin key used to resolve Ceph usernames to credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the Ceph API

12. DropBox specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] dropbox

Note

Documentation on the GCS CLI DropBox specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--dropbox-user-api-rate-limit

Dropbox API rate limit. Number of requests per second per user

--dropbox-allow-any-account

Allow users to access any Dropbox account

--dropbox-client-secret

Secret associated with the --dropbox-client-id Dropbox application

--dropbox-client-id

Application client id (App Key) registered with the Dropbox App Console

13. Google Cloud specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] google-cloud

Note

Documentation on the GCS CLI Google Cloud specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--google-service-account-key

The Google service account key file used when leveraging a Google Service Account for access

--google-cloud-storage-project

Project this Storage Gateway is allowed to access

--google-allow-any-account

Allow users to access any Google Cloud storage account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

--bucket

Bucket to include in the root of the Storage Gateway

14. Google Drive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] google-drive

Note

Documentation on the GCS CLI Google Drive specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--google-drive-user-api-rate-quota

Negotiated rate quota for Queries per 100 per user

--google-allow-any-account

Allow users to access any Google Drive account

--google-client-secret

Secret created by Google to access Google as the given --google-client-id

15. HPSS Drive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] hpss

Note

Documentation on the GCS CLI HPSS specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--login-name

Name of the HPSS user in the keytab file that the GridFTP server will use to authenticate to HPSS

--authentication-mech

Defines the type of authentication the connector will perform when logging into HPSS

--authenticator

Authenticator used with --authentication-mech to perform authentication to HPSS

--uda-checksum/--no-uda-checksum

Flag that indicates if checksums should be stored within UDAs so that sync-by-checksum transfers can verify the file without staging the file from tape

16. iRODS Drive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] irods

Note

Documentation on the GCS CLI iRODS specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--irods-authentication-file

Path to iRODS authentication file on the endpoint

--irods-environment-file

Path to iRODS environment file on the endpoint

17. OneDrive Drive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] onedrive

Note

Documentation on the GCS CLI OneDrive specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--ms-user-api-rate-limit

OneDrive API rate limit. Number of requests per second per user

--ms-allow-any-account

Allow users to access any OneDrive account

--ms-tenant

Microsoft Tenant Id. Required when application is configured in single-tenant mode

--ms-client-secret

Secret created by Microsoft to access OneDrive as the given --ms-client-id

--ms-client-id

Application Client Id registered with Microsoft to access OneDrive

18. POSIX Staging Drive specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] posix-staging

Note

Documentation on the GCS CLI POSIX Staging specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--environment

Variables to set in the environment when executing the stage_app

--stage-app

Path to the file staging app to use for this storage gateway

19. S3 specific Storage Gateway Configuration

$ globus-connect-server storage-gateway [create|update] s3

Note

Documentation on the GCS CLI S3 specific storage-gateway commands and all available options is available here.
Command Description

create, update

Create/Update a Storage Gateway

Option Description

--s3-user-credential/--s3-unauthenticated

Determines whether Collections based on the storage gateway will require user credentials

--admin-managed-credentials/--no-admin-managed-credentials

Determines whether Endpoint Admins can create/update user credentials

--bucket

Specify which buckets are accessible via the storage gateway

--s3-endpoint

Region-specific URI of the ActiveScale S3 API

20. User Credentials Commands

$ globus-connect-server user-credentials

Note

The User Credentials commands are executed against the Storage-Gateway supporting a Mapped Collection requiring user/identity credential updates. Documentation on the GCS CLI user-credentials commands and all available options is available here.
Command Description

activescale-create

Create an Active Scale User Credential

Option Description

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

delete

Delete a user credential

list

List all User Credentials on the Endpoint

oauth-create

Create a User Credential for connectors that support OAuth2

Option Description

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

s3-create

Create an S3 User Credential

Option Description

--globus-identity [UUID,USERNAME]

Globus identity id or username id to associate the credential with [required]

--mapped-user TEXT

GCSv5 mapped identity username. If not provided, defaults to the Globus identity username

--s3-access-key-id TEXT

S3 Access Key ID. If not provided, this command will prompt for it

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--s3-requester-pays / --no-s3-requester-pays

Allow using this credential to access S3 Requester Pays buckets. The account owning these credentials will be charged for S3 operations.

--replace-existing

Replace a user credential that already exists. If not provided, existing credentials will not be updated

s3-key-add

Add IAM keys to an S3 User Credential

Option Description

--s3-secret-key TEXT

S3 secret key. If not provided, this command will prompt for it

--prefix TEXT

The path prefix of all S3 bucket/object path to use with this key. This command is additive and can be run multiple times.

s3-key-delete

Delete IAM keys from an S3 User Credential

s3-key-update

Add IAM keys to an S3 User Credential

Option Description

--s3-secret-key TEXT

S3 secret key.

--prefix TEXT

A prefix to be associated with this key pair. Many are allowed.

show

Show a User Credential

21. Collection Configuration

$ globus-connect-server collection

Note

Documentation on the GCS CLI collection commands and all available options is available here.
Command Description

batch-delete

Delete multiple guest collections

check

Check collection configuration

Option Description

--mapped-collection-id

Filter results to Guest Collections on a specific Mapped Collection. This is the ID of the Mapped Collection

--filter

Filter results to one of the specified categories of collections. Can be applied multiple times

--storage-gateway-id

Filter results to Collections on a specific Storage Gateway. This is the ID of the Storage Gateway

create, update

Create/Update a new Mapped Collection

Option Description

--acl-expiration-mins [INT|null]

Length of time that guest collection permissions are valid. Settable on HA guest collections and HA mapped collections and used by the guest collections attached to the mapped collection. When set on both the HA mapped collection and one of its HA guest collections, the lesser value will be in effect. Pass '--acl-expiration-mins ""' to drop any previous setting

--allow-guest-collections / --no-allow-guest-collections

Allow Guest Collections to be created on this Collection. This option is only usable on Mapped Collections. If this option is disabled on a Mapped Collection which already has associated Guest Collections, those collections will no longer be accessible

--activity-notifications _COMMA_SEPARATED_LIST

[UPDATE Only] Configure activity notifications for guest collections. The value is a comma-separated list of one or more of the following values: succeeded, failed, source, destination. Use the value "all" to enable all activity notifications. Use the value "" to disable all activity notifications. Only settable on guest collections. Defaults to no activity notifications

--auto-delete-timeout INTEGER

Number of days before unused guest collections will be automatically deleted. Only settable on mapped collections. Values must be an integer greater than 0. Defaults to disabled

--contact-email TEXT

Email address of the support contact for this Collection. This is visible to end users so that they may contact your organization for support

--contact-info TEXT

Non-email contact information for the Collection, e.g. phone and mailing address. This is visible to end users for support

--default-directory TEXT

Default directory when browsing the collection

--delete-protected

If --delete-protected, then this collection cannot be deleted until --no-delete-protected is used with the collection update command. This option is enabled by default as of GCS v5.4.69.

--department TEXT

Department which operates the Collection

--description TEXT

Description for the Collection

--disable-anonymous-writes / --enable-anonymous-writes

Allow anonymous write ACLs on Guest Collections attached to this Mapped Collection. This option is only usable on non high assurance Mapped Collections and the setting is inherited by the hosted Guest Collections. Anonymous write ACLs are enabled by default (requires an endpoint with API v1.8.0)

--disable-https

Explicitly disable HTTPS support (requires a managed endpoint with API v1.1.0)

--display-name TEXT

[UPDATE Only] New name for the Collection

--domain-name TEXT

DNS host name for the collection (mapped collections only). This may be either a host name or a fully-qualified domain name, but if it is the latter it must be a subdomain of the endpoint’s domain

--enable-https

Explicitly enable HTTPS support (requires a managed endpoint with API v1.1.0)

--flow-transfer-destination [UUID|null]

Restrict transfers using the collection as the destination to only transfers invoked by the given Globus flow. The value is the ID of the Globus flow. Specify null to remove the collection’s association with the flow. When this is enabled, storing files via the collection HTTPS interface is disabled

--flow-transfer-source [UUID|null]

Restrict transfers using the collection as the source to only transfers invoked by the given Globus flow. The value is the ID of the Globus flow. Specify null to remove the collection’s association with the flow. When this is enabled, retrieving files via the collection HTTPS interface is disabled

--force-encryption / --no-force-encryption

When set, all transfers to and from this collection are always encrypted

--google-project-id TEXT

For Google Cloud Storage backed Collections only. The Google Cloud Platform project ID which is used by this Collection

--guest-auth-policy-id [UUID|null]

Set the auth policy on a mapped collection which is inherited by all guest collections attached to the mapped collection. Pass '--guest-auth-policy-id null' to remove the auth policy from the collection. This option is only usable on mapped collections

--identity-id TEXT

Globus Auth identity who acts as the owner of this Collection. This identity is an administrator on the Endpoint. This ID must be in your current identity set

--info-link TEXT

Link for info about the Collection

--keywords TEXT,TEXT,…​

Comma separated list of keywords to help searches for the Collection

--organization TEXT

Organization for the Collection

--posix-sharing-group-allow NAME | file:PATH | ""

POSIX group allowed access to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--posix-sharing-group-deny NAME | file:PATH | ""

POSIX group denied permission to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--posix-staging-sharing-group-allow NAME | file:PATH | ""

POSIX Staging group allowed access to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--posix-staging-sharing-group-deny NAME | file:PATH | ""

POSIX Staging group denied permission to create guest collections. The parameter value may be either a group name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited group names. This option can be used multiple times. Set a value of "" to clear this

--public / --private

Set the Collection to be public or private (defaults to public)

--restrict-transfers-to-high-assurance [inbound|outbound|all|null]

Restrict inbound, outbound, or all transfers between high assurance collections. Only settable on high assurance mapped collections and inherited by all attached guest collections. Setting this feature will disable HTTPS access on the mapped collection and its attached guest collections. Setting to the value null removes this restriction

--sharing-restrict-paths [JSON|file:JSON_FILE]

Path restrictions for sharing data on guest collections based on this collection. This option is only usable on Mapped Collections

--sharing-user-allow NAME | file:PATH | ""

Connector-specific username allowed to create guest collections. The parameter value may be either a user name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited user names. This option can be used multiple times. Set a value of "" to clear this

--sharing-user-deny NAME | file:PATH | ""

Connector-specific username denied permission to create guest collections. The parameter value may be either a user name or a filename prefixed by 'file:'. In the latter case, the contents of that file are read as one or more lines of whitespace delimited user names. This option can be used multiple times. Set a value of "" to clear this

--skip-auto-delete / --no-skip-auto-delete

[UPDATE Only] Option indicating whether the guest collection is subject to automatic deletion if --auto-delete-timeout is set on its mapped collection. Only settable on guest collections. Defaults to false

--user-message-link TEXT

Link to additional messaging for clients to display to users when interacting with this endpoint, linked to an http or https URL with this collection

--user-message TEXT

A message for clients to display to users when interacting with this collection

--verify [force|disable|default]

Set the policy for this collection for file integrity verification after transfer. 'force' requires all transfers to perform verification. 'disable' disables all verification checks. 'default' allows the user to decide on verification at Transfer task submit time. When set on mapped collections, this policy is inherited by any guest collections

delete

Delete an existing Collection

domain

Manage the collection’s custom domain

list

List Collections

reset-owner-string

Reset the advertised owner string for a collection

role

Manage Roles

set-owner

Set the mapped collection owner

set-owner-string

Set the advertised owner string for a collection

show

Show a Collection definition

22. Audit Commands

$ globus-connect-server audit

Note

Documentation on the GCS CLI audit commands and all available options is available here.
Command Description

dump

Dump the full audit log database to a structured format

Option Description

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

load

Load audit logs into database for searching [sudo - elevated perms required]

Option Description

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Starting date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned.

-E, --end-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]

query

Search audit log database

Option Description

-p, --path PATH

Query by storage path accesses. To query a partial path, add % on either or both ends. Only results related to accessing this path will be returned.

-i, --identity ID

Query by identity. Accepts a Globus identity uuid. Only results that were initiated by this identity will be returned.

-u, --user USERNAME

Query by storage or local username. Only operations initiated by this user will be returned.

-c, --collection UUID

Filter by collection id. Can be passed multiple times.

-t, --task-id [UUID,none]

Filter by task id. Can be passed multiple times.

-o, --op OP

Filter by operation type. Can be passed multiple times. Possible values are STOR, RETR, STAT, CKSM, DELE, REN, MKD, RMD, RDEL.

-S, --start-date DATE

Starting date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or after this day will be returned.

-E, --end-date DATE

Ending date for queries, formatted year-month-day (e.g. 2020-05-29). Only results that occur on or before this day will be returned.

-f, --field FIELD

Select the fields returned with each result. Can be passed multiple times. Possible values are start_ts, end_ts, op, path, peer_addr, length, result, count, client_addr, auth_type, process_user, storage_user, root_path, task_id, collection_id, identity_id.

-F, --format [json,csv]

Output in a structured format instead of the default text. json or csv.

-d, --db-path PATH

Path to the audit database [default: ~/.globus/audit-logs.db]
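An added example, not part of the Globus documentation: post-processing a CSV export from audit query to flag identities that performed many delete-type operations (DELE, RDEL, RMD). It assumes the -F csv output begins with a header row named after the selected -f fields; the sample rows, UUIDs and the threshold are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Operation types from the --op list above that remove data.
DESTRUCTIVE_OPS = {"DELE", "RDEL", "RMD"}
REQUIRED = {"op", "path", "identity_id", "collection_id"}

# Constructed sample standing in for the output of (assumed invocation):
#   globus-connect-server audit query -o STOR -o DELE -o RDEL -o RMD \
#       -f op -f path -f identity_id -f collection_id -F csv
ID_A = "11111111-1111-4111-8111-111111111111"  # constructed identity
ID_B = "22222222-2222-4222-8222-222222222222"  # constructed identity
COLL = "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"  # constructed collection
SAMPLE_CSV = "\n".join([
    "op,path,identity_id,collection_id",  # header row is an assumption
    f"STOR,/projects/alpha/new.dat,{ID_A},{COLL}",
    f"DELE,/projects/alpha/run1.dat,{ID_A},{COLL}",
    f"DELE,/projects/alpha/run2.dat,{ID_A},{COLL}",
    f"RDEL,/projects/alpha/old,{ID_A},{COLL}",
    f"RMD,/projects/alpha/tmp,{ID_A},{COLL}",
    f"DELE,/home/b/scratch.txt,{ID_B},{COLL}",
    f"STOR,/home/b/notes.txt,{ID_B},{COLL}",
])


def flag_destructive_identities(csv_text, threshold=3):
    """Return per-identity delete activity for identities at or over threshold."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        # The export was made without the -f fields this check depends on.
        raise ValueError(f"export lacks fields: {sorted(missing)}")
    ops = defaultdict(Counter)
    paths = defaultdict(list)
    for row in reader:
        op = row["op"].strip().upper()
        if op not in DESTRUCTIVE_OPS:
            continue
        ident = row["identity_id"].strip() or "(no identity)"
        ops[ident][op] += 1
        paths[ident].append((row["collection_id"], row["path"]))
    return {
        ident: {"count": sum(c.values()), "ops": dict(c), "paths": paths[ident]}
        for ident, c in ops.items()
        if sum(c.values()) >= threshold
    }


if __name__ == "__main__":
    for ident, hit in flag_destructive_identities(SAMPLE_CSV).items():
        print(ident, hit["count"], hit["ops"])
```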

23. Auth Policy Commands

$ globus-connect-server auth-policy

Note

Auth policies are applied to Mapped Collections and can be used to enforce which Identity Domains Guest Collections users must (or must not) belong to in order to access a Guest Collection. Documentation on the GCS CLI auth-policy commands and all available options is available here.
Command Description

create,update

Create, or update, an authentication policy

Option Description

--high-assurance

Flag indicating if authentication policy will be used on high assurance collections. This setting is immutable [Create only]

--authentication-assurance-timeout INTEGER

Number of seconds within which someone must have authenticated to satisfy the policy

--description DESCRIPTION

Description for the authentication policy [Update only]

--display-name DISPLAY_NAME

Display name for the authentication policy [Update only]

--include DOMAIN

Domain which can be used by a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to include all domains

--exclude DOMAIN

Domain which cannot be used by a user’s linked identities to satisfy the authentication policy. This option can be given multiple times. The domain may use wildcards for a portion of the string. Specify a value of "" to exclude no domains

--project-id PROJECT_ID

Auth project ID where the authentication policy will be stored

delete

Delete the authentication policy

list

List all authentication policies available to you

show

Display the authentication policy

24. OIDC Commands

$ globus-connect-server oidc

Note

Documentation on the GCS CLI oidc commands and all available options is available here.
Command Description

create, update

Create, or update, an OIDC server for this endpoint [sudo - elevated perms required]

Option Description

--display-name TEXT

Display name for the OIDC server [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

-p, --pam-service TEXT

Specify the PAM service module to use for authentication. Default is 'login'

--server-name DOMAIN_NAME

Fully-qualified domain name for the OIDC service

--certificate-path PATH

Path to the certificate for the virtual host for the OIDC service

--certificate-chain-path PATH

Path to the certificate chain for the virtual host for the OIDC service

--private-key-path PATH

Path to the private key for the virtual host for the OIDC service

--manage-certificate-and-key

Encrypt and synchronize the certificate and key between data transfer nodes; if not passed, you are responsible for ensuring that the certificate, chain, and key files are present on each data transfer node

--quickstart-server-name TEXT

DNS label to use for configuring the OIDC server to use a subdomain of the endpoint’s domain.

register

Register an existing OIDC server for use by this endpoint [sudo - elevated perms required]

Option Description

--display-name TEXT

Display name for the OIDC server [required]

--discovery-url URL

The OpenID Connect discovery URL for the server. The domain of the url will be the main domain of the IdP and must be asserted by the OIDC server. [required]

--domain DOMAIN

An alternate domain asserted by the OIDC server. It is not necessary to pass the domain from the 'discovery-url'. May be passed multiple times.

--client-id CLIENT-ID

You must configure Globus Auth as a client on your OIDC Server. This is the Client ID of that client configuration, which Globus will use to authenticate with your OIDC server. This is not the Globus client-id of your endpoint. [required]

--client-secret SECRET

You must configure Globus Auth as a client on your OIDC Server. This is the Client secret for the Client ID that Globus will use to authenticate with your OIDC server. This is not the Globus client-secret of your endpoint. [required]

--username-claim TEXT

Identity provider claim that maps to the user name. In most cases this should be 'preferred_username'. [required]

--id-claim TEXT

Identity provider claim that maps to the immutable ID. In most cases this should be 'sub'. [required]

--support-contact TEXT

Support contact name for the OIDC server [required]

--support-email TEXT

Support contact email address for the OIDC server [required]

show

Get the status of this OIDC configuration [sudo - elevated perms required]

25. Session Commands

$ globus-connect-server session

Note

Documentation on the GCS CLI session commands and all available options is available here.
Command Description

consent

Update your session with specific consents

show

Show your current auth session

update

Update your CLI auth session

26. Sharing Policy Commands

$ globus-connect-server sharing-policy

Note

Sharing policies are created against Mapped Collections and allow for user-specific Guest Collection/path Sharing Restrictions.

Documentation on the GCS CLI sharing-policy commands and all available options is available here.

Command Description

create

Create a new Sharing Policy

Option Description

-u, --user USER

Restrict this policy to the given user. This may be passed multiple times to apply the policy to multiple users [required]

--read PATH

Restrict sharing to be read only for the given path. This may be passed multiple times to allow multiple read path restrictions

--read-write PATH

Restrict sharing to be read/write for the given path. This may be passed multiple times to allow multiple read/write path restrictions

--none PATH

Restrict sharing to be disallowed for the given path. This may be passed multiple times to allow multiple restrictions

delete

Delete an existing Sharing Policy

list

List Sharing Policies

show

Show a Sharing Policy definition

© 2010- The University of Chicago