Storage Gateways

A storage gateway provides the access policies for the endpoint’s connected storage systems. It is a named interface by which authorized users can create and manage collections on the connected storage system. A single storage system may be associated with multiple storage gateways, each with its own policies.

Storage gateway policies describe the type of connector the storage gateway uses, the paths it allows access to, the login requirements for the storage gateway, and the algorithm used to map Globus identities to the user namespace of the storage gateway (e.g. local accounts).


Each Storage Gateway configures access to one type of data storage. The type of storage is referred to as a connector. Globus Connect Server v5.4 supports the following connectors:


Local file storage backed by any file system that supports basic POSIX file API operations to access files, directories, and basic metadata.

Google Drive

Cloud data stored in the Google Drive web service.

Spectra Logic Black Pearl

Archive data storage stored in a Spectra Logic Black Pearl system.

Google Cloud Storage

Cloud data stored in the Google Cloud Storage service.

Amazon S3

Cloud data stored in the Amazon S3 service.


Distributed object storage stored in a Ceph RADOS object store.


Cloud data sharing system stored in the Box service.

Each of these connectors has some different configuration steps and storage policies. These are described in the individual connector storage gateway management commands.


Connectors other than POSIX are premium features which require a subscription. See for more information.

High Assurance

When a Storage Gateway is created, it can be configured to require High Assurance for data access. This enhances authentication assurance by enforcing session-based authentication timeouts and higher encryption standards for data in transit. Stricter access controls are employed when accessing the storage gateway configuration and performing data operations on collections created on High Assurance Storage Gateways.


This is a premium feature, and requires a subscription with the high assurance add-on.

If you are using Globus Connect Server with high assurance features, you will need to set all storage gateways that have access to restricted data as high assurance.
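One way to check that requirement across gateway definitions, as an added example that is not part of the Globus documentation. The field names follow the StorageGateway document on this page; the set of restricted gateway ids, the approved domain list, the timeout ceiling and the sample document are assumptions constructed for illustration.

```python
import json

# Deprecated alias -> canonical field, as listed in the StorageGateway document.
ALIASES = {
    "require_high_assurance": "high_assurance",
    "authentication_assurance_timeout": "authentication_timeout_mins",
}

def normalize(gw):
    """Fold deprecated aliases into canonical names and report conflicting values."""
    doc, findings = dict(gw), []
    for old, new in ALIASES.items():
        if old in doc:
            value = doc.pop(old)
            if new in doc and doc[new] != value:
                findings.append(f"{old}={value!r} conflicts with {new}={doc[new]!r}")
            doc.setdefault(new, value)  # keeps the canonical value (this lint's choice)
    return doc, findings

def audit(gw, restricted_ids, approved_domains, max_timeout_mins):
    """Return findings for one gateway; every threshold is local policy (assumed)."""
    doc, findings = normalize(gw)
    restricted = doc.get("id") in restricted_ids
    if restricted and not doc.get("high_assurance"):
        findings.append("gateway reaches restricted data but high_assurance is not set")
    timeout = doc.get("authentication_timeout_mins")
    if restricted and (timeout is None or timeout > max_timeout_mins):
        findings.append(f"authentication_timeout_mins={timeout!r} is unset or above {max_timeout_mins}")
    extra = sorted(set(doc.get("allowed_domains", [])) - set(approved_domains))
    if extra:
        findings.append(f"allowed_domains outside approved list: {extra}")
    paths = doc.get("restrict_paths") or {}
    if not any(paths.get(k) for k in ("read", "read_write", "none")):
        findings.append("restrict_paths is empty: no path restrictions configured")
    return findings

# Constructed sample document (not real output); all values are placeholders.
SAMPLE = json.loads("""{
  "DATA_TYPE": "storage_gateway#1.0.0",
  "id": "00000000-0000-4000-8000-000000000001",
  "high_assurance": false,
  "require_high_assurance": true,
  "authentication_assurance_timeout": 720,
  "allowed_domains": ["example.edu", "example.com"],
  "restrict_paths": {"DATA_TYPE": "path_restrictions#1.0.0", "read": [], "read_write": []}
}""")

if __name__ == "__main__":
    print(*audit(SAMPLE, {SAMPLE["id"]}, {"example.edu"}, 60), sep="\n")
```
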


globus-connect-server storage-gateway create

Create a storage gateway

globus-connect-server storage-gateway delete

Delete a storage gateway

globus-connect-server storage-gateway list

List storage gateways

globus-connect-server storage-gateway show

Show a storage gateway definition

globus-connect-server storage-gateway update

Update an existing Storage Gateway

StorageGateway Document





DATA_TYPE

string storage_gateway#1.0.0

Type of this document

id

string <uuid>

Unique id string for this Storage Gateway.

display_name

Name of the Storage Gateway.

connector_id

string <uuid>

Id of the connector type that this Storage Gateway interacts with.

high_assurance

Flag indicating if the storage_gateway requires high assurance features.

require_high_assurance (deprecated)

Alias for high_assurance.

authentication_timeout_mins

Timeout (in minutes) during which a user is required to have authenticated to access files or create user credentials on this Storage Gateway.

For a high assurance Storage Gateway, this must be done within the current Globus Auth session; otherwise, the caller can perform the authentication with any application which uses Globus Auth.

authentication_assurance_timeout (deprecated)

Alias for authentication_timeout_mins.

allowed_domains

array (string)

List of allowed domains. Users creating credentials or collections on this storage_gateway must have an identity in one of these domains.

identity_mappings

array ( IdentityMapping )

List of identity mappings to attempt to apply to user identities to determine what accounts are available for access. [Private]

users_allow

array (string)

List of connector-specific usernames allowed to access this Storage Gateway. [Private]

users_deny

array (string)

List of connector-specific usernames denied access to this Storage Gateway. [Private]

restrict_paths

One of { object PathRestrictions }

Path restrictions within this Storage Gateway. Paths are interpreted as absolute paths in the file namespace of the connector. [Private]

process_user

Local POSIX user the GridFTP server should run as when accessing this Storage Gateway. [Private]

load_dsi_module

Name of the DSI module to load by the GridFTP server when accessing this Storage Gateway. [Private]

policies

One of { PosixStoragePolicies , , object , object , , , object , object }

Connector-specific storage policies.

{
  "DATA_TYPE": "storage_gateway#1.0.0",
  "id": "fc1f3ba0-1fa4-42b2-8bb3-53983774fa5f",
  "display_name": "string",
  "connector_id": "145812c8-decc-41f1-83cf-bb2a85a2a70b",
  "high_assurance": true,
  "require_high_assurance": true,
  "authentication_timeout_mins": 30,
  "authentication_assurance_timeout": 30,
  "allowed_domains": [],
  "identity_mappings": [
    {
      "DATA_TYPE": "external_identity_mapping#1.0.0",
      "command": []
    }
  ],
  "users_allow": [],
  "users_deny": [],
  "restrict_paths": {
    "DATA_TYPE": "path_restrictions#1.0.0",
    "read": [],
    "read_write": [],
    "none": []
  },
  "process_user": "gcsweb",
  "load_dsi_module": "google_drive",
  "policies": {
    "DATA_TYPE": "posix_storage_policies#1.0.0",
    "groups_allow": [],
    "groups_deny": []
  }
}

© 2010- The University of Chicago