globus-connect-server storage-gateway create ceph - Create a Ceph Storage Gateway


The globus-connect-server storage-gateway create ceph command creates a new ceph storage gateway. When creating a storage gateway, provide the policies to access a storage system via Globus Connect Server collections.

The Ceph connector provides access to the Ceph distributed object storage system.

Authentication Policies

There are three command-line options that control which user identities are allowed access to the data on a storage gateway: --domain, --authentication-timeout-mins, and --high-assurance.

The value of the --domain command-line option restricts access to users who have an identity in the given domain. This may be configured to be multiple values to allow authentication by multiple identity providers. If more than one domain is allowed, the storage gateway needs to have an identity mapping method configured to decide how to process names from the different identity namespaces. See Identity Mapping Policies for more information.

The value of the --authentication-timeout-mins command-line option defines the timeout (in minutes) after which a user will need to re-authenticate in order to access mapped collections on non high assurance storage gateways or for any data access on high assurance storage gateways. If this is not supplied, the default value of this timeout is 11 days.

The value of the --high-assurance command-line option defines whether the storage gateway manages high assurance data. If it is set, then the authentication timeout is enforced on per application sessions.

Identity Mapping Policies

Globus Connect Server v5.4 supports a flexible system for mapping user identity information in Globus to the local account needed to access data on a variety of storage systems. This includes a default mapping for cases where there is only one allowed domain, as well as pattern-based mappings and callouts to external programs for custom mapping algorithms.

Default Identity to Username Mapping

When Globus Connect Server maps an identity to an account, it strips off the data after the @ character by default, so the username is mapped to the account user.

Custom Identity to Username Mapping

The --identity-mapping command-line option configures a storage gateway to use either an expression based identity mapping or an external identity mapping program. See the Identity Mapping Guide for more information.

The --identity-mapping command-line option can be passed on the command-line with a few different types of data as its arguments:

--identity-mapping external:CMD

When mapping a identity to a username, Globus Connect Server invokes the command-line program CMD to map the identity. The value of the CMD string will be parsed as a shell command-line, so arguments may be included if quoted. A full description of the input, output, and arguments to the program are included in Identity Mapping Guide.

--identity-mapping file:JSON_FILE
--identity-mapping JSON

The JSON_FILE argument is a path to a file which contains a JSON document containing the mapping configuration, as described in the Identity Mapping Guide. The JSON argument is the json document itself.

User Policies

The --user-allow and --user—​deny command-line options control which users may access data on a storage gateway. These operate on the result of the identity mapping, a user name that is in the namespace of storage gateway. This may be a user name, id, or email address based on the storage gateway requirements.

A username is allowed or denied access depending on whether the --user-allow and --user—​deny command-line option are set on a storage gateway, and whether the username is present in one or both of those policies. In general, if a username is in the value of --user—​deny it is always denied, and if a --user-allow policy is provided the username must be in the policy value in order to be allowed access.

The full set of effects of these policies are contained in the following table:

--user-allow --user—​deny result





not a member






not a member





not a member



not a member

not a member


not a member






Ceph Policies

The --s3-endpoint, --ceph-admin-key-id, --ceph-admin-secret-key, and --bucket command-line options control access to a ceph storage cluster.


The --s3-endpoint command-line option is used by Globus Connect Server to contact the S3 API to access data on the ceph cluster.

Admin Credentials

The --ceph-admin-key-id and --ceph-admin-secret-key command-line options are the administrator credentials needed by Globus Connect Server to access user keys to access Ceph storage. See the Ceph connector documentation for more information about configuring Globus Connect Server to use Ceph.

Bucket Restrictions and Visibility

The --bucket command-line option argument is the name of a bucket which is allowed access by this storage gateway. If no buckets are configured, then any buckets accessible using the user’s credentials may be accessed by collections on this storage gateway.


You can also use the data access command-line options to restrict access to buckets.

Data Access Policies

The --restrict-paths command-line option controls access to subtrees of the data provided by the storage gateway. This is configured using the PathRestrictions document type.

Path restrictions provide a framework for administrators to constrain data access on the storage gateway. Restrictions can be set at the folder level. They may allow read, write, or deny access to data. These are absolute paths from the root of the storage gateway virtual file system.


-h, --help

Show help message and exit.


Show the version and exit.

-F, --format "text"|"json"

Output format for this command. If the format is json, then the resulting role document is displayed.

--user-deny username

Connector-specific username for a user denied access to this Storage Gateway. Give this option multiple times to deny multiple users. Set a value of "" to clear this value.

--user-allow username

Connector-specific username for a user allowed access to this Storage Gateway. Give this option multiple times to allow multiple users. Set a value of "" to clear this value.

--identity-mapping external:CMD
--identity-mapping file:JSON_FILE | JSON

Identity Mapping configuration for use in this Storage Gateway. You can use JSON input to specify a complete mapping document, or, if you want to use an external command for mapping, use external:command --arguments. Give this option multiple times to set multiple mappings in order of precedence. Set a value of null to clear this value.

--restrict-paths JSON | file:JSON_FILE

Path restrictions for accessing data on collections created using this storage gateway.

--domain DOMAIN

Allowed domain. Give this option multiple times to allow multiple domains. Users creating credentials or collections on this storage gateway must have an identity in one of these domains.

--authentication-timeout-mins INT

Timeout (in minutes) during which a user is required to have authenticated in a session to access this storage gateway.


Flag indicating that High Assurance features are required on this storage gateway.

--bucket BUCKET

Buckets to allow access to. Pass this option multiple times to include multiple buckets. Set a value of null to clear this value. If not specified, any bucket on the ceph storage cluster which a user’s credentials can access may be accessed via this storage gateway.

--s3-endpoint URL

Region-specific URI of the S3 API.

--ceph-admin-key-id KEY_ID

Key ID of an admin key used to resolve Ceph usernames to credentials

--ceph-admin-secret-key SECRET_KEY

Secret key associated with the admin key id.