Globus Connect Server v5 Authorization and Authentication

Last Updated: May 20, 2021

This document provides a detailed description of the interactions between various components that manage authentication/authorization when a user transfers or shares files using Globus. Reference architectures are also provided.

Definitions

  • Collection: Collections are discoverable access points that allow data to be transferred through GridFTP or HTTPS. A collection consists of metadata about the collection, a DNS domain for accessing data on the collection, and configuration information

  • Endpoint: Storage connected to the Globus service via Globus Connect Server or Globus Connect Personal. An endpoint has a logical name that points to the physical data movement servers and is associated with identity services. Endpoints contain one or more collections

  • Globus or Globus service: The Globus software as a service, operated by University of Chicago, hosted on Amazon Web Services

  • Globus Auth: The Globus Authentication service

  • Globus OIDC Server: OIDC server that can be installed as part of an endpoint for PAM-based authentication

  • Globus Connect Server: Administrator installed multi-user server that has a data movement and identity service components

  • GlobusID: A free identity provider operated by Globus

  • GridFTP server: Data movement component of Globus Connect Server that uses the high performance GridFTP protocol

  • Globus OIDC Server: Identity component of Globus Connect Server that can be used to authenticate users through PAM

  • Identity set: Set of identities that a user has linked together in Globus

  • Linux PAM: Linux Pluggable Authentication Module (PAM) is a suite of libraries for Linux user authentication

  • OAuth: A widely-used standard for access delegation, more information can be found at http://oauth.net/

Transfer to/from a collection

Configuration

Refer to Identity Provider Integration for the authentication options that Globus supports.

Scenario 1: User uses the Globus Web Application to select file/folder(s) for transfer to another collection.

  1. User accesses the Globus Web App at www.globus.org using a browser

    1. Globus uses TLS connections in all communications to ensure secure operations

    2. User is prompted to authenticate with an account from:

      1. An institutional identity provider

      2. Common identity providers such as Google and ORCID

      3. GlobusID

  2. After logging into the Globus Web App, user navigates to the source collection

    1. If the user’s identity set does not contain an authentication from a valid identity within the time frame configured by the administrator, the user’s browser is redirected to the necessary identity provider for authentication

    2. If the user’s identity set contains an authentication from a valid identity within the time frame configured by the administrator, additional authentication is not required and the user continues at step 5

  3. User authenticates with their identity provider, using MFA if required

  4. User is redirected back to Globus, where Globus Auth validates the OAuth code provided by the identity provider and issues a token

  5. The Globus Web App uses the token to issue a listing request via the Globus Transfer service

    1. A control channel connection is established between Transfer service and Globus Connect server, secured using the transfer service’s certificate. This is used to provide users' security context and request for file listing

  6. GridFTP server uses the Identity Mapping Module to map the identity to a local account

    1. GridFTP server executes a setuid to that local account to access the local files as the user

  7. File listing is retrieved and provided to the user. User selects the files/directories to transfer

  8. User then chooses another collection as the destination for the transfer

    1. Steps 2 to 5 are repeated for the collection if authentication is required

  9. The user chooses the destination folder for transfer and submits a transfer task to Globus

    1. Globus stores the requested transfer in its database

    2. Transfer service then connects to the source and destination collections respectively, to establish a control channel

    3. Data channel connection is established between the source and destination collection

    4. The data channel is authenticated via TLS mutual authentication, ensuring integrity of the data

    5. If encryption is requested by the user or administrator, the file contents are transferred over the TLS data channel using normal TLS message protection (default setting). Else, the file contents is transferred over the data channel without TLS message protection

Scenario 2: User uses the Globus CLI to transfer files between collections

  1. User logs into the Globus CLI using the globus login command

    1. Globus uses TLS connections in all communications to ensure secure operations

    2. User is prompted to authenticate with an account from:

      1. An institutional identity provider

      2. Common identity providers such as Google and ORCID

      3. GlobusID

  2. User provides source and destination to initiate the transfer using the CLI transfer commands

    1. The user will be directed to Auth if identities from specific domains or consents are required to perform the transfer

  3. Steps 5-9 continue as in Scenario 1

  4. More information on the Globus CLI can be found in Globus CLI Docs

Scenario 3: User uses the Globus API transfer files between collections

  • Client authenticates via Globus Auth as documented in the Globus Transfer Docs

  • An access token is returned to the client which is then used to authenticate to the Globus services and submit a transfer request with source collection and path, and destination collection and path

  • Flows described in Scenario 1 are used to activate the collection and transfer the files

Note

  • Additional consents - such as the data_access consent - may be required to transfer from Globus Connect Server v5.4. Please refer to Globus Transfer Docs for more information.

Share files/folders

Detailed information on mapped and guest collection sharing can be found in the Globus Connect Server Data Access Guide.

The following scenarios discuss the process followed when a user shares a guest collection with another user.

Configuration:

  • Globus Connect Server trusts user credentials issued by Globus Auth

  • Globus Connect Server maps user’s credentials issued by Globus Auth to a local account using the configuration in the Identity Mapping Module

  • Globus Collection is configured for sharing with the following parameters:

    • Paths are configured on the system from which sharing is allowed

    • Read-only or read/write shares

    • Allow-list of users allowed to share

    • Deny-list of users not allowed to share

Scenario 1: User A shares a folder with User B

  1. User creates a guest collection with a logical name via the Web App:

    1. Web App submits request to GCS

    2. Globus Connect Server confirms that the user is allowed to share (access-list checks)

    3. Globus Connect Server confirms that the folder can be shared (share restricted path configuration)

    4. Globus Connect Server creates a unique ID for the guest collection

    5. Globus Connect Server stores the collection definition, ID, user A’s credential, and path

    6. Guest collection is created and local configuration is stored to tie the collection to the user’s account, including a unique identifier and path to the share

  2. Globus Connect Server authenticates to Globus Transfer and updates the endpoint document so the guest collection is discoverable

Scenario 2: User B accesses the shared folder

  1. User B accesses the Globus Web App at www.globus.org using a browser

  2. User B initiates a directory listing on the guest collection

  3. Globus Transfer authenticates to the Globus Connect Server server and sends the following information:

    1. Any available permissions for User B for the collection

    2. Unique identifier for the guest collection

  4. Globus Connect Server confirms that sharing is enabled and that the Globus identity is allowed to use sharing capability:

    1. Globus Connect Server resolves the local account that is mapped to the share and performs the directory listing as the resolved user

    2. Globus Connect Server enforces path restrictions and User B’s permissions, and returns the listing to User B via Globus Transfer