Last Updated: June 18, 2020


The Box connector enables use of a Globus data access interface on an Box storage system, via the Box API. This requires the installation of Globus Connect Server and an additional package that is specific to the Box storage system called the Box DSI.

The Box connector is a premium feature available only to Globus subscribers, and is thus only available for Managed Endpoints.

The installation must be done by a system administrator, and has the following distinct set of steps:

  • Create a Box Application for your Box Enterprise account

  • Grant the Box Application access to your Enterprise

  • Create a Box Storage Gateway

  • Create a Box Mapped Collection


Box Connector Virtual Filesystem

The Box Connector provides a cloud storage system that allows users to create and share files and folders. While the Box services supports many features such as bookmarks and file versioning, the Box Connector only supports access to the latest version of files stored in the Box service.

Create a Box Application

The Box Connector uses the Box API to interact with the Box web service. In order to do this. You must create an application configuration on the Box developers console and enable the features that the Box Connector needs.

  • Open the Newapp Page

  • Select Custom App for the App Type

  • Select OAuth2.0 with JWT (Server Authentication) for the Authentication type

  • Enter a name for your app.

  • Update your app configuration as follows:

    • set the Application Access to Enterprise

    • check the following Application Scopes

      • Read and write all files and folders stored in Box

      • Manage Users

    • Under Advanced Features, enable Generate User Access Tokens

    • Make sure to save your changes

  • Copy the Client ID under the OAuth2.0 Credentials section. You will need this to Grant the Box Application access to your Enterprise

  • Under the Add and Manage Public Keys section press Generate a Public/Private Keypair. This will prompt you to save a .json (you may need to allow a popup) configuration file on your machine. You will need this file when creating the Box Storage Gateway in GCS Manager.

Grant the Box Application access to your Enterprise

In order for the Box connector to access files owned by users of your enterprise, the application created in the previous step must be allowed access by the enterprise administrator. The administrator must perform the following steps:

  • Open the Enterpise App Settings page for you Box Enterprise account

  • Under the Custom Applications section, select Authorize New App

  • When prompted for the API Key, enter the Client ID for the Application from the Create a Box Application step.

Note

This authorization action must be performed again by the enterprise administrator if you ever make any changes to the box application or its requested scopes.

Storage Gateway

A Box Connector Storage Gateway is created with the command globus-connect-server storage-gateway create box, and can be updated with the command globus-connect-server storage-gateway update box.

Before looking into the policy options specific to the Box Connector, please familiarize yourself with the Globus Connect Server v5 Data Access Guide which describes the steps to create and update a storage gateway, using the POSIX connector as an example. The commands to create and update a storage gateway for the Box Connector are similar.

Box Connector Storage Gateway Policies

The Box Connector has policies to set the box application configuration.

Box Settings

The --box-settings command-line option is used to pass the key information created when the Box application is created to be used by the Box Connector.

Example 1. Box Settings

After creating the keypair on the Box Application configuration screen, the browser will download a file with a name with the suffix _config.json. We’ll need to pass path to this file to the command line when creating a Box Storage Gateway. For our example, we’ll assume the file downloaded has a name 996511312_fb430f1403fb_config.json.

--box-settings file:996511312_fb430f1403fb_config.json

Creating the Storage Gateway

Now that we have decided on all our policies, we’ll use the command to create the storage gateway.

% globus-connect-server storage-gateway create box \
    "Box Storage Gateway" \
    --domain example.org \
    --box-settings file:996511312_fb430f1403fb_config.json

Storage Gateway Created: 7187a9a0-68e4-48ea-b3b9-7fd06630f8ab

This was successful and the output the ID of the new storage gateway ( 7187a9a0-68e4-48ea-b3b9-7fd06630f8ab in this case) for our reference. Note that this will always be a unique value if you run the command. If you forget the id of a storage gateway, you can always use the command globus-connect-server storage-gateway list to get a list of the storage gateways on the endpoint.

You can also add other policies to configure additional identity mapping and path restriction policies as described in the Globus Connect Server v5 Data Access Guide.

Note that this creates the storage gateway, but does not yet make it accessible via Globus and HTTPS. You’ll need to follow the steps in the next section.

Collection

A Box Collection is created with the command globus-connect-server collection create, and can be updated with the command globus-connect-server collection update.

As the Box Connector does not introduce any policies beyond those used by the base collection type, you can follow the sequence in the Collections Section of the Globus Connect Server v5 Data Access Guide. Recall however, that the paths are interpreted as described above in Box Connector Virtual Filesystem.

Appendix A: Document Types for the Box Connector

BoxStoragePolicies Document

The BoxStoragePolicies document describes box-specific configuration policies. These contain data needed to interact with the Box service via its API.

Name

Type

Description

DATA_TYPE

string box_storage_policies#1.0.0

Type of this document

enterpriseID

string

Identifies which Box Enterprise this Storage Gateway is authorized access to.[Private]

boxAppSettings

object

Values that the Storage Gateway uses to identify and authenticate the with the Box API.[Private]

{
  "DATA_TYPE": "box_storage_policies#1.0.0",
  "enterpriseID": "123456",
  "boxAppSettings": {
    "clientID": "pahZae7RaiX8thooOu2ooquo",
    "clientSecret": "ahNgik3uveiW4uiZYuquee3IFune6goo",
    "appAuth": {
      "publicKeyID": "xa6Ecas0",
      "privateKey": "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFLTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQItFqhI7c+9m0CAggA\nMAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBollBX+MTwIorhEBGMAGUYBIIE\n0PyvnRMb3diA+wB1GIJqLzBk4KqyKcWbP4NukwxWYvr8ZmC5MuaZQKsC0YqjZNMw\niTYaOUmjoA6HQYJr+Yt7wuU9g07N2isl+RnlZEUSrTUYVMu1NLb7A4zkCKFlV/dC\nTSb3IED//ne+i3+oaQImrO86ppGcNoaYmx4kCf9o9Etre040a7lLNQs9SB5ukHMZ\nfXGb1X5n0jXCqfJ4SYcSefK3fOVawbIg0ocMg99TZaBWvWb0C3w/+cn8MqT5FmOW\ncqMZSHtqq8/DdfNpfA7CLd6e5st2yKEnbYma2m7HR+SsCAhhOYligiMlwGCKw/JT\nYmKIB2wRu54dJOdvZVF/7kJkw5igooGxrBKXmlxVO+2TDs8fjx7F42W00XoOLTIy\nGGabLkAPQXOO5XOJsMaX/A3u9YUezoG7BZKsuPHlIxsJjylJqM0uA1nUObRxI77W\nyWEz1aHvDnEEvF/rBrNGV8ARiTNo02AKtvMLiW8H4d+G+8tlwCUB8CAkgOXwQpP5\nnqeibn4Y88GqE1z2EF7YGTjrTre/qvPJOIvYDYVONmc9DblitOMLerQdodgNC+3q\nrTDxPET9xGJ2Gg+TYWXYiEkQJMotpWR+zDB0uJVsBqfAVFvn6WFa8hp1m4Il2vNK\nCSFi8yUegK3vJiw1ZFUx42v9m8nyTiVJ/LvZYVkr2SxjI4mk2jCEP7YctTpT2Fpd\nYCXe6LGxzIh1QcEsz6ETaBtcQ2ZGoZYqURIoH3OoJ+Bqp2tsK8E/JJ5A5rSWRfeb\nssIG62iy/nDseq9sp1J5LfdOE45k5AQ0+48Box+b/j1Gdn30ckT+ffjO2HwGwAbG\nNpwgC/yJ8xyrgHGlRRULeu2zRndCcSsrRr0l9hYPiD4+JYPvaVPNf1O/Ry/OIFQZ\n+0VeWEHOziS4sheMTp6rof68zdND9NabhrUL/bjMnu6jZxFfLjj8ecVIq4TNoPRL\nHfnIEYb8z2bfMzv3raOa49Z6hgbkrQwmt/aAwp2tk9gx7FmIWghS4EktgXKYaYiG\ndPJWWnFSXOSYveF5otryISbwqZU4EDsPk8S/Yd9VTF9t/YxWpMGfsP/UKWILR3Lq\nF86JpuKgSB8eMrKDX4zTxgOqpPFaoxQYcQcM1X8BaYlfnHTtOS9gDYXyfVbxmnu9\nXTOjPdwI+enqWYADZ0HDsEghujxFOQKtefBq0isgzvMNmIB/II/09eCSPqk38oKO\nDIVPVrYqB1FtGMINDzyljCI5q9Z1Duw+9M0IYCv4k1v0fVsowNHfTGc1PcMHGZXs\nudejICJ02UZjvhW9GCE0Gswk1Td64f8afqDYvXviCI3545HZy3UZqMGNNT7nx2zY\n9Vih8pl0027MXj1IScCuC90YZr0TyhpfZadfQJB27Bh8bBaS+Jal3+vfgXTNwXLm\nTGN9EdRKaSZS7CFAmgwDEQ1wkO5v0yvOBWVgw9QcFigu9y7hPAGu91bDb8t5EEMR\nsIklo0H7U2yx2eiEB5aFbb6ufKC4+WShDvYkSEhpalqUL7wplV7lR4ZyuwLa4PG/\nShgYXEgibyksa7ggI7wJwe85laWkycrOn5/lvRUNrvSvDoQJlMsQD5h/Bscvw1K8\nNWXaierPdI1GtR0zWujxbVi29fafqwJSP6V3dTSLLbAI\n-----END ENCRYPTED PRIVATE KEY-----",
      "passphrase": "Aip4eengaeQuoib2Eme3thei"
    }
  }
}

© 2010- The University of Chicago Legal