Ally, Globus (Online) has new “sharing” functionality that may be suitable for this use case. With Globus you can create “shared endpoints” on a storage system running a (new) GridFTP server. Each shared endpoint is basically giving Globus a virtual, change-rooted access path to a particular folder on your server. Once a folder is exported to Globus as a shared endpoint, the shared endpoint owner can then set access control policies that allow read or read-write access on any folder tree within the shared endpoint to any Globus user or group.

So in your case, you have a data archive that is accessible via GridFTP. Upgrade to the newest GridFTP server if you haven’t already — better yet, install Globus Connect Server, which makes the installation and configuration of GridFTP easier. Enable sharing on that server (https://support.globus.org/entries/23857088-Installing-Globus-Connect-Server). Create one or more shared endpoints for folders on your data archives. Then configure the access control on those shared endpoints to grant read or read-write access to the endpoints, or specific folders within the endpoints, to specific Globus users and groups.

Here’s a webinar we gave recently that includes a demonstration of the Globus sharing functionality:
http://fasterdata.es.net/fasterdata-home/more-references/esnet-helpful-talks-and-tutorials/delivering-a-campus-data-service-with-globus-and-esnet/

Regards,
-Steve

On Jan 23, 2014, at 5:01 AM, Ally Hume <[email protected]> wrote:

> Hi Michael,
>
> This is exactly the type of thing I'd like to do but I would like to do it on
> a per-user basis. We have a desire to decouple the access control of our data
> archive system (which will be accessible via GridFTP) from the unix file
> system access control. I would therefore like to be able to call out to a
> module or service that specifies a restrict path for each authenticated user.
>
> Ally Hume
> Software Architect
> EPCC, The University of Edinburgh
>
> On 22 Jan 2014, at 22:39, Michael Link <[email protected]> wrote:
>
>> Hi Ally,
>>
>> GT 5.2 has a path restriction feature that can do what I think you're
>> asking. See '-restrict-paths' here:
>> http://toolkit.globus.org/toolkit/docs/5.2/5.2.5/gridftp/admin/#commandlineoptions-server
>>
>> For instance, the configuration '-restrict-paths RW~/,R/data' would enable
>> read/write access to the user's home directory and read access to the /data
>> directory, while denying all other paths.
>>
>> If that doesn't fit your needs, can you give some examples of what you'd
>> like to do?
>>
>> Mike
>>
>> On 1/22/2014 6:23 AM, Ally Hume wrote:
>>> Does anybody know of a way to perform GridFTP's file permission
>>> authorization using a call out to an external component rather than simply
>>> mapping users to a unix user and relying on the unix file permissions to
>>> handle the authorization? Ideally I'd like for the call out service to be
>>> able to specify a restricted set of folders from all the folders that the
>>> unix user has permissions to access.
>>>
>>> Is this type of thing possible with GT5? I've seen hints of people trying
>>> to do something like this with GT4 but I'm not sure if this is possible
>>> with the latest version.
>>>
>>> Regards,
>>>
>>> Ally Hume
>>> Software Architect
>>> EPCC, The University of Edinburgh
>
> --
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
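To make the '-restrict-paths RW~/,R/data' policy from Mike's reply concrete, here is an added Python evaluator; it is example code written for this page, not part of the thread or of the GridFTP server. The matching rule it implements (an entry without an R/W prefix grants both, the longest matching entry decides, anything unmatched is denied) and the home directory /home/ally are assumptions made for the example.

```python
import os.path
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str
    read: bool
    write: bool


def parse_restrict_paths(spec: str, home: str) -> list[Rule]:
    """Parse a policy such as 'RW~/,R/data' into rules.

    Assumed format: comma-separated entries, each optionally prefixed by
    R and/or W (no prefix grants both); '~' stands for the user's home."""
    rules = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        flags = ""
        while entry and entry[0] in "RW":
            flags, entry = flags + entry[0], entry[1:]
        if entry.startswith("~"):
            entry = home.rstrip("/") + entry[1:]   # expand ~ to this user's home
        if not entry.startswith("/"):
            raise ValueError(f"restrict-paths entry is not absolute: {entry!r}")
        grant_all = flags == ""
        rules.append(Rule(os.path.normpath(entry),
                          grant_all or "R" in flags, grant_all or "W" in flags))
    return rules


def is_allowed(rules: list[Rule], target: str, mode: str) -> bool:
    """Decide access for mode 'R' or 'W'. Assumed: longest matching entry
    wins; a path matched by no entry is denied."""
    if mode not in ("R", "W"):
        raise ValueError(f"mode must be 'R' or 'W', got {mode!r}")
    target = os.path.normpath(target)   # '/data/../etc' is matched as '/etc'
    best = None
    for rule in rules:
        covers = rule.path == "/" or target == rule.path or target.startswith(rule.path + "/")
        if covers and (best is None or len(rule.path) > len(best.path)):
            best = rule
    if best is None:
        return False
    return best.read if mode == "R" else best.write


if __name__ == "__main__":
    policy = parse_restrict_paths("RW~/,R/data", home="/home/ally")  # constructed sample
    for p, m in [("/home/ally/out.txt", "W"), ("/data/set1", "W"), ("/data/../etc/passwd", "R")]:
        print(p, m, "allow" if is_allowed(policy, p, m) else "deny")
```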
