Hi Steve,

Thank you for replying. I enjoyed the webinar and the functionality is very interesting.

Is there any documentation that explains how the sharing works from a security point of view? If I share my data at Edinburgh with you then does the Edinburgh site simply have to trust Globus Online when Globus Online tells Edinburgh that Steve Tuecke wants to access one of Ally Hume's endpoints? You obviously cannot log onto the Edinburgh site through our authentication method because Edinburgh's authorisation service does not know about you. I'm just speculating here so it would be great to read how it is done.

Regards,
Ally

On 23 Jan 2014, at 21:45, Steve Tuecke <[email protected]> wrote:

> Ally,
>
> Globus (Online) has new “sharing” functionality that may be suitable for this
> use case. With Globus you can create “shared endpoints” on a storage system
> running a (new) GridFTP server. Each shared endpoint is basically giving
> Globus a virtual, change-rooted access path to a particular folder on your
> server. Once a folder is exported to Globus as a shared endpoint, the shared
> endpoint owner can then set access control policies that allow read or
> read-write access on any folder tree within the shared endpoint to any Globus
> user or group.
>
> So in your case, you have a data archive that is accessible via GridFTP.
> Upgrade to the newest GridFTP server if you haven’t already — better yet,
> install Globus Connect Server, which makes the installation and configuration
> of GridFTP easier. Enable sharing on that server
> (https://support.globus.org/entries/23857088-Installing-Globus-Connect-Server).
> Create one or more shared endpoints for folders on your data archives.
> Then configure the access control on those shared endpoints to grant read or
> read-write access to the endpoints, or specific folders within the endpoints,
> to specific Globus users and groups.
>
> Here’s a webinar we gave recently that includes a demonstration of the Globus
> sharing functionality:
>
> http://fasterdata.es.net/fasterdata-home/more-references/esnet-helpful-talks-and-tutorials/delivering-a-campus-data-service-with-globus-and-esnet/
>
> Regards,
> -Steve
>
> On Jan 23, 2014, at 5:01 AM, Ally Hume <[email protected]> wrote:
>
>> Hi Michael,
>>
>> This is exactly the type of thing I'd like to do but I would like to do it
>> on a per-user basis. We have a desire to decouple the access control of our
>> data archive system (which will be accessible via GridFTP) from the unix
>> file system access control. I would therefore like to be able to call out
>> to a module or service that specifies a restrict path for each authenticated
>> user.
>>
>> Ally Hume
>> Software Architect
>> EPCC, The University of Edinburgh
>>
>> On 22 Jan 2014, at 22:39, Michael Link <[email protected]> wrote:
>>
>>> Hi Ally,
>>>
>>> GT 5.2 has a path restriction feature that can do what I think you're
>>> asking. See '-restrict-paths' here:
>>> http://toolkit.globus.org/toolkit/docs/5.2/5.2.5/gridftp/admin/#commandlineoptions-server
>>>
>>> For instance, the configuration '-restrict-paths RW~/,R/data' would enable
>>> read/write access to the user's home directory and read access to the /data
>>> directory, while denying all other paths.
>>>
>>> If that doesn't fit your needs, can you give some examples of what you'd
>>> like to do?
>>>
>>> Mike
>>>
>>> On 1/22/2014 6:23 AM, Ally Hume wrote:
>>>> Does anybody know of a way to perform GridFTP's file permission
>>>> authorization using a call out to an external component rather than simply
>>>> mapping users to a unix user and relying on the unix file permissions to
>>>> handle the authorization? Ideally I'd like for the call out service to be
>>>> able to specify a restricted set of folders from all the folders that the
>>>> unix user has permissions to access.
>>>>
>>>> Is this type of thing possible with GT5? I've seen hints of people trying
>>>> to do something like this with GT4 but I'm not sure if this is possible
>>>> with the latest version.
>>>>
>>>> Regards,
>>>>
>>>> Ally Hume
>>>> Software Architect
>>>> EPCC, The University of Edinburgh
>>
>> --
>> The University of Edinburgh is a charitable body, registered in
>> Scotland, with registration number SC005336.
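The '-restrict-paths RW~/,R/data' configuration Mike describes above, as an added illustration that is not part of this thread or of the GridFTP code: a small Python evaluator for such a restriction string. The R/W prefix handling, '~' expansion and first-match-wins behaviour are my reading of his description, not the server's exact semantics; the defender's point it shows is that the requested path must be normalised before the prefix comparison, otherwise a request for '/data/../etc/passwd' would satisfy a rule written for '/data'.

```python
import posixpath
from typing import List, NamedTuple


class Rule(NamedTuple):
    prefix: str   # absolute, normalised directory prefix
    read: bool
    write: bool


def parse_restrict_paths(spec: str, home: str) -> List[Rule]:
    """Parse a restrict-paths string such as 'RW~/,R/data'.

    Assumed semantics (from the thread, not from GridFTP itself): each
    comma-separated entry may start with R and/or W; an entry with neither
    grants both; '~' stands for the user's home directory; anything that
    matches no entry is denied.
    """
    rules = []
    for entry in spec.split(","):
        entry = entry.strip()
        read = write = False
        while entry and entry[0] in "RW":
            if entry[0] == "R":
                read = True
            else:
                write = True
            entry = entry[1:]
        if not entry:
            continue
        if not read and not write:
            read = write = True
        if entry.startswith("~"):
            entry = home + entry[1:]
        rules.append(Rule(posixpath.normpath(entry), read, write))
    return rules


def is_allowed(rules: List[Rule], path: str, op: str) -> bool:
    """Return True if `op` ('read' or 'write') on `path` matches a rule."""
    # Collapse '.' and '..' first: the check must see the path the file
    # system would actually open, not the string the client sent.
    target = posixpath.normpath(path)
    if not target.startswith("/"):
        return False
    for rule in rules:
        inside = target == rule.prefix or \
            target.startswith(rule.prefix.rstrip("/") + "/")
        if inside:  # first matching rule decides (assumption)
            return rule.read if op == "read" else rule.write
    return False
```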
