2. Globus Connect Server v5 Milestones
• v5.0: Google Drive
• v5.1: POSIX guest collections, HTTPS
• v5.2: High assurance
• v5.3: Multi DTN support, additional storage systems, endpoint specific identity providers, …
• v5.4: …
• v5.x: v4 feature parity + other features
9. Out with the old, in with the new
• Host endpoints → Mapped collections
– Need local account to access data
• Shared endpoints → Guest collections
– No local account needed for data access, permissions set in Globus
• Use host endpoint to create shared endpoint → Use storage gateway to create (guest) collections
• Access via GridFTP → Access via GridFTP or HTTPS
• Initially available via Globus Connect Server v5.2
10. Conceptual architecture: Mapped collections
[Diagram, labels only: Globus Endpoint; Subscriber Security Domain; Globus Security Domain; External Security Domain (user, web app, data portal, science gateway, …); DATA channel; CONTROL channel; No data relay or staging via Globus, files move directly between endpoints; User identity mapped to local account; Single, globally accessible multi-tenant service; Globus “client” software; Subscriber owned and administered storage system]
11. Conceptual architecture: Guest Collections
[Diagram, labels only: Globus Endpoint; Guest Collection; Subscriber Security Domain; Globus Security Domain; External Security Domain (user, web app, data portal, science gateway, …); DATA channel; CONTROL channel; User managed ”overlay” permissions stored in Globus service; Subscriber managed filesystem and endpoint policies]
12. Globus Connect Server 5.3
• Support for
– high assurance data access (mapped and guest)
– standard data access (guest only)
• Multiple connectors:
– POSIX
– Google Drive
– AWS S3
– Ceph
– Box
13. Globus Connect Server v5 installation flow
• Install GCSv5.3+ binaries
• Register the endpoint at developers.globus.org
• Add connectors
• Add storage gateways
– Set as high assurance, configure authentication assurance timeout
– Set policy on type of collections supported
• Add mapped collection
– User must login with identity from configured domain
– Local account determined by removing the TLD: username@example1.org → username is the local account
See https://docs.globus.org/globus-connect-server-v5-installation-guide/ for installation instructions
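As an added illustration of the mapped-collection step above (example code, not Globus Connect Server's own logic), this checks that an identity comes from the storage gateway's configured domain and then derives the local account from the username; the domain list and the local-account name pattern are assumptions for the example.

```python
import re
from typing import Optional, Sequence, Tuple

# Added illustration of the rule on this slide (not Globus code):
# "username@example1.org" maps to local account "username", but only when the
# identity comes from a domain the storage gateway is configured to accept.

# Conservative shape for a local account name; an assumption for this example,
# not a rule taken from Globus Connect Server.
_LOCAL_ACCOUNT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]{0,31}$")


def split_identity(identity_username: str) -> Optional[Tuple[str, str]]:
    """Split "user@domain" into (user, domain); None if not well-formed."""
    identity_username = identity_username.strip()
    if identity_username.count("@") != 1:
        return None
    user, domain = identity_username.split("@")
    if not user or not domain:
        return None
    return user, domain.lower()


def domain_allowed(identity_username: str, allowed_domains: Sequence[str]) -> bool:
    """Storage-gateway domain policy: exact match against the configured domains.

    Exact comparison matters: "sub.example1.org" must not satisfy a policy
    that allows only "example1.org".
    """
    parts = split_identity(identity_username)
    if parts is None:
        return False
    allowed = {d.lower().lstrip("@") for d in allowed_domains}
    return parts[1] in allowed


def map_identity(identity_username: str, allowed_domains: Sequence[str]) -> Optional[str]:
    """Return the local account for a mapped collection, or None to deny access."""
    if not domain_allowed(identity_username, allowed_domains):
        return None
    user, _ = split_identity(identity_username)  # shape already validated above
    # Refuse names that do not look like local accounts instead of guessing.
    if not _LOCAL_ACCOUNT_RE.fullmatch(user):
        return None
    return user
```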
14. Next set of features
• Multi DTN support
• Standard mapped collections
• Custom authentication to collection (rather than CILogon)
• Custom pluggable mapping model
• …
15. Resources
• New terminologies and ways of doing things: https://docs.globus.org/globus-connect-server-v5-installation-guide/ for 4.x – 5.x terminology and architecture changes
• GCSv5.3 installation instructions: https://docs.globus.org/globus-connect-server-v5-installation-guide/
Non-shared file system, HTTPS access in addition to GridFTP, clearer separation of interfaces, security model based on Globus Auth, multiple connectors for a single DTN set.
Let's explain some of the new terminology from the ground up.
No change here, the DTN is still the physical layer.
Endpoint is still a Globus term, but instead of being the point where users “come in” to access files, it is the management layer and configuration interface for all that exists above it.
Note that multi DTN support is not quite available.
Storage gateways define the interface to the file system and determine what types of collections may be configured. They also determine some of the configuration of the additional authentication features I’ll cover in a bit.
Currently the only connectors in service are POSIX and Google Drive, and therefore the only storage gateways that may be configured are POSIX and Google Drive.
At the storage gateway level you can control (by domain) who has access to create collections – obvious in the on-prem mapped collections case, but maybe not so obvious in the cloud storage case (only @domain.edu).
And what we once called endpoints are now called collections:
• Mapped = host endpoint
• Guest = shared endpoint
Don’t forget we now also offer HTTPS as well!
From a conceptual standpoint things will remain as they always have.
Guest collections will have some additional security, authorization and authentication features I’ll cover in a minute.
Support high assurance data access
The Underlying Driver
Multiple storage connectors per endpoint
Ancillary benefits
New terminologies and ways of doing things
The things that had to change