Adding Users to Globus Endpoints

This document details how to add users to and remove users from the different Globus endpoints that CCS/ITS manages. The endpoints are organized by the type of data storage they access.

Globus Identity Mapping Basics

When setting up a storage gateway for an endpoint, you also have to set up a method to map identities. When someone tries to access a collection on globus.org, the Globus backend will send their identities to the corresponding Storage Gateway and map at least one of them to an identity that the underlying storage system can recognize (if valid). There are two main ways of mapping a user.

Built-in

The built-in method is to create a JSON document in the following format.

{
  "DATA_TYPE": "expression_identity_mapping#1.0.0",
  "mappings": [
    {
      "source": <source>,
      "match": <regex>,
      "output": <output>
    },
    ...
  ]
}

Each entry in the mappings array indicates:

  1. What component of the Globus ID to use (usually "{username}")

  2. A regular expression to match those ID components

  3. The storage system identity to output if a Globus ID matches

For our systems that use this, we typically use the following for an entry:

{ "source": "{username}", "match": "(tbbu225|...|bch229)@uky\\.edu", "output": "{0}" }

In a nutshell, this maps a user’s Globus ID for UKy (e.g. abc123@uky.edu) to their LinkBlue username (e.g. abc123). The regex "(tbbu225|...|bch229)@uky\\.edu" will only capture the specific LinkBlue usernames within the parentheses. For example, if you want to add a user abc123@uky.edu to the regex (tbbu225|bch229)@uky\\.edu, the regex would become (tbbu225|bch229|abc123)@uky\\.edu. The reverse is true for removing a user.

If the identity mapping for a particular user does not match this general case, you will need to make a new entry in the mapping file. For example, a user with Globus ID smh223@uky.edu who needs to map to samantha would need a separate entry, as follows.

{
  "DATA_TYPE": "expression_identity_mapping#1.0.0",
  "mappings": [
    { "source": "{username}", "match": "(tbbu225|...|bch229)@uky\\.edu", "output": "{0}" },
    { "source": "{username}", "match": "smh223@uky\\.edu", "output": "samantha" }
  ]
}

Custom

Alternatively, Globus also allows you to write a custom script to do identity mapping. The JSON configuration passed to the Storage Gateway simply specifies which command will be run to perform the mapping, similar to the following. See the External Mapping Programs Reference for more specifics on the expected inputs and outputs of a custom script.

{
  "DATA_TYPE": "external_identity_mapping#1.0.0",
  "command": [ "/usr/bin/python3", "/opt/globus/custom-mapping.py" ]
}

General Steps for Updating using Built-In Mapping Method

  1. Log into the node with an identity that can manage the endpoint.

    globus-connect-server login localhost

  2. In the JSON file (usually called identity-mapping.json), add the user ID as described in the “Built-in” section of “Globus Identity Mapping Basics”.

  3. After doing this, run the following commands to determine the Storage Gateway ID for the collection you wish to modify and update the mapping.

    globus-connect-server collection list
    # Find the collection and note the Storage Gateway ID
    globus-connect-server storage-gateway update <storage-type> <Storage-Gateway-ID> \
        --identity-mapping file:identity-mapping.json
    globus-connect-server logout
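
A pre-flight check for the hand-edited identity-mapping.json, to run before the storage-gateway update in step 3. This is an added example, not CCS/ITS or Globus code. It assumes whole-string matching, that {N} in "output" refers to the (N+1)-th capture group, and that Python's re module is a close enough stand-in for the gateway's regex engine; load_mappings, map_identity and check are hypothetical helper names and the sample file is constructed.

```python
import json
import re

# Constructed sample mapping file, same shape as the entries on this page.
SAMPLE = r'''
{
  "DATA_TYPE": "expression_identity_mapping#1.0.0",
  "mappings": [
    {"source": "{username}", "match": "(tbbu225|bch229|abc123)@uky\\.edu", "output": "{0}"},
    {"source": "{username}", "match": "smh223@uky\\.edu", "output": "samantha"}
  ]
}
'''

def load_mappings(text):
    """Parse the mapping document; ValueError on bad JSON or wrong DATA_TYPE."""
    doc = json.loads(text)  # json.JSONDecodeError is a ValueError subclass
    if doc.get("DATA_TYPE") != "expression_identity_mapping#1.0.0":
        raise ValueError("unexpected DATA_TYPE: %r" % doc.get("DATA_TYPE"))
    for entry in doc["mappings"]:
        re.compile(entry["match"])  # raises re.error on a broken alternation
    return doc["mappings"]

def map_identity(mappings, username):
    """Local emulation (assumption): first entry matching the whole username wins."""
    for entry in mappings:
        if entry["source"] != "{username}":
            continue  # only the source used on this page is emulated
        m = re.fullmatch(entry["match"], username)
        if m:
            # Assumption: {N} in "output" is the (N+1)-th capture group.
            return re.sub(r"\{(\d+)\}", lambda g: m.group(int(g.group(1)) + 1), entry["output"])
    return None

def check(text, expected):
    """Return (username, wanted, got) for every identity that maps unexpectedly."""
    mappings = load_mappings(text)
    return [(u, want, map_identity(mappings, u))
            for u, want in expected.items() if map_identity(mappings, u) != want]

if __name__ == "__main__":
    expected = {
        "abc123@uky.edu": "abc123",    # newly added user
        "smh223@uky.edu": "samantha",  # special-case entry
        "zzz999@uky.edu": None,        # not listed: must not map
        "abc123@ukyXedu": None,        # maps if the dot is left unescaped
    }
    print(check(SAMPLE, expected) or "mapping file OK")
```

The storage gateway remains authoritative; this check only catches malformed JSON, a regex that does not compile, and entries that map a different set of users than intended.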

 
