Adding Guest (Shared) Collections to an Existing Mapped Collection

In Globus Connect Server v5, an administrator can allow users to create guest (shared) collections off of a mapped collection. As the name suggests, these collections let a user share files with people who do not have an account on the system. This document shows the command(s) that enable this, along with some basic settings that keep users, and the people they share with, from performing unintended actions on the underlying data storage.

Configuration on System

To enable guest collections on an existing mapped collection, run globus-connect-server collection update with the --allow-guest-collections flag. The same flag (and the other flags discussed below) can also be passed to globus-connect-server collection create when the collection is first created.

globus-connect-server collection update <Collection-ID> --allow-guest-collections

For our use case, we typically want users to share files in a read-only fashion, and only from paths where they can already create data. To restrict guest collections to read-only sharing, we add a few more flags:

  1. --disable-anonymous-writes : prevent users from granting anonymous users write permissions on guest collections.

  2. --sharing-user-deny root : prevent root from sharing on this collection. This user is usually prevented from logging in to the collection in the first place, but this is an additional layer of protection.

  3. --sharing-restrict-paths : set which paths users can share files from and what permissions those shares may carry. The restrictions are provided as a JSON document (here, a file referenced with the file: prefix).

globus-connect-server collection update <Collection-ID> \
    --allow-guest-collections \
    --disable-anonymous-writes \
    --sharing-user-deny root \
    --sharing-restrict-paths file:posix/collection/share-restrictions.json

The share-restrictions.json file will look something like the following. In this configuration, sharing is denied for all paths except a few that are marked read-only. With these settings, even if a user normally has write access to files under these paths, they cannot write to them through a guest collection, and neither can anyone else who accesses that guest collection.

{
  "DATA_TYPE": "path_restrictions#1.0.0",
  "none": ["/"],
  "read": [
    "$HOME",
    "/path/to/scratch-data/",
    "/path/to/project-data/"
    ...
  ]
}
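To sanity-check a policy like the one above before applying it with --sharing-restrict-paths, the following Python script is an added example (not part of this page's original content and not Globus code). It lints the JSON for settings that would undermine the read-only intent (root not denied, read_write entries present, relative paths) and evaluates what permission a candidate share path would receive. It assumes, as the page's explanation implies, that the most specific matching prefix wins and that $HOME expands to the sharing user's home directory; the GCS documentation remains authoritative for edge cases, and the policy text, home directory and paths below are constructed sample values.

```python
"""Checker for a Globus Connect Server v5 path_restrictions policy.

Added example, not part of the original page or the Globus project.
ASSUMPTION: the most specific (longest) matching rule wins and $HOME
expands to the sharing user's home directory.
"""
import json
import posixpath

# Constructed policy mirroring the page's share-restrictions.json.
POLICY_JSON = """
{
  "DATA_TYPE": "path_restrictions#1.0.0",
  "none": ["/"],
  "read": ["$HOME", "/path/to/scratch-data/", "/path/to/project-data/"]
}
"""

PERMISSION_KEYS = ("none", "read", "read_write")
_RANK = {"none": 0, "read": 1, "read_write": 2}


def load_policy(text: str = POLICY_JSON) -> dict:
    """Parse a path_restrictions JSON document."""
    return json.loads(text)


def lint_policy(policy: dict) -> list:
    """Return findings that would weaken a deny-all, read-only sharing policy."""
    findings = []
    if policy.get("DATA_TYPE") != "path_restrictions#1.0.0":
        findings.append("unexpected DATA_TYPE")
    if "/" not in policy.get("none", []):
        findings.append("root '/' is not denied; unlisted paths would be shareable")
    if policy.get("read_write"):
        findings.append("read_write entries present: " + ", ".join(policy["read_write"]))
    for key in PERMISSION_KEYS:
        for rule in policy.get(key, []):
            if not (rule.startswith("/") or rule.startswith("$HOME")):
                findings.append(f"{key}: relative path {rule!r}")
    return findings


def _expand(rule: str, home: str) -> str:
    """Expand $HOME and normalise the rule to an absolute prefix."""
    return posixpath.normpath(rule.replace("$HOME", home))


def effective_permission(policy: dict, path: str, home: str) -> str:
    """Permission the policy grants on `path`; longest matching prefix wins."""
    target = posixpath.normpath(path)
    best_len, best_perm = -1, "none"
    for key in PERMISSION_KEYS:
        for rule in policy.get(key, []):
            prefix = _expand(rule, home)
            if target == prefix or target.startswith(prefix.rstrip("/") + "/"):
                if len(prefix) > best_len:
                    best_len, best_perm = len(prefix), key
    return best_perm


def can_share(policy: dict, path: str, requested: str, home: str) -> bool:
    """True if a guest collection on `path` may carry `requested` permission."""
    granted = effective_permission(policy, path, home)
    return granted != "none" and _RANK[granted] >= _RANK[requested]


if __name__ == "__main__":
    policy = load_policy()
    print("lint:", lint_policy(policy) or "ok")
    home = "/home/alice"  # constructed sample home directory
    for p, req in [("/home/alice/results", "read"),
                   ("/home/alice/results", "read_write"),
                   ("/path/to/project-data/run1", "read"),
                   ("/etc", "read")]:
        print(f"{p} {req}: {'allowed' if can_share(policy, p, req, home) else 'denied'}")
```

Run the script as-is to see the sample decisions, or point load_policy at the contents of your own share-restrictions.json; an empty lint result and "denied" for every path outside the read list is what the configuration on this page is meant to produce.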

Additional Notes

  • When a shared path is restricted to read-only, whether by access or by sharing policy, a user can still grant write permission to someone on the guest collection. That person, however, will still not be able to create or modify files in it.

Center for Computational Sciences