Globus provides a platform and services for simplifying data management and sharing for science gateways and applications. It offers fast and reliable file transfers between any storage systems, secure data sharing without copying data, and APIs and SDKs for building applications. Globus uses OAuth authentication and supports a variety of interfaces like CLI, Python SDK, and Jupyter notebooks to enable access.

1. Simplifying Science Gateway
Data Management with Globus
1: Introduction to Globus
Vas Vasiliadis
vas@uchicago.edu
Gateways 2020, October 15, 2020

2. Warning: We may have unregistered attendees…
2

3. Globus is …
a non-profit service
developed and operated by
3

4. Our mission is to…
increase the efficiency and
effectiveness of researchers
engaged in data-driven
science and scholarship
through sustainable software
4

5. Thank you, funders...
U . S . D E P A R T M E N T O F
ENERGY
5

6. Thank you, subscribers!

7. Core capabilities
7

8. Fast, reliable file transfer …from any to any system
User-initiated,
or automated
transfer request
1
Instrument,
Lab server
Compute
Facility
Globus transfers files
reliably, securely
2
Globally accessible
multi-tenant service
• Fire-and-forget transfers
• Optimized speed
• Assured reliability
• Unified view of storage
• Browser, REST API, CLI
Optional
notifications
3

9. Secure data sharing …from any storage
Collaborator logs into Globus
and accesses shared files;
no local account required;
download via Globus2
On-prem or public
cloud storage
Select files to share,
select user or group,
and set access
permissions
1Globally accessible
multi-tenant service
Globus controls
access to shared files
on existing storage
Laptop, server,
compute facility
• Fine-grained access
control “overlay” on
storage system
• Share with any
identity, email, group
• No need to stage
data just for sharing

10. Conceptual architecture: Hybrid SaaS
DATA
Channel
CONTROL
Channel
Source
Endpoint
Destination
Endpoint
Subscriber owned
and administered
storage system
Globus
“connector”
software
No data relay or
staging via Globus
cloud service
Subscriber
Control
Domain
Globus
Control
Domain
Single, globally accessible
multi-tenant service

11. Endpoints (Collections)
• Storage abstraction
– All transfers happen between two endpoints
• Collection (end user) ~= Endpoint (sysadmin)
• Useful endpoints for testing/demonstration
– Globus Tutorial Endpoint 1 and 2
– ESnet Read-Only *
– DME Datasets *, DME PerfTest *
11

12. …software deployed
on a storage system
to create a Globus
endpoint

13. Globus Connectors
ActiveScale
Object
Storage

14. Coming soon…
Globus Developed
Community Developed
14

15. Let’s take a look…
15

16. Use(r)-appropriate interfaces
GET /endpoint/go%23ep1
PUT /endpoint/demodoc#my_endpt
200 OK
X-Transfer-API-Version: 0.10
Content-Type: application/json
…
Globus
service
Web
CLI
Platform
(RESTful APIs)
16

17. Globus Command Line Interface (CLI)
• Native application: docs.globus.org/cli
• Open source, uses Python SDK
• globus login – get access and refresh tokens
– Tokens stored locally in ~/.globus.cfg
• Service (transfer/auth) invocation uses tokens
• globus logout – delete tokens
docs.globus.org/cli/examples

18. Simple CLI automation examples
• Syncing a directory
– bash script; calls the Globus CLI
– Python module; run as script or import as module
• Staging data for distribution
– bash and Python variants
• Removing directories after files are transferred
– Python script
22
github.com/globus/automation-examples

19. …but, Gateways talk to
APIs, so…
23

20. Globus serves as…
A platform for building science
gateways, web portals and
other applications in support of
research and education
24

21. Globus platform services
• Identity and Access Management (IAM): Auth, Groups
• Data Services: Connect, Transfer, Manifest*
• Search
• Identifiers (collaboration with DataCite)
• Flows*
25
* In development/early release; contact us for access

22. Globus Auth addresses security challenges
• Make it easy for developers to provide login for
their apps (web, mobile, desktop, command line)
• …and protect all REST API communications
o App  Globus service (MRDP, Jupyter Notebook)
o App  non-Globus service (graph service in MRDP)
o Service  Service
• …while
– Not introducing yet another identity
– Providing a platform to consolidate existing identities
– Providing a least privileges security model (via consents)
– Being web friendly and language/framework agnostic
26

23. Based on widely used web standards
• OAuth 2.0 Authorization Framework (a.k.a. OAuth2)
• OpenID Connect Core 1.0 (a.k.a. OIDC)
• Access via OAuth2 and OIDC libraries of your choice
– Google OAuth Client Libraries, Apache mod_auth_openidc, etc.
– Globus Python SDK
27
docs.globus.org/api/auth

24. Fundamental Concepts
• Scopes: APIs that client is requesting access to
– Scope syntax: OpenID Connect: openid, email, profile
– https://auth.globus.org/scopes/<service-name>:<scope-name>
– A service can have multiple scopes
• Consents: authorize client to access a service, within
limited scope, on the resource owner’s (user’s) behalf
28

25. Globus account
• Globus Account = Primary identity + Linked Identities
– An identity can be primary on only one account
– Identities can be linked to only one account
• Account does not have own identifier
– An account is uniquely identified using its primary identity
• Effective identity = linked identity from a particular
identity provider required by a client or service
29

26. Identity id vs. username
• Identity id
– Unique among all Globus Auth identities; will never be reused
– UUID
– Always use this to refer to an identity
• Identity username
– Unique at any point in time; may change, may be re-used
– Case-insensitive user@domain
– Can map to/from id, for user experience
• Globus Auth API allows mapping back and forth
30

27. Auth Example: Authorization Code Grant
31
Client
(Web Portal,
Application,
Jupyter)
Globus Transfer
(Resource Server)
Globus Auth
(Authorization
Server)
5. Authenticate using client id
and secret, send authorization
code
Browser (User)
1. Access
portal
2.
Redirects
user
3. User authenticates and
consents
4. Authorization
code
6. Access token(s)
7. Authenticate with access
token(s) to give the client
the authority invoke the
transfer service
Identity
Provider

28. Globus Transfer API
• Globus Web App consumes public Transfer API
• Resource named by URL (standard REST approach)
– Query params allow refinement (e.g., subset of fields)
• Globus APIs use JSON for documents and resource
representations
• Requests authorized via OAuth2 access token
– Authorization: Bearer asdflkqhafsdafeawk
docs.globus.org/api/transfer
32

29. Globus Python SDK
• Python client library for the Globus Auth and Transfer
REST APIs
• globus_sdk.TransferClient class handles
connection management, security, framing,
marshaling
from globus_sdk import TransferClient
tc = TransferClient()
globus-sdk-python.readthedocs.io
33

30. Experimenting with the API using Jupyter Hub
• jupyter.demo.globus.org
– Sign in with Globus and verify consents
– Go to folder: globus-jupyter-notebooks/GlobusWorldTour
– Open: Platform_Introduction_JupyterHub_Auth.ipynb
• If you mess it up and want to “go back to the beginning”
– Navigate back to your Jupyter server’s root folder
– Run NotebookPuller.ipynb
• To use the notebook outside of our hub…
– github.com/globus/globus-jupyter-notebooks
– Authentication  copy-paste auth code, exchange for access token
34

31. Support resources
• Globus documentation: docs.globus.org
• Sample code: github.com/globus
• Helpdesk and issue escalation: support@globus.org
• Customer engagement team
• Globus professional services team
– Assist with portal/gateway/app architecture and design
– Develop custom applications that leverage the Globus platform
– Advise on customized deployment and integration scenarios

32. Join the Globus community
• Access the service: globus.org/login
• Create a personal endpoint: globus.org/app/endpoints/create-gcp
• Documentation: docs.globus.org
• Engage: globus.org/mailing-lists
• Subscribe: globus.org/subscriptions
• Need help? support@globus.org
• Follow us: @globusonline