;----------------------------------------------------------------------------;
; Globus User Configuration
;----------------------------------------------------------------------------;
; These settings configure how to contact Globus when
; creating or modifying an endpoint.
[Globus]
; Globus user name. If not set, or left at its default, then the
; value of the GLOBUS_USER environment variable is used, falling back to
; prompting if it is not present.
User = %(GLOBUS_USER)s
; Globus login password. If not set, or left at its default, then the
; value of the GLOBUS_PASSWORD environment variable is used, falling back
; to prompting if it is not present.
; NOTE(review): leaving the placeholder below in place keeps the password out
; of this file (it is taken from the environment or prompted for instead).
; If a literal password is ever written here, restrict the file's permissions
; so that only the account that runs the setup tool can read it.
Password = %(GLOBUS_PASSWORD)s
;----------------------------------------------------------------------------;
; Globus Endpoint Configuration ;
;----------------------------------------------------------------------------;
; Set these if you want to add or modify the core attributes of the endpoint.
[Endpoint]
; Name of the endpoint. Can be either user#name or name, but if the former,
; the user must match [Globus] User above.
; The special value %(SHORT_HOSTNAME)s will substitute the non-qualified
; portion of an ec2 instance's public hostname, falling back to the
; non-qualified hostname portion of the machine's nodename.
Name = %(SHORT_HOSTNAME)s
; True or False, determining if the endpoint will be public or private.
; If not specified, this will default to False (non-public).
; NOTE(review): this file overrides that default and makes the endpoint
; public; confirm that is intended before running setup.
Public = True
; Default directory when users login to this endpoint (optional).
; If not specified, this will default to /~/.
DefaultDirectory = /~/
;----------------------------------------------------------------------------;
; Security Configuration ;
;----------------------------------------------------------------------------;
; These are the default service security settings, for services which will be
; accessed from Globus (GridFTP and MyProxy).
; There can be an override in the GridFTP or MyProxy sections below.
; Lines prefixed with ";;" are options that are commented out and therefore
; left at the default described above each of them.
[Security]
; If this is true, then use the relay.globusonline.org to generate
; a random service credential so that Globus can access this service.
; Otherwise, Globus Connect Server will assume the Certificate and Key have
; been generated by some other method.
; Note that FetchCredentialFromRelay will only work if the key and certificate
; fetch conditions are met. (NOTE(review): this sentence is truncated in the
; original file; confirm the exact condition against the product docs.)
FetchCredentialFromRelay = True
; Path to the certificate.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this CertificateFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostcert.pem
;; CertificateFile =
;
; Path to the private key.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this KeyFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostkey.pem
;; KeyFile =
; Path to the trusted certificate directory. The
; Globus Relay CA will be installed there, as well as the MyProxy
; trust roots and CA if the MyProxy server is running elsewhere.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/certificates/
;; TrustedCertificateDirectory =
; Type of identity provider for the Globus service to use. This may
; be one of the following values:
; MyProxy
; Use the MyProxy server defined in the [MyProxy] section of this
; configuration file
; OAuth
; Use the OAuth server defined in the [OAuth] section of this
; configuration file
; CILogon
; Use the CILogon OAuth server
; Set to MyProxy here, so the [MyProxy] section below must describe a
; reachable server.
IdentityMethod = MyProxy
; Authorization method for mapping the grid credential to a local username.
; By default, this is inferred from the IdentityMethod above. If using MyProxy,
; the MyProxyGridmapCallout is used; if using CILogon, the CILogon method
; is used. If CILogon provides certificates that don't match local policy,
; you might need to use Gridmap to explicitly map the credentials to local
; accounts.
; The possible values of the option are MyProxyGridmapCallout, CILogon, or
; Gridmap
;; AuthorizationMethod =
; Path to a grid-mapfile to use with the Gridmap authorization method. The
; default is shown below
;; Gridmap = /etc/grid-security/grid-mapfile
; The name of the identity provider (see https://cilogon.org/ for a list
; of valid names)
;; CILogonIdentityProvider = University of Chicago
;----------------------------------------------------------------------------;
; GridFTP Configuration ;
;----------------------------------------------------------------------------;
; This section configures a GridFTP server. It can be processed on the
; GridFTP server host to generate a GridFTP configuration file, and on
; that or any other host to add a GridFTP server to an endpoint
[GridFTP]
; The host name (and optional port) to contact this GridFTP Server, in the form
; host[:port]. If not set, no gridftp server will be configured. The default
; pulls the server name from EC2 metadata if present, falling back to the
; local hostname, and uses the default port 2811.
Server = %(PUBLIC_HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a GridFTP server on this machine, even if the Server doesn't
; match the current hostname. Also, if ServerBehindNAT is set to True, the
; DataInterface will be set to the Server string automatically.
; If False, globus-connect-server-setup will only configure the gridftp
; server if the Server above matches the local machine's hostname. The default
; is False.
ServerBehindNAT = True
; Port range to use for incoming connections. The format is
; "startport,endport". If not set, this will default to 50000,51000
IncomingPortRange = %(GRIDFTP_PORTS_LOW)s,%(GRIDFTP_PORTS_HIGH)s
; Port range to use for outgoing connections. The format is
; "startport,endport". Only use this if your firewall restricts outgoing
; ports and gridftp won't work otherwise. The default is not to restrict
; outgoing TCP ports
;; OutgoingPortRange = 50000,51000
; Hostname or IP address of the interface to use for data connections. If not
; set in this file, then the default behavior is:
; - When run on an EC2 instance, the data interface will be automatically
; configured to use the public ipv4 address of the instance.
; - When run on a non-EC2 instance, if ServerBehindNAT is True, then
; the hostname of the Server string is used. If this resolves to a private
; IP address, a warning will be issued.
; - Otherwise, this will not be set, and the gridftp server will tell clients
; to connect to the IP address that the control connection was established
; on.
; NOTE(review): DataInterface is set explicitly below while ServerBehindNAT
; above is also True; per the description, the automatic assignment presumably
; applies only when DataInterface is unset — confirm which value wins.
DataInterface = %(GRIDFTP_IP)s
; Restricted path configuration.
; A comma separated list of full paths that clients may access. Each path may
; be prefixed by R and/or W, denoting read or write access, or N to explicitly
; deny access to a path. If a given path is a directory, all contents and
; subdirectories will be given the same access. Order of paths does not matter
; -- the permissions on the longest matching path will apply. The special
; character '~' will be replaced by the authenticated user's home directory,
; and * may be used for simple wildcard matching.
; By default all paths are allowed, and access control is handled by the OS.
; Examples:
; Allow read access to /data and full access to the user's home directory:
; RestrictPaths = RW~,R/data
; Allow full access to the home directory, but deny hidden files there:
; RestrictPaths = RW~,N~/.*
; NOTE(review): left empty here, which presumably behaves like "not set":
; every path the OS permits is reachable through GridFTP.
RestrictPaths =
;
; Require an encrypted data connection for all transfers. Transfers attempted
; without encryption will result in error.
; Left commented out here, so transfers are not required to be encrypted.
;; RequireEncryption = False
;
; Enable sharing with Globus for this server.
; If not specified, this will default to False.
;
; NOTE: In order to use sharing, the endpoint will need to be a
; managed endpoint associated with a Globus subscription uuid. Additional
; configuration must be done using the endpoint-manage globus cli command.
;; Sharing = True
; ------------------------
; ADVANCED SHARING OPTIONS
; ------------------------
; Using the same syntax as RestrictPaths above, this defines additional
; restrictions on which paths sharing clients may access.
;; SharingRestrictPaths =
; Path of a directory where GridFTP will store files used to control
; sharing access to individual accounts. The variables $USER and $HOME
; should be used in order to define a unique path per user.
; If not specified, this will default to "$HOME/.globus/sharing".
;
; For instance, with SharingStateDir = "/var/globusonline/sharing/$USER",
; user "bob" would be enabled for sharing only if a path exists with the
; name "/var/globusonline/sharing/bob/" and is writable by bob.
;
;;SharingStateDir =
; Allow or Deny sharing for specific users or groups.
; Each option takes a comma separated list of user or group names.
; Users named in SharingUsersDeny and members of groups named in
; SharingGroupsDeny will be denied sharing features.
; If SharingUsersAllow or SharingGroupsAllow is set, only those users
; or group members may share, and all other users will be denied.
; Any user for which sharing is denied will not be allowed to create shares,
; and existing shares owned by that user will not be accessible.
; By default these options are not set, and all users are allowed to share.
;; SharingUsersAllow =
;; SharingGroupsAllow =
;;
;; SharingUsersDeny =
;; SharingGroupsDeny =
;-----------------------------------------------------------------------------
; MyProxy Configuration ;
;-----------------------------------------------------------------------------
; This section configures a MyProxy server. It can be processed on the
; MyProxy server host to generate myproxy-server configuration files and
; a MyProxy CA, or can be used on a GridFTP server host to determine how
; to fetch trust roots, or to associate the MyProxy server with a
; Globus endpoint
[MyProxy]
; The contact URI of the MyProxy server. The format is host[:port], with
; a default port of 7512 if not present.
; If not set, then no myproxy server will be configured. The special value
; %(HOSTNAME)s will substitute an ec2 instance's public hostname, falling back
; to the machine's nodename.
; NOTE(review): the value below uses %(PUBLIC_HOSTNAME)s rather than the
; %(HOSTNAME)s special value described here — confirm which substitution the
; consumer actually performs.
Server = %(PUBLIC_HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a MyProxy server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the MyProxy
; server if the Server above matches the local machine's hostname. The default
; is False.
ServerBehindNAT = True
; Directory in which to place the MyProxy CA files,
; including the cacert and key, and the set of signed certificates.
; If not present, the default is /var/lib/globus-connect-server/myproxy-ca
; NOTE(review): this directory holds the CA private key; keep its permissions
; restricted to the service account.
;
;; CADirectory = /var/lib/globus-connect-server/myproxy-ca
; Path to store the myproxy service configuration file.
; If not specified, the default is
; /var/lib/globus-connect-server/myproxy-server.conf
;
;; ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf
;-----------------------------------------------------------------------------
; OAuth Configuration ;
;-----------------------------------------------------------------------------
; This section configures the MyProxy OAuth server used when IdentityMethod
; in [Security] is set to OAuth.
[OAuth]
; The public host name of the MyProxy OAuth server.
; If not set, then no MyProxy OAuth server will be configured. The special value
; %(HOSTNAME)s will substitute an ec2 instance's public hostname, falling back
; to the machine's nodename
;; Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure an OAuth server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the OAuth
; server if the Server above matches the local machine's hostname. The default
; is False.
; NOTE(review): Server above is left unset, so per its description no OAuth
; server is configured and this setting presumably has no effect — confirm.
ServerBehindNAT = True
; A cascading stylesheet file to use with OAuth server web pages. The
; stylesheet will be used to style the MyProxy OAuth web interface. If not set,
; then the default Globus-look web style will be used.
;; Stylesheet =
;
; An image file to use as the logo of the MyProxy OAuth server. If not set,
; the Globus logo image is used.
;; Logo =
; vim: filetype=dosini : nospell :