Restricting directory access in a guest collection?


Chandin Wilson

Jul 8, 2025, 6:12:58 PM
to dis...@globus.org
Hi Globus folk,

I've pored over the docs and come over here for ideas and thoughts.

As part of an FTP site rework several years back, I created a Globus guest collection for public read access to data sets that span several filesystems, all helpfully mounted under one /data mount point and published as '/'.

A fresh requirement / desire has come in, to restrict access (on a temporary basis) to a directory underneath, say /9/RESTRICTED_STUFF.

I'd think a sharing policy would cover this, but here's the thing -- a sharing policy requires a user, and the sharing policy at the / is to the null user. Naively trying the "null" user on a sharing-policy creates this type of result:


sh-4.4# globus-connect-server sharing-policy list b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593
Sharing Policy ID | Collection ID | Sharing Path Restrictions | Users
------------------------------------ | ------------------------------------ | ------------------------------- | -------------
d25c61d8-03d7-2490-4b83-e2af04dbed6a | b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593 | N/9/RESTRICTED_STUFF | ["null"]
413f4531-c4fb-650e-b862-b6ec95dccc7d | b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593 | RW/ | null



thanks for any insights!

--Chan

Chan Wilson NOAA GFDL & RDHPCS Toolsmith
General Specialist, Information Technology and Agriculture
chandin...@noaa.gov +1-608-216-5689

Karl Kornel

Jul 8, 2025, 8:50:54 PM
to Chandin Wilson, dis...@globus.org

Hi Chandin,

As I understand it, a Sharing Policy applies to the Mapped Collection, and controls the restrictions that apply to a specific user, as identified by that specific user’s local username.

From the output you provided, I would say that the following policies are in place:

• The default policy allows read-write access to the collection’s root path.
• For local username “null”, disallow access to path “/9/RESTRICTED_STUFF”.

Per the documentation at https://docs.globus.org/globus-connect-server/v5.4/reference/sharing-policy/create/: “If using sharing policies, it is important to understand that the policies used by Globus are a union of all rights granted to that user, either explicitly (by including their name in a sharing policy), or implicitly as part of the default sharing policy.”

So, for local username “null”, the following rules apply:

• Disallow access to path “/9/RESTRICTED_STUFF”.
• Allow read-write access to everything else.

NOTE: I say “read/write”, because that is what is being allowed at the Mapped Collection level. But you already said that, at the Guest Collection level, read-only access is being provided to users. So, even though the Mapped Collection configuration allows read-write, the Guest Collection configuration is read-only, and so read-only is what actually applies.

So, how can you get what you want? Well first you should probably delete Sharing Policy ID d25c61d8-03d7-2490-4b83-e2af04dbed6a, since I don’t think your Guest Collection is owned by local username “null”.

Then, there are two ways to get what you want:

1. You can change the default sharing policy for the Mapped Collection, blocking all sharing of path “/9/RESTRICTED_STUFF”. You would do this using the command `globus-connect-server collection show --include-private-policies b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593` and `globus-connect-server collection update --sharing-restrict-paths=… b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593`.
2. You can re-create the sharing policy you originally created, but with the correct local username (the local username of the user that owns the Guest Collection).

Good luck!

~ Karl
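
An added example, not part of the thread or of Globus's own tooling: a small Python check over the `sharing-policy list` output quoted in the question, separating the default policy (Users `null`) from a policy bound to the literal local username "null". The prefix meanings follow the reading given in the reply above; the `R` entry, the `SUSPECT_USERS` list and the one-restriction-per-row layout are assumptions.

```python
import json

# Output copied from the question above.
SAMPLE = """\
Sharing Policy ID | Collection ID | Sharing Path Restrictions | Users
------------------------------------ | ------------------------------------ | ------------------------------- | -------------
d25c61d8-03d7-2490-4b83-e2af04dbed6a | b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593 | N/9/RESTRICTED_STUFF | ["null"]
413f4531-c4fb-650e-b862-b6ec95dccc7d | b2ad3bf5-46c3-cc4c-f88b-9b9b133b0593 | RW/ | null
"""

# Prefix meanings follow the reply's reading of the output; "R" is an assumption.
MODES = {"RW": "read-write", "R": "read-only", "N": "no access"}
# Literal usernames that look like a mistyped default (hypothetical watch list).
SUSPECT_USERS = {"null", "none", ""}


def parse_policies(text):
    """Turn the pipe-separated listing into one dict per policy row."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or cells[0] == "Sharing Policy ID" or set(cells[0]) <= {"-"}:
            continue  # skip header, separator and blank lines
        policy_id, collection_id, restriction, users = cells
        prefix, _, path = restriction.partition("/")
        rows.append({
            "id": policy_id,
            "collection": collection_id,
            "mode": MODES.get(prefix, "unknown:" + prefix),
            "path": "/" + path,
            "users": json.loads(users),  # JSON null -> None (default policy)
        })
    return rows


def audit(rows):
    """Flag explicit policies bound to a placeholder-looking local username."""
    findings = []
    for row in rows:
        if row["users"] is None:
            continue  # default policy, applies to everyone
        bad = [u for u in row["users"] if u.lower() in SUSPECT_USERS]
        if bad:
            findings.append((row["id"], row["mode"], row["path"], bad))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE)):
        print("policy bound to literal username:", finding)
```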
