How do I create a shared endpoint?

[Wei Shi]

I encountered the message

"The backend responded with an error: You do not have permission to create a shared endpoint on the selected path. The administrator of this endpoint has disabled creation of shared endpoints on the selected path."

While I am using GUI or CLI. How do I grant me the correct permissions?

Thanks,

Wei

[Stephen Rosen]

Hi Wei,

Globus Connect Server has a configuration option for restricting which directories can be used for Shared Endpoints.

It's called SharingRestrictPaths and a detailed explanation is offered in these parts of our Globus Connect Server setup guide:

https://docs.globus.org/globus-connect-server-installation-guide/#sharingrestrictpaths_option

https://docs.globus.org/globus-connect-server-installation-guide/#how_to_control_sharing_in_globus_connect_server

If you expand the set of paths enabled for sharing to include the directories which are giving the aforementioned error, it should work.

You should also ensure that you have set `Sharing = True`.

I believe that the error you provided only occurs when that is already set, but want to make sure you have done so.

Let us know if this doesn't resolve the issue or if you have more questions, e.g. about the SharingRestrictPaths option.

Best,

-Stephen

[Wei Shi]

Hi Stephen,

Mine is Globus Connection Personal. Is there any option that I can set?

Thanks,

Wei

[Stephen Rosen]

Hi Wei,

Sharing on Globus Connect Personal is tied to your user's "Plus" status.

"Plus" is basically the way we track an active Subscription being associated with a User*, and it is managed through Plus Groups.

A Plus Group is just a Globus Group which grants the Plus status to its members.

* Actually, Globus Plus is the status for a User which grants access to features like Globus Connect Personal Sharing, and Subscriptions are merely the mechanism by which users can be granted Plus. The difference is mostly academic, but it may help make sense of our documentation.

If your institution has a Subscription, you may already have a Plus Group which you can manage and use for this purpose.

The administrators for that group should be members of your organization who can add your user.

If you don't have a Plus Group, you should reach out to sup...@globus.org to set one up.

Please be aware that not all subscription levels offer Plus: https://www.globus.org/subscriptions

If your user already has plus (it should be visible on this page: https://app.globus.org/account/plus ), and you can also use the "Add Globus Plus Sponsor" button on that page to lookup a listing of Plus Groups which you can request to join.

I note you're using a umich.edu email address, and there appear to be several University of Michigan Plus Groups, so I suspect that one of those would be appropriate.

I hope this helps and clears things up.

Best,

-Stephen

[Wei Shi]

Thank you Stephen. It really clarified many of my doubts.

I verified under my account, indeed I am already under "Plus" status.

By digging a little bit deeper, I think the error was caused by that I didn't grant "Accessible Folders" on container.

Since I only have globus cli installed on my container, is there any command that I can grant read and write to "Accessible Folders"?

I've tried following cli commands, but still encountered same error

globus endpoint create --shared
globus endpoint permission create


Wei

[Wei Shi]

Essentially I ran the following command and had errors:

shiwei@6d1873adcaf3:~/code$ globus endpoint create --shared $ep1:/~/shared_dir "CLI Example Shared Endpoint" \
>     --description "Example endpoint created using the Globus CLI"
Globus CLI Error: A Transfer API Error Occurred.
HTTP status:      403
request_id:       HZpEVUkrV
code:             ClientError.PermissionDenied.Sharing.PathNotAllowed
message:          You do not have permission to create a shared endpoint on the selected path. The administrator of this endpoint has disabled creation of shared endpoints on the selected path.

[Stephen Rosen]

There is very little integration between the Globus CLI and a local instance of Globus Connect Personal.

I'm happy to discuss why this is, at least from the perspective of the CLI development, but it's largely off-topic.

The shortest explanation is that Globus Connect Personal predates the very idea of the Globus CLI, and building a smooth integration between the two is nontrivial.

The only really notable exception is the

   globus endpoint local-id

command. This was fairly easy for us to add, and solves the problem of 'self-discovery' for endpoints, allowing people to write more portable scripts which operate against the Endpoint on their current machine.

"Accessible Folders" is a Globus Connect Personal setting, and if you want to modify the state of Globus Connect Personal installation, you either need to

- use the GUI to adjust its settings

- IF you are using Globus Connect Personal for Linux, adjust the command-line arguments to Globus Connect Personal when you launch it

You can get help text for the Globus Connect Personal command-line entry point with

  ./globusconnect -h

from the dir where you unpacked the Globus Connect Personal tarball.

The option you'll want to try using is `-restrict-paths` and the help text offers a fairly comprehensive explanation of its usage.

The `globus endpoint create --shared` command is for creating a Shared Endpoint on a path where you have access.

So once you have the local permissions configuration required, that will presumably be the command you want to run in order to start sharing data out of a directory.

`globus endpoint permission create` creates Access Control List rules (ACLs) on Shared Endpoints, and will therefore be the logical next step once you have a Shared Endpoint created and functioning.

[Wei Shi]

Hi Stephen,

Everything seemed to be working properly, but I just couldn't make the folder sharing work.

Here are my steps and observations:

1. Run "globus endpoint create --personal" to create the GCP

2. Run "globusconnectpersonal -setup".

3. Run "globusconnectpersonal -start". Since the default share folder is /~/, I didn't provide settings to -restrict-paths

4. Use browser to login to "globus.org"

5. Click "Endpoints" tab to the left and I am able to see the GCP

6. Click the GCP and select the "Shares" tab on the top

7. Click "Add a Shared Endpoint" button

8. There is a button to the right of Path input box. When I clicked it, I can see all folders and files under /~/. My understanding is only "Accessible Folders" are visible to be selected. So all folders and files under /~/ are available to share.

9. Select one folder and clicke "Select" button to confirm.

10. Fill up Display Name and Description, and then click Create Share

11. Error message is shown on browser page: "The backend responded with an error: You do not have permission to create a shared endpoint on the selected path. The administrator of this endpoint has disabled creation of shared endpoints on the selected path."

When I looked into GCP outputs. Here are the messages:

-------------------------------------------------------------------------------

#relaytool connected
#gridftp 0
#relaytool connected
Got connection from ('127.0.0.1', 37294)
GCP-2.3.9L
Sock fd: 5
[182] Thu Dec 12 16:34:23 2019 :: GFork functionality not enabled.:
globus_gfork: GFork error: Env not set

[182] Thu Dec 12 16:34:23 2019 :: No configuration file found.
[182] Thu Dec 12 16:34:23 2019 :: Server started in inetd mode.
[182] Thu Dec 12 16:34:23 2019 :: New connection from: localhost:37294
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: USER :globus-mapping:
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [SERVER]: 331 Password required for :globus-mapping:.
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: PASS dummy
[182] Thu Dec 12 16:34:24 2019 :: DN /C=US/O=Globus Consortium/OU=Globus Connect User/CN=u_e3hnq4pngrgqjod3qwbsnie4km successfully authorized.
[182] Thu Dec 12 16:34:24 2019 :: User shiwei successfully authorized.
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: PASS dummy
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [SERVER]: 230 User shiwei logged in.
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: SITE CLIENTINFO appname="globusonline-dirlist";appver="0.2"
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [SERVER]: 250 OK.
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: FEAT
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [SERVER]: 211-Extensions supported
 CKSM MD5:10;ADLER32:10;SHA1:10;SHA256:12;SHA512:11;
 DSI file-12.22
 STORATTR
 UPAS
 HTTP
 DCSC P,D
 MFMT
 WHOAMI
 AUTHZ_ASSERT
 MLSR
 MLSC
 UTF8
 LANG EN
 DCAU
 PARALLEL
 SIZE
 MLST Type*;Size*;Modify*;Perm*;Charset;UNIX.mode*;UNIX.owner*;UNIX.uid*;UNIX.group*;UNIX.gid*;Unique*;UNIX.slink*;X.count;
 ERET
 ESTO
 SPAS
 SPOR
 REST STREAM
 MDTM
 PASV AllowDelayed;
211 End.
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [SERVER]: 200 12.22 (gcc64, 1568732149-85) [Globus Toolkit 6.0.1568732149 GCP-2.3.9L]
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: SITE VERSION
[182] Thu Dec 12 16:34:24 2019 :: Processing SITE SHARING TESTPATH /home/shiwei/code
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [CLIENT]: SITE SHARING TESTPATH ~/code/
[182] Thu Dec 12 16:34:24 2019 :: localhost:37294: [SERVER]: 500 Requested path can not be accessed via sharing.
[182] Thu Dec 12 16:34:24 2019 :: Closed connection from localhost:37294
event for pid 182
rc=0
gridftp pid 182 exited, rc=0
#gridftp 0
#relaytool connected
#gridftp 0
#relaytool connected

---------------------------------------------------------

Any idea?

Wei

[Michael Link]

Hi Wei,

The default accessible folder for yourself is /~/, but sharing is not
enabled by default. The option -restrict-paths controls the accessible
paths for yourself. The option -shared-paths controls the accessible
paths for sharing.

"globusconnectpersonal -start -shared-paths RW~/" will allow read/write
sharing on your home directory.

You can configure shared paths permanently in the GUI, or by editing the
configuration file directly. See
https://docs.globus.org/faq/globus-connect-endpoints/#how_do_i_configure_accessible_directories_on_globus_connect_personal_for_linux

Mike

> I note you're using a umich.edu <http://umich.edu> email

> address, and there appear to be several University of
> Michigan Plus Groups, so I suspect that one of those
> would be appropriate.
>
>
> I hope this helps and clears things up.
>
> Best,
> -Stephen
>
> On Mon, Dec 9, 2019 at 10:00 PM Wei Shi
> <shi...@umich.edu> wrote:
>
> Hi Stephen,
> Mine is Globus Connection Personal. Is there any
> option that I can set?
>
> Thanks,
>
> Wei
>
> On Monday, December 9, 2019 at 3:44:49 PM UTC-5,
> Stephen Rosen wrote:
>
> Hi Wei,
>
> Globus Connect Server has a configuration option
> for restricting which directories can be used
> for Shared Endpoints.
> It's called SharingRestrictPaths and a
> detailed explanation is offered in these parts
> of our Globus Connect Server setup guide:
> https://docs.globus.org/globus-connect-server-installation-guide/#sharingrestrictpaths_option

> <https://docs.globus.org/globus-connect-server-installation-guide/#sharingrestrictpaths_option>
> https://docs.globus.org/globus-connect-server-installation-guide/#how_to_control_sharing_in_globus_connect_server

[Wei Shi]

I am able to make the share folder working with docker container by using following command:

./globusconnectpersonal -start  -restrict-paths rw~/ -shared-paths RW~/ &

Although I still have issue with file transfer, but I think I've figured out the file sharing settings.

Thank you Mike & Stephen!

Wei