What Credentials to Use for Laptop Used for Data Acquisition


Vincent Balbarin

Aug 29, 2023, 11:51:05 AM
to Discuss
Hello,

We have a graduate student who is using Globus Automation to move data from their data acquisition laptop running Ubuntu and Globus Connect Personal to a Globus Connect Server Endpoint where the data is pre-processed.

They have the automation running properly but would not like GCP to use their SSO credentials, since the laptop will have a single local Ubuntu login account shared with others on the team.

Is the best practice to create a Globus ID associated with the instrument and use that as a login? The options to create a service account create users that do not end in @clients.auth.globus.org and cannot be used with GCP.

Thanks,
Vincent

Michael Link

Aug 31, 2023, 11:12:19 AM
to Vincent Balbarin, Discuss
Hi Vincent,


It's possible to create a GCP endpoint owned by client credentials. It
requires an additional step to separately create the endpoint on the
service side, and then associate it with the GCP configuration on the
laptop. I'll describe that process at the end of this message.

As far as best practices, it depends on how you'll be accessing the GCP
collection. The main consideration is that only the owner can access
the main GCP collection, which means you would only be able to access
that collection using methods that support client credentials. If
you'll need to access the main GCP collection from the web, a shared
GlobusID is fine.

Another common option is to create a GCP guest collection, which allows
you to share access with other users or client credentials. In this
case, the owner of the GCP endpoint is less important; only the owner
can access the main GCP collection or create guest collections, but the
presence of the GCP on a shared machine does not expose the owner
account credentials in any way. Guest collections require the GCP
endpoint to be managed under a subscription.


Let us know if you have any other questions.

Mike


Create a GCP endpoint using client credentials:

Using the Globus CLI, set the environment variables to authenticate with
client credentials *[1], and then create the GCP endpoint and receive
its setup key *[2]. You would then use that setup key when running GCP
setup, instead of a user login. To enter the setup key during a GUI
setup, choose "Advanced Options" and then "I have a setup key". To pass
the setup key during a command line setup, simply pass the key as an
argument to the -setup parameter, e.g. "./globusconnectpersonal -setup
<setup key>".

[1]
https://docs.globus.org/cli/environment_variables/#client_credentials_with_globus_cli_client_id
[2] https://docs.globus.org/cli/reference/gcp_create_mapped/
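
The procedure in the message above, as an added shell example that is not part of the original post or of Globus's own documentation. It assumes the endpoint is created from an admin workstation so the client secret never lands on the shared laptop; the function names, the secret file path and the use of --format/--jmespath with the globus_connect_setup_key field to print only the key are assumptions to check against [1] and [2].

```shell
#!/usr/bin/env bash
# Added example: run on an admin workstation, not on the shared laptop.
# Only the setup key, not the client secret, is carried to the laptop.

# Refuse a secret file that group or other users could read.
check_secret_file() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $1: mode $mode, expected 600 or 400" >&2
           return 1 ;;
    esac
}

# Create the GCP endpoint as the client identity; print only its setup key.
# Arguments: client ID, path to file holding the client secret, display name.
create_gcp_setup_key() {
    local client_id="$1" secret_file="$2" name="$3" key
    check_secret_file "$secret_file" || return 1
    # Subshell: the exported credentials disappear when it exits, so they
    # are not left in the environment of the calling shell.
    key=$(
        export GLOBUS_CLI_CLIENT_ID="$client_id"
        GLOBUS_CLI_CLIENT_SECRET=$(cat "$secret_file")
        export GLOBUS_CLI_CLIENT_SECRET
        # Assumed output selection: emit just the setup key field.
        globus gcp create mapped "$name" \
            --format unix --jmespath 'globus_connect_setup_key'
    ) || return 1
    [ -n "$key" ] || { echo "no setup key returned" >&2; return 1; }
    printf '%s\n' "$key"
}

# Usage (placeholder values, hypothetical path):
#   key=$(create_gcp_setup_key "<client id>" "$HOME/.secrets/instrument" \
#         "Instrument laptop")
# Then, on the laptop:
#   ./globusconnectpersonal -setup "$key"
```
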

Balbarin, Vincent

Aug 31, 2023, 11:33:19 AM
to Michael Link, Discuss
Thanks for the useful tips, Greg.

After I wrote the message, the same thought occurred to me and I requested a “service” account under our IDP to enable management of its lifecycle under our business/institutional processes.

We're excited to get this proof of concept running and to share it with the rest of the researchers here.

Best,
/Vincent 
