How to access a guest collection with a script


Yuriy Halytskyy

Jan 15, 2024, 10:06:36 PM
to Discuss
Hi,

I am trying to figure out how to set up automated access to a guest collection by registering an app at https://auth.globus.org/v2/web/developers to get a client id and secret.

The web interface insists on giving it redirect URLs. Form submission is blocked when that form field is empty. An actual url (such as localhost) doesn't work because it then treats that client as public and doesn't allow me to add a client secret later. But a single space in place of a url works??? Surely there is a better way to do this.

Then I need to grant access to my guest collection. Doing it via https://app.globus.org/file-manager/collections/<collection-id>/sharing/create doesn't let me choose my service user. The search box cannot find them. I can use browser dev tools to call https://transfer.api.globus.org/v0.10/endpoint/xxx/access with proper client ID manually, and everything works. Again, surely there is an easier way to share a collection with an application?

Cheers,
Yuriy

Karl Kornel

Jan 16, 2024, 2:30:22 AM
to Yuriy Halytskyy, Discuss

Hi Yuriy,

When you say “access to a guest collection”, do you mean that you want to give it the ability to do things like list directories, initiate transfers, and download files over HTTPS (for suitably-enabled guest collections)?

If that is true, then you are right that you need a Confidential Client, something that has a Client ID (a UUID) and Secret, and its own Globus Identity (which is “UU...@clients.auth.globus.org”). Native apps don’t have a secret, because they’re meant to be deployed in locations where users have full access to the code (including to any secrets embedded within the code).

Could you please provide some more information on how your app is going to be deployed? Is it going to be in a location where users will have access to the code (for example, by running a script), or will it be accessed through a more-limited way that prevents access to code (like, through a web UI)?

~ Karl


Yuriy Halytskyy

Jan 16, 2024, 3:58:23 AM
to Discuss, akko...@stanford.edu, Yuriy Halytskyy
Hi Karl,

> When you say “access to a guest collection”, do you mean that you want to give it the ability to do things like list directories, initiate transfers, and download files over HTTPS (for suitably-enabled guest collections)?
Yes

> Could you please provide some more information on how your app is going to be deployed? Is it going to be in a location where users will have access to the code (for example, by running a script), or will it be accessed through a more-limited way that prevents access to code (like, through a web UI)?

We just want a way to copy things from a data collecting machine to a globus accessible location without user involvement. An "app" is a service account to facilitate that. A web UI to register the application is a bit confusing as it insists on having redirect URLs, even though there will be no redirects involved (actually it seems I was wrong, specifying a random url, like https://localhost, also works, so it doesn't have to be a space).

[Screenshot: globus2.png]

Sharing a guest collection with this app looks a bit of a challenge though, as the web UI cannot find it.

[Screenshot: globus3.png]

And without being able to find the "user", I cannot click "Add Permission" link. It can still be done by using browser dev tools and replacing the ID. So I attempt to add some user, get 409 because the user already has access but that doesn't matter because I just need to substitute the user ID with client ID and click re-send:

[Screenshots: globus4.png, globus5.png]

I hope it makes sense :).

Cheers,
Yuriy

Jason Alt

Jan 16, 2024, 10:22:20 AM
to Yuriy Halytskyy, Discuss, akko...@stanford.edu
Use https://app.globus.org/settings/developers and choose "Register a service account or application credential for automation" instead of the older Auth developer's interface.

You can enter the client username (i...@clients.auth.globus.org) into the permissions search bar and click add without the search finding the match.

Jason

Stephen Rosen

Jan 16, 2024, 11:08:29 AM
to Jason Alt, Yuriy Halytskyy, Discuss, akko...@stanford.edu
I'd like to add a small note that it's a known issue that "client identities" don't appear in the user search.
We have some significant enhancements on our roadmap for user search, which I believe will solve this. I don't know the status of that work offhand, but our team is enthusiastic about it!

Explicitly entering the ID in the web GUI as Jason suggests will work in the meantime. You could also add permissions via the CLI and enter the username -- it's more or less the same as doing so via the web interface.
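
The route Yuriy reached through browser dev tools, and the client username Jason describes, as an added example that is not part of any post in this thread and not Globus's own code: it builds the client-credentials token request for the service account and the access rule request that names the client identity, using only the Python standard library. The helper names, the environment variable names and the sample values are assumptions; the token URL, scope string and access document fields should be checked against the current Globus Auth and Transfer API documentation.

```python
import base64
import json
import os
import urllib.parse
import urllib.request
import uuid

TOKEN_URL = "https://auth.globus.org/v2/oauth2/token"
TRANSFER_BASE = "https://transfer.api.globus.org/v0.10"
TRANSFER_SCOPE = "urn:globus:auth:scope:transfer.api.globus.org:all"


def client_username(client_id: str) -> str:
    """Username of a confidential client's identity; rejects non-UUID input."""
    return f"{uuid.UUID(client_id)}@clients.auth.globus.org"


def token_request(client_id: str, client_secret: str) -> urllib.request.Request:
    """Client-credentials grant: the service account authenticates as itself."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": TRANSFER_SCOPE}).encode()
    return urllib.request.Request(
        TOKEN_URL, data=body, method="POST", headers={"Authorization": f"Basic {basic}"})


def access_rule_request(collection_id, client_id, path, permissions, manager_token):
    """Access rule for the client identity; sent with a collection manager's token."""
    if permissions not in ("r", "rw"):
        raise ValueError("permissions must be 'r' or 'rw'")
    if not (path.startswith("/") and path.endswith("/")):
        raise ValueError("rule path must be a directory: start and end with '/'")
    rule = {"DATA_TYPE": "access", "principal_type": "identity",
            "principal": str(uuid.UUID(client_id)),  # client ID doubles as identity ID
            "path": path, "permissions": permissions}
    url = f"{TRANSFER_BASE}/endpoint/{uuid.UUID(collection_id)}/access"
    return urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"Authorization": f"Bearer {manager_token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Hypothetical variable names; the secret stays out of the script and the repo.
    req = token_request(os.environ["GLOBUS_CLIENT_ID"],
                        os.environ["GLOBUS_CLIENT_SECRET"])
    with urllib.request.urlopen(req) as resp:
        print("token acquired, expires in", json.load(resp)["expires_in"], "seconds")
```

Granting the narrowest path and `r` rather than `rw` where the job only reads keeps a leaked client secret from exposing the whole collection.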

Patrick Mulrooney

Jan 16, 2024, 11:27:16 AM
to Discuss, yuriy.h...@nesi.org.nz

I thought this guide might be helpful; you could adapt it if you are not using a service account pretty easily: https://groups.google.com/a/globus.org/g/discuss/c/hqlyAWifoC4.

Yuriy Halytskyy

Jan 17, 2024, 4:14:24 AM
to Discuss, jaso...@globus.org, Discuss, akko...@stanford.edu, Yuriy Halytskyy
Hi Jason,
Thank you, that's what I needed. I think I tried with client ID before, but adding @clients.. didn't cross my mind. All working now.

Cheers,
Yuriy
