Hi Andrew,
Thanks for raising some important questions.
To your first concern, OSG has decided that GridFTP and Globus will not be part of their infrastructure in the future; their transition plan is described here:
https://opensciencegrid.org/technology/policy/gridftp-gsi-migration/. As much as we would like to see continued use of Globus within the high energy physics community, we respect their decision to invest in building bespoke tools.
Regarding the broader question of supporting GSI-based GridFTP servers, we're guided by the voices of the community. We have shared plans for transitioning to a new security model based on OAuth, and there's no demand for ongoing support of both approaches from our users. The majority of legacy GridFTP servers are within the high energy physics community and, with their move away from GridFTP to other transfer tools, we are hard pressed to invest our limited resources in maintaining multiple security models and versions. We will continue to support GSI until the transition from GCSv4 to GCSv5 is complete. From that point forward, only the new security model in GCSv5 will be supported within the Globus service.
In the same spirit of being user driven, our focus has always been to make advanced data management capabilities available to every researcher, regardless of technical ability, while also reducing (ideally, eliminating!) the burden on system administrators that provide these capabilities to their users. It’s with this goal in mind that we introduced modern authN/authZ approaches like OAuth to the community a few years ago, and started the effort to rebuild Globus Connect Server. In addition to removing the friction of managing X.509 certs, GCSv5 also simplifies packaging, reduces firewall requirements by using port 443 for the control channel, and provides tools that give admins a lot more flexibility in managing their Globus deployments.
You also raised the spectre of vendor lock-in which I don’t believe is an issue in this context. The vast majority of Globus users simply use the web app to move and share data. Hence there are no barriers to switching to another service since Globus doesn’t own any of the user’s data -- the storage systems “behind” all Globus endpoints are under the sole control of their respective owners. Likewise, for those institutions that have integrated Globus capabilities into other systems (portals, science gateways, etc.), switching might require a bit more effort (e.g. to use another provider’s APIs) but that's no different than, for instance, deciding to use a different library in their code. Also, the fact that we use open standards like OAuth and OIDC means that any auth infrastructure they build is easily portable between solutions.
I hope this clarifies things and provides some added perspective. Happy to continue the conversation if you have other questions.
Cheers,
Vas
> On Jan 27, 2021, at 8:59 AM, 'Cherry, Andrew J.' via Discuss <
dis...@globus.org> wrote:
>
> Hi Vas,
>
> This does lead me to another question, and I think this is a good context to ask this question for the sake of clarity. As a resource provider, I have fielded the "is GridFTP is going away?" question more than once, and I think terminology muddies the waters since different people may mean different things when they say "GridFTP protocol" -- they could be thinking about specific implementations (since there are now different methods of handling the control channel with v4 vs v5 along with different auth mechanisms) and not necessarily about the base transfer protocol under the hood.
>
> When I see this sort of question from an end user or site administrator, sometimes I find that they are not actually asking whether the underlying file transfer protocol is changing. Often what they're really asking about is compatibility of server implementations with the Globus cloud service and whether they are going to experience vendor lock-in. And I've also heard some users express concern about losing an open source high throughput file transfer mechanism.
>
> We know that Globus is no longer maintaining the Globus Toolkit and the GSI authentication layer it relies on, but there does exist a third party open source fork of the Globus Toolkit code, the Grid Community Toolkit (maintained and supported by OSG). I expect that there are probably sites embedded in the OSG ecosystem that are using this implementation in order to continue supporting workflows that rely on the legacy clients, and it seems probable that there might be instances of this that have also have some transfers brokered by the Globus service, particularly if they were previously running the toolkit or the OSG packages and not the full GCSv4 version with the overlying autoconfiguration pieces.
>
> I think the more pertinent question for an end user or site admin is this one: once GCSv5 (which uses https for the control channel and native OAuth for authentication) reaches critical mass and GCSv4 begins to phase out, will the Globus cloud service continue to maintain compatibility with "traditional" GSI-based GridFTP servers like the Grid Community Toolkit? Or will we eventually reach the point where GCSv5 is the only server option that works with your service? This was perhaps a clearer picture when Globus maintained the toolkit and announced end of support, but it's a more ambiguous situation when we have third party server implementations, and I don't know if I've actually seen a clear statement about it.
>
> Thanks....
>
> -Andrew
>