automating GCS deployment with ansible


Yuriy Halytskyy

Dec 20, 2023, 7:50:14 PM
to Discuss
I am trying to create a playbook to automate managing GCS server with ansible. Couldn't find anything up to date on the web, so decided to create my own modules. Ansible allows developing modules in python so using globus SDK seemed like a good fit.

First question is about credentials. I could connect to GCS endpoint with client_id and a secret created from an endpoint itself, after adding administrator role. Using an app credential even after assigning a role results in a 401 error (invalid Bearer token). Is this the right way to authenticate?

    import globus_sdk

    # client_id / client_secret: the credentials of the client used for automation
    client = globus_sdk.ConfidentialAppAuthClient(
        client_id=client_id, client_secret=client_secret
    )
    # not sure what the right scope is but this one works
    scopes = "urn:globus:auth:scope:transfer.api.globus.org:all"
    cc_authorizer = globus_sdk.ClientCredentialsAuthorizer(client, scopes)
    # gcs_address: the endpoint's GCS manager address (e.g. xxx.xxx.data.globus.org)
    gcs = globus_sdk.GCSClient(gcs_address=..., authorizer=cc_authorizer)

Would be good not having to hard code IDs. Is it possible to have more than one storage gateway of the same connector type on an endpoint? e.g. two or more posix gateways. So if I have a config that looks like the one below, is it possible to uniquely identify a gateway?

    - storage_gateway:
        endpoint: "xxx.xxx.data.globus.org"
        connector: Posix
        ....

And the same question about collections. Confusingly it seems possible to have two different collections with the same display_name, so I am not sure how to uniquely refer to one without hard coding IDs.

And the last question about connector IDs. I can see how to get a name from ID using sdk, but what about reverse? If an ansible playbook wants to specify "connector: Posix" how do I translate it to an ID? At the moment I just maintain reverse dictionary in the module, but it would be nice if SDK could do it.
 

Cheers,
Yuriy

Jason Alt

Dec 21, 2023, 10:45:53 AM
to Yuriy Halytskyy, Discuss
Hello Yuriy-

Our Ansible bits are at https://github.com/globus/globus-connect-server-deploy/tree/master/ansible, though it only supports installation at the moment. The next logical step would be a GCS module for configuring the endpoint so you're definitely on the right track.

>  I could connect to GCS endpoint with client_id and a secret created from an endpoint itself

Yes and no. Using a confidential client app is the best way to perform automation, but using the endpoint's client ID/secret is not recommended. Instead, go to https://app.globus.org/settings/developers, select/create a project and select "Register a service account or application credential for automation" and use that client for configuring the endpoint.

> # not sure what the right scope is but this one works
>  scopes = "urn:globus:auth:scope:transfer.api.globus.org:all"

The scope you are looking for is "https://auth.globus.org/scopes/<endpoint_id>/manage_collections".

> Would be good not having to hard code IDs.

The gateway and collection IDs are the best way to guarantee the same targets between Ansible runs. Display names can change, keywords can be removed. I wouldn't recommend hard-coding IDs within the module but saving them "some way" (TM) on the Ansible node for lookup later would be useful.

> Is it possible to have more than one storage gateway of the same connector type on an endpoint? e.g. two or more posix gateways.

yes.

> And the last question about connector IDs. I can see how to get a name from ID using sdk, but what about reverse? If an ansible playbook wants to specify "connector: Posix" how do I translate it to an ID? At the moment I just maintain reverse dictionary in the module, but it would be nice if SDK could do it.

We'll add this to the feature backlog. 

Jason

Lev Gorenstein

Dec 21, 2023, 10:59:10 AM
to Jason Alt, Yuriy Halytskyy, Discuss
To piggy-back on what Jason said:

> Would be good not having to hard code IDs.

> The gateway and collection IDs are the best way to guarantee the same targets between Ansible runs. Display names can change, keywords can be removed. I wouldn't recommend hard-coding IDs within the module but saving them "some way" (TM) on the Ansible node for lookup later would be useful.

This is exactly what we did at $JOB-1 in Puppet. Relevant IDs (and the deployment-keys.json file, for that matter) were defined as parameters that the module would pull from the hiera store.

The sure-fire way to uniquely identify a gateway (or endpoint, or collection) is by their UUID (pardon the pun).


> Is it possible to have more than one storage gateway of the same connector type on an endpoint? e.g. two or more posix gateways.

> yes.

Storage gateways are keepers of storage access policies for the underlying connected storage system (see the diagram and description at https://docs.globus.org/globus-connect-server/v5.4/#globus_connect_version_5_terminology). So if you have multiple storage systems that differ by access or authentication policies (e.g. regular vs. High Assurance, or institutional vs. federated, or department A vs department B, or presented filesystems, etc) - that'd be separate gateways.  The diagram above includes such an example for two separate POSIX gateways.

As a somewhat extravagant real life example, here's a case that I have helped to implement: https://app.globus.org/file-manager/collections/7c154371-085e-410b-9a94-51349106bb4b/gateways
For unrelated historic reasons, /home and /scratch on this cluster used to be separate GCSv4 endpoints. So during v5 migration, in order to preserve existing shares and ACLs, they became separate mapped collections on the same v5 endpoint.  Each collection hangs off of its own storage gateway.  Authentication requirements are the same, and the only real difference between the two gateways is just the section of the filesystem they expose (the PathRestriction document).


Lev

Yuriy Halytskyy

Dec 23, 2023, 12:51:33 AM
to Discuss, jaso...@globus.org, Discuss, Yuriy Halytskyy
Hi Jason,

> The scope you are looking for is "https://auth.globus.org/scopes/<endpoint_id>/manage_collections".

Thanks, that works. Is it possible to get an endpoint ID from GCS url or vice versa? /api/endpoint will give me an ID but for that I need to authenticate with a scope...

> The gateway and collection IDs are the best way to guarantee the same targets between Ansible runs.

Makes sense. I was a bit confused because it is impossible to create a storage gateway with the same name:
'Bearer', 409, 'conflict', 'One or more storage gateways with this display_name already exist.', 'resource_conflict#1.0.0')"}

But I can re-name existing gateway and end up with two of the same name anyway.


Cheers,
Yuriy
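Pulling the thread's advice together (authenticate with a confidential client using the manage_collections scope, keep gateway and collection IDs on the Ansible node instead of in the playbook, and never trust display_name alone because a rename can leave two objects with the same name), here is an added example of how a module could resolve its targets. It is not code from this thread, from globus-connect-server-deploy or from the Globus SDK; the connect() step assumes globus_sdk v3 is installed, and the sample gateway documents, state-file name and playbook keys are constructed for the demonstration.

```python
"""Resolve GCS storage gateways/collections by a saved ID; display_name is a
fallback that must be unique. Added example, not Globus project code."""
import json
import os
import tempfile


def connect(client_id, client_secret, endpoint_id, gcs_address):
    """Return a GCSClient authorized with the endpoint's manage_collections scope.

    client_id/client_secret belong to a confidential client registered under a
    project at https://app.globus.org/settings/developers (not the endpoint's
    own client). globus_sdk (assumed v3) is imported here so the pure lookup
    helpers below can run without it installed.
    """
    import globus_sdk

    scope = f"https://auth.globus.org/scopes/{endpoint_id}/manage_collections"
    auth_client = globus_sdk.ConfidentialAppAuthClient(
        client_id=client_id, client_secret=client_secret
    )
    authorizer = globus_sdk.ClientCredentialsAuthorizer(auth_client, scope)
    return globus_sdk.GCSClient(gcs_address, authorizer=authorizer)


class AmbiguousTarget(LookupError):
    """More than one object carries the requested display_name."""


def resolve(documents, wanted_id=None, display_name=None):
    """Pick one gateway/collection dict (fields "id" and "display_name", as the
    list calls of GCSClient return them). A saved ID is authoritative; a
    display_name must match exactly one object, since GCS refuses to *create*
    a duplicate name (409 resource_conflict) but a rename can still produce two."""
    if wanted_id is not None:
        return next((d for d in documents if d["id"] == wanted_id), None)
    if display_name is None:
        raise ValueError("need wanted_id or display_name")
    matches = [d for d in documents if d.get("display_name") == display_name]
    if len(matches) > 1:
        ids = ", ".join(d["id"] for d in matches)
        raise AmbiguousTarget(f"{len(matches)} objects named {display_name!r}: {ids}")
    return matches[0] if matches else None


def load_state(path):
    """Read the ID map a previous run saved on the Ansible control node."""
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def save_state(path, state):
    """Write the ID map owner-only: it sits next to credentials on the control node."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(state, fh, indent=2)


def ensure_id(state, key, documents, display_name):
    """Return the object ID for playbook entry `key` and record it for next time.
    Order: saved ID -> unique display_name -> None (a real module would create
    the object here and then save the new ID)."""
    doc = resolve(documents, wanted_id=state[key]) if key in state else None
    if doc is None:
        doc = resolve(documents, display_name=display_name)
    if doc is None:
        return None
    state[key] = doc["id"]
    return doc["id"]


# Constructed sample gateway documents, trimmed to the fields used here.
SAMPLE_GATEWAYS = [
    {"id": "11111111-1111-4111-8111-111111111111", "display_name": "home"},
    {"id": "22222222-2222-4222-8222-222222222222", "display_name": "scratch"},
    {"id": "33333333-3333-4333-8333-333333333333", "display_name": "scratch"},  # renamed duplicate
]


def demo(state_dir=None):
    """Two simulated runs: run 1 resolves 'home' by name and saves its ID; run 2
    still finds it by ID after a rename; 'scratch' is refused as ambiguous."""
    state_dir = state_dir or tempfile.mkdtemp()
    path = os.path.join(state_dir, "gcs-ids.json")  # constructed state-file name
    state = load_state(path)
    first = ensure_id(state, "gw_home", SAMPLE_GATEWAYS, "home")
    save_state(path, state)
    renamed = [dict(d, display_name="home-old") if d["display_name"] == "home" else d
               for d in SAMPLE_GATEWAYS]
    second = ensure_id(load_state(path), "gw_home", renamed, "home")
    try:
        ensure_id(state, "gw_scratch", SAMPLE_GATEWAYS, "scratch")
        ambiguous = False
    except AmbiguousTarget:
        ambiguous = True
    return {"first": first, "second": second, "ambiguous": ambiguous,
            "mode": oct(os.stat(path).st_mode & 0o777)}


if __name__ == "__main__":
    print(demo())
```

The design choice is that the playbook keeps a human-readable key per object ("gw_home") while the control node keeps the UUID that key resolved to, so a renamed gateway is still the same target on the next run and a name that has become ambiguous fails the run loudly instead of silently reconfiguring the wrong object.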

Jason Alt

Dec 23, 2023, 11:43:36 AM
to Yuriy Halytskyy, Discuss
> Is it possible to get an endpoint ID from GCS url or vice versa?

There are a few different ways to translate the endpoint ID <-> GCS URL.

Both values are available after `endpoint setup` completes. If you have a shell on a node in the endpoint, you can see this information in /var/lib/globus-connect-server/info.json. If you have the URL and there is at least one active node in the endpoint, you can find the endpoint ID at https://<gcs_url>/api/info (no authentication required). If you have the endpoint ID and either the endpoint is public or you have a role on the endpoint (requires a subscription), you can use the urn:globus:auth:scope:transfer.api.globus.org:all scope to query Transfer for the endpoint document which should contain the GCS URL, see https://docs.globus.org/api/transfer/endpoint/#get_endpoint_by_id.

Jason
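The three routes Jason lists (info.json on a node, the unauthenticated /api/info document, and the Transfer endpoint document) as an added Python example; this is not Globus code. The field names it reads ("endpoint_id" and "domain_name" in info.json, an "info#…" item with "endpoint_id" inside the "data" list of the /api/info envelope, and "gcs_manager_url" in the Transfer endpoint document) and all sample values are assumptions constructed for the demonstration, so confirm them against a real endpoint before building on them.

```python
"""Translate between a GCS endpoint ID and its GCS URL. Added example, not
Globus code; document field names are assumptions, see the lead-in."""
import json
import re
import urllib.request
from urllib.parse import urlparse

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HOST_RE = re.compile(r"^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def _host_of(value):
    """Hostname from a bare host or a URL ('' if unparsable)."""
    return urlparse(value if "://" in value else "https://" + value).hostname or ""


def classify(value):
    """Tell whether a playbook value is an endpoint 'id' (UUID) or a GCS 'url'."""
    value = value.strip()
    if UUID_RE.match(value):
        return "id"
    if HOST_RE.match(_host_of(value)):
        return "url"
    raise ValueError(f"neither an endpoint UUID nor a GCS hostname: {value!r}")


def info_url(gcs_address):
    """Build https://<gcs_url>/api/info; refuses anything but https to a real host."""
    parsed = urlparse(gcs_address if "://" in gcs_address else "https://" + gcs_address)
    if parsed.scheme != "https" or not HOST_RE.match(parsed.hostname or ""):
        raise ValueError(f"refusing to query {gcs_address!r}")
    return f"https://{parsed.hostname}/api/info"


def endpoint_id_from_info(doc):
    """Extract endpoint_id from the /api/info result envelope (no token needed)."""
    if doc.get("code") != "success":
        raise ValueError(f"/api/info returned code {doc.get('code')!r}")
    for item in doc.get("data", []):
        if str(item.get("DATA_TYPE", "")).startswith("info#"):
            eid = item["endpoint_id"]
            if not UUID_RE.match(eid):
                raise ValueError(f"endpoint_id is not a UUID: {eid!r}")
            return eid
    raise KeyError("no info document in /api/info response")


def fetch_endpoint_id(gcs_address, timeout=10):
    """Live variant: GET /api/info from the endpoint and parse it (needs network)."""
    with urllib.request.urlopen(info_url(gcs_address), timeout=timeout) as resp:
        return endpoint_id_from_info(json.load(resp))


def endpoint_id_from_info_json(text):
    """Same answer from /var/lib/globus-connect-server/info.json on an endpoint node."""
    doc = json.loads(text)
    return doc["endpoint_id"], doc.get("domain_name")


def gcs_url_from_transfer_doc(doc):
    """Reverse direction: the Transfer endpoint document (GET /endpoint/<id> with
    scope urn:globus:auth:scope:transfer.api.globus.org:all) carries gcs_manager_url."""
    url = doc.get("gcs_manager_url")
    if not url:
        raise KeyError("no gcs_manager_url: not a GCSv5 endpoint or not visible to you")
    return url.rstrip("/")


# Constructed sample values; the hostname is the placeholder used in the thread.
SAMPLE_ENDPOINT_ID = "0f3a2b1c-4d5e-4f60-8a7b-9c0d1e2f3a4b"
SAMPLE_GCS_HOST = "xxx.xxx.data.globus.org"
SAMPLE_INFO_RESPONSE = {
    "DATA_TYPE": "result#1.0.0", "code": "success",
    "data": [{"DATA_TYPE": "info#1.0.0", "endpoint_id": SAMPLE_ENDPOINT_ID,
              "domain_name": SAMPLE_GCS_HOST}],
}
SAMPLE_INFO_JSON = json.dumps({"endpoint_id": SAMPLE_ENDPOINT_ID, "domain_name": SAMPLE_GCS_HOST})
SAMPLE_TRANSFER_DOC = {"DATA_TYPE": "endpoint", "id": SAMPLE_ENDPOINT_ID,
                       "gcs_manager_url": f"https://{SAMPLE_GCS_HOST}/"}

if __name__ == "__main__":
    print(classify(SAMPLE_GCS_HOST), info_url(SAMPLE_GCS_HOST))
    print(endpoint_id_from_info(SAMPLE_INFO_RESPONSE))
    print(gcs_url_from_transfer_doc(SAMPLE_TRANSFER_DOC))
```

Because /api/info answers without a token, a module can accept either value from the playbook, use classify() to decide which it has, and derive the other before it requests the manage_collections scope; the https-only check in info_url() keeps a typo in a playbook variable from turning into a plaintext request.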

Yuriy Halytskyy

Dec 24, 2023, 1:05:15 AM
to Discuss, jaso...@globus.org, Discuss, Yuriy Halytskyy
I had a go at making an ansible collection with endpoint, storage_gateway and collection modules.
Just a prototype at this point, will need some tests and (most likely) lots of bug fixes.

Would you be interested in making this a part of globus-connect-server-deploy repo?

Cheers,
Yuriy