Symlink Management


Jason Simms

Oct 15, 2025, 4:05:18 PM
to dis...@globus.org
Hello all,

I see that by default Globus doesn't follow symlinks:


And it makes sense why this is in place. But we have a collection into /home, and many users likewise have a lab directory within /labs, and as such they regularly create a symlink within their home directory that would be nice to access via Globus.

First, are there any "gotchas" that I should be aware of if I want to enable symlinks? I imagine that regular permissions will be enforced, so I don't suspect I have to worry about users creating malicious links, but perhaps I am missing something key.

Second, if I do want to enable them, I don't quite understand the instructions to enable "rp-follow-symlinks option to the GridFTP server." I'm new to Globus configuration, so any guidance is welcome!

Warmest regards,
Jason

--
Jason L. Simms, Ph.D., M.P.H.
Research Computing Manager
Swarthmore College
Information Technology Services

Lev Gorenstein

Oct 16, 2025, 5:36:59 PM
to Jason Simms, dis...@globus.org

Jason,

If both /home and /labs are allowed on the collection (i.e. both paths are listed as permitted in its storage gateway path restrictions), then the symlink will be shown, and clicking on the symlink would bring you into its /labs target as expected.

But if /labs is not a permitted path for this collection, then by default it will be shown, but will not be followed (with a ‘you don’t have permission’ error upon clicking). Unless you use the rp-follow-symlinks trick (and defer access control to filesystem-only permissions as opposed to filesystem+Globus ones).

Lev

P.S. To enable rp-follow-symlinks feature: add

rp_follow_symlinks 1

to /etc/gridftp.conf (or to something like /etc/gridftp.d/z_symlinks)

Karl Kornel

Oct 16, 2025, 7:55:36 PM
to Lev Gorenstein, Jason Simms, dis...@globus.org
I just realized, I’m in a similar situation, so it might help if I share my config.

We have a /labs directory on one of our environments, whose contents are symlinks (so, /labs/a points to one place, /labs/b points to another, etc.).  At this time, all of the symlinks point to sub-directories under /oak/stanford.  So, our storage gateway has the following path restrictions:

None: “/”
Read: (empty)
Read-Write: “/labs” and “/oak/stanford”

Our Mapped Collection has a root path of /labs, and has no path restrictions (so, the Storage Gateway path restrictions apply).

We do not have the rp-follow-symlinks setting enabled.  This configuration has worked well for us!

~ Karl


Jason Simms

Oct 31, 2025, 10:58:31 AM
to Lev Gorenstein, dis...@globus.org
Hello Lev,

I created a test symlink in my home directory:

ln -s /data/labs/simmstest simmstest

Whether or not rp_follow_symlinks is enabled, I cannot even see the symlink in my home directory (you say that "by default it will be shown"), so of course I can't even attempt to follow it.

Any further thoughts?

Thanks,
Jason

Lev Gorenstein

Oct 31, 2025, 11:46:24 AM
to Jason Simms, dis...@globus.org

Jason,

Prerequisites for the behavior I described:

  1. Both symlink location and its target are allowed on the storage gateway… e.g. you have something like this there
    "read_write": [
     "/home",
     "/data"           # or "/data/labs"
    ]
    
  2. Base Path for the mapped collection is high enough to include both symlink location and its target. We typically suggest anchoring at / unless there are strong reasons otherwise - and in your case, I’d say there are strong reasons for the base path of / (since this collection is associated with a cluster, users might like the familiar directories layout).

Would you be able to share path restriction settings on the storage gateway? (should be printed among many other things via gcs storage-gateway show STORAGE_GATEWAY_ID --include-private-policies). Of course please remove anything sensitive before posting to the list (or if you’d like, we can work this as a support ticket and then you could post summary findings for the list).

Lev
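
An added example, not part of the thread and not Globus code: a Python audit that walks a directory tree and classifies each symlink by whether its resolved target falls under the storage gateway's permitted paths and the collection's base path, the two prerequisites listed above. The function names, status labels and demo tree are hypothetical; the script does not query Globus, so the permitted paths and base path must be copied in from your own configuration.

```python
import os
import tempfile

def is_under(path, root):
    """Component-wise containment, so /database does not match /data."""
    root = os.path.normpath(root)
    return os.path.commonpath([root, os.path.normpath(path)]) == root

def audit_symlinks(scan_root, permitted, base_path):
    """Classify every symlink under scan_root by where its target resolves."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(scan_root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # resolves chained links too
            if not is_under(target, base_path):
                status = "outside_base_path"
            elif any(is_under(target, p) for p in permitted):
                status = "permitted"
            else:
                # Per the thread: not followed by default; with
                # rp_follow_symlinks only filesystem permissions guard it.
                status = "outside_gateway_paths"
            findings[link] = (target, status)
    return findings

def build_demo_tree():
    """Constructed sample layout in a temp dir, standing in for / on a cluster."""
    root = os.path.realpath(tempfile.mkdtemp())
    for d in ("home/alice", "data/labs/simmstest", "database/private"):
        os.makedirs(os.path.join(root, d))
    home = os.path.join(root, "home", "alice")
    os.symlink(os.path.join(root, "data/labs/simmstest"), os.path.join(home, "simmstest"))
    os.symlink(os.path.join(root, "database/private"), os.path.join(home, "db"))
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    permitted = [os.path.join(root, "home"), os.path.join(root, "data")]
    results = audit_symlinks(os.path.join(root, "home"), permitted, root)
    for link, (target, status) in sorted(results.items()):
        print(f"{status:22} {link} -> {target}")
```

Run against /home before enabling rp_follow_symlinks, the "outside_gateway_paths" entries are the links whose targets would then be protected by filesystem permissions alone.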
