globus endpoint setup
Creating and Managing Globus Endpoints
Steve Tuecke [email protected]
Raj Kettimuthu [email protected]
Agenda
• Set up and use a Globus Connect Server endpoint
– What is Globus Connect Server and how does it work?
– Set up an endpoint and configure it for sharing
– Transfer and share data on the endpoint
• Configuring Globus Connect Server
– Common integration scenarios
Globus Connect Server for resource providers
Deliver advanced data management services to researchers
Provide an integrated user experience
Reduce your support burden
Globus Connect Server
• Create endpoint in minutes; no complex GridFTP install
• Enable all users with local accounts to transfer files
• Native packages: RPMs and DEBs
• Also available as part of the Globus Toolkit
Local Storage System (HPC cluster, campus server, …)
Globus Connect Server
MyProxy Online CA
GridFTP Server
Local system users
What we are going to do:
1. Install Globus Connect Server on the server (AWS EC2), reached over ssh
– Access server as user “clusteradmin”
– Update repo
– Install package
– Setup Globus Connect Server
2. Log into Globus (using Globus username)
3. Access the newly created endpoint (as user ‘researcher’)
4. Transfer a file (test endpoint)
Globus Connect Server Demonstration
Globus Connect Server Tutorial
Hands-on Access
• Goal for this session: turn a storage resource into a Globus endpoint
• Each of you is provided with an Amazon EC2 server for this tutorial
• Step 1: Create a Globus account (if you did not do it already)
Log into your host
• Your slip of paper has the host information
• Log in as user ‘clusteradmin’: ssh [email protected]
• Use the password on the slip of paper
• ‘clusteradmin’ has passwordless sudo privileges
Install Globus Connect Server
$ curl -LOs http://www.globus.org/ftppub/gt5/5.2/stable/installers/repo/globus-repository-5.2-stable-precise_0.0.3_all.deb
$ sudo dpkg -i globus-repository-5.2-stable-precise_0.0.3_all.deb
$ sudo aptitude update
$ sudo aptitude -y install globus-connect-server
$ sudo globus-connect-server-setup
‘Cheat sheet’ is here: tinyurl.com/globus-tutorial
You have a working Globus endpoint!
Access endpoint on Globus
• Go to www.globus.org and login with your Globus account
• Go to Manage Data → Start Transfer
• Access the endpoint you just created
– <your-Globus-username>#ec2-…
– Activate the endpoint as user “researcher”; you should see the user’s home directory
• Access one of ESnet test endpoints
– esnet#*-diskpt1 endpoint
• Transfer
– from go#ep1 to your Globus Connect Server endpoint (ec2-nnn-….)
– From esnet#*-diskpt1/data1 to your endpoint
Configuring Globus Connect Server
• Globus Connect Server configuration is stored in:
– /etc/globus-connect-server.conf
• To enable configuration changes you must run:
– globus-connect-server-setup
• “Rinse and repeat”
Configuration file walkthrough
• Structure based on .ini format: [Section] Option
• Most common options to configure
– Hostname
– Public
– RestrictedPaths
– Sharing
– SharingRestrictedPaths
– IdentityMethod (CILogon, OAuth)
• More details are available at: support.globus.org/forums/22095911
Basic Configuration
• Change your endpoint’s name in the Globus Connect Server configuration file: vim /etc/globus-connect-server.conf
– Set [Endpoint] Name = “dtn”
• Run: globus-connect-server-setup
– Enter your Globus username and password when prompted
• Access the endpoint in your browser using the new name
MyProxy OAuth server
• Web-based endpoint activation
– Sites run a MyProxy OAuth server
o MyProxy OAuth server in Globus Connect Server
– Users enter username/password only on site’s webpage to activate an endpoint
– Globus gets short-term X.509 credential via OAuth protocol
• MyProxy without OAuth
– Site passwords flow through Globus to site MyProxy server
– Globus does not store passwords
– Still a security concern for some sites
Making your endpoint public
• Try to access the endpoint created by the person sitting next to you
• You will get the following message:
– “Could not find endpoint with name ‘dtn’ owned by user ‘<neighbor’s username>’”
Making endpoint public
• On your Globus Connect Server server:
– sudo vim /etc/globus-connect-server.conf
– Uncomment [Endpoint] Public = False
– Replace ‘False’ with ‘True’
– Run sudo globus-connect-server-setup
• Try accessing your neighbor’s endpoint: you will be prompted for credentials…
• …but you cannot access it, since you do not have an account on that server
Enable sharing on your endpoint
• sudo vim /etc/globus-connect-server.conf
• Uncomment [GridFTP] Sharing = True
• Go to the Web UI Start Transfer page
• Select endpoint <username>#dtn
• You can create shared endpoints that point to a specific directory on this endpoint and share with other Globus users
– Need plus subscription
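The settings walked through on the preceding slides (Public, IdentityMethod, Sharing) decide how exposed the endpoint is, so they are worth checking before each run of globus-connect-server-setup. The audit below is an added example, not part of the original slides or of Globus Connect Server. Option names are spelled as on the slides; the [Security] section name, the sample values and the choice to accept CILogon alongside OAuth are assumptions.

```python
import configparser

# Constructed samples of /etc/globus-connect-server.conf. Option names are
# spelled as on the slides; the [Security] section name and all values are
# assumptions made for this demo.
WEAK = """
[Endpoint]
Name = "dtn"
Public = True
[Security]
IdentityMethod = MyProxy
[GridFTP]
Sharing = True
; SharingRestrictedPaths =
"""
HARDENED = """
[Endpoint]
Name = "dtn"
Public = False
[Security]
IdentityMethod = OAuth
[GridFTP]
Sharing = True
SharingRestrictedPaths = RW/data/shared
"""

def lookup(cp, name, prefix=False):
    """Find an option in any section (option names are lower-cased by configparser)."""
    for section in cp.sections():
        for key, value in cp.items(section):
            if key == name or (prefix and key.startswith(name)):
                return value.strip().strip("\"'")
    return ""

def audit_conf(conf_text):
    """Return the codes of the exposure-relevant settings found."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    on = lambda v: v.lower() in ("true", "yes", "1", "on")
    findings = []
    if on(lookup(cp, "public")):
        findings.append("endpoint-public")       # findable by other Globus users
    if lookup(cp, "identitymethod").lower() not in ("oauth", "cilogon"):
        findings.append("password-via-globus")   # also reported when unset
    if on(lookup(cp, "sharing")) and not lookup(cp, "sharingrestrict", prefix=True):
        findings.append("sharing-unrestricted")  # no path limit on shared endpoints
    return findings

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_conf(text))
```

The prefix match on "sharingrestrict" tolerates a spelling difference between the slides and an installed file.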
Firewall configuration
• Allow inbound connections to port 2811 (GridFTP control channel), 7512 (MyProxy CA), 443 (OAuth)
• Allow inbound connections to ports 50000-51000 (GridFTP data channel)
– If transfers to/from this machine will happen only from/to a known set of endpoints (not common), you can restrict connections to this port range only from those machines
• If your firewall restricts outbound connections
– Allow outbound connections if the source port is in the range 50000-51000
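A check of a host's inbound rules against the ports on this slide, as an added example that is not part of the original slides. It reads `iptables -S INPUT` output (the sample rules and the peer network are constructed), reports which control ports are not accepted, and shows which sources may reach the data channel range. It ignores rule order and negated matches.

```python
import shlex

# Ports from the slide: control channels and the GridFTP data channel range.
CONTROL_PORTS = {443: "OAuth", 2811: "GridFTP control", 7512: "MyProxy CA"}
DATA_RANGE = (50000, 51000)

# Constructed `iptables -S INPUT` output for a hypothetical DTN.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 443,2811 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 50000:51000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

def parse_accepts(rules_text):
    """Yield (source, low_port, high_port) for every TCP ACCEPT rule on INPUT."""
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "INPUT"] or "ACCEPT" not in tok or "tcp" not in tok:
            continue
        src = tok[tok.index("-s") + 1] if "-s" in tok else "any"
        for flag in ("--dport", "--dports"):
            if flag in tok:
                for spec in tok[tok.index(flag) + 1].split(","):
                    lo, _, hi = spec.partition(":")
                    yield src, int(lo), int(hi or lo)

def audit_firewall(rules_text):
    """Report control ports with no ACCEPT rule and who may reach the data range."""
    accepts = list(parse_accepts(rules_text))
    covered = lambda lo, hi: [s for s, a, b in accepts if a <= lo and hi <= b]
    missing = sorted(p for p in CONTROL_PORTS if not covered(p, p))
    return {"missing_control": missing, "data_sources": covered(*DATA_RANGE)}

if __name__ == "__main__":
    report = audit_firewall(SAMPLE_RULES)
    for port in report["missing_control"]:
        print("no ACCEPT rule for", port, CONTROL_PORTS[port])
    print("data channel reachable from:", report["data_sources"] or "nobody")
```

A `data_sources` value of `['any']` means the data channel range is open to every host, which is the common case the slide describes; a list of networks means it is restricted to known peers.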
[Figure: network diagram. Labels: Amazon AWS, Orchestration; Lab1 Science DMZ, Lab1 DTN, Lab1 DTN security filters, Lab1 Border Router; ESnet Routers (ESnet 100GE); Lab2 Border Router, Lab2 Science DMZ, Lab2 DTN, Lab2 DTN security filters; 10GE and 100GE links. Data: TCP ports 50000-51000. Control: TCP ports 443, 2811, 7512. Legend: logical data path, physical data path, logical control path, physical control path.]
Enable your resource. It’s easy.
• Signup: globus.org/signup
• Connect your system: globus.org/globus-connect-server
• Learn and troubleshoot: support.globus.org/forums/20133407
• Need help? support.globus.org
• Follow us: @globusonline
End of Advanced Globus Connect Server Tutorial