Globus Connect Server config file for creating a GridFTP Globus endpoint that authenticates users through CILogon (OAuth) with the University of Michigan identity provider.
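;----------------------------------------------------------------------------;
; globus-connect-server.conf
;
; Read by globus-connect-server-setup to register a GridFTP endpoint with
; Globus. %(NAME)s tokens are substituted by the setup tool (GLOBUS_USER,
; GLOBUS_PASSWORD, HOSTNAME, SHORT_HOSTNAME); a literal % must not appear
; elsewhere in a value.
;
; Security summary of the values set below:
;   - Credentials: Globus login taken from the environment, never stored here.
;   - Host credential: issued by relay.globusonline.org (FetchCredentialFromRelay).
;   - Identity: CILogon OAuth, University of Michigan identity provider.
;   - Exposure: endpoint is Public, Sharing is enabled, and RestrictPaths is
;     empty, so access is bounded only by OS permissions. Review before use.
;----------------------------------------------------------------------------;

;----------------------------------------------------------------------------;
; Globus User Configuration                                                  ;
;----------------------------------------------------------------------------;
; These settings configure how to contact Globus when
; creating or modifying an endpoint.
[Globus]
; Globus user name. If not set, or left at its default, then the
; value of the GLOBUS_USER environment variable is used, falling back to
; prompting if it is not present.
User = %(GLOBUS_USER)s
; Globus login password. If not set, or left at its default, then the
; value of the GLOBUS_PASSWORD environment variable is used, falling back
; to prompting if it is not present.
; SECURITY: keep the placeholder. Writing a literal password here stores a
; plaintext secret in a config file; if you must, restrict the file to the
; administrator (mode 0600) and keep it out of version control.
Password = %(GLOBUS_PASSWORD)s

;----------------------------------------------------------------------------;
; Globus Endpoint Configuration                                              ;
;----------------------------------------------------------------------------;
; Set these if you want to add or modify the core attributes of the endpoint.
[Endpoint]
; Name of the endpoint. Can be either user#name or name, but if the former,
; the user must match [Globus] User above.
; The special value %(SHORT_HOSTNAME)s will substitute the non-qualified
; portion of an EC2 instance's public hostname, falling back to the
; non-qualified hostname portion of the machine's nodename.
Name = %(SHORT_HOSTNAME)s
; True or False, determining if the endpoint will be public or private.
; If not specified, this will default to False (non-public).
; NOTE: Public controls whether other Globus users can see the endpoint; it
; does not by itself grant access -- users still authenticate through the
; identity provider configured in [Security] below.
Public = True
; Default directory when users log in to this endpoint (optional).
; If not specified, this will default to /~/.
DefaultDirectory = /~/

;----------------------------------------------------------------------------;
; Security Configuration                                                     ;
;----------------------------------------------------------------------------;
; These are the default service security settings, for services which will be
; accessed from Globus (GridFTP and MyProxy).
; There can be an override in the GridFTP or MyProxy sections below.
[Security]
; If this is True, then use relay.globusonline.org to generate
; a random service credential so that Globus can access this service.
; Otherwise, Globus Connect Server will assume the Certificate and Key have
; been generated by some other method.
; Trusting the relay means the Globus relay CA is installed into
; TrustedCertificateDirectory below and the host credential is issued by
; Globus rather than by your own CA.
; NOTE(review): the original note ("FetchCredentialFromRelay will only work
; if the key and certificate ...") is truncated in the source; presumably the
; fetch is skipped when the credential files already exist -- confirm against
; the Globus Connect Server documentation.
FetchCredentialFromRelay = True
; Path to the certificate.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this CertificateFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostcert.pem
;; CertificateFile =
;
; Path to the private key.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this KeyFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostkey.pem
; The private key must be readable only by the service account.
;; KeyFile =
; Path to the trusted certificate directory. The
; Globus Relay CA will be installed there, as well as the MyProxy
; trust roots and CA if the MyProxy server is running elsewhere.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/certificates/
;; TrustedCertificateDirectory =
; Type of identity provider for the Globus service to use. This may
; be one of the following values:
;   MyProxy
;     Use the MyProxy server defined in the [MyProxy] section of this
;     configuration file
;   OAuth
;     Use the OAuth server defined in the [OAuth] section of this
;     configuration file
;   CILogon
;     Use the CILogon OAuth server
IdentityMethod = CILogon
; Authorization method for mapping the grid credential to a local username.
; By default, this is inferred from the IdentityMethod above. If using MyProxy,
; the MyProxyGridmapCallout is used; if using CILogon, the CILogon method
; is used. If CILogon provides certificates that don't match local policy,
; you might need to use Gridmap to explicitly map the credentials to local
; accounts.
; NOTE(review): with the default (inferred) CILogon mapping, which local
; account a CILogon identity lands in is not stated here -- verify the mapping
; on the host so that federated identities cannot map to privileged accounts.
;; AuthorizationMethod = MyProxyGridmapCallout | CILogon | Gridmap
; Path to a grid-mapfile to use with the Gridmap authorization method. The
; default is shown below.
;; Gridmap = /etc/grid-security/grid-mapfile
; The name of the identity provider (see https://cilogon.org/ for a list
; of valid names). Only identities asserted by this provider are accepted.
CILogonIdentityProvider = University of Michigan

;----------------------------------------------------------------------------;
; GridFTP Configuration                                                      ;
;----------------------------------------------------------------------------;
; This section configures a GridFTP server. It can be processed on the
; GridFTP server host to generate a GridFTP configuration file, and on
; that or any other host to add a GridFTP server to an endpoint.
[GridFTP]
; The host name (and optional port) to contact this GridFTP Server, in the form
; host[:port]. If not set, no GridFTP server will be configured. The default
; pulls the server name from EC2 metadata if present, falling back to the local
; hostname, and uses the default control port 2811.
Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a GridFTP server on this machine, even if the Server doesn't
; match the current hostname. Also, if ServerBehindNAT is set to True, the
; DataInterface will be set to the Server string automatically.
; If False, globus-connect-server-setup will only configure the GridFTP
; server if the Server above matches the local machine's hostname. The default
; is False.
ServerBehindNAT = True
; Port range to use for incoming data connections. The format is
; "startport,endport". If not set, this will default to 50000,51000.
; The host firewall must allow inbound TCP on this whole range in addition to
; the control port (2811); the range below is widened from the default.
IncomingPortRange = 50000,53000
; Port range to use for outgoing connections. The format is
; "startport,endport". Only use this if your firewall restricts outgoing
; ports and GridFTP won't work otherwise. The default is to not restrict
; outgoing TCP ports.
;; OutgoingPortRange = 50000,51000
; Hostname or IP address of the interface to use for data connections. If not
; set in this file, then the default behavior is:
;   - When run on an EC2 instance, the data interface will be automatically
;     configured to use the public IPv4 address of the instance.
;   - When run on a non-EC2 instance, if ServerBehindNAT is True, then
;     the hostname of the Server string is used. If this resolves to a private
;     IP address, a warning will be issued.
;   - Otherwise, this will not be set, and the GridFTP server will tell clients
;     to connect to the IP address that the control connection was established
;     on.
;; DataInterface =
; Restricted path configuration.
; A comma-separated list of full paths that clients may access. Each path may
; be prefixed by R and/or W, denoting read or write access, or N to explicitly
; deny access to a path. If a given path is a directory, all contents and
; subdirectories will be given the same access. Order of paths does not matter
; -- the permissions on the longest matching path will apply. The special
; character '~' will be replaced by the authenticated user's home directory,
; and * may be used for simple wildcard matching.
; By default all paths are allowed, and access control is handled by the OS.
; Examples:
;   Allow read access to /data and full access to the user's home directory:
;     RestrictPaths = RW~,R/data
;   Allow full access to the home directory, but deny hidden files there:
;     RestrictPaths = RW~,N~/.*
; SECURITY: the empty value below keeps the default -- every path the mapped
; local account can read or write is reachable over GridFTP, including system
; directories. Prefer an explicit allow-list such as RW~,N~/.* unless
; whole-filesystem access is intended.
RestrictPaths =
;
; Enable sharing with Globus for this server.
; If not specified, this will default to False.
; SECURITY: with Sharing enabled and no SharingRestrictPaths, a user can create
; a Globus share on any path their local account can access and grant it to
; other Globus users; combine with SharingRestrictPaths to confine shares.
Sharing = True
; ------------------------
; ADVANCED SHARING OPTIONS
; ------------------------
; Using the same syntax as RestrictPaths above, this defines additional
; restrictions on which paths sharing clients may access.
; For example, to limit shares to home directories: SharingRestrictPaths = RW~
;; SharingRestrictPaths =
; Path of a directory where GridFTP will store files used to control
; sharing access to individual accounts. The variables $USER and $HOME
; should be used in order to define a unique path per user.
; If not specified, this will default to "$HOME/.globus/sharing".
;
; For instance, with SharingStateDir = "/var/globusonline/sharing/$USER",
; user "bob" would be enabled for sharing only if a path exists with the
; name "/var/globusonline/sharing/bob/" and is writable by bob.
; Pointing this at an administrator-controlled tree is a way to enable
; sharing per user instead of for everyone.
;
;;SharingStateDir =

;----------------------------------------------------------------------------;
; MyProxy Configuration                                                      ;
;----------------------------------------------------------------------------;
; This section configures a MyProxy server. It can be processed on the
; MyProxy server host to generate myproxy-server configuration files and
; a MyProxy CA, or can be used on a GridFTP server host to determine how
; to fetch trust roots, or to associate the MyProxy server with a
; Globus endpoint. Not used here: IdentityMethod is CILogon, so Server is
; left unset and no MyProxy server is configured.
[MyProxy]
; The contact URI of the MyProxy server. The format is host[:port], with
; a default port of 7512 if not present.
; If not set, then no MyProxy server will be configured. The special value
; %(HOSTNAME)s will substitute an EC2 instance's public hostname, falling back
; to the machine's nodename.
;;Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a MyProxy server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the MyProxy
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; Directory in which to place the MyProxy CA files,
; including the CA cert and key, and the set of signed certificates.
; If not present, the default is /var/lib/globus-connect-server/myproxy-ca
;
;; CADirectory = /var/lib/globus-connect-server/myproxy-ca
; Path to store the myproxy service configuration file.
; If not specified, the default is
; /var/lib/globus-connect-server/myproxy-server.conf
;
;; ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf

;----------------------------------------------------------------------------;
; MyProxy OAuth Configuration                                                ;
;----------------------------------------------------------------------------;
; Only consulted when IdentityMethod = OAuth. Not used here (CILogon).
[OAuth]
; The public host name of the MyProxy OAuth server.
; If not set, then no MyProxy OAuth server will be configured. The special value
; %(HOSTNAME)s will substitute an EC2 instance's public hostname, falling back
; to the machine's nodename.
;; Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure an OAuth server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the OAuth
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; A cascading stylesheet file to use with OAuth server web pages. The
; stylesheet will be used to style the MyProxy OAuth web interface. If not set,
; then the default Globus-look web style will be used.
;; Stylesheet =
;
; An image file to use as the logo of the MyProxy OAuth server. If not set,
; the Globus logo image is used.
;; Logo =
; vim: filetype=dosini : nospell :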