Globus Connect Server config file for creating a GridFTP Globus endpoint that authenticates users through CILogon (OAuth) with the University of Michigan identity provider.
;----------------------------------------------------------------------------;
; Globus User Configuration
;----------------------------------------------------------------------------;
; These settings configure how to contact Globus when
; creating or modifying an endpoint.
; The %(GLOBUS_USER)s / %(GLOBUS_PASSWORD)s placeholders are resolved by the
; setup tool from the environment (or by prompting), so as written this file
; stores no credential.
[Globus]
; Globus user name. If not set, or left at its default, then the
; value of GLOBUS_USER environment variable is used, falling back to
; prompting if it is not present.
User = %(GLOBUS_USER)s
; Globus login password. If not set, or left at its default, then the
; value of the GLOBUS_PASSWORD environment variable is used, falling back
; to prompting if it is not present.
; SECURITY: do not replace the placeholder with a literal password. An INI
; value is plaintext; if a site must do it anyway, restrict this file to the
; account running setup (e.g. mode 0600) and keep it out of version control.
Password = %(GLOBUS_PASSWORD)s
;----------------------------------------------------------------------------;
; Globus Endpoint Configuration ;
;----------------------------------------------------------------------------;
; Set these if you want to add or modify the core attributes of the endpoint.
[Endpoint]
; Name of the endpoint. Can be either user#name or name, but if the former,
; the user must match [Globus] User above.
; The special value %(SHORT_HOSTNAME)s will substitute the non-qualified
; portion of an ec2 instance's public hostname, falling back to the
; non-qualified hostname portion of the machine's nodename.
Name = %(SHORT_HOSTNAME)s
; True or False, determining if the endpoint will be public or private.
; If not specified, this will default to False (non-public).
; NOTE(review): this flag governs whether the endpoint is visible to other
; Globus users; it is not an access-control setting -- who may log in is
; determined by the [Security] section below. Confirm a public listing is
; intended before running setup.
Public = True
; Default directory when users login to this endpoint (optional).
; If not specified, this will default to /~/.
; '~' expands to the authenticated user's home directory (see RestrictPaths
; in [GridFTP] for the same convention).
DefaultDirectory = /~/
;----------------------------------------------------------------------------;
; Security Configuration ;
;----------------------------------------------------------------------------;
; These are the default service security settings, for services which will be
; accessed from Globus (GridFTP and MyProxy).
; There can be an override in the GridFTP or MyProxy sections below.
[Security]
; If this is true, then use the relay.globusonline.org to generate
; a random service credential so that Globus can access this service.
; Otherwise, Globus Connect Server will assume the Certificate and Key have
; been generated by some other method.
; Note that FetchCredentialFromRelay will only work if the key and certificate
; fetch conditions are met. (This sentence is truncated in the upstream
; template; see the CertificateFile/KeyFile notes below and the Globus
; Connect Server documentation for the exact condition.)
FetchCredentialFromRelay = True
; Path to the certificate.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this CertificateFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostcert.pem
;; CertificateFile =
;
; Path to the private key.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this KeyFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostkey.pem
; This is the service's long-term private key: keep it readable only by the
; account that runs the GridFTP server, wherever it ends up on disk.
;; KeyFile =
; Path to the trusted certificate directory. The
; Globus Relay CA will be installed there, as well as the MyProxy
; trust roots and CA if the MyProxy server is running elsewhere.
; This directory is the service's trust store, so only the CAs that are
; expected to issue credentials for this endpoint should be present in it.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/certificates/
;; TrustedCertificateDirectory =
; Type of identity provider for the Globus service to use. This may
; be one of the following values:
; MyProxy
; Use the MyProxy server defined in the [MyProxy] section of this
; configuration file
; OAuth
; Use the OAuth server defined in the [OAuth] section of this
; configuration file
; CILogon
; Use the CILogon OAuth server
; This config uses CILogon, so the [MyProxy] and [OAuth] sections below are
; left entirely commented out.
IdentityMethod = CILogon
; Authorization method for mapping the grid credential to a local username,
; by default, this is inferred from the IdentityMethod above. If using MyProxy,
; the MyProxyGridmapCallout is used; if using CILogon, the CILogon method
; is used. If the CILogon provides certificates that don't match local policy,
; you might need to use Gridmap to explicitly map the credentials to local
; accounts.
; As written, no AuthorizationMethod is set, so the CILogon mapping is
; inferred. If CILogon identities must not map 1:1 onto local accounts, set
; AuthorizationMethod = Gridmap and maintain the grid-mapfile explicitly.
;; AuthorizationMethod = MyProxyGridmapCallout | CILogon | Gridmap
; Path to a grid-mapfile to use with the Gridmap authorization method. The
; default is shown below
;; Gridmap = /etc/grid-security/grid-mapfile
; The name of the identity provider (see https://cilogon.org/ for a list
; of valid names). The name must match the CILogon listing exactly.
; NOTE(review): this file does not say whether logins from other CILogon
; identity providers are also accepted; verify that against the setup tool's
; documentation if only University of Michigan users should be able to log in.
CILogonIdentityProvider = University of Michigan
;----------------------------------------------------------------------------;
; GridFTP Configuration ;
;----------------------------------------------------------------------------;
; This section configures a GridFTP server. It can be processed on the
; GridFTP server host to generate a GridFTP configuration file, and on
; that or any other host to add a GridFTP server to an endpoint.
[GridFTP]
; The host name (and optional port) to contact this GridFTP Server, in the form
; host[:port]. If not set, no gridftp server will be configured. The default
; pulls the server name from EC2 metadata if present, falling back to the
; local hostname, and uses the default port 2811.
Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a GridFTP server on this machine, even if the Server doesn't
; match the current hostname. Also, if ServerBehindNAT is set to True, the
; DataInterface will be set to the Server string automatically.
; If False, globus-connect-server-setup will only configure the gridftp
; server if the Server above matches the local machine's hostname. The default
; is False.
ServerBehindNAT = True
; Port range to use for incoming connections. The format is
; "startport,endport". If not set, this will default to 50000,51000
; This config widens the range to 3000 ports. The host firewall should allow
; inbound TCP on exactly this range (plus the control port, 2811 by default)
; and nothing wider.
IncomingPortRange = 50000,53000
; Port range to use for outgoing connections. The format is
; "startport,endport". Only use this if your firewall restricts outgoing
; ports and gridftp won't work otherwise. The default is not to restrict
; outgoing TCP ports.
;; OutgoingPortRange = 50000,51000
; Hostname or IP address of the interface to use for data connections. If not
; set in this file, then the default behavior is:
; - When run on an EC2 instance, the data interface will be automatically
; configured to use the public ipv4 address of the instance.
; - When run on a non-EC2 instance, if ServerBehindNAT is True, then
; the hostname of the Server string is used. If this resolves to a private
; IP address, a warning will be issued.
; - Otherwise, this will not be set, and the gridftp server will tell clients
; to connect to the IP address that the control connection was established
; on.
;; DataInterface =
; Restricted path configuration.
; A comma separated list of full paths that clients may access. Each path may
; be prefixed by R and/or W, denoting read or write access, or N to explicitly
; deny access to a path. If a given path is a directory, all contents and
; subdirectories will be given the same access. Order of paths does not matter
; -- the permissions on the longest matching path will apply. The special
; character '~' will be replaced by the authenticated user's home directory,
; and * may be used for simple wildcard matching.
; By default all paths are allowed, and access control is handled by the OS.
; Examples:
; Allow read access to /data and full access to the user's home directory:
; RestrictPaths = RW~,R/data
; Allow full access to the home directory, but deny hidden files there:
; RestrictPaths = RW~,N~/.*
; NOTE(review): the value below is empty, so every path the authenticated
; user can read or write on this host is reachable through GridFTP and OS
; permissions are the only control. Confirm the setup tool treats an empty
; value the same as "not set", and consider a value such as "RW~,R/data" to
; scope the endpoint to the intended data trees.
RestrictPaths =
;
; Enable sharing with Globus for this server.
; If not specified, this will default to False.
; With RestrictPaths empty and SharingRestrictPaths unset, nothing in this
; file limits which paths users may share; set SharingRestrictPaths (below)
; to confine shared data.
Sharing = True
; ------------------------
; ADVANCED SHARING OPTIONS
; ------------------------
; Using the same syntax as RestrictPaths above, this defines additional
; restrictions on which paths sharing clients may access.
;; SharingRestrictPaths =
; Path of a directory where GridFTP will store files used to control
; sharing access to individual accounts. The variables $USER and $HOME
; should be used in order to define a unique path per user.
; If not specified, this will default to "$HOME/.globus/sharing".
;
; For instance, with SharingStateDir = "/var/globusonline/sharing/$USER",
; user "bob" would be enabled for sharing only if a path exists with the
; name "/var/globusonline/sharing/bob/" and is writable by bob.
;
; Leaving this at its default lets each user enable sharing under their own
; $HOME; an admin-managed tree like the example above makes sharing a
; per-user opt-in that the administrator controls.
;;SharingStateDir =
;-----------------------------------------------------------------------------
; MyProxy Configuration ;
;-----------------------------------------------------------------------------
; This section configures a MyProxy server. It can be processed on the
; MyProxy server host to generate myproxy-server configuration files and
; a MyProxy CA, or can be used on a GridFTP server host to determine how
; to fetch trust roots, or to associate the MyProxy server with a
; Globus endpoint.
; Not used by this config: [Security] IdentityMethod is CILogon, so every
; key below is left commented out and no MyProxy server or CA is created.
[MyProxy]
; The contact URI of the MyProxy server. The format is host[:port], with
; a default port of 7512 if not present.
; If not set, then no myproxy server will be configured. The special value
; %(HOSTNAME)s will substitute an ec2 instance's public hostname, falling back
; to the machine's nodename.
;;Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a MyProxy server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the MyProxy
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; Directory in which to place the MyProxy CA files,
; including the cacert and key, and the set of signed certificates.
; If a MyProxy CA is ever enabled, its key in this directory signs user
; credentials and must be protected accordingly.
; If not present, the default is /var/lib/globus-connect-server/myproxy-ca
;
;; CADirectory = /var/lib/globus-connect-server/myproxy-ca
; Path to store the myproxy service configuration file.
; If not specified, the default is
; /var/lib/globus-connect-server/myproxy-server.conf
;
;; ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf
;-----------------------------------------------------------------------------
; MyProxy OAuth Configuration ;
;-----------------------------------------------------------------------------
; Not used by this config: [Security] IdentityMethod is CILogon, so every
; key below is left commented out and no local OAuth server is configured.
[OAuth]
; The public host name of the MyProxy OAuth server.
; If not set, then no MyProxy OAuth server will be configured. The special value
; %(HOSTNAME)s will substitute an ec2 instance's public hostname, falling back
; to the machine's nodename.
;; Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure an OAuth server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the OAuth
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; A cascading stylesheet file to use with OAuth server web pages. The
; stylesheet will be used to style the MyProxy OAuth web interface. If not set,
; then the default Globus-look web style will be used.
;; Stylesheet =
;
; An image file to use as the logo of the MyProxy OAuth server. If not set,
; the Globus logo image is used.
;; Logo =
; vim: filetype=dosini : nospell :