Globus: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
No edit summary
No edit summary
 
(81 intermediate revisions by 9 users not shown)
Line 1: Line 1:
<languages />
<languages />
<translate>
<translate>
<!--T:90-->
 
{| class="wikitable"
<!--T:128-->
|+ ANNOUNCEMENT
[https://www.globus.org/ Globus] is a service for fast, reliable, secure transfer of files. Designed specifically for researchers, Globus has an easy-to-use interface with background monitoring features that automate the management of file transfers between any two resources, whether they are on an Alliance cluster, another supercomputing facility, a campus cluster, lab server, desktop or laptop.
|-
! Upcoming decommissioning of Globus v4 endpoints
|-
| Details available here: https://docs.alliancecan.ca/wiki/Globus_v4_to_v5
|}
[https://www.globus.org/ Globus] is a service for fast, reliable, secure transfer of files. Designed specifically for researchers, Globus has an easy-to-use interface with background monitoring features that automate the management of file transfers between any two resources, whether they are at an Alliance cluster, another supercomputing facility, a campus cluster, lab server, desktop or laptop.


<!--T:91-->
<!--T:91-->
Globus leverages GridFTP for its transfer protocol but shields the end user from complex and time consuming tasks related to GridFTP and other aspects of data movement. It improves transfer performance over GridFTP, rsync, scp, and sftp, by automatically tuning transfer settings, restarting interrupted transfers, and checking file integrity.
Globus leverages GridFTP for its transfer protocol but shields the end user from complex and time-consuming tasks related to GridFTP and other aspects of data movement. It improves transfer performance over GridFTP, rsync, scp, and sftp, by automatically tuning transfer settings, restarting interrupted transfers, and checking file integrity.


<!--T:92-->
<!--T:92-->
Globus can be accessed via the main [https://www.globus.org/ Globus website] or via the Alliance Globus portal at [https://globus.alliancecan.ca/ https://globus.alliancecan.ca/].
Globus can be accessed via the main [https://www.globus.org/ Globus website] or via [https://globus.alliancecan.ca/ the Alliance Globus portal].


== Using Globus == <!--T:93-->
== Using Globus == <!--T:93-->
Go to [https://globus.alliancecan.ca/ https://globus.alliancecan.ca/]. Your "existing organizational login" is your CCDB account. Ensure that "Compute Canada" is selected in the drop-down, then click Continue. Supply your CCDB username (not your e-mail address or other identifier) and password on the Compute Canada MyProxy page which appears. This takes you to the web portal for Globus.


<!--T:94-->
<!--T:133-->
[[File:1st-panel.png|400px|thumb|none| CC Globus Authentication page. (Click for larger image.)]]
Since May 21, 2024, Globus is accessed with our present organization name. If you have not re-opened a Globus session since then, close any active session---in the Globus Web GUI, in the command line interface and in any application using the Globus API---and follow the instructions to re-open your session.
 
<!--T:136-->
Go to [https://globus.alliancecan.ca/ the Alliance Globus portal]; the first page illustrated below. Your "existing organizational login" is your CCDB account. Ensure that <i>Digital Research Alliance of Canada</i> is selected in the drop-down box (''not'' Digital Research Alliance of Canada - Staff), then click on <i>Continue</i>.  The second page illustrated below will appear.  Supply your CCDB ''username'' (not your e-mail address or other identifier) and password there. This takes you to the web portal for Globus.
 
<!--T:134-->
[[File:Globus-Login-Organization.png|400px|thumb|none| Choose Digital Research Alliance of Canada for Globus Organization dropdown (click on image to enlarge)]]
 
<!--T:135-->
[[File:DRAC-Shibboleth-Login.png|400px|thumb|none| Digital Research Alliance of Canada Globus authentication page (click on image to enlarge)]]


=== To start a transfer === <!--T:95-->  
=== To start a transfer === <!--T:95-->  


<!--T:96-->
<!--T:96-->
Globus transfers happen between collections (formerly known as <i>endpoints</i> in previous Globus versions).  Most Alliance clusters have some standard collections set up for you to use.  To transfer files to and from your computer, you need to create a collection for it. This requires a bit of set up initially, but once it has been done, transfers via Globus require little more than making sure the Globus Connect Personal software is running on your machine. More on this below under [[#Personal Computers|Personal Computers]].
Globus transfers happen between collections (formerly known as <i>endpoints</i> in previous Globus versions).  Most Alliance clusters have some standard collections set up for you to use.  To transfer files to and from your computer, you need to create a collection for them. This requires a bit of set up initially, but once it has been done, transfers via Globus require little more than making sure the Globus Connect Personal software is running on your machine. More on this below under [[#Personal computers|Personal computers]].




Line 34: Line 35:


<!--T:98-->
<!--T:98-->
[[File:Globus-file-manager.png|400px|thumb|none| Globus File Manager. (Click for larger image.)]]
[[File:Globus-file-manager.png|400px|thumb|none| Globus File Manager (click on image to enlarge)]]




<!--T:99-->
<!--T:99-->
On the top right of the page there are three buttons labelled "Panels". Select the second button (this will allow you to see two collections at the same time).
On the top right of the page, there are three buttons labelled <i>Panels</i>. Select the second button (this will allow you to see two collections at the same time).


<!--T:100-->
<!--T:100-->
Find collections by clicking where the page says "Search" and entering a collection name.  
Find collections by clicking where the page says <i>Search</i> and entering a collection name.  


<!--T:101-->
<!--T:101-->
[[File:Globus-select-collection.png|400px|thumb|none| Selecting a Globus collection. (Click for larger image.)]]
[[File:Globus-select-collection.png|400px|thumb|none| Selecting a Globus collection (click on image to enlarge)]]




<!--T:102-->
<!--T:102-->
You can start typing a collection name to select it. For example, if you want to transfer data to or from the Béluga cluster, type "beluga", wait two seconds for a list of matching sites to appear, and select <code>computecanada#beluga-dtn</code>.  
You can start typing a collection name to select it. For example, if you want to transfer data to or from the Béluga cluster, type <i>beluga</i>, wait two seconds for a list of matching sites to appear, and select <code>computecanada#beluga-dtn</code>.  




<!--T:103-->
<!--T:103-->
All resources have names prefixed with <code>computecanada#</code>. For example, [https://globus.alliancecan.ca/file-manager?origin_id=278b9bfe-24da-11e9-9fa2-0a06afd4a22e <code>computecanada#beluga-dtn</code>], [https://globus.alliancecan.ca/file-manager?origin_id=c99fd40c-5545-11e7-beb6-22000b9a448b <code>computecanada#cedar-dtn</code>],  [https://globus.alliancecan.ca/file-manager?origin_id=07baf15f-d7fd-4b6a-bf8a-5b5ef2e229d3 <code>computecanada#graham-globus</code>] or [https://globus.alliancecan.ca/file-manager?origin_id=77506016-4a51-11e8-8f88-0a6d4e044368 <code>computecanada#niagara</code>] (note that 'dtn' stands for 'data transfer node').
All resources have names prefixed with <code>computecanada#</code>. For example, [https://globus.alliancecan.ca/file-manager?origin_id=278b9bfe-24da-11e9-9fa2-0a06afd4a22e <code>computecanada#beluga-dtn</code>], [https://globus.alliancecan.ca/file-manager?origin_id=8dec4129-9ab4-451d-a45f-5b4b8471f7a3 <code>computecanada#cedar-globus</code>],  [https://globus.alliancecan.ca/file-manager?origin_id=07baf15f-d7fd-4b6a-bf8a-5b5ef2e229d3 <code>computecanada#graham-globus</code>], [https://globus.alliancecan.ca/file-manager?origin_id=885f1a95-b2f6-4f8b-a09a-252553ae390e <code>alliancecan#niagara</code>] or [https://globus.alliancecan.ca/file-manager?origin_id=c55ce750-19d6-4a42-9c30-6a58f06bec7a <code>alliancecan#hpss</code>] (note that 'dtn' stands for <i>data transfer node</i>).




<!--T:104-->
<!--T:104-->
You may be prompted to authenticate to access the collection, depending on which site is hosting the collection. For example, if you are activating a collection hosted on Graham, you will be asked for your Alliance username and password.  The authentication of a collection remains valid for some time - typically one week for CC collections while personal collections do not expire.
You may be prompted to authenticate to access the collection, depending on which site it is hosted. For example, if you are activating a collection hosted on Graham, you will be asked for your Alliance username and password.  The authentication of a collection remains valid for some time, typically one week for CC collections, while personal collections do not expire.




Line 64: Line 65:


<!--T:106-->
<!--T:106-->
Once a collection has been activated you should see a list of directories and files. You can navigate these by double-clicking on directories and using the ''up one folder'' button. Highlight a file or directory that you want to transfer by single-clicking on it. Control-click to highlight multiple things. Then click one of the big blue buttons with white arrowheads to initiate the transfer. The transfer job will be given a unique ID and will begin right away. You will receive an email when the transfer is complete. You can also monitor in-progress transfers and view details of completed transfers by clicking on the [https://globus.alliancecan.ca/activity ''Activity'' button] on the left-hand side.
Once a collection has been activated, you should see a list of directories and files. You can navigate these by double-clicking on directories and using the 'up one folder' button. Highlight a file or directory that you want to transfer by single-clicking on it. Control-click to highlight multiple things. Then click on one of the big blue buttons with white arrowheads to initiate the transfer. The transfer job will be given a unique ID and will begin right away. You will receive an email when the transfer is complete. You can also monitor in-progress transfers and view details of completed transfers by clicking on the [https://globus.alliancecan.ca/activity <i>Activity</i> button] on the left.




<!--T:107-->
<!--T:107-->
[[File:Globus-Initiate-Transfer.png|400px|thumb|none| Initiating a transfer.  Note the highlighted file in the left hand pane. (Click for larger image.)]]
[[File:Globus-Initiate-Transfer.png|400px|thumb|none| Initiating a transfer.  Note the highlighted file in the left pane (click on image to enlarge)]]




Line 78: Line 79:


<!--T:110-->
<!--T:110-->
Globus provides several other options in the "Transfer & Sync Options" in between the two "Start" buttons in the middle of the screen. Here you can direct Globus to
Globus provides several other options in <i>Transfer & Sync Options</i> between the two <i>Start</i> buttons in the middle of the screen. Here you can direct Globus to
* sync - only transfer new or changed files
* sync to only transfer new or changed files
* delete files on destination that do not exist on source
* delete files on destinations that do not exist in source
* preserve source file modification times
* preserve source file modification times
* verify file integrity after transfer (on by default)
* verify file integrity after transfer (on by default)
Line 94: Line 95:


<!--T:113-->
<!--T:113-->
There are links on the [https://www.globus.org/globus-connect-personal Globus Connect Personal] page which walk you through the setup of globus connect personal on the various operating systems, including setting it up from the command line on Linux. If you are running Globus Connect Personal from the command line on linux, this [https://docs.globus.org/faq/globus-connect-endpoints/#how_do_i_configure_accessible_directories_on_globus_connect_personal_for_linux FAQ on the Globus site] describes configuring which paths you share and their permissions.
There are links on the [https://www.globus.org/globus-connect-personal Globus Connect Personal] page which walks you through the setup of Globus Connect Personal on the various operating systems, including setting it up from the command line on Linux. If you are running Globus Connect Personal from the command line on Linux, this [https://docs.globus.org/faq/globus-connect-endpoints/#how_do_i_configure_accessible_directories_on_globus_connect_personal_for_linux FAQ on the Globus site] describes configuring which paths you share and their permissions.


====To install Globus Connect Personal==== <!--T:114-->  
====To install Globus Connect Personal==== <!--T:114-->  
Line 100: Line 101:


<!--T:115-->
<!--T:115-->
[[File:GetGlobusConnectPersonal.png|400px|thumb|none| Finding the installation button. (Click for larger image.)]]
[[File:GetGlobusConnectPersonal.png|400px|thumb|none| Finding the installation button (click on image to enlarge)]]




Line 108: Line 109:


<!--T:117-->
<!--T:117-->
# From the File Manager screen click on the "Collections" icon on the left hand side.
# From the <i>File Manager</i> screen click on the <i>Collections</i> icon on the left.
# Click "Get Globus Connect Personal" in the top right of the screen
# Click on <i>Get Globus Connect Personal</i> in the top right of the screen.
# Click on the download link for your operating system (click on "Show me other supported operating systems" if downloading for another computer)
# Click on the download link for your operating system (click on <i>Show me other supported operating systems</i> if downloading for another computer).
# Install Globus Connect Personal
# Install Globus Connect Personal.
# You should now be able to access the endpoint through Globus. The full endpoint name is [your username]#[name you give setup]; for example, smith#WorkPC.
# You should now be able to access the endpoint through Globus. The full endpoint name is [your username]#[name you give setup]; for example, smith#WorkPC.


Line 123: Line 124:


<!--T:26-->
<!--T:26-->
Note that if the Globus Connect Personal program at your endpoint is closed during a file transfer to or from that endpoint, the transfer will stop. To restart the transfer, simply reopen the program.
Note that if the Globus Connect Personal program at your endpoint is closed during a file transfer to or from that endpoint, the transfer will stop. To restart the transfer, simply re-open the program.


====Transfer between two personal endpoints==== <!--T:27-->
====Transfer between two personal endpoints==== <!--T:27-->


<!--T:28-->
<!--T:28-->
Although you can create endpoints for any number of personal computers, transfers between two personal endpoints is not enabled by default.  If you need this capability, please contact   
Although you can create endpoints for any number of personal computers, transfer between two personal endpoints is not enabled by default.  If you need this capability, please contact   
[mailto:globus@tech.alliancecan.ca globus@tech.alliancecan.ca] to set up a "Globus Plus" account.
[mailto:globus@tech.alliancecan.ca globus@tech.alliancecan.ca] to set up a Globus Plus account.


<!--T:17-->
<!--T:17-->
Line 137: Line 138:
* [https://docs.globus.org/how-to/globus-connect-personal-linux Globus Connect Personal for Linux]
* [https://docs.globus.org/how-to/globus-connect-personal-linux Globus Connect Personal for Linux]


== Globus Sharing == <!--T:18-->
== Globus sharing == <!--T:18-->


<!--T:19-->
<!--T:19-->
Line 152: Line 153:
   |title=Globus sharing is disabled on Niagara.
   |title=Globus sharing is disabled on Niagara.
   |content=
   |content=
Globus sharing is disabled on Niagara.
}}
}}


Line 160: Line 160:
   |title=Project requires permission to share
   |title=Project requires permission to share
   |content=
   |content=
To create a Globus Share on project for our other clusters, the PI will need to contact [mailto:globus@tech.alliancecan.ca globus@tech.alliancecan.ca] with:
To create sharing on /project for our other clusters, the PI will need to contact [mailto:globus@tech.alliancecan.ca globus@tech.alliancecan.ca] with:


<!--T:75-->
<!--T:75-->
* Yes they want Globus sharing enabled  
* confirmation that Globus sharing should be enabled,
* The path to enable  
* the path to enable,
* Whether the sharing will be read only, or sharing can be read and write
* whether the sharing will be read only, or sharing if it can be read and write.


<!--T:76-->
<!--T:76-->
Data to be shared will need to be moved or copied into this path. Creating a symbolic link to the data will not allow access to the data.
Data to be shared will need to be moved or copied to this path. Creating a symbolic link to the data will not allow access to the data.


<!--T:77-->
<!--T:77-->
Otherwise you will receive the error:
Otherwise you will receive the error:  


<!--T:61-->
<!--T:61-->
"The backend responded with an error: You do not have permission to create a shared endpoint on the selected path. The administrator of this endpoint has disabled creation of shared endpoints on the selected path."
:: <i>The backend responded with an error: You do not have permission to create a shared endpoint on the selected path. The administrator of this endpoint has disabled creation of shared endpoints on the selected path.</i>


<!--T:62-->
<!--T:62-->
Globus sharing is enabled for the home directory. By default we disable sharing on project to prevent users accidentally sharing other user's files. If you would like to test a Globus share you can create one in your home directory.
Globus sharing is enabled for the /home directory. By default, we disable sharing on /project to prevent users accidentally sharing other users' files. If you would like to test a Globus share you can create one in your /home directory.


<!--T:63-->
<!--T:63-->
Line 183: Line 183:


<!--T:64-->
<!--T:64-->
/project/my-project-id/Sharing
<code>/project/my-project-id/Sharing</code>


<!--T:65-->
<!--T:65-->
Once we have enabled sharing on the path you will be able to create a new Globus shared endpoint for any sub directory under that path. So for example you will be able to create the sub directories:
Once we have enabled sharing on the path, you will be able to create a new Globus shared endpoint for any subdirectory under that path. So for example, you will be able to create the subdirectories:


<!--T:66-->
<!--T:66-->
/project/my-project-id/Sharing/Subdir-01
<code>/project/my-project-id/Sharing/Subdir-01</code>


<!--T:67-->
<!--T:67-->
Line 195: Line 195:


<!--T:68-->
<!--T:68-->
/project/my-project-id/Sharing/Subdir-02
<code>/project/my-project-id/Sharing/Subdir-02</code>


<!--T:69-->
<!--T:69-->
Line 205: Line 205:


<!--T:31-->
<!--T:31-->
Log into [https://globus.alliancecan.ca the Alliance Globus portal] with your Globus credentials. Once you are logged in, you will see a transfer window. In the ‘endpoint’ field, type the endpoint identifier for the endpoint you wish to share from (e.g. computecanada#beluga-dtn, computecanada#cedar-dtn, computecanada#graham-globus, computecanada#niagara etc.) and activate the endpoint, if asked to.  
Log into [https://globus.alliancecan.ca the Alliance Globus portal] with your Globus credentials. Once you are logged in, you will see a transfer window. In the <i>endpoint</i> field, type the endpoint identifier for the endpoint you wish to share from (e.g. computecanada#beluga-dtn, computecanada#cedar-dtn, computecanada#graham-globus, alliancecan#niagara etc.) and activate the endpoint if asked to.


<!--T:70-->
<!--T:70-->
Select a folder that you wish to share, then click the "Share" button to the right of the folder list.
[[File:Globus SharedEndpoint1-1024x607.png|thumbnail|Open the <i>Share</i> option (click on image to enlarge)]]
[[File:Globus SharedEndpoint1-1024x607.png|thumb|Open "Share" option (Click for larger image.)]]
Select a folder that you wish to share, then click the <i>Share</i> button to the right of the folder list.
<br clear=all>


<!--T:71-->
<!--T:71-->
Click on the "Add a Guest Collection" button in the top right corner of the screen.
[[File:Globus SharedEndpoint2.png|thumbnail|Click on <i>Add a Guest Collection</i> (click on image to enlarge)]]
[[File:Globus SharedEndpoint2.png|thumbnail|Click on "Add a Guest Collection" (Click for larger image.)]]
Click on the <i>Add Guest Collection</i> button in the top right corner of the screen.
<br clear=all>


<!--T:72-->
<!--T:72-->
Give the new share a name that is easy for you and the people you intend to share it with to find. You can also adjust from where you want to share using the "Browse" button. Note that path in this case is relative to the share and that in many cases you simply want to share the endpoint, so the path will be just <code>"/"</code>.  
[[File:Globus SharedEndpoint3-1024x430.png|thumbnail|Managing a shared collection (click on image to enlarge)]]
[[File:Globus SharedEndpoint3-1024x430.png|thumbnail|Managing a Shared Endpoint]]
Give the new share a name that is easy for you and the people you intend to share it with to find. You can also adjust from where you want to share using the <i>Browse</i> button.
<br clear=all>


===Managing access=== <!--T:32-->
===Managing access=== <!--T:32-->
Once the endpoint is created, you will be shown the current access list, with only your account on it. Since sharing is of little use without someone to share with, click the ‘Add Permissions -- Share With’ button to add people or groups that you wish to share with.
[[File:Globus ManagingAccess-1024x745-changed.png|thumbnail|Managing shared collection permissions (click on image to enlarge)]]
Once the shared collection is created, you will be shown the current access list, with only your account on it. Since sharing is of little use without someone to share with, click on the <i>Add Permissions -- Share With</i> button to add people or groups that you wish to share with.
<br clear="all">
 
<!--T:73-->
[[File:Globus-Add-Permissions.png|thumb|Send an invitation to a share (click on image to enlarge)]]
 
<!--T:137-->
In the following form, the <i>Path</i> is relative to the share and because in many cases you simply want to share the whole collection, the path will be <code>/</code>. However, if you want to share only a subdirectory called "Subdir-01" with a specific group of people, you may specify <code>/Subdir-01/</code> or use the <i>Browse</i> button to select it.


<!--T:33-->
<!--T:33-->
You will now be prompted to select whether to share with people via email, username, or group.
Next in the form, you are prompted to select whether to share with people via email, username, or group.
* E-mail is a good choice if you don’t know a person’s username on Globus. It will also allow you to share with people who do not currently have a Globus account, though they will need to create one to be able to access your share.
* <i>User</i> presents a search box that allows you to provide an email address or to search by name or by Globus username.
* User presents a search box that allows you to search by name or Globus username. This is best if someone already has a Globus account, as it does not require any action on their part to be added to the share. Enter a name or Globus username (if you know it), and select the appropriate match from the list, then click ‘Use Selected’
** Email is a good choice if you don’t know a person’s username on Globus. It will also allow you to share with people who do not currently have a Globus account, though they will need to create one to be able to access your share.
* Group allows you to share with a number of people simultaneously. You can search by group name or UUID. Group names may be ambiguous, so be sure to verify you are sharing with the correct one. This can be avoided by using the group’s UUID, which is available on the Groups page (See Groups Section)
** This is best if someone already has a Globus account, as it does not require any action on their part to be added to the share. Enter a name or Globus username (if you know it), and select the appropriate match from the list, then click <i>Use Selected</i>.
[[File:Globus ManagingAccess-1024x745.png|thumbnail|Managing Shared Endpoint Permissions]]
* <i>Group</i> allows you to share with a number of people simultaneously. You can search by group name or UUID. Group names may be ambiguous, so be sure to verify you are sharing with the correct one. This can be avoided by using the group’s UUID, which is available on the Groups page (see the section on groups)
To add or remove write permissions from a user, click the checkbox next to their name under the write column. It is not possible to remove read access.


<!--T:73-->
<!--T:138-->
[[File:Globus-Add-Permissions.png|thumb|Send an invitation to a share]]
To enable the write permissions, click on the <i>write</i> checkbox in the form. Note that it is not possible to remove read access. Once the form is completed, click on the <i>Add Permission</i> button. In the access list, it is also possible to add or remove the write permissions by clicking the checkbox next to the name under the <i>WRITE</i> column.


<!--T:34-->
<!--T:34-->
Line 237: Line 247:


===Removing a shared collection=== <!--T:35-->
===Removing a shared collection=== <!--T:35-->
You can remove shared collections once you no longer need it. [https://globus.alliancecan.ca/collections?scope=shared-by-me To do this, click on endpoints, and click on the "Shareable by You" tab.]
[[File:Globus RemovingSharedEndpoint-1024x322.png|thumbnail|Removing a shared collection (click on image to enlarge)]]
You can remove a shared collection once you no longer need it. To do this:


<!--T:36-->
<!--T:36-->
Click on the title of the "Shared Collection" you want to remove. Click on the "Delete Endpoint" on the right hand side of the screen. Confirm deleting it by clicking on the red button.
* Click on <i>Collections</i> on the left side of the screen, then click on the [https://globus.alliancecan.ca/collections?scope=shared-by-me <i>Shareable by You</i> tab], and finally click on the title of the <i>Shared Collection</i> you want to remove;
[[File:Globus RemovingSharedEndpoint-1024x322.png|thumbnail|Removing a Shared Endpoint]]
* Click on the <i>Delete Collection</i> button on the right side of the screen;
* Confirm deleting it by clicking on the red button.


<!--T:74-->
<!--T:74-->
The endpoint is now deleted. Your files will not be affected by this action, nor will those others may have uploaded.
The collection is now deleted. Your files will not be affected by this action, nor will those others may have uploaded.


===Sharing security=== <!--T:37-->
===Sharing security=== <!--T:37-->
Line 252: Line 264:


<!--T:87-->
<!--T:87-->
*Make sure you have permission to share the files, if you are not the data’s owner
*If you are not the data’s owner, make sure you have permission to share the files.
*Make sure you are sharing with only those you intend to. Verify the person you add to the access list is the person you think, there are often people with the same or similar names. Remember that Globus usernames are not linked to Alliance usernames. The recommended method of sharing is to use the email address of the person you wish to share with, unless you have the exact account name.
*Make sure you are sharing with only those you intend to. Verify the person you add to the access list is the person you think, there are often people with the same or similar names. Remember that Globus usernames are not linked to Alliance usernames. The recommended method of sharing is to use the email address of the person you wish to share with, unless you have the exact account name.
*If you are sharing with a group you do not control, make sure you trust the owner of the group. They may add people who are not authorized to access your files.
*If you are sharing with a group you do not control, make sure you trust the owner of the group. They may add people who are not authorized to access your files.
Line 258: Line 270:
*It is highly recommended that sharing be restricted to a subdirectory, rather than your top-level home directory.
*It is highly recommended that sharing be restricted to a subdirectory, rather than your top-level home directory.


== Globus Groups == <!--T:20-->
== Globus groups == <!--T:20-->
Globus groups provide an easy way to manage permissions for sharing with multiple users. When you create a group, you can use it from the sharing interface easily to control access for multiple users.  
Globus groups provide an easy way to manage permissions for sharing with multiple users. When you create a group, you can use it from the sharing interface easily to control access for multiple users.  


=== Creating a Group === <!--T:39-->
=== Creating a group === <!--T:39-->
Click on the [https://globus.alliancecan.ca/groups "Groups" button] on the left hand sidebar. Click on the "Create New Group" button on the top right of the screen. Pressing this button brings up the ‘Create New Group’ window.
Click on the [https://globus.alliancecan.ca/groups <i>Groups</i> button] on the left sidebar. Click on the <i>Create New Group</i> button on the top right of the screen; this brings up the <i>Create New Group</i> window.
[[File:Globus CreatingNewGroup-1024x717.png|thumbnail|Creating a Globus Group]]
[[File:Globus CreatingNewGroup-1024x717.png|thumbnail|Creating a Globus group (click on image to enlarge)]]
*Enter the name of the group in the ‘Group Name’ field
*Enter the name of the group in the <i>Group Name</i> field
*Enter the group description in the ‘Group Description’ field
*Enter the group description in the <i>Group Description</i> field
*Select if the group is visible to only group members (private group) or all Globus users.
*Select if the group is visible to only group members (private group) or all Globus users.
*Click ‘Create Group’ to add the group.
*Click on <i>Create Group</i> to add the group.


=== Inviting Users === <!--T:40-->
=== Inviting users === <!--T:40-->
Once a group has been created, users can be added by selecting ‘Invite users’, and then either entering an email address (preferred) or searching for the username. Once users have been selected for invitation, click the add button and they will be sent an email inviting them to join. Once they’ve accepted, they will be visible in the group.
Once a group has been created, users can be added by selecting <i>Invite users</i>, and then either entering an email address (preferred) or searching for the username. Once users have been selected, click on the Add button and they will be sent an email inviting them to join. Once they’ve accepted, they will be visible in the group.


=== Modifying Membership === <!--T:41-->
=== Modifying membership === <!--T:41-->
Click on a user to modify their membership. You can change their Role and Status. Role allows you to grant permissions to the user, including Admin (Full access), Manager (Change user roles), or Member (no management functions). The ‘Save Changes’ button commits the changes.
Click on a user to modify their membership. You can change their role and status. Role allows you to grant permissions to the user, including Admin (full access), Manager (change user roles), or Member (no management functions). The <i>Save Changes</i> button commits the changes.


==Command Line Interface (CLI) == <!--T:45-->
==Command line interface (CLI) == <!--T:45-->
===Installing===
===Installing===
The Globus command line interface is a python module which can be installed using pip. Below are the steps to install Globus CLI on one of our clusters.
The Globus command line interface is a Python module which can be installed using pip. Below are the steps to install Globus CLI on one of our clusters.
# Create a virtual environment to install the Globus CLI into (see [[Python#Creating_and_using_a_virtual_environment|creating and using a virtual environment]]).<source lang='console>$ virtualenv $HOME/.globus-cli-virtualenv</source>
# Create a virtual environment to install the Globus CLI into (see [[Python#Creating_and_using_a_virtual_environment|creating and using a virtual environment]]).<source lang='console>$ virtualenv $HOME/.globus-cli-virtualenv</source>
# Activate the virtual environment <source lang='console>$ source $HOME/.globus-cli-virtualenv/bin/activate</source>
# Activate the virtual environment. <source lang='console>$ source $HOME/.globus-cli-virtualenv/bin/activate</source>
# Install Globus CLI into the virtual environment (see [[Python#Installing_modules| installing modules]]).<source lang='console>$ pip install globus-cli</source>
# Install Globus CLI into the virtual environment (see [[Python#Installing_modules| installing modules]]).<source lang='console>$ pip install globus-cli</source>
# Then deactivate the virtual environment.<source lang='console'>$ deactivate</source>
# Then deactivate the virtual environment.<source lang='console'>$ deactivate</source>
# To avoid having to load that virtual environment every time before using Globus, you can add it to your path. <source lang='console>$ export PATH=$PATH:$HOME/.globus-cli-virtualenv/bin
# To avoid having to load that virtual environment every time before using Globus, you can add it to your path. <source lang='console>$ export PATH=$PATH:$HOME/.globus-cli-virtualenv/bin
$ echo 'export PATH=$PATH:$HOME/.globus-cli-virtualenv/bin'>>$HOME/.bashrc</source>
$ echo 'export PATH=$PATH:$HOME/.globus-cli-virtualenv/bin'>>$HOME/.bashrc</source>
See the Globus docs page on [https://docs.globus.org/cli/installation/ installation] for information on installing on different platforms, updating, and uninstalling.


===Using=== <!--T:86-->
===Using=== <!--T:86-->
* See the Globus [https://docs.globus.org/cli/ Command Line Interface (CLI) documentation] to learn about using the CLI.
* See the Globus [https://docs.globus.org/cli/ Command Line Interface (CLI) documentation] to learn about using the CLI.
* Also see the Globus [https://docs.globus.org/cli/legacy/ Hosted Command Line Interface (Legacy) documentation], which allows authentication with SSH keys instead of requiring web based authentication.
===Scripting===
===Scripting===
* There is also a Python API, see the [https://globus-sdk-python.readthedocs.io/en/stable/ globus sdk python documentation].
* There is also a Python API, see the [https://globus-sdk-python.readthedocs.io/en/stable/ Globus SDK for Python documentation].


== Virtual Machine (Cloud VMs such as Arbutus, Cedar, East Cloud, Graham) == <!--T:79-->
== Virtual machines (cloud VMs such as Arbutus, Cedar, Graham) == <!--T:79-->
Globus Endpoints exist for the cluster systems (Beluga, Cedar, Graham, Niagara etc.) but not for Cloud VMs. The reason for this is that there isn't a singular storage for each VM so we can't create a single endpoint for everyone.
Globus endpoints exist for the cluster systems (Beluga, Cedar, Graham, Niagara, etc.) but not for cloud VMs. The reason for this is that there isn't a singular storage for each VM so we can't create a single endpoint for everyone.




<!--T:120-->
<!--T:120-->
If you need a Globus Endpoint on your VM and can't use another transfer mechanism there are two options for installing a Globus Endpoint: Globus Connect Personal, and Globus Connect Server.
If you need a Globus endpoint on your VM and can't use another transfer mechanism, there are two options for installing an endpoint: Globus Connect Personal, and Globus Connect Server.


=== Globus Connect Personal === <!--T:81-->
=== Globus Connect Personal === <!--T:81-->
Line 304: Line 314:


<!--T:121-->
<!--T:121-->
Install Globus Connect Personal on Windows:
* [https://docs.globus.org/how-to/globus-connect-personal-windows/ Install Globus Connect Personal on Windows].
https://docs.globus.org/how-to/globus-connect-personal-windows/


<!--T:122-->
* [https://docs.globus.org/how-to/globus-connect-personal-linux/ Install Globus Connect Personal on Linux].


<!--T:122-->
Install Globus Connect Personal on Linux:
https://docs.globus.org/how-to/globus-connect-personal-linux/


=== Globus Connect Server === <!--T:123-->
=== Globus Connect Server === <!--T:123-->
Server is designed for headless (command line only, no gui) installations and has some additional features I don't think you would use (such as ability to add multiple servers to the endpoint). It does require opening some ports to allow transfers to occur (see https://docs.globus.org/globus-connect-server/v5/#open-tcp-ports_section).
Server is designed for headless (command line only, no GUI) installations and has some additional features you most probably would not use (such as the ability to add multiple servers to the endpoint). It does require opening some ports to allow transfers to occur (see https://docs.globus.org/globus-connect-server/v5/#open-tcp-ports_section).


== Support and More Information == <!--T:124-->
== Support and more information == <!--T:124-->
If you would like more information on the Alliance’s use of Globus, or require support in using this service, please send an email to [mailto:globus@tech.alliancecan.ca globus@tech.alliancecan.ca] and provide the following information:
If you would like more information on the Alliance’s use of Globus, or require support in using this service, please send an email to [mailto:globus@tech.alliancecan.ca globus@tech.alliancecan.ca] and provide the following information:



Latest revision as of 17:01, 28 June 2024

Other languages:

Globus is a service for fast, reliable, secure transfer of files. Designed specifically for researchers, Globus has an easy-to-use interface with background monitoring features that automate the management of file transfers between any two resources, whether they are on an Alliance cluster, another supercomputing facility, a campus cluster, lab server, desktop or laptop.

Globus leverages GridFTP for its transfer protocol but shields the end user from complex and time-consuming tasks related to GridFTP and other aspects of data movement. It improves transfer performance over GridFTP, rsync, scp, and sftp, by automatically tuning transfer settings, restarting interrupted transfers, and checking file integrity.

Globus can be accessed via the main Globus website or via the Alliance Globus portal.

Using Globus[edit]

Since May 21, 2024, Globus is accessed with our present organization name. If you have not re-opened a Globus session since then, close any active session---in the Globus Web GUI, in the command line interface and in any application using the Globus API---and follow the instructions to re-open your session.

Go to the Alliance Globus portal; the first page illustrated below. Your "existing organizational login" is your CCDB account. Ensure that Digital Research Alliance of Canada is selected in the drop-down box (not Digital Research Alliance of Canada - Staff), then click on Continue. The second page illustrated below will appear. Supply your CCDB username (not your e-mail address or other identifier) and password there. This takes you to the web portal for Globus.

Choose Digital Research Alliance of Canada for Globus Organization dropdown (click on image to enlarge)
Digital Research Alliance of Canada Globus authentication page (click on image to enlarge)

To start a transfer[edit]

Globus transfers happen between collections (formerly known as endpoints in previous Globus versions). Most Alliance clusters have some standard collections set up for you to use. To transfer files to and from your computer, you need to create a collection for them. This requires a bit of set up initially, but once it has been done, transfers via Globus require little more than making sure the Globus Connect Personal software is running on your machine. More on this below under Personal computers.


If the File Manager page in the Globus Portal is not already showing (see image), select it from the left sidebar.

Globus File Manager (click on image to enlarge)


On the top right of the page, there are three buttons labelled Panels. Select the second button (this will allow you to see two collections at the same time).

Find collections by clicking where the page says Search and entering a collection name.

Selecting a Globus collection (click on image to enlarge)


You can start typing a collection name to select it. For example, if you want to transfer data to or from the Béluga cluster, type beluga, wait two seconds for a list of matching sites to appear, and select computecanada#beluga-dtn.


All resources have names prefixed with computecanada#. For example, computecanada#beluga-dtn, computecanada#cedar-globus, computecanada#graham-globus, alliancecan#niagara or alliancecan#hpss (note that 'dtn' stands for data transfer node).


You may be prompted to authenticate to access the collection, depending on which site it is hosted. For example, if you are activating a collection hosted on Graham, you will be asked for your Alliance username and password. The authentication of a collection remains valid for some time, typically one week for CC collections, while personal collections do not expire.


Now select a second collection, searching for it and authenticating if required.


Once a collection has been activated, you should see a list of directories and files. You can navigate these by double-clicking on directories and using the 'up one folder' button. Highlight a file or directory that you want to transfer by single-clicking on it. Control-click to highlight multiple things. Then click on one of the big blue buttons with white arrowheads to initiate the transfer. The transfer job will be given a unique ID and will begin right away. You will receive an email when the transfer is complete. You can also monitor in-progress transfers and view details of completed transfers by clicking on the Activity button on the left.


Initiating a transfer. Note the highlighted file in the left pane (click on image to enlarge)


See also How To Log In and Transfer Files with Globus at the Globus.org site.

Options[edit]

Globus provides several other options in Transfer & Sync Options between the two Start buttons in the middle of the screen. Here you can direct Globus to

  • sync to only transfer new or changed files
  • delete files on destinations that do not exist in source
  • preserve source file modification times
  • verify file integrity after transfer (on by default)
  • encrypt transfer

Note that enabling encryption significantly reduces transfer performance, so it should only be used for sensitive data.

Personal computers[edit]

Globus provides a desktop client, Globus Connect Personal, to make it easy to transfer files to and from a personal computer running Windows, MacOS X, or Linux.


There are links on the Globus Connect Personal page which walks you through the setup of Globus Connect Personal on the various operating systems, including setting it up from the command line on Linux. If you are running Globus Connect Personal from the command line on Linux, this FAQ on the Globus site describes configuring which paths you share and their permissions.

To install Globus Connect Personal[edit]

Finding the installation button (click on image to enlarge)


Go to the Alliance Globus portal and log in if you have not already done so.

  1. From the File Manager screen click on the Collections icon on the left.
  2. Click on Get Globus Connect Personal in the top right of the screen.
  3. Click on the download link for your operating system (click on Show me other supported operating systems if downloading for another computer).
  4. Install Globus Connect Personal.
  5. You should now be able to access the endpoint through Globus. The full endpoint name is [your username]#[name you give setup]; for example, smith#WorkPC.

To run Globus Connect Personal[edit]

The above steps are only needed once to set up the endpoint. To transfer files, make sure Globus Connect Personal is running, i.e., start the program, and ensure that the endpoint isn't paused.

Globus Connect Personal application for a personal endpoint.

Note that if the Globus Connect Personal program at your endpoint is closed during a file transfer to or from that endpoint, the transfer will stop. To restart the transfer, simply re-open the program.

Transfer between two personal endpoints[edit]

Although you can create endpoints for any number of personal computers, transfer between two personal endpoints is not enabled by default. If you need this capability, please contact globus@tech.alliancecan.ca to set up a Globus Plus account.

For more information see the Globus.org how-to pages, particularly:

Globus sharing[edit]

Globus sharing makes collaboration with your colleagues easy. Sharing enables people to access files stored on your account on an Alliance cluster even if the other user does not have an account on that system. Files can be shared with any user, anywhere in the world, who has a Globus account. See How To Share Data Using Globus.

Creating a shared collection[edit]

To share a file or folder on an endpoint first requires that the system hosting the files has sharing enabled.


Globus sharing is disabled on Niagara.



Project requires permission to share

To create sharing on /project for our other clusters, the PI will need to contact globus@tech.alliancecan.ca with:

  • confirmation that Globus sharing should be enabled,
  • the path to enable,
  • whether the sharing will be read only, or sharing if it can be read and write.

Data to be shared will need to be moved or copied to this path. Creating a symbolic link to the data will not allow access to the data.

Otherwise you will receive the error:

The backend responded with an error: You do not have permission to create a shared endpoint on the selected path. The administrator of this endpoint has disabled creation of shared endpoints on the selected path.

Globus sharing is enabled for the /home directory. By default, we disable sharing on /project to prevent users accidentally sharing other users' files. If you would like to test a Globus share you can create one in your /home directory.

We suggest using a path that makes it clear to everyone that files in the directory might be shared such as:

/project/my-project-id/Sharing

Once we have enabled sharing on the path, you will be able to create a new Globus shared endpoint for any subdirectory under that path. So for example, you will be able to create the subdirectories:

/project/my-project-id/Sharing/Subdir-01

and

/project/my-project-id/Sharing/Subdir-02

Create a different Globus Share for each and share them with different users.

If you would like to have a Globus Share created on /project for one of these systems please email globus@tech.alliancecan.ca.


Log into the Alliance Globus portal with your Globus credentials. Once you are logged in, you will see a transfer window. In the endpoint field, type the endpoint identifier for the endpoint you wish to share from (e.g. computecanada#beluga-dtn, computecanada#cedar-dtn, computecanada#graham-globus, alliancecan#niagara etc.) and activate the endpoint if asked to.

Open the Share option (click on image to enlarge)

Select a folder that you wish to share, then click the Share button to the right of the folder list.

Click on Add a Guest Collection (click on image to enlarge)

Click on the Add Guest Collection button in the top right corner of the screen.

Managing a shared collection (click on image to enlarge)

Give the new share a name that is easy for you and the people you intend to share it with to find. You can also adjust from where you want to share using the Browse button.

Managing access[edit]

Managing shared collection permissions (click on image to enlarge)

Once the shared collection is created, you will be shown the current access list, with only your account on it. Since sharing is of little use without someone to share with, click on the Add Permissions -- Share With button to add people or groups that you wish to share with.

Send an invitation to a share (click on image to enlarge)

In the following form, the Path is relative to the share and because in many cases you simply want to share the whole collection, the path will be /. However, if you want to share only a subdirectory called "Subdir-01" with a specific group of people, you may specify /Subdir-01/ or use the Browse button to select it.

Next in the form, you are prompted to select whether to share with people via email, username, or group.

  • User presents a search box that allows you to provide an email address or to search by name or by Globus username.
    • Email is a good choice if you don’t know a person’s username on Globus. It will also allow you to share with people who do not currently have a Globus account, though they will need to create one to be able to access your share.
    • This is best if someone already has a Globus account, as it does not require any action on their part to be added to the share. Enter a name or Globus username (if you know it), and select the appropriate match from the list, then click Use Selected.
  • Group allows you to share with a number of people simultaneously. You can search by group name or UUID. Group names may be ambiguous, so be sure to verify you are sharing with the correct one. This can be avoided by using the group’s UUID, which is available on the Groups page (see the section on groups)

To enable the write permissions, click on the write checkbox in the form. Note that it is not possible to remove read access. Once the form is completed, click on the Add Permission button. In the access list, it is also possible to add or remove the write permissions by clicking the checkbox next to the name under the WRITE column.

Deleting users or groups from the list of people you are sharing with is as simple as clicking the ‘x’ at the end of the line containing their information.

Removing a shared collection[edit]

Removing a shared collection (click on image to enlarge)

You can remove a shared collection once you no longer need it. To do this:

  • Click on Collections on the left side of the screen, then click on the Shareable by You tab, and finally click on the title of the Shared Collection you want to remove;
  • Click on the Delete Collection button on the right side of the screen;
  • Confirm deleting it by clicking on the red button.

The collection is now deleted. Your files will not be affected by this action, nor will those others may have uploaded.

Sharing security[edit]

Sharing files entails a certain level of risk. By creating a share, you are opening up files that up to now have been in your exclusive control to others. The following list is some things to think about before sharing, though it is far from comprehensive.

  • If you are not the data’s owner, make sure you have permission to share the files.
  • Make sure you are sharing with only those you intend to. Verify the person you add to the access list is the person you think, there are often people with the same or similar names. Remember that Globus usernames are not linked to Alliance usernames. The recommended method of sharing is to use the email address of the person you wish to share with, unless you have the exact account name.
  • If you are sharing with a group you do not control, make sure you trust the owner of the group. They may add people who are not authorized to access your files.
  • If granting write access, make sure that you have backups of important files that are not on the shared endpoint, as users of the shared endpoint may delete or overwrite files, and do anything that you yourself can do to a file.
  • It is highly recommended that sharing be restricted to a subdirectory, rather than your top-level home directory.

Globus groups[edit]

Globus groups provide an easy way to manage permissions for sharing with multiple users. When you create a group, you can use it from the sharing interface easily to control access for multiple users.

Creating a group[edit]

Click on the Groups button on the left sidebar. Click on the Create New Group button on the top right of the screen; this brings up the Create New Group window.

Creating a Globus group (click on image to enlarge)
  • Enter the name of the group in the Group Name field
  • Enter the group description in the Group Description field
  • Select if the group is visible to only group members (private group) or all Globus users.
  • Click on Create Group to add the group.

Inviting users[edit]

Once a group has been created, users can be added by selecting Invite users, and then either entering an email address (preferred) or searching for the username. Once users have been selected, click on the Add button and they will be sent an email inviting them to join. Once they’ve accepted, they will be visible in the group.

Modifying membership[edit]

Click on a user to modify their membership. You can change their role and status. Role allows you to grant permissions to the user, including Admin (full access), Manager (change user roles), or Member (no management functions). The Save Changes button commits the changes.

Command line interface (CLI)[edit]

Installing[edit]

The Globus command line interface is a Python module which can be installed using pip. Below are the steps to install Globus CLI on one of our clusters.

  1. Create a virtual environment to install the Globus CLI into (see creating and using a virtual environment).
    $ virtualenv $HOME/.globus-cli-virtualenv
    
  2. Activate the virtual environment.
    $ source $HOME/.globus-cli-virtualenv/bin/activate
    
  3. Install Globus CLI into the virtual environment (see installing modules).
    $ pip install globus-cli
    
  4. Then deactivate the virtual environment.
    $ deactivate
    
  5. To avoid having to load that virtual environment every time before using Globus, you can add it to your path.
    $ export PATH=$PATH:$HOME/.globus-cli-virtualenv/bin
    $ echo 'export PATH=$PATH:$HOME/.globus-cli-virtualenv/bin'>>$HOME/.bashrc
    

Using[edit]

Scripting[edit]

Virtual machines (cloud VMs such as Arbutus, Cedar, Graham)[edit]

Globus endpoints exist for the cluster systems (Beluga, Cedar, Graham, Niagara, etc.) but not for cloud VMs. The reason for this is that there isn't a singular storage for each VM so we can't create a single endpoint for everyone.


If you need a Globus endpoint on your VM and can't use another transfer mechanism, there are two options for installing an endpoint: Globus Connect Personal, and Globus Connect Server.

Globus Connect Personal[edit]

Globus Connect Personal is easier to install, manage and get through the firewall but is designed to be installed on laptops / desktops.



Globus Connect Server[edit]

Server is designed for headless (command line only, no GUI) installations and has some additional features you most probably would not use (such as the ability to add multiple servers to the endpoint). It does require opening some ports to allow transfers to occur (see https://docs.globus.org/globus-connect-server/v5/#open-tcp-ports_section).

Support and more information[edit]

If you would like more information on the Alliance’s use of Globus, or require support in using this service, please send an email to globus@tech.alliancecan.ca and provide the following information:


  • Name
  • Compute Canada Role Identifier (CCRI)
  • Institution
  • Inquiry or issue. Be sure to indicate which sites you want to transfer to and from.