;----------------------------------------------------------------------------;
; Globus User Configuration
;----------------------------------------------------------------------------;
; These settings configure how to contact Globus when
; creating or modifying an endpoint.
[Globus]
; Globus user name. If not set, or left at its default, then the
; value of the GLOBUS_USER environment variable is used, falling back to
; prompting if it is not present.
User = %(GLOBUS_USER)s
; Globus login password. If not set, or left at its default, then the
; value of the GLOBUS_PASSWORD environment variable is used, falling back
; to prompting if it is not present.
; SECURITY: replacing the default below with a literal password stores the
; credential in plain text in this file. Prefer the prompt or the
; environment variable. If a literal value must be written here, keep this
; file readable only by the account that runs the setup tools, and keep it
; out of version control and backups that other users can read.
Password = %(GLOBUS_PASSWORD)s
;----------------------------------------------------------------------------;
; Globus Endpoint Configuration ;
;----------------------------------------------------------------------------;
; Set these if you want to add or modify the core attributes of the endpoint.
[Endpoint]
; Name of the endpoint. Can be either user#name or name, but if the former,
; the user must match [Globus] User above.
; The special value %(SHORT_HOSTNAME)s will substitute the non-qualified
; portion of an EC2 instance's public hostname, falling back to the
; non-qualified hostname portion of the machine's nodename.
Name = %(SHORT_HOSTNAME)s
; True or False, determining if the endpoint will be public or private.
; If not specified, this will default to False (non-public).
; NOTE(review): presumably a public endpoint is visible to other Globus
; users -- confirm before changing this to True.
Public = False
; Default directory when users log in to this endpoint (optional).
; If not specified, this will default to /~/.
DefaultDirectory = /~/
;----------------------------------------------------------------------------;
; Security Configuration ;
;----------------------------------------------------------------------------;
; These are the default service security settings, for services which will be
; accessed from Globus (GridFTP and MyProxy).
; There can be an override in the GridFTP or MyProxy sections below.
[Security]
; If this is true, then use relay.globusonline.org to generate
; a random service credential so that Globus can access this service.
; Otherwise, Globus Connect Server will assume the Certificate and Key have
; been generated by some other method.
; Note that FetchCredentialFromRelay will only work if the key and certificate
; NOTE(review): the sentence above is incomplete as written; the remaining
; condition should be restored from the product documentation.
FetchCredentialFromRelay = True
; Path to the certificate.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this CertificateFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostcert.pem
;; CertificateFile =
;
; Path to the private key.
; If FetchCredentialFromRelay is True, and the fetch conditions are met,
; this KeyFile value will be overwritten.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/hostkey.pem
; SECURITY: this file is the service's private key. If you point KeyFile at a
; key generated by some other method, keep it readable only by the account
; the service runs as (NOTE(review): confirm the exact ownership and mode the
; server expects).
;; KeyFile =
; Path to the trusted certificate directory. The
; Globus Relay CA will be installed there, as well as the MyProxy
; trust roots and CA if the MyProxy server is running elsewhere.
; If not specified, this will default to
; /var/lib/globus-connect-server/grid-security/certificates/
; SECURITY: certificates placed in this directory are used as trust roots, so
; the directory should be writable only by administrators.
;; TrustedCertificateDirectory =
; Type of identity provider for the Globus service to use. This may
; be one of the following values:
;   MyProxy
;     Use the MyProxy server defined in the [MyProxy] section of this
;     configuration file
;   OAuth
;     Use the OAuth server defined in the [OAuth] section of this
;     configuration file
;   CILogon
;     Use the CILogon OAuth server
IdentityMethod = MyProxy
; Authorization method for mapping the grid credential to a local username.
; By default, this is inferred from the IdentityMethod above: if using MyProxy,
; the MyProxyGridmapCallout is used; if using CILogon, the CILogon method
; is used. If CILogon provides certificates that don't match local policy,
; you might need to use Gridmap to explicitly map the credentials to local
; accounts.
; The possible values of the option are MyProxyGridmapCallout, CILogon, or
; Gridmap
;; AuthorizationMethod =
; Path to a grid-mapfile to use with the Gridmap authorization method. The
; default is shown below.
; SECURITY: with the Gridmap method this file decides which local account a
; credential is mapped to, so it should be writable only by administrators.
;; Gridmap = /etc/grid-security/grid-mapfile
; The name of the identity provider (see https://cilogon.org/ for a list
; of valid names)
;; CILogonIdentityProvider = University of Chicago
;----------------------------------------------------------------------------;
; GridFTP Configuration ;
;----------------------------------------------------------------------------;
; This section configures a GridFTP server. It can be processed on the
; GridFTP server host to generate a GridFTP configuration file, and on
; that or any other host to add a GridFTP server to an endpoint
[GridFTP]
; The host name (and optional port) to contact this GridFTP Server, in the form
; host[:port]. If not set, no gridftp server will be configured. The default
; pulls the server name from EC2 metadata if present, falling back to the
; local hostname, and uses the default port 2811.
Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a GridFTP server on this machine, even if the Server doesn't
; match the current hostname. Also, if ServerBehindNAT is set to True, the
; DataInterface will be set to the Server string automatically.
; If False, globus-connect-server-setup will only configure the gridftp
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; Port range to use for incoming connections. The format is
; "startport,endport". If not set, this will default to 50000,51000
; SECURITY: the host firewall has to admit inbound connections to this range
; (in addition to the control port in Server above). Open only the configured
; range rather than all high ports, and keep the range no wider than the
; expected number of concurrent transfers needs.
;; IncomingPortRange = 50000,51000
; Port range to use for outgoing connections. The format is
; "startport,endport". Only use this if your firewall restricts outgoing
; ports and gridftp won't work otherwise. The default is not to restrict
; outgoing TCP ports
;; OutgoingPortRange = 50000,51000
; Hostname or IP address of the interface to use for data connections. If not
; set in this file, then the default behavior is:
; - When run on an EC2 instance, the data interface will be automatically
;   configured to use the public IPv4 address of the instance.
; - When run on a non-EC2 instance, if ServerBehindNAT is True, then
;   the hostname of the Server string is used. If this resolves to a private
;   IP address, a warning will be issued.
; - Otherwise, this will not be set, and the gridftp server will tell clients
;   to connect to the IP address that the control connection was established
;   on.
;; DataInterface =
; Restricted path configuration.
; A comma separated list of full paths that clients may access. Each path may
; be prefixed by R and/or W, denoting read or write access, or N to explicitly
; deny access to a path. If a given path is a directory, all contents and
; subdirectories will be given the same access. Order of paths does not matter
; -- the permissions on the longest matching path will apply. The special
; character '~' will be replaced by the authenticated user's home directory,
; and * may be used for simple wildcard matching.
; By default all paths are allowed, and access control is handled by the OS.
; Examples:
; Allow read access to /data and full access to the user's home directory:
; RestrictPaths = RW~,R/data
; Allow full access to the home directory, but deny hidden files there:
; RestrictPaths = RW~,N~/.*
; SECURITY: the empty value below keeps the default, so every path the mapped
; local account can reach through OS permissions is exposed for transfer.
; Consider limiting access to the directories that are meant to be served and
; denying hidden files in home directories (second example above), since
; dotfiles often hold keys and other credentials.
RestrictPaths =
;
; Require an encrypted data connection for all transfers. Transfers attempted
; without encryption will result in error.
; SECURITY: NOTE(review): the commented-out value below suggests encryption of
; the data connection is not required by default -- confirm, and set this to
; True where transferred data must stay confidential on the network.
;; RequireEncryption = False
;
; Enable sharing with Globus for this server.
; If not specified, this will default to False.
;
; NOTE: In order to use sharing, the endpoint will need to be a
; managed endpoint associated with a Globus subscription uuid. Additional
; configuration must be done using the endpoint-manage globus cli command.
;; Sharing = True
; ------------------------
; ADVANCED SHARING OPTIONS
; ------------------------
; Using the same syntax as RestrictPaths above, this defines additional
; restrictions on which paths sharing clients may access.
;; SharingRestrictPaths =
; Path of a directory where GridFTP will store files used to control
; sharing access to individual accounts. The variables $USER and $HOME
; should be used in order to define a unique path per user.
; If not specified, this will default to "$HOME/.globus/sharing".
;
; For instance, with SharingStateDir = "/var/globusonline/sharing/$USER",
; user "bob" would be enabled for sharing only if a path exists with the
; name "/var/globusonline/sharing/bob/" and is writable by bob.
;
;;SharingStateDir =
; Allow or Deny sharing for specific users or groups.
; Each option takes a comma separated list of user or group names.
; Users named in SharingUsersDeny and members of groups named in
; SharingGroupsDeny will be denied sharing features.
; If SharingUsersAllow or SharingGroupsAllow is set, only those users
; or group members may share, and all other users will be denied.
; Any user for which sharing is denied will not be allowed to create shares,
; and existing shares owned by that user will not be accessible.
; By default these options are not set, and all users are allowed to share.
;; SharingUsersAllow =
;; SharingGroupsAllow =
;;
;; SharingUsersDeny =
;; SharingGroupsDeny =
;-----------------------------------------------------------------------------
; MyProxy Configuration ;
;-----------------------------------------------------------------------------
; This section configures a MyProxy server. It can be processed on the
; MyProxy server host to generate myproxy-server configuration files and
; a MyProxy CA, or can be used on a GridFTP server host to determine how
; to fetch trust roots, or to associate the MyProxy server with a
; Globus endpoint
[MyProxy]
; The contact URI of the MyProxy server. The format is host[:port], with
; a default port of 7512 if not present.
; If not set, then no myproxy server will be configured. The special value
; %(HOSTNAME)s will substitute an EC2 instance's public hostname, falling back
; to the machine's nodename
Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure a MyProxy server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the MyProxy
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; Directory in which to place the MyProxy CA files,
; including the cacert and key, and the set of signed certificates.
; If not present, the default is /var/lib/globus-connect-server/myproxy-ca
; SECURITY: this directory holds the CA's private key. Anyone who can read
; that key can issue certificates the CA's relying parties will accept, so
; keep the directory accessible only to the account that runs the MyProxy
; service and exclude it from backups that other users can read.
;
;; CADirectory = /var/lib/globus-connect-server/myproxy-ca
; Path to store the myproxy service configuration file.
; If not specified, the default is
; /var/lib/globus-connect-server/myproxy-server.conf
;
;; ConfigFile = /var/lib/globus-connect-server/myproxy-server.conf
; This section configures a MyProxy OAuth server. Every key in it is
; commented out below, so no OAuth server is configured unless Server is set.
[OAuth]
; The public host name of the MyProxy OAuth server.
; If not set, then no MyProxy OAuth server will be configured. The special value
; %(HOSTNAME)s will substitute an EC2 instance's public hostname, falling back
; to the machine's nodename
;; Server = %(HOSTNAME)s
; If this is set to True, then assume the Server name is the current machine
; and configure an OAuth server on this machine, even if the Server doesn't
; match the current hostname.
; If False, globus-connect-server-setup will only configure the OAuth
; server if the Server above matches the local machine's hostname. The default
; is False.
;;ServerBehindNAT = True
; A cascading style sheet (CSS) file to use with OAuth server web pages. The
; stylesheet will be used to style the MyProxy OAuth web interface. If not set,
; then the default Globus-look web style will be used.
;; Stylesheet =
;
; An image file to use as the logo of the MyProxy OAuth server. If not set,
; the Globus logo image is used.
;; Logo =
; vim: filetype=dosini : nospell :