Restrict Guest Collection creation on Mapped Collections
Applies to all UAB RC Mapped Collections!
Problem
On all of our Mapped Collections (except UAB Box), when a user has access to data (directory, bucket) on the underlying storage system, they are also able to create a Guest Collection containing that data. As a result, users who are not authorized to share data are able to share that data.
Solution
Close the gap by restricting who can create Guest Collections. There are different approaches, some of which only work on Posix Mapped Collections. Changes need to be applied at the Mapped Collection level, so every Mapped Collection must be adjusted.
All of the approaches use the globus-connect-server update command.
- --no-allow-guest-collections: This option is "nuclear". It will prevent any Globus users from creating Guest Collections from the Mapped Collection, and will immediately disable all existing Guest Collections from the Mapped Collection, terminating any running transfers. This is likely overly restrictive for the purpose of Globus as it isolates groups and prevents collaboration. Not recommended.
- --sharing-user-allow USERNAME: This option is inflexible and scales poorly because it requires re-running the command each time we need to allow a user. Not recommended.
- --sharing-user-allow file:PATH: This option is more flexible and scales better than the USERNAME variant. We would create and manage a plaintext file in a restricted access directory (such as /data/project/rc/). The local usernames of allowed users are stored in the file, one per line. Facilitation team members can manage allowed users by modifying the file.
- --posix-sharing-group-allow GROUPNAME: As the parameter name implies, this is POSIX ONLY. People allowed to create Guest Collections would be added to the group using existing group management tools, enabling the facilitation team to manage allowed users by adding to the group.
  This parameter also accepts a file:PATH argument, which functions identically to the --sharing-user-allow file:PATH option, but with POSIX group names instead of local usernames.
Proposal
Posix Mapped Collections may be managed using any of the following. Other Mapped Collections may only use (1) through (3).
1. --no-allow-guest-collections
2. --sharing-user-allow USERNAME
3. --sharing-user-allow file:PATH
4. --posix-sharing-group-allow GROUPNAME
5. --posix-sharing-group-allow file:PATH
Options (1) and (2) are not recommended. Option (1) is overly restrictive and prevents collaboration using Globus. Option (2) may require frequently running commands on data transfer nodes, which scales poorly, has highly variable fulfillment time, and has increased risk of misconfiguration due to erroneous command execution.
Options (4) and (5) can be used only for Posix Mapped Collections. Having different management tooling for different kinds of Collections adds unnecessary complexity.
Option (3) provides a uniform management interface across all kinds of Mapped Collections.
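A pre-flight check for the allow-list file that option (3) depends on, as an added example that is not part of the original issue or of Globus tooling. The function name check_allowlist and the username pattern in USER_RE are assumptions; group write is deliberately permitted so the facilitation team can maintain the file.

```shell
#!/bin/sh
# Added example (not from the original issue): lint the allow-list file
# before handing it to --sharing-user-allow file:PATH.
# Assumption: local usernames follow the common Linux pattern in USER_RE;
# adjust it to site naming rules.
USER_RE='^[a-z_][a-z0-9_-]{0,31}$'

# check_allowlist FILE: print one line per problem; return 1 if any found.
check_allowlist() {
    file=$1
    bad=0

    # Whoever can write this file can grant sharing rights, so reject
    # symlinks and world-writable files. Group write is left alone so a
    # team group can maintain the list.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 1
    fi
    if [ -n "$(find "$file" -prune -perm -002)" ]; then
        echo "$file: world-writable"
        bad=1
    fi

    # The format the issue describes is one local username per line, so
    # blank lines, whitespace, comments and CRLF endings are all flagged.
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if ! printf '%s\n' "$line" | LC_ALL=C grep -Eq "$USER_RE"; then
            echo "$file:$n: not a plain username: '$line'"
            bad=1
        fi
    done < "$file"

    # Duplicates do not widen access but tend to hide stale entries.
    dups=$(sort "$file" | uniq -d)
    if [ -n "$dups" ]; then
        echo "$file: duplicate entries: $(printf '%s' "$dups" | tr '\n' ' ')"
        bad=1
    fi

    return "$bad"
}
```

It checks only the file's form and permissions; whether each name is a real local account is a separate check.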
Affected Collections
- UAB RCS Cheaha HPC: f9c2a37d-ead7-422d-b156-a646a5d39be1
- UAB RCS Rstore Legacy: af392e51-ddba-4dca-9606-f4b4add08f94
- Cheaha cluster off-campus (UAB Science DMZ): 7167cb38-9f78-11e6-b0dd-22000b92c261
- Cheaha cluster on-campus (UAB Science DMZ): 9c8c88c2-ea4a-11e6-b9ba-22000b9a448b
- UAB Research Computing LTS (Long Term Storage aka S3): 184408b4-d04b-4513-9912-8feeb6adcab3
UAB Box is unaffected because Guest Collections are disabled on the Mapped Collection. (Why? Presumably for data security reasons aligned with what this GitLab issue is about.)
Other Mapped Collections
Proposal
- Create a globus-allow-guest-collection posix group.
- Run the following command:
  globus-connect-server collection update --posix-sharing-group-allow globus-allow-guest-collection <UUID>
We can go through and review who owns which guest collections and add them as part of implementing this proposal.
Benefits
- Automatically denies guest collection creation for all users unless they are added to the posix group globus-allow-guest-collection
- Enables facilitation team to manage guest collection creation requests using existing group management controls
- Enables GPFS shared allocation owners to correctly grant authority to delegates for creating GCs in their shared allocations
Other Thoughts
Reviewing Guest Collection creation access controls should become part of Globus Mapped Collection creation and management processes.