Merge pull request #2 from AARNet/eres-541

Eres 541 - All changes for Advanced Globus Workshop

Author: steelecooke

.gitignore

@@ -3,4 +3,6 @@ Gemfile.lock
 _site/
 code/examples/globus_ansible/roles/globus/defaults/main.yml
 code/examples/globus_ansible/inventory/host_vars/globus-test-host.yml
-code/examples/globus_ansible/inventory/all.yml
+code/examples/globus_ansible/inventory/all.yml
+globus-sdk-python/
+temp/

code/examples/globus_ansible/README.md

@@ -11,6 +11,8 @@ Please follow the instructions at the [Globus Automated Endpoint Deployment Guid
 
 Additional information is available at [Globus How To Use Application Credentials or Service Accounts to Automate Data Transfer](https://docs.globus.org/guides/recipes/automate-with-service-account/).
 
+NB: You will need to make sure that your service user is a valid subscription manager if you have a non-empty `globus_subscription_id` value.
+
 ### SSH keys
 You will also need to have a valid SSH public key installed in authorized_hosts on the target machine for the remote Ansible user, and the private key accessible on the Ansible host with this repository.
 

code/examples/globus_ansible/roles/globus/tasks/collection.yml

@@ -46,10 +46,10 @@
   when: globus_endpoint_status.subscription_id != None
   block:
     - name: Permit guest collections (Subscription only)
-      ansible.builtin.command: "{{ globus_gcs_binary }} collection update --allow-guest-collections {{ collection_id }}"
+      ansible.builtin.command: "{{ globus_gcs_binary }} collection update --allow-guest-collections {{ collection_details.id }}"
 
     - name: Get new collection metadata
-      ansible.builtin.command: "{{ globus_gcs_binary }} collection show {{ collection_id }} --format json"
+      ansible.builtin.command: "{{ globus_gcs_binary }} collection show {{ collection_details.id }} --format json"
       changed_when: false
       register: _globus_cmd_output
 

code/examples/globus_ansible/roles/globus/tasks/config.yml

@@ -15,10 +15,21 @@
       ansible.builtin.set_fact:
         globus_endpoint_status: "{{ _globus_cmd_output.stdout | from_json }}"
 
-    - name: Add Globus Endpoint to specified subscription
-      ansible.builtin.command: "{{ globus_gcs_binary }} endpoint set-subscription-id {{ globus_subscription_id }}"
+    - name: Add Globus Endpoint to specified subscription and update endpoint status
       when: globus_endpoint_status.subscription_id == None and globus_subscription_id != ""
-      changed_when: true
+      block:
+        - name: Add Globus Endpoint to specified subscription
+          ansible.builtin.command: "{{ globus_gcs_binary }} endpoint set-subscription-id {{ globus_subscription_id }}"
+          changed_when: true
+
+        - name: Reheck Globus Endpoint status
+          ansible.builtin.command: "{{ globus_gcs_binary }} endpoint show --format=json"
+          changed_when: false
+          register: _globus_cmd_output
+
+        - name: Update globus_endpoint_status fact
+          ansible.builtin.set_fact:
+            globus_endpoint_status: "{{ _globus_cmd_output.stdout | from_json }}"
 
     - name: Check Globus Endpoint roles
       ansible.builtin.command: "{{ globus_gcs_binary }} endpoint role list --format json"

globus-community-australasia/workshops/advanced_globus_workshop/README.md

@@ -0,0 +1,270 @@
+{
+ "cells": [
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "bd810913-f6a1-4c4b-8aa0-7471e01845ea",
+   "metadata": {},
+   "outputs": [],
+   "source": [
+    "\"\"\"\n",
+    "Script to automatically set up RO & RW guest collections on the host(s) specified in GLOBUS_HOSTS. A small directory of test files will be\n",
+    "transferred into the RO guest collection\n",
+    "There is logic to prevent the creation of duplicate guest collections, and the standard test files are copied into the RO guest collection.\n",
+    "The script assumes that each endpoint has exactly one storage gateway and exactly one public mapped collection.\n",
+    "Anyone with write permissions to the public mapped collection can run this script.\n",
+    "\"\"\"\n",
+    "\n",
+    "import globus_sdk\n",
+    "from globus_sdk import TransferClient, TransferAPIError\n",
+    "from globus_sdk.scopes import TransferScopes\n",
+    "from globus_sdk.globus_app import UserApp\n",
+    "from pprint import pprint\n",
+    "\n",
+    "########################################################################################################\n",
+    "# USER TO COMPLETE - Enter UserApp Client UUID - UserApp needs to be created first\n",
+    "NATIVE_CLIENT_ID = \"xxxx\"\n",
+    "\n",
+    "# USER TO COMPLETE - Enter Endpoint hostname shown by \"globus-connect-server endpoint show\" command\n",
+    "# Hostname is found in the \"GCS Manager URL\" value\n",
+    "GLOBUS_HOSTS = [\n",
+    "    \"xxxx.gaccess.io\",\n",
+    "]\n",
+    "\n",
+    "# USER TO COMPLETE - Enter Globus User UUID for write permissions\n",
+    "GLOBUS_USER_UUID = \"xxxx\"\n",
+    "########################################################################################################\n",
+    "\n",
+    "# AARNet Globus Endpoint NSW (ARTM) POSIX Gateway Public RO Guest Collection\n",
+    "# https://app.globus.org/file-manager?origin_id=9e472d3a-ac18-42d0-bac8-3c9220801fbe&two_pane=true\n",
+    "SRC_COLLECTION = \"9e472d3a-ac18-42d0-bac8-3c9220801fbe\"\n",
+    "SRC_PATH = \"/standard_test_files/5MB-in-tiny-files\"\n",
+    "DST_PATH = \"/5MB-in-tiny-files\"\n",
+    "\n",
+    "# # Could also use original files from CERN (slower)\n",
+    "# # https://app.globus.org/file-manager/collections/722751ce-1264-43b8-9160-a9272f746d78\n",
+    "# SRC_COLLECTION = \"722751ce-1264-43b8-9160-a9272f746d78\"\n",
+    "# SRC_PATH = \"/5MB-in-tiny-files\"\n",
+    "# DST_PATH = \"/5MB-in-tiny-files\"\n",
+    "\n",
+    "\n",
+    "def main():\n",
+    "    user_app = UserApp(\"create-guest-collections\", client_id=NATIVE_CLIENT_ID)\n",
+    "    # pprint(user_app.__dict__)\n",
+    "    for globus_host in GLOBUS_HOSTS:\n",
+    "        gcs_client = globus_sdk.GCSClient(globus_host, app=user_app)\n",
+    "        # pprint(gcs_client.__dict__)\n",
+    "        endpoint_id = gcs_client._endpoint_client_id\n",
+    "\n",
+    "        storage_gateways = list(gcs_client.get_storage_gateway_list())\n",
+    "        # pprint(storage_gateways)\n",
+    "\n",
+    "        if len(storage_gateways) != 1:\n",
+    "            print(f\"Unable to determine unique storage gateway for {globus_info['hostname']}\")\n",
+    "            exit(1)\n",
+    "\n",
+    "        storage_gateway_id = storage_gateways[0]['id']\n",
+    "\n",
+    "        collections = list(gcs_client.get_collection_list())\n",
+    "        # pprint(collections)\n",
+    "\n",
+    "        # Find public mapped collection (assumes only one)\n",
+    "        mapped_collections = [collection for collection in collections if collection['collection_type'] == 'mapped' and collection['public']]\n",
+    "        if len(storage_gateways) != 1:\n",
+    "            print(f\"Unable to determine unique public mapped collection for {globus_info['hostname']}\")\n",
+    "            exit(1)\n",
+    "\n",
+    "        mapped_collection = mapped_collections[0]\n",
+    "\n",
+    "        transfer_client = TransferClient(app=user_app).add_app_data_access_scope(mapped_collection['id'])\n",
+    "        # pprint(transfer_client.__dict__)\n",
+    "\n",
+    "        guest_collections = [\n",
+    "            collection for collection in collections\n",
+    "            if collection['collection_type'] == 'guest'\n",
+    "            and collection['public']\n",
+    "            and collection['mapped_collection_id'] == mapped_collection['id']\n",
+    "            ]\n",
+    "\n",
+    "        # pprint(guest_collections)\n",
+    "\n",
+    "        # Remove this line if the mapped collection is high assurance\n",
+    "        attach_data_access_scope(gcs_client, mapped_collection['id'])\n",
+    "\n",
+    "        ensure_user_credential(gcs_client, storage_gateway_id)\n",
+    "\n",
+    "        for collection_type in ['Public RO Guest', 'Public RW Guest']:\n",
+    "            # Create display name and base path - this is a little ugly and should be improved\n",
+    "            display_name = mapped_collection['display_name'].replace('Public Mapped', collection_type)\n",
+    "            collection_base_path = f\"/{collection_type.replace(' ', '_')}_Collection\"\n",
+    "\n",
+    "            try:\n",
+    "                response = transfer_client.operation_mkdir(mapped_collection['id'], collection_base_path)\n",
+    "                # pprint(response)\n",
+    "                print(f'Created directory \"{collection_base_path}\" in collection \"{mapped_collection[\"display_name\"]}\"')\n",
+    "            except TransferAPIError as e:\n",
+    "                # pprint(e.__dict__)\n",
+    "                if e.code == 'ExternalError.MkdirFailed.Exists':\n",
+    "                    print(f'Directory \"{collection_base_path}\" already exists in collection \"{mapped_collection[\"display_name\"]}\"')\n",
+    "                else:\n",
+    "                    raise e\n",
+    "\n",
+    "            collection_request = globus_sdk.GuestCollectionDocument(\n",
+    "                public=True,\n",
+    "                collection_base_path=collection_base_path,\n",
+    "                display_name=display_name,\n",
+    "                mapped_collection_id=mapped_collection['id'],\n",
+    "            )\n",
+    "            # pprint(collection_request)\n",
+    "\n",
+    "            found_collections = [\n",
+    "                collection for collection in collections \n",
+    "                if collection['collection_type'] == 'guest' \n",
+    "                and collection['public']\n",
+    "                and collection['display_name'] == display_name\n",
+    "                ]\n",
+    "\n",
+    "            if found_collections:\n",
+    "                print(f'Public guest collection \"{display_name}\" already exists.')\n",
+    "                if len(found_collections) == 1:\n",
+    "                    collection = found_collections[0]\n",
+    "                else:\n",
+    "                    print(f'Unable to determine unique match for collection \"{display_name}\"')\n",
+    "                    exit(1)\n",
+    "\n",
+    "                # Unable to update collection_base_path (immutable), so we can't change that\n",
+    "                print(f'Updating existing guest collection \"{display_name}\" with collection ID {collection[\"id\"]}')\n",
+    "                gcs_client.update_collection(collection['id'], collection_request)\n",
+    "\n",
+    "            else:\n",
+    "                collection = gcs_client.create_collection(collection_request)\n",
+    "                print(f'Created new guest collection \"{display_name}\" with collection ID {collection[\"id\"]}')\n",
+    "\n",
+    "            # Add read permissions for all authenticated users on all collections\n",
+    "            rule_data = {\n",
+    "                'DATA_TYPE': 'access',\n",
+    "                'path': '/',\n",
+    "                'permissions': 'r',\n",
+    "                'principal': '',\n",
+    "                'principal_type': 'all_authenticated_users',\n",
+    "            }\n",
+    "            try:\n",
+    "                result = transfer_client.add_endpoint_acl_rule(collection[\"id\"], rule_data)\n",
+    "                # pprint(result)\n",
+    "                print('Added \"r\" permissions for \"all_authenticated_users\"')\n",
+    "            except TransferAPIError as e:\n",
+    "                # pprint(e.__dict__)\n",
+    "                if e.code == 'Exists':\n",
+    "                    print('Permissions already exist for \"all authenticated users\"')\n",
+    "                else:\n",
+    "                    raise e\n",
+    "\n",
+    "            # Add read/write permissions for specified user on RW collection\n",
+    "            # Note that this is actually superfluous if the UUID is for the same user who owns the collection\n",
+    "            if ' RW ' in collection_type:\n",
+    "                rule_data = {\n",
+    "                    'DATA_TYPE': 'access',\n",
+    "                    'path': '/',\n",
+    "                    'permissions': 'rw',\n",
+    "                    'principal': GLOBUS_USER_UUID,\n",
+    "                    'principal_type': 'identity',\n",
+    "                }\n",
+    "                try:\n",
+    "                    result = transfer_client.add_endpoint_acl_rule(collection[\"id\"], rule_data)\n",
+    "                    # pprint(result)\n",
+    "                    print(f'Added \"rw\" permissions for user \"{GLOBUS_USER_UUID}\"')\n",
+    "                except TransferAPIError as e:\n",
+    "                    # pprint(e.__dict__)\n",
+    "                    if e.code == 'Exists':\n",
+    "                        print(f'Permissions already exist for user \"{GLOBUS_USER_UUID}\"')\n",
+    "                    else:\n",
+    "                        raise e\n",
+    "\n",
+    "            # Transfer standard test files into RO collection\n",
+    "            elif ' RO ' in collection_type:\n",
+    "                try:\n",
+    "                    response = transfer_client.operation_mkdir(collection[\"id\"], DST_PATH) # Error if directory already exists\n",
+    "                    # pprint(response)\n",
+    "                    print(f'Created directory \"{DST_PATH}\" in collection \"{collection[\"display_name\"]}\"')\n",
+    "\n",
+    "                    transfer_request = globus_sdk.TransferData(\n",
+    "                        source_endpoint=SRC_COLLECTION,\n",
+    "                        destination_endpoint=collection[\"id\"],\n",
+    "                    )\n",
+    "                    transfer_request.add_item(SRC_PATH, DST_PATH)\n",
+    "\n",
+    "                    task = transfer_client.submit_transfer(transfer_request)\n",
+    "                    print(f\"Submitted transfer of standard test files to {DST_PATH}. Task ID: {task['task_id']}.\")\n",
+    "                except TransferAPIError as e:\n",
+    "                    # pprint(e.__dict__)\n",
+    "                    if e.code == 'ExternalError.MkdirFailed.Exists':\n",
+    "                        print(f'Directory \"{DST_PATH}\" already exists in collection \"{collection[\"display_name\"]}\"')\n",
+    "                    else:\n",
+    "                        raise e\n",
+    "\n",
+    "\n",
+    "def attach_data_access_scope(gcs_client, collection_id):\n",
+    "    \"\"\"Compose and attach a ``data_access`` scope for the supplied collection\"\"\"\n",
+    "    endpoint_scopes = gcs_client.get_gcs_endpoint_scopes(gcs_client.endpoint_client_id)\n",
+    "    collection_scopes = gcs_client.get_gcs_collection_scopes(collection_id)\n",
+    "\n",
+    "    manage_collections = globus_sdk.Scope(endpoint_scopes.manage_collections)\n",
+    "    data_access = globus_sdk.Scope(collection_scopes.data_access, optional=True)\n",
+    "\n",
+    "    manage_collections.add_dependency(data_access)\n",
+    "\n",
+    "    gcs_client.add_app_scope(manage_collections)\n",
+    "\n",
+    "\n",
+    "def ensure_user_credential(gcs_client, storage_gateway_id):\n",
+    "    \"\"\"\n",
+    "    Ensure that the user has a user credential on the client.\n",
+    "    This is the mapping between Globus Auth (OAuth2) and the local system's permissions.\n",
+    "    \"\"\"\n",
+    "    # Depending on the endpoint & storage gateway, this request document may need to\n",
+    "    # include more complex information such as a local username.\n",
+    "    # Consult with the endpoint owner for more detailed info on user mappings and\n",
+    "    # other particular requirements.\n",
+    "    req = globus_sdk.UserCredentialDocument(storage_gateway_id=storage_gateway_id)\n",
+    "    try:\n",
+    "        gcs_client.create_user_credential(req)\n",
+    "    except globus_sdk.GCSAPIError as err:\n",
+    "        # A user credential already exists, no need to create it.\n",
+    "        if err.http_status != 409:\n",
+    "            raise\n",
+    "\n",
+    "if __name__ == '__main__':\n",
+    "    main()"
+   ]
+  },
+  {
+   "cell_type": "code",
+   "execution_count": null,
+   "id": "27199d94-d278-4dd0-a8e2-deb88d5013c4",
+   "metadata": {},
+   "outputs": [],
+   "source": []
+  }
+ ],
+ "metadata": {
+  "kernelspec": {
+   "display_name": "Python 3 (ipykernel)",
+   "language": "python",
+   "name": "python3"
+  },
+  "language_info": {
+   "codemirror_mode": {
+    "name": "ipython",
+    "version": 3
+   },
+   "file_extension": ".py",
+   "mimetype": "text/x-python",
+   "name": "python",
+   "nbconvert_exporter": "python",
+   "pygments_lexer": "ipython3",
+   "version": "3.11.11"
+  }
+ },
+ "nbformat": 4,
+ "nbformat_minor": 5
+}