This document discusses how to leverage the Globus platform in web applications. It describes the Globus platform as providing secure and reliable data orchestration and transfer capabilities. It outlines several key Globus services like Auth, Transfer, and Helper Pages and provides examples of how they can be used to build applications. It also summarizes the Globus APIs and provides code examples of accessing endpoints, submitting tasks, and more.

1. Leveraging the Globus Platform in
your Web Applications
Vas Vasiliadis
vas@uchicago.edu
CHPC National Conference
December 5, 2019

2. Globus serves as…
A platform for building science
gateways, web portals and
other applications in support of
research and education
2

3. Research Data Apps: Canonical Example
docs.globus.org/mrdp

4. MRDP: Key elements
Science DMZ
Fast, clean data path
fasterdata.es.net/
science-dmz
Data Transfer Node
Purpose-built data mover
fasterdata.es.net/
science-dmz/DTN
Globus Platform
Secure, reliable data
orchestration
Globus Connect
Storage system enabler

5. Legacy Architecture
10GE
Border Router
WAN
Firewall
Enterprise
perfSONAR
perfSONAR
Filesystem
(data store)
10GE
Portal
Server
Browsing path
Query path
Data path
Portal server applications:
· web server
· search
· database
· authentication
· data service

6. Current best practice
10GE10GE
10GE
10GE
Border Router
WAN
Science DMZ
Switch/Router
Firewall
Enterprise
perfSONAR
perfSONAR
10GE
10GE
10GE
10GE
DTN
DTN
API DTNs
(data access governed
by portal)
DTN
DTN
perfSONAR
Filesystem
(data store)
10GE
Portal
Server
Browsing path
Query path
Portal server applications:
· web server
· search
· database
· authentication
Data Path
Data Transfer Path
Portal Query/Browse Path

7. Science DMZ
Fast, clean data path
fasterdata.es.net/
science-dmz
Data Transfer Node
Purpose-built data mover
fasterdata.es.net/
science-dmz/DTN
Globus Connect
Storage system enabler
✓
✓✓
Globus Platform-as-a-Service
Globus Platform
Secure, reliable data
orchestration
Globus Auth
(identity and access management)
…
GlobusAPIs
(Transfer,Search,Groups,…)
Data Automation
File Sharing
File Transfer, Sync

8. Example web apps that leverage Globus
8

9. Globus Platform
Auth API

10. Globus Auth addresses security challenges
• Makes it easy for developers to provide login for
their apps (web, mobile, desktop, command line)
• …and protect all REST API communications
o App à Globus service (MRDP, Jupyter Notebook)
o App à non-Globus service (graph service in MRDP)
o Service à Service
• …while
– Not introducing yet another identity
– Providing a platform to consolidate existing identities
– Providing a least privileges security model (via consents)
– Being web friendly and language/framework agnostic
10

11. Based on widely used web standards
• OAuth 2.0 Authorization Framework (a.k.a. OAuth2)
• OpenID Connect Core 1.0 (a.k.a. OIDC)
• Access via OAuth2 and OIDC libraries of your choice
– Google OAuth Client Libraries, Apache mod_auth_openidc, etc.
– Globus Python SDK
11
docs.globus.org/api/auth

12. Globus Platform
Transfer API

13. Globus Transfer API
• Globus Web App consumes public Transfer API
• REST API: Resources/actions named by URL
– Query params allow refinement (e.g. filter=<filter_string>)
• Globus APIs use JSON for documents and resource
representations
• Requests authorized via Globus Auth issued access
token (Authorization: Bearer aedf1d258ffcdafea4d)
docs.globus.org/api/transfer
13

14. Globus Python SDK
• Python client library for the Globus Auth and Transfer
REST APIs
• globus_sdk.TransferClient class handles
connection management, security, framing,
marshaling
from globus_sdk import TransferClient
tc = TransferClient()
globus.github.io/globus-sdk-python
14

15. TransferClient low-level calls
• Thin wrapper around REST API
– post(), get(), update(), delete()
get(path, params=None, headers=None, auth=None,
response_class=None)
o path – path for the request, with or without leading slash
o params – dict to be encoded as a query string
o headers – dict of HTTP headers to add to the request
o response_class – class response object, overrides the client’s
default_response_class
o Returns: GlobusHTTPResponse object
15

16. TransferClient higher-level calls
• One method for each API resource and HTTP verb
• Largely direct mapping to REST API
endpoint_search(filter_fulltext=None,
filter_scope=None,
num_results=25,
**params)
16

17. Globus Helper Pages
• Globus pages designed for use by your web apps
– Browse Endpoint
– Activate Endpoint
– Select Group
– Manage Identities
– Manage Consents
– Logout
docs.globus.org/api/helper-pages
17

18. API walkthrough using Jupyter Notebook
• Use the Globus JupyterHub: jupyter.demo.globus.org
– Sign in with Globus and verify the consents
– Click “Start My Server” (this will take about a minute)
– Navigate to: globus-jupyter-notebooks
– Open Platform_Introduction_Native_App_Auth.ipynb
• If you misstep and want to start over…
– Close your notebook and navigate back to the root folder
– Open and run the NotebookPuller.ipynb notebook
• Access Globus notebooks outside of our JupyterHub:
github.com/globus/globus-jupyter-notebooks
18

19. Authorization Code Grant
19
Client
(Web Portal,
Application,
Jupyter notebook)
Globus Transfer
(Resource Server)
Globus Auth
(Authorization
Server)
5. Authenticate using client id
and secret, send authorization
code
Browser (User)
1. Access
portal
2.
Redirects
user
3. User authenticates and
consents
4. Authorization
code
6. Access token(s)
7. Authenticate with access
token(s) to give the client
the authority invoke the
transfer service
Identity
Provider

20. Endpoint Search
• Plain text search for endpoint
– Searches owner, display name, keywords, description,
organization, department
– Full word and prefix match
• Limit search to pre-defined scopes
– all, my-endpoints, recently-used, in-use, shared-
by-me, shared-with-me
• Returns: List of endpoint documents
20

21. Endpoint Management
• Get endpoint (by id)
• Update endpoint
• Create & delete (shared) endpoints
• Manage endpoint servers
21

22. Endpoint Activation
• Activating endpoint means binding a credential to an
endpoint for login
• Server endpoints that have MyProxy or MyProxy
OAuth identity provider require login via web
• Auto-activate
– Globus Connect Personal and Shared endpoints use Globus-
provided credential
– Must auto-activate before any API calls to endpoints
22

23. File operations
• List directory contents (ls)
• Make directory (mkdir)
• Rename
• Note:
– Path encoding & UTF gotchas
– Don’t forget to auto-activate first
23

24. Task submission
• Asynchronous operations
– Transfer
o Sync level option
– Delete
• Get submission_id, followed by submit
– Once and only once submission
24

25. Task management
• Get task by id
• Get task_list
• Update task by id (label, deadline)
• Cancel task by id
• Get event list for task
• Get task pause info
25

26. Shared endpoints and access rules (ACL)
• Shared Endpoint – create / delete / get info / get list
• Administrator role required to delegate access managers
• Access manager role required to manage
permissions/ACL
• Operations:
– Get list of access rules
– Get access rule by id
– Create access rule
– Update access rule
– Delete access rule
26

27. Management API
• Allow endpoint administrators to monitor and manage
all tasks with endpoint
– Task API is essentially the same as for users
– Information limited to what they could see locally
• Cancel tasks
• Pause rules
27

28. Globus PaaS developer resources
Python SDK
Sample
Application
docs.globus.org/api github.com/globus
Jupyter Notebook

29. Support resources
• Globus documentation: docs.globus.org
• Sample code: github.com/globus
• Helpdesk and issue escalation: support@globus.org
• Customer engagement team
• Globus professional services team
– Assist with portal/gateway/app architecture and design
– Develop custom applications that leverage the Globus platform
– Advise on customized deployment and integration scenarios

30. Join the Globus community
• Access the service: globus.org/login
• Create a personal endpoint: globus.org/app/endpoints/create-gcp
• Documentation: docs.globus.org
• Engage: globus.org/mailing-lists
• Subscribe: globus.org/subscriptions
• Need help? support@globus.org
• Follow us: @globusonline