Endpoint Management
1. Overview
Endpoints are named entities that represent a gridftp or other file transfer
service server. They have a globally unique id, and a not necessarily unique
display name. The API for manipulating endpoint definitions is located under
/endpoint/
.
For operations that can be performed on an endpoint’s filesystem, see File Operations.
For delegating rights for managing various aspects of the endpoint’s administration to other users, see Endpoint Roles.
For getting list of endpoints matching a name or other categories, see Endpoint Search.
1.1. Linked Identities
Authorization is based on the capabilities granted to any of the linked identities associated with the Globus Auth token used to authenticate to the REST API, combined with capabilities granted to any of the groups any of the linked identities belong too. For example, a private endpoint will be visible if any of the linked identities own the endpoint, or if any of the linked identities has an appropriate effective role on the endpoint (see role documentation for details on which roles grant this visibility).
When an endpoint is created, the owner_id
and owner_string
are set based
on the primary identity. Note that owner_string
can be changed; see
the field documentation for details.
1.2. "Managed" Endpoints
Some advanced endpoint features, for example hosting shared endpoints and
using the Advanced Endpoint Management API, require a
Globus subscription. To enable
these features for an endpoint, the endpoint must be set as "managed" by
setting the subscription_id
field on the endpoint to the id for the
subscription. Once this is set, the endpoint is considered "managed".
A shared endpoint is considered "managed" if it’s host endpoint has a
non-null subscription_id
.
2. Document Types
2.1. Endpoint Document
The "endpoint" document type represents a single transfer endpoint, and contains a list of "server" documents in the "DATA" section, representing the GridFTP server or servers used to access the endpoint.
2.1.1. Types of Endpoints
Globus Connect Server endpointsThis category includes manually configured GridFTP servers, and servers
configured using the Globus Connect Server package. These endpoints will
have is_globus_connect
set to "false", host_endpoint_id
equal to "null",
and s3_url
equal to "null". To function, they must have at least one
server
sub-document.
Globus Connect Personal endpoints have is_globus_connect
set to "true",
and the server sub-documents are virtual and can’t be set by the user. The
gcp_connected
field can be used to
determine if the Globus Connect Personal client is currently running and
connected to Globus.
Shared endpoints will have host_endpoint_id
set to a non-null value.
They have no server sub-documents, and must always be public
.
S3 endpoints will have s3_url
set to a non-null value. They have no server
sub-documents.
{ "DATA_TYPE": "endpoint", "id": "096a65b1-3e90-44e6-9cb4-550b2d5401c0", "display_name": "myserver", "organization": "My Org", "username": "auser", "description": "Example gridftp endpoint.", "public": false, "is_globus_connect": false, "globus_connect_setup_key": null, "gcp_connected": null, "gcp_paused": null, "s3_url": null, "s3_owner_activated": false, "host_endpoint_id": null, "host_path": null "disable_verify": false, "force_encryption": false, "myproxy_server": null, "myproxy_dn": null, "oauth_server": null, "default_directory": null, "activated": false, "expires_in": 0, "expire_time": "2000-01-02 03:45:06+00:00", "shareable": true, "acl_available": false, "acl_editable": false, "in_use": false, "DATA": [ { "DATA_TYPE": "server", "hostname": "gridftp.example.org", "uri": "gsiftp://gridftp.example.org:2811", "port": 2811, "scheme": "gsiftp", "id": 985, "subject": "/O=Grid/OU=Example/CN=host/girdftp.example.org" } ], }
2.1.2. Endpoint Fields
Field Name | JSON Type | Description |
---|---|---|
DATA_TYPE |
string |
Always has value "endpoint" to indicate this document type. |
id |
string |
36 character unique identifier string for the endpoint. |
display_name |
string |
Friendly name for the endpoint, not unique.
Unicode string, max 128 characters, no new lines (\r or \n).
If not specified, will default to |
organization |
string |
Organization that runs the server(s) represented by the endpoint. Optional to preserve backward compatibility, but will eventually be required and all clients are encouraged to require users to specify it. Unicode string, max 1024 characters, no new lines. Searchable. |
department |
string |
Department within organization that runs the server(s). Searchable. Optional. Unicode string, max 1024 characters, no new lines. Searchable. |
keywords |
string |
Comma separated list of search keywords for the endpoint. Optional. Unicode string, max 1024 characters. Searchable. |
name |
string |
[DEPRECATED] Legacy friendly name for the endpoint. Limited
to 128 characters, and must match the regex
|
canonical_name |
string |
[DEPRECATED] The username qualified endpoint name, of the
form USERNAME#ENDPOINTNAME. The username portion must match
the current user. Use |
username |
string |
[DEPRECATED] Use |
owner_id |
string |
Identity id of the endpoint owner. Can’t be updated. |
owner_string |
string |
Identity name of an endpoint administrator. This is initially set to the owner, but it can be changed later to any administrator that is set by a user-identity role (and that role may not be deleted). For security, the new administrator must perform the update. This field is included in the fulltext query index used by the Endpoint Search API. |
description |
string |
A description of the endpoint. Unicode string, max length 4096 characters. Included in fulltext search. |
contact_email |
string |
Email address of the support contact for the server(s) represented by the endpoint. Optional. ASCII string, must be a valid email address. |
contact_info |
string |
Other non-email contact information for the endpoint, e.g. phone and mailing address. Optional. Unicode string, can contain new lines, max 4096 characters. |
info_link |
string |
Link to a web page with more information about the endpoint. ASCII string with an http or https URL. Basic checking is done to make sure this is a valid URL, but the administrator is responsible for running a website at this URL and verifying that it’s accepting public connections. |
public |
boolean |
True if the endpoint definition should be visible to other Globus users. |
subscription_id |
string |
If the endpoint is "managed", this will be a UUID string,
otherwise it will be null.
PUT can accept the special string "DEFAULT" to use your default subscription id.
Note that certain features like setting |
default_directory |
string |
Default directory to display when an endpoint is first
accessed on the globus.org web interface. The default
is |
force_encryption |
boolean |
Forces encryption of all network data for transfers to and from the endpoint. If this is set on the endpoint or its host, all transfer to or from the endpoint will have the encryption option automatically turned on regardless of the user’s initial submission options. If this is not set, users can decide whether or not to enable encryption. Default: false. |
disable_verify |
boolean |
This option indicates that the endpoint does not support
computing MD5 checksums, needed for the verify_checksum
option of transfer. When this is set on the endpoint or
its host, new transfer submissions will default to not
use the |
expire_time |
string |
Date and time the endpoint activation expires, or null if not activated. Formatted as ISO 8601 but with space instead of "T" separating the date and time portions. |
expires_in |
int |
Seconds until the endpoint expires, 0 if the endpoint is expired or not activated, or -1 if the endpoint never expires (for endpoints that use globus online credentials). |
activated |
boolean |
"true" if the endpoint is activated, "false" otherwise. |
myproxy_server |
string |
The default MyProxy server to use when activating this endpoint, or "null" if no associated proxy server. |
myproxy_dn |
string |
A non-standard subject DN to use with the default MyProxy server. This is only necessary if the subject DN in the server’s certificate does not match its hostname. Can be "null". |
oauth_server |
string |
hostname of server for getting credentials via oauth. For this to work, the oauth server must be registered with Globus Nexus and have the appropriate paths set up. Contact support@globus.org for more information. |
is_globus_connect |
boolean |
"true" if the endpoint was created for Globus Connect Personal, "false" otherwise. Note that this will be "false" for Globus Connect Server endpoints. |
globus_connect_setup_key |
string |
Key needed to complete Globus Connect Personal installation. "null" when installation/setup is complete. The key can only be used once. Always "null" for non personal endpoints. |
host_endpoint |
string |
[DEPRECATED] Standard endpoint hosting the shared
endpoint; "null" for non-shared endpoints. Use
|
host_endpoint_id |
string |
Id of standard endpoint hosting the shared endpoint; "null" for non-shared endpoints. Note that this will be set on all shared endpoints, regardless of whether the user has permission to get details of the endpoint or whether the endpoint has been deleted. |
host_endpoint_display_name |
string |
If the host endpoint has not been deleted and the user
has authorization for
Get endpoint by id on the host
endpoint, this will be set to the |
host_path |
string |
Root path being shared on the host endpoint, if the endpoint is a shared endpoint and if the user has the "administrator" effective role on the shared endpoint or the "activity_monitor" effective role on the host endpoint. "null" if the host endpoint has been deleted, if the user does not have one of the required effective roles, or if the endpoint is not a shared endpoint. |
s3_url |
string |
[ALPHA] For S3 endpoints, the url to the S3 bucket |
s3_owner_activated |
boolean |
[ALPHA] For S3 endpoints, true if the endpoint is activated by the owner with Amazon credentials, and can be auto-activated by other users. |
acl_available |
boolean |
[ALPHA] "true" for endpoints that support the ACL resources |
acl_editable |
boolean |
[DEPRECATED] True if the user has the "access_manager"
role on the endpoint. This is deprecated, and
|
in_use |
boolean |
"true" if any active tasks owned by the user are using the endpoint |
my_effective_roles |
list of string |
[ALPHA] List of effective roles the current user has on the endpoint. |
gcp_connected |
boolean |
If |
gcp_paused |
boolean |
If |
network_use |
string |
This field may only be changed on managed endpoints. If a
managed endpoint becomes unmanaged, the "normal" level will
be automatically used. On shared endpoints, this field will
be null. Allowed values for
|
location |
string |
"Automatic" or comma separated floats in the form "LATITUDE,LONGITUDE". "null" for shared endpoints. |
min_concurrency |
integer |
Can be |
preferred_concurrency |
integer |
Can be |
min_parallelism |
integer |
Can be |
preferred_parallelism |
integer |
Can be |
local_user_info_available |
boolean |
Indicates whether the endpoint exposes information about the local user on the endpoint to the Globus service. This is set internally, and can’t be updated. For new endpoints it will start out as null. When a task is run against the endpoint, local user information is requested from the GridFTP server, and if found, this flag will be set to true on the endpoint. If it fails, this will be set to false. Note that there are cases where the server may return a value, but because of the local filesystem and DSI, the value is not particularly useful for searching, but this will still be set to true. On shared endpoints, the value is inherited from the host endpoint. For S3 endpoints, this will always be false. |
https_server |
string |
If non-null, indicates that the endpoint has https support at the specified URL.
Must be of the form |
2.2. Server Document
The server document represents a network service that provides access to
a filesystem. The most common type is a GridFTP server, which is
represented by scheme
"gsiftp". This is also the default scheme
.
{ "DATA_TYPE": "server", "id": 985, "scheme": "gsiftp", "hostname": "gridftp.example.org", "port": 2811, "subject": "/O=Grid/OU=Example/CN=host/girdftp.example.org" }
2.2.1. Server Fields
Only hostname
is required on create.
Field Name | JSON Type | Description |
---|---|---|
DATA_TYPE |
string |
Always has value "server" to indicate this document type. |
id |
int |
Unique identifier for a server in an endpoint. |
hostname |
string |
Hostname of the server. |
port |
int |
Port the server is listening on. Default: 2811. |
scheme |
string |
URI scheme (protocol) used by the endpoint. Must be "gsiftp" or "ftp". Default: "gsiftp". |
subject |
string |
subject of the x509 certificate of the server. If not specified, the CN in the subject must match its hostname. |
incoming_data_port_start |
int |
Start (inclusive) of port range allowed for incoming
GridFTP data connections. The purpose of this field is to
indicate to firewall administrators at other sites how to
allow traffic between this endpoint and their own endpoints.
If "null", indicates that the endpoint administrator
has not specified the configuration (the allowed range is
unknown).
A range of 1024-65535 indicates a completely open
configuration. Must be a subset of 1024-65535
(privileged ports below 1024 are not allowed by GridFTP).
Must be set along with |
incoming_data_port_end |
int |
End (inclusive) of port range allowed for incoming data
connections. Must be greater or equal to
|
outgoing_data_port_start |
int |
Like |
outgoing_data_port_end |
int |
Like |
uri |
string |
[DEPRECATED] URI of the server. This is a derived field combining the scheme, hostname, and port, and is not used when creating servers. |
is_connected |
boolean |
[DEPRECATED] Use |
is_paused |
boolean |
[DEPRECATED] Use |
2.3. Shared Endpoint Document
The shared endpoint document is a subtype of the "endpoint" document used to create shared endpoints only. Once created, a shared endpoint is accessed and updated using the standard endpoint resources.
server
documents can’t be added or removed from shared endpoints; the server
used depends entirely on the host endpoint.
host_endpoint
to create a shared endpoint, but
use host_endpoint_id
to look up a shared endpoint or to
distinguish it from other types of endpoints.{ "DATA_TYPE": "shared_endpoint", "display_name": "myshare", "host_endpoint": "2ebc7b58-de6f-46a3-ac36-2f2613aa32ba", "host_path": "/~/", "description": "Share my home directory on Globus Tutorial Endpoint 1", "organization": "my org" }
The "shared_endpoint" document can include other informational fields like
contact_email
and keywords
, and option fields like force_encryption
(see the updatable field list and
full endpoint field list for details). Note that
shared endpoints are always public, and the location
and network_use
related feilds are inhereted from the host and not settable. The identity
provider related fields, myproxy_server
and oauth_server
, can’t
be set on shared endpoints, because they are authenticated using Globus
credentials.
3. Path Arguments
Name | Type | Description |
---|---|---|
endpoint_xid |
string |
The |
4. Common Query Parameters
Name | Type | Description |
---|---|---|
fields |
string |
Comma separated list of fields to include in the response. This can be used to save bandwidth on large list responses when not all fields are needed. |
5. Common Errors
The resources in this document use old error codes conventions, with a dotted code hierarchy.
Code | HTTP Status | Description |
---|---|---|
EndpointNotFound |
404 |
If <endpoint_xid> not found |
PermissionDenied |
403 |
If user does not have privileges to get, modify, or delete the specified endpoint(s). |
EndpointDeleted |
409 |
See Get endpoint by id.
The error document contains a |
ClientError.Conflict |
409 |
If an endpoint with the same name already exists or if a role assignment with the same principal and role already exists. |
ServiceUnavailable |
503 |
If the service is down for maintenance. |
6. Operations
6.1. Get endpoint by id
Get a single endpoint by id. All fields are included by default, including the
server
subdocuments, but the fields
query parameter can be used to fetch
only specific fields. Use "server" in the fields list to include server
subdocuments in a limited field list. For backward compatibility, an endpoint
canonical_name can be specified instead of the endpoint id, but this feature is
deprecated and all clients should migrate to using the id.
Requires that the endpoint is public or that the user has the "administrator" or "activity_monitor" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid> |
---|---|
Method |
GET |
Response Body |
6.2. Create endpoint
Create an endpoint. Which fields are required depends on the type of endpoint.
Note that name
and canonical_name
are deprecated and supported only for
backward compatibility; display_name
should be used instead of, or in
addition to, these fields. If canonical_name
is not set, it will default to
"USERNAME#ENDPOINT_UUID". At least one of them must be specified.
The result will include an id
field containing the globally unique endpoint
id, which should be used to further manipulate the endpoint document, and to
perform transfers and other operations on the endpoint’s filesystem.
At least one of display_name
and canonical_name
is required, but at least
one "server" sub document must be created for it to function.
Requires display_name
or canonical_name
, and is_globus_connect
must be
set to "true".
Once created, the setup key can be obtained from the endpoint document
in field globus_connect_setup_key
.
Shared endpoints are created using a different resource, see [Create shared endpoint].
S3 endpointsThe REST API does not yet support creating S3 endpoints, this must be done using the CLI.
URL |
/endpoint |
---|---|
Method |
POST |
Request Body |
|
Response Body |
Result document, including an |
6.3. Create shared endpoint
Create a shared endpoint.
AuthorizationRequires that the host endpoint is managed. For Globus Connect Personal endpoints, creating a shared endpoint is also allowed if the user has the "administrator" effective role on the host endpoint.
URL |
/shared_endpoint |
---|---|
Method |
POST |
Request Body |
|
Response Body |
Result document, including an |
6.4. Update endpoint by id
Update an endpoint. This can be done using a partial document by specifying
only DATA_TYPE
and the fields to be updated, or doing a GET
on the
endpoint, changing the appropriate fields, and doing a PUT
of the full
document. Using a partial document is preferred.
Requires the "administrator" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid> |
---|---|
Method |
PUT |
Request Body |
Partial endpoint document |
Response Body |
Result document |
Which fields can be updated depends on the type of endpoint:
Type | Updatable fields |
---|---|
All Endpoint Types |
DEPRECATED: |
Globus Connect Server |
|
Globus Connect Personal |
|
Shared endpoint |
|
S3 endpoint |
|
6.5. Delete endpoint by id
Delete an endpoint by id or canonical name (the latter is deprecated). Note
that all data associated with the endpoint, including roles and the ACL, will
be deleted as well. If the hostname of the server has changed, the server
document(s) in the endpoint should be changed rather than deleting and
recreating the endpoint with different servers.
Requires the "administrator" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid> |
---|---|
Method |
DELETE |
Response Body |
Result document |
6.6. Get my effective endpoint pause rules
Get all pause rules on an endpoint that affect the current user, with sensitive administrator only fields removed.
See also: pause_rule_limited document.
URL |
/endpoint/<endpoint_xid>/my_effective_pause_rule_list |
---|---|
Method |
GET |
Response Body |
List of "pause_rule_limited" documents |
6.7. Get endpoint server list
Get a list of all servers belonging to the specified endpoint. Note that this is the same as the server list included under the "DATA" key of the endpoint document.
AuthorizationRequires that the endpoint is public or that the user has the "administrator" or "activity_monitor" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid>/server_list |
---|---|
Method |
GET |
Response Body |
List of server documents |
6.8. Get endpoint server by id
Get a specific server belonging to the specified endpoint.
AuthorizationRequires that the endpoint is public or that the user has the "administrator" or "activity_monitor" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid>/server/<server_id> |
---|---|
Method |
GET |
Response Body |
A "server" document |
6.9. Add endpoint server
Add a server to the specified endpoint. The hostname
field is required,
scheme
and port
default to "gsiftp" and 2811, and subject
defaults
to "null". The derived fields and boolean status fields are ignored, and
should not be included in the request body.
Returns a result document containing the id
of the newly added server.
Requires the "administrator" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid>/server |
---|---|
Method |
POST |
Response Body |
Server document without the id. |
Response Body |
{ "DATA_TYPE": "endpoint_server_add_result", "id": 123, "code": "Created", "message": "Server added to endpoint successfully", "resource": "/endpoint/347a942d-3bf6-4d43-98e0-16e29cfb1d82/server", "request_id": "ABCdef789" } |
6.10. Update endpoint server by id
Update a server belonging to the specified endpoint. Include only the
fields to be updated in the request body - any of hostname
, scheme
,
port
, and subject
can be updated.
Requires the "administrator" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid>/server/<server_id> |
---|---|
Method |
PUT |
Request Body |
Partial server document. |
Response Body |
Result document |
6.11. Delete endpoint server by id
Delete a server belonging to the specified endpoint.
AuthorizationRequires the "administrator" effective role on the endpoint.
URL |
/endpoint/<endpoint_xid>/server/<server_id> |
---|---|
Method |
DELETE |
Response Body |
Result document |
6.12. Get shared endpoint list
Get a list of shared endpoints for which the user has the "administrator" or "access_manager" effective role. hosted by a given GridFTP or Globus Connect Personal endpoint. Returns a "BadRequest" error if called on an endpoint that can’t host shared endpoints.
URL |
/endpoint/<endpoint_xid>/my_shared_endpoint_list |
---|---|
Method |
GET |
Response Body |
An "endpoint_list" document |