Last Updated: August 9, 2017


The Google Drive connector enables use of Globus services to access and share content from a Google Drive associated with a Google account. The Google Drive connector is available as an add-on subscription to organizations with a Globus Standard subscription - please contact us for pricing.

This document describes how to install the Google Drive connector. After the installation is complete, any authorized user can establish a connection to their personal Google Drive by following the steps in this How To.

The installation must be done by a system administrator, and has the following distinct set of steps:

  • Installation of the packages needed for Globus Connect Server version 5 endpoint and the Google Drive connector

  • Registration of the endpoint with Globus to obtain credentials to securely use the Globus service APIs

  • Registration of the endpoint with Google to obtain credentials for the endpoint to securely use the Google Drive APIs for accessing data

  • Configuration of the endpoint to use the Google Drive connector and credentials from Google

  • Firewall configuration

Please contact us at support@globus.org if you have questions or need help with installation and use of the Google Drive connector.


Table of Contents

Endpoint Installation

The Google Drive connector requires Globus Connect Server version 5, a new major release of the server that has to be installed on a separate system from any other Globus Connect Server installations. This version is currently only for use with the Google Drive Connector, and subsequent releases of Globus Connect Server version 5 will add additional capabilities to the server such that it can be used in place of Globus Connect Server version 4.

Important:Currently you will need a separate system to install Globus Connect Server version 5 and existing Globus Connect Server (version 4) installations cannot be upgraded to this new server at this time. Upgrade tools are planned and will be made available in the future.

Supported Linux distributions

  • RHEL 7

  • CentOS 7

Prerequisites

  • You must have administrator (root) privileges on your system to install Globus Connect Server; sudo can be used to perform the installation.

  • The system will need a publicly resolvable DNS name. This name will be used in multiple places in the configuration.

    Note:On an AWS EC2 instance, the publicly resolvable DNS name must NOT be the AWS public DNS name (e.g., the configuration should use gcs.mydomain.com and not ec2-w-x-y-z.us-west-2.compute.amazonaws.com).
  • Firewall policy and required configuration is described here.

  • The EPEL repository and yum-plugin-priorities must be available on the system.

Steps

RHEL7/CentOS 7

wget https://downloads.globus.org/toolkit/gt6/stable/installers/repo/rpm/globus-toolkit-repo-latest.noarch.rpm
yum install globus-toolkit-repo-latest.noarch.rpm
yum-config-manager --enable "Globus Connect Server 5 Stable"
yum-config-manager --enable "Globus Toolkit 6 Stable"
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm
yum install yum-plugin-priorities
yum install globus-connect-server

Registration of endpoint with Globus

The Globus Connect Server v5 endpoint needs to be registered as a service with Globus. The registration process will result in a unique id (called client ID) and secret that will allow the endpoint to securely use the Globus APIs.

Prerequisites

You will need a Globus account to complete these steps and the registration will be stored under this Globus account. Note that this account is only for registration and the administrator may use an existing Globus account.

Steps

  1. To register the endpoint, go to https://developers.globus.org/

  2. Choose the option "Register a new Globus Connect Server v5"

  3. If you have never used the registration interface before, it will prompt you to create a new project. Projects allow you to organize your registered applications and services, and grant other users rights to manage registrations within a project. You can learn more about Globus projects at https://docs.globus.org/api/auth/developer-guide/#managing-projects. You can grant other users administrative rights on the project to manage all registrations within the project.

  4. Once you have created a project, select "Add…" then "Add new Globus Connect Server" to register your endpoint:

    1. The Display Name you specify here will be the name your users will see and search for to find your endpoint.

    2. A client ID will be generated for your endpoint

    3. Choose the "Generate New Client Secret" option, enter a description to identify how the secret is used, and click "Generate Secret" to obtain a client secret.

  5. Make note of the Display Name, client ID, and client secret before exiting the page.

Important:This registration step creates the client id and secret for the Globus Connect Server install. To ensure that the credentials (the client id and secret) needed to manage the server are available, this registration should not be deleted. If the registration is deleted, the endpoint cannot be updated or deleted.

Configuration

On the system where the Globus Connect Server v5 endpoint was installed, you’ll need to edit the configuration file at /etc/globus-connect-server.conf and do the following:

  1. Under the [Globus] section,

    1. set the ClientId field to client ID obtained at registration

    2. set the ClientSecret to client secret generated at registration.

  2. Under the [Endpoint] section,

    1. set the Name field to the Display Name you specified at registration.

Registration of endpoint with Google

The Globus Connect Server v5 endpoint needs to be registered as an application with Google so that users can authorize the endpoint to access their Google Drive on their behalf. The following steps describe how the endpoint can be registered as a Google OAuth client to obtain a client id and secret from Google.

Prerequisites

  • You will need a Google account to complete these steps, and the registration will be stored under that Google account.

    Note:This account is only for registration of the application and has no bearing on Google accounts that will be allowed to use this endpoint to access data. An administrator may use an existing Google account.
  • You will need the fully qualified name of the system where the endpoint is being set up, and it should resolve to a public DNS.

Steps

  1. To register the endpoint with Google, go to their Developer Console (https://console.developers.google.com/projectselector/iam-admin/iam)

  2. If you have never created a project with Google, you will be prompted to create one. If you create a project, you do not have to change the default permissions for the project when given the option to do so.

  3. After you have created or selected a project, go to the Google API Manager Dashboard (https://console.developers.google.com/apis/dashboard) and choose the "Credentials" option to create credentials for use with the endpoint.

  4. Choose the "Create credentials" button and "OAuth client ID" option.

  5. You will be prompted to configure the consent screen that will be shown to the users when they sign in to your endpoint.

  6. Once you have configured the consent screen, you will be prompted to select an application type. Choose "Web application" and configure it as follows:

    1. Name: set a descriptive name to be able to identify the registration of this endpoint in your projects on the Google API Manager. For example, the endpoint Display Name can be used for this.

    2. Authorization redirect URIs: set to https://YOUR_SERVER_FQDN_HOSTNAME/api/v1/authcallback_google where the "YOUR_SERVER_FQDN_HOSTNAME" is the fully qualified host name of the system where the endpoint is installed.

    3. Select "Create".

  7. Make note of the client ID and secret you get from Google for this application, as you will need them to configure the endpoint.

  8. The next step is to enable this registration to use the Google Drive API. Select the "Library" menu, and search for the "Drive API".

  9. Once you have the "Google Drive API" page, select the "Enable" option to allow the endpoint to access the Google Drive API using these credentials.

  10. Google has a quota on the number of calls that can be made to it’s API. We recommend requesting for an increase in the quota for the Google Drive API to improve performance on data transfers to and from Google Drive.

    1. Under Google Drive API, choose the "Quotas" tab.

    2. Choose to edit the "Queries per 100 seconds per user", and that window provides a link to "apply for higher quota".

    3. Using the form you can request for higher API limits per user using the "Explanation" section of the form. Following is an example to serve as guidance:

      Requested max Queries per Day: Default setting, no change requested
      Requested peak QPS: 500

      Explanation: We are using Globus (globus.org) for Google Drive and use is limited by the API quota. Please increase the queries per 100 seconds per user to 10,000 and max queries per 100 seconds to 50000.

      You can also provide additional context about your institution.

      Once this request is approved, note the queries per 100 seconds per user value to configure in the endpoint.

Configuration

On the system where the Globus Connect Server v5 endpoint was installed, you’ll need to edit the configuration file at /etc/globus-connect-server.conf and do the following:

  1. Under the [Google Drive] section,

    1. set ClientId to the client ID obtained from Google in the previous steps

    2. set ClientSecret to the client secret obtained from Google in the previous steps.

  2. If you were approved for a quota increase on the number of queries per 100 seconds per user, under the [Google Drive] section,

    1. set UserAPIRateQuota to be the number of queries per 100 seconds per user

Important:A set of Google credentials can only be used with a single Globus Connect Server v5 endpoint. If you want to install multiple instances you must create a new Google application for each one.

Configure endpoint to use the Google Drive Connector

This section completes the configuration of the endpoint, including steps to obtain certificates.

  1. Edit /etc/globus-connect-server.conf to set the following parameters:

    1. In the [Google Drive] section, set Domains to be a comma separated list of Google domains from which Google Drive can be made accessible via this endpoint. When set, only users who have an account from one of these Google domains can link their Google Drive to this endpoint and make it accessible. For example, if you would like restrict the use of this endpoint such that only users who have an account from uchicago.edu, the value will be set to "uchicago.edu". We recommend that the identity used to register this application be from the same Google domain that is set here. If the domains you add here are different from the domain that was used to register the application, users will see an "unverified application" error. You will need to follow the steps in https://developers.google.com/apps-script/guides/client-verification to get your application verified.

    2. In the [LetsEncrypt] section,

      1. Set Email to an administrator’s email address. This address will also receive notifications regarding the Let’s Encrypt certs in use on the endpoint.

      2. Set [LetsEncrypt].AgreeToS = True to agree to the LetsEncrypt Terms and Conditions.

    3. In the [Endpoint] section, set ServerName to the publicly resolvable DNS name of the system. Note: On an AWS EC2 instance, the publicly resolvable DNS name must NOT be the AWS public DNS name

  2. Run the following setup command to create the endpoint definition and configure the GCS services locally:

    $ globus-connect-server-setup

    Once this is successful, an endpoint with the Google Drive connector is added to Globus and the UUID of the endpoint is returned.

  3. The endpoint needs to be set as managed for it be usable. Please email support@globus.org with the UUID of your endpoint, so it can be set as managed. The UUID of the endpoint is displayed when the setup script runs successfully.

  4. Once your endpoint has been set as managed, grant the Administrator Role for your new endpoint to one of your identities; you may also grant the role to other Globus users. To grant the Administrator Role run the /opt/globus/bin/add_admin_role script:

    $  /opt/globus/bin/add_admin_role --identity abc@uchicago.edu

    It is recommended that you grant administrator role on the endpoint to other system administrators in your organization to ensure multiple trusted personnel have access to manage the endpoint.

  5. Once the role has been granted, you can log into Globus with the identity, and find the endpoint. (https://www.globus.org/app/endpoints?scope=administered-by-me) You should see the identity as administrator. You can now edit the endpoint definition and fill in other fields in the Overview tab of the endpoint.

The endpoint is now ready for users to login and access content on Google Drive. For more information on how to access a Google Drive with Globus, see this How To.

Note:

When Globus Connect Server version 5 is configured to use Let’s Encrypt certificates a new daily cron job will be set up on your system the first time that the globus-connect-server-setup command is run. This cron job will check your certificates and renew them as needed. You can also force this check at any time by manually running the job using the /etc/cron.daily/gcs-letsencrypt-renew command.

Without this cron job, the Let’s Encrypt certificates being used by your endpoint will expire 90 days after they were created, and your endpoint will stop functioning properly.

Globus Connect Server v5 Firewall Policy Requirements

If your system is behind a firewall, select TCP ports must be open for Globus to work. You may need to coordinate with your network or security administrator to open the ports. The TCP ports that must be open for the default Globus Connect Server version 5 installation, together with brief descriptions of each, are listed here:

  • Port 2811 inbound from 54.237.254.192/29

    • Used for GridFTP control channel traffic.

  • Ports 50000—51000 inbound and outbound to/from Any

    • Used for GridFTP data channel traffic.

    • The use of the default port range is strongly recommended (you can read why here).

    • Data channel traffic is sent directly between endpoints—it is not relayed by the Globus service.

  • Port 443 outbound to Any

    • Used to communicate with the Globus service via its REST API.

    • Used to communicate with Google Drive servers.

    • Used to pull Globus Connect Server install packages from the Globus repository.

  • Port 443 inbound from Any

    • Used by GCS Manager Service.

    • Used to communicate with Google Drive servers.

    • Used to register for certificates with Let’s Encrypt service.

Note:The transfer service IP addresses provided here are subject to change. We strive to keep the IP block stable, but if changes are expected, information will be published on the Globus blog and email will be sent to the Globus admin discuss list.

Updating Globus Connect Server version 5 install

To update your Globus Connect Server v5 endpoint, run the following command:

$ yum update \*globus\*

After updating your packages, be sure to restart the services and ensure that the update takes full effect by running:

$ globus-connect-server-setup

© 2010- The University of Chicago Legal