Some users need unauthenticated access to data from NCAR storage systems to share that data or to accommodate their workflows. Common use cases include:
Guest collections enable unauthenticated data access by pointing to a specified subset of data stored in a mapped collection like NCAR GLADE. They can be created by anyone with authenticated access to NCAR storage systems. Creating a guest collection is similar to creating a sharing endpoint, which will be familiar to you if you have used the NCAR Data Sharing Service. If you have, you may find that you no longer need that service.
Once a guest collection is created, it can be used in place of a mapped collection as a transfer endpoint in the web interface, Globus CLI, or Globus Python API. Users can also bypass the Globus transfer interface entirely by creating a URL to an individual file contained within a guest collection. The URL will give specified individuals download access to the data from a browser or terminal utility like wget or curl.
While the Globus CLI supports the use of guest collections as transfer endpoints (see this note for more on endpoint vs collection nomenclature), it does not provide commands to create new guest collections or file URLs. Those actions must be done in the web interface.
To create a guest collection using the Globus web interface, log in and navigate to a mapped collection like NCAR GLADE. Then:
Once your collection is created, it will be assigned an ID you can use for both web and CLI transfers. You can modify collection properties by selecting Collections on the left toolbar, then following these steps:
You can also now add read-write permission for yourself to enable unattended workflows via this guest collection (using the Globus CLI or Python API).
Globus allows you to create a sharable URL (web link) to any file in your guest collection or a mapped collection. This means that you can share files from supported file systems without the other user needing to interact at all with Globus itself. The individual can simply use a browser and your URL to download the files.
The web links will be subject to the permissions model of the collection being used. If you create a link using a mapped collection like NCAR GLADE, the recipients will need to be able to authenticate to the collection as well. If you obtain a link using a guest collection that permits the recipient read access, they will be able to open the link regardless of their ability to access the rest of the original mapped collection.
To create a URL:
The features described above make data sharing easy, but they also bypass the traditional data safeguards (two-factor authentication) that users and administrators rely on to protect data. Using guest collections, it is quite possible to grant access to data unintentionally or even allow unknown users to delete your data. To avoid these situations, consider the following recommendations:
It is also wise to avoid changes to guest collection metadata – especially the collection name – once it has been shared with others. The text name is useful in both the web and command-line interfaces for collection discoverability, so changing it and other metadata may break workflows or result in a loss of reproducibility (e.g., when providing data for publication requirements).
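One way to check a guest collection's sharing rules for the two risks described above (unintended access and unknown users able to delete data), as an added example that is not NCAR's or Globus's own code. It assumes rules shaped like Globus Transfer API access rule documents (`principal_type`, `principal`, `path`, `permissions`); `audit_rules`, the sample rules and their IDs are constructed for illustration.

```python
# Added example: offline review of guest collection access rules.
# Assumption: each rule is a dict with the fields of a Globus Transfer API
# access rule (principal_type, principal, path, permissions).

# Principal types that cover people you cannot enumerate in advance.
BROAD_PRINCIPALS = {"anonymous", "all_authenticated_users"}


def audit_rules(rules, trusted_identities=()):
    """Return (severity, rule_id, reason) tuples for rules worth reviewing."""
    trusted = set(trusted_identities)
    findings = []
    for rule in rules:
        ptype = rule["principal_type"]
        path = rule["path"]
        rid = rule.get("id", "<no id>")
        writable = "w" in rule["permissions"]
        if ptype in BROAD_PRINCIPALS and writable:
            # Unknown users could modify or delete data under this path.
            findings.append(("high", rid, f"{ptype} can write or delete under {path}"))
        elif ptype in BROAD_PRINCIPALS and path == "/":
            # Read access is not scoped to a subdirectory of the collection.
            findings.append(("medium", rid, f"{ptype} can read the entire collection"))
        elif writable and not (ptype == "identity" and rule["principal"] in trusted):
            # Write access for anyone other than an explicitly trusted identity.
            findings.append(("medium", rid, f"write access for {ptype} under {path}"))
    return findings


# Constructed sample rules; IDs and principals are placeholders.
SAMPLE_RULES = [
    {"id": "rule-1", "principal_type": "identity",
     "principal": "owner-identity-id", "path": "/", "permissions": "rw"},
    {"id": "rule-2", "principal_type": "anonymous",
     "principal": "", "path": "/published/", "permissions": "r"},
    {"id": "rule-3", "principal_type": "all_authenticated_users",
     "principal": "", "path": "/incoming/", "permissions": "rw"},
    {"id": "rule-4", "principal_type": "anonymous",
     "principal": "", "path": "/", "permissions": "r"},
    {"id": "rule-5", "principal_type": "group",
     "principal": "group-id-placeholder", "path": "/project/", "permissions": "rw"},
]

if __name__ == "__main__":
    for severity, rid, reason in audit_rules(SAMPLE_RULES, ["owner-identity-id"]):
        print(f"[{severity}] {rid}: {reason}")
```

The read-write rule for the collection owner (the unattended-workflow case mentioned earlier) passes only when that identity is listed in `trusted_identities`.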
Users of your guest collections will access data in one of the following two ways, depending on how you have configured your collections.
If you have set up your collection to provide access to individual users or groups, or all Globus users, they will be able to find and open your collection using the Globus website, CLI, or Python API.
If they do not already have a Globus account, they will need to create one to log into the Globus service itself. NCAR/UCAR staff should use their Google login credentials. Universities may have their own guidance about which type of account to use.
Once a user is logged in, no further authentication will be required to see data that you have made accessible in your collection. Alternatively, you can create web URLs to specific files that will allow permitted users to access the files either in the Globus web interface or via direct download, depending on how you have configured the URL.
If you have configured your collection to be accessible to public (anonymous) users, you can create direct-download URLs as described above, but those users will not need to have a Globus account to open them.
This method is the easiest for end users but has some limitations. For example, instead of having a file browser view with metadata, users will simply download the file as if it were hosted on a web server.