Guest Collection Creation Script

The following is a script for a Globus client identity to create a GCSv5 guest collection on an existing mapped collection that it has a valid mapping for. The constants defined do not refer to a real GCSv5 installation, or client identity, so the script cannot be run as is.

This script can be tweaked to use a human user identity instead of a client by changing the authorizer from a ClientCredentialsAuthorizer to an AccessTokenAuthorizer or RefreshTokenAuthorizer using a user token.

The script assumes the mapped collection is on a storage gateway using the POSIX connector. Other connectors may need to have connector specific policy documents passed to create the user credential.

import globus_sdk
from globus_sdk import scopes

# constants
endpoint_hostname = "abc.xyz.data.globus.org"
endpoint_id = "59544bb0-8aa3-4c73-9ce4-06d66887bc89"
mapped_collection_id = "a1c2f515-254a-48a1-a5de-3ea51d783638"
storage_gateway_id = "1b949deb-d608-403c-a226-a533892789c6"

# client credentials
# This client identity must have the needed permissions to create a guest
# collection on the mapped collection, and a valid mapping to a local account
# on the storage gateway that matches the local_username
# If using user tokens, the user must be the one with the correct permissions
# and identity mapping.
client_id = "4de65cd7-4363-4510-b652-f8d15a43a0af"
client_secret = "*redacted*"
local_username = "local-username"

# The scope the client will need, note that primary scope is for the endpoint,
# but it has a dependency on the mapped collection's data_access scope
scope = scopes.GCSEndpointScopeBuilder(endpoint_id).make_mutable("manage_collections")
scope.add_dependency(scopes.GCSCollectionScopeBuilder(mapped_collection_id).data_access)

# Build a GCSClient to act as the client by using a ClientCredentialsAuthorizor
confidential_client = globus_sdk.ConfidentialAppAuthClient(
    client_id=client_id, client_secret=client_secret
)
authorizer = globus_sdk.ClientCredentialsAuthorizer(confidential_client, scopes=scope)
client = globus_sdk.GCSClient(endpoint_hostname, authorizer=authorizer)

# The identity creating the guest collection must have a user credential on
# the mapped collection.
# Note that this call is connector specific. Most connectors will require
# connector specific policies to be passed here, but POSIX does not.
credential_document = globus_sdk.UserCredentialDocument(
    storage_gateway_id=storage_gateway_id,
    identity_id=client_id,
    username=local_username,
)
client.create_user_credential(credential_document)

# Create the collection
collection_document = globus_sdk.GuestCollectionDocument(
    public="True",
    collection_base_path="/",
    display_name="guest_collection",
    mapped_collection_id=mapped_collection_id,
)
response = client.create_collection(collection_document)
guest_collection_id = response["id"]
print(f"guest collection {guest_collection_id} created")