Skip data_access scopes on HA Globus Collections and add CLI option for session required domains

[gpauloski]

Description

This fixes an issue collaborators had using ProxyStore's GlobusConnector at OLCF which uses high assurance collections which do not have data_access scopes. This would produce an "Unknown scopes" error when following the link to perform the Globus auth token exchange.

The get_transfer_client() method now checks the type of the collection before adding data_access scopes and the CLI help message has been updated to instruct users not to include HA collections.

This wasn't quite enough to fix the OLCF use case though. It turns out the session tokens also need to require an associated identity from a specific domain. The CLI has been updated to provide require domains that get passed along to the scope creation.

Fixes

• Fixes Do not request data_access scopes for HA Globus Endpoints #679

Type of Change

• Breaking Change (fix or enhancement which changes existing semantics of the public interface)
• Enhancement (new features or improvements to existing functionality)
• Bug (fixes for a bug or issue)
• Internal (refactoring, style changes, testing, optimizations)
• Documentation update (changes to documentation or examples)
• Package (dependencies, versions, package metadata)
• Development (CI workflows, pre-commit, linters, templates)
• Security (security related changes)

Testing

Added unit tests and tested using a Globus HA test collection.

from proxystore.connectors.globus import GlobusConnector, GlobusEndpoint


eagle = GlobusEndpoint(
    uuid='05d2c76a-e867-4f67-aa57-76edeb0beda0',
    endpoint_path='/proxystore/globus-transfer-test',
    local_path='/eagle/proxystore/globus-transfer-test',
    host_regex='polaris.*',
)
flare = GlobusEndpoint(
    uuid='f39a7a0f-5bfc-46ce-9615-ba9f8592814f',
    endpoint_path='/proxystore/jgpaul/globus-transfer-test',
    local_path='/flare/proxystore/jgpaul/globus-transfer-test',
    host_regex='aurora.*',
)
ha = GlobusEndpoint(
    uuid='...',
    endpoint_path='/gcs_users/jgpauloski/globus-transfer-test',
    local_path='/gcs_users/jgpauloski/globus-transfer-test',
    host_regex='temp.*',
)

def main() -> int:
    connector = GlobusConnector([flare, ha])
    key = connector.put(b'hello!')
    assert connector.exists(key)
    print('Transfer done!')
    connector.close(clear=False)

    return 0


if __name__ == '__main__':
    raise SystemExit(main())

Pull Request Checklist

• I have read the Contributing and PR submission guides.

Please confirm the PR meets the following requirements.

• Tags added to PR (e.g., breaking, bug, enhancement, internal, documentation, package, development, security).
• Code changes pass pre-commit (e.g., mypy, ruff, etc.).
• Tests have been added to show the fix is effective or that the new feature works.
• New and existing unit tests pass locally with the changes.
• Docs have been updated and reviewed if relevant.