Kerberos authentication implementation for cta-admin-grpc
Two proposed solutions:
1. Use the existing implementation (provided by Jacek).
This implements the Negotiation service (Negotiate rpc) on the CTA Frontend gRPC server. The client obtains a (Kerberos) token by making an rpc call to the Negotiation service, and attaches that token to the rpc made for the actual command execution.
This token is kept on the server side, see:
m_streamState = StreamState::FINISH;
m_response.set_is_complete(true);
m_response.set_challenge("");
/*
 * The token can be of any type;
 * currently a Kerberos (KRB) token is used.
 */
m_response.set_token(std::string(reinterpret_cast<const char*>(gssRecvToken.value), gssRecvToken.length));
m_asyncServer.tokenStorage().store(std::string(reinterpret_cast<const char*>(gssRecvToken.value), gssRecvToken.length), m_request.service_principal_name());
m_rwNegotiation.Write(m_response, m_tag);
When the actual cta-admin gRPC command is submitted, the server checks that it has stored this token, which means that it was able to successfully identify the client with Kerberos.
Note: add deletion logic for the token once it is no longer needed. Simplest option: delete it right after validating it. Perhaps also add a periodic cleanup so that any unused tokens are deleted, too.
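As an added illustration of the store, validate, delete lifecycle described in the note above (example code, not CTA's own tokenStorage() implementation; the class and method names are assumed), the store below validates and deletes a token in one locked step and offers the periodic cleanup for tokens that were never used:

```cpp
#include <chrono>
#include <mutex>
#include <string>
#include <unordered_map>

// Hypothetical single-use token store, not CTA's own tokenStorage().
// A token issued by the Negotiate rpc is stored with the principal it
// authenticated and the time it was stored. Validation deletes the token
// in the same locked step, so a token presented twice is rejected, and a
// periodic purge removes tokens that were never used.
class NegotiationTokenStorage {
public:
  using Clock = std::chrono::steady_clock;
  void store(const std::string& token, const std::string& principal,
             Clock::time_point now = Clock::now()) {
    std::lock_guard<std::mutex> lock(m_mutex);
    m_tokens[token] = Entry{principal, now};
  }
  // Validation on the command rpc: returns true and sets principal if the
  // token is known; the token is erased so a second presentation fails.
  bool consume(const std::string& token, std::string& principal) {
    std::lock_guard<std::mutex> lock(m_mutex);
    auto it = m_tokens.find(token);
    if (it == m_tokens.end()) return false;
    principal = it->second.principal;
    m_tokens.erase(it);
    return true;
  }
  // Periodic cleanup: drop tokens older than ttl that were never consumed.
  // Returns the number of tokens removed.
  std::size_t purgeExpired(Clock::duration ttl,
                           Clock::time_point now = Clock::now()) {
    std::lock_guard<std::mutex> lock(m_mutex);
    std::size_t removed = 0;
    for (auto it = m_tokens.begin(); it != m_tokens.end();) {
      if (now - it->second.storedAt > ttl) { it = m_tokens.erase(it); ++removed; }
      else ++it;
    }
    return removed;
  }
  std::size_t size() const {
    std::lock_guard<std::mutex> lock(m_mutex);
    return m_tokens.size();
  }
private:
  struct Entry { std::string principal; Clock::time_point storedAt; };
  mutable std::mutex m_mutex;
  std::unordered_map<std::string, Entry> m_tokens;
};
```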
2. Use Keycloak to obtain the Kerberos token.
We already have a Keycloak deployment, on which we rely to obtain the JWT used for WFE authentication. We also rely on Keycloak to provide a JWT for cta-admin authentication when we prefer that method to Kerberos.
Keycloak also supports Kerberos authentication.