Configuration of auth method in cta-admin-grpc
Let's discuss how we want to specify which authentication method will be used by cta-admin-grpc: JWT (case for scripts) or Kerberos (case for operators)?
The XRootD/SSI way
Currently, the XRootD/SSI implementation chooses this based on environment variables, specifically XrdSecPROTOCOL.
It is the XRootD/SSI framework that checks the value of this env variable and chooses to use the corresponding authentication method.
On the client side, if for example SSS is to be used, then we are required to do the following:
export XrdSecPROTOCOL=sss
export XrdSecSSSKT=/etc/cta/eos.sss.keytab
cta-admin tape ls
and if Kerberos is to be used, then do:
kinit user@REALM
export XrdSecPROTOCOL=krb5
cta-admin tape ls
The gRPC way - what we need to discuss
I propose to mirror what XRootD/SSI does and use environment variables as well. Something like CTA_ADMIN_GRPC_AUTH_METHOD:
- For JWT:
export CTA_ADMIN_GRPC_AUTH_METHOD=jwt
cta-admin tape ls
- For Kerberos:
kinit user@REALM
export CTA_ADMIN_GRPC_AUTH_METHOD=krb5
cta-admin tape ls
And, perhaps, if nothing is specified, we can use one of the two as the default?
Edited by Konstantina Skovola
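One way a client-side wrapper could resolve the proposed variable, shown as an added example that is not part of the original issue or of the CTA code base. The function names and the `krb5` default passed in the usage line are assumptions (the issue leaves the default open); an unrecognised value is rejected instead of falling back to the default.

```shell
#!/bin/sh
# Added example, not CTA code. CTA_ADMIN_GRPC_AUTH_METHOD is the variable
# proposed in the issue; function names and the default are assumptions.

# Print the auth method to use; return 2 on an unsupported value.
# $1 = method to use when the variable is unset (assumed default).
resolve_auth_method() {
    default_method=$1
    # Unset -> default. Set-but-empty is treated as a mistake, not as "unset".
    if [ -z "${CTA_ADMIN_GRPC_AUTH_METHOD+set}" ]; then
        method=$default_method
    else
        method=$(printf '%s' "$CTA_ADMIN_GRPC_AUTH_METHOD" | tr '[:upper:]' '[:lower:]')
    fi
    case $method in
        jwt|krb5)
            printf '%s\n' "$method" ;;
        *)
            # Fail closed: a typo must not silently select another method.
            printf 'unsupported CTA_ADMIN_GRPC_AUTH_METHOD: "%s" (expected jwt or krb5)\n' \
                "$method" >&2
            return 2 ;;
    esac
}

# Check that the chosen method can work before contacting the server.
preflight_auth() {
    case $1 in
        krb5)
            # klist -s (MIT Kerberos) prints nothing and exits non-zero
            # when there is no valid ticket in the credential cache.
            klist -s || {
                echo 'no valid Kerberos ticket; run kinit user@REALM' >&2
                return 1
            } ;;
        jwt)
            : ;;  # token source is not specified in the issue; nothing to check
    esac
}

# Usage (assumed default krb5):
#   method=$(resolve_auth_method krb5) && preflight_auth "$method" && cta-admin tape ls
```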