[Tools] Add Kerberos support for cta-admin commands
Description
This commit integrates the Kerberos authentication implementation, provided by the dCache team, with the cta frontend.
Main points
The gRPC server now has a Negotiation service that provides the Negotiate RPC.
Admin commands authenticating with Kerberos first make a Negotiate call, then receive a token that they attach as custom call metadata. On a successful Kerberos Negotiation, this token is stored on the server side.
Therefore, on the subsequent admin command call, the token is extracted by the server and, if it is found in the server’s token storage, authentication with Kerberos succeeds. Tokens are not kept beyond an admin call’s duration.
Checklist
- Documentation reflects the changes made.
- Merge Request title is clear, concise, and suitable as a changelog entry. See our contributing docs
References
Closes #1297 (closed)
Edited by Konstantina Skovola
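
The server-side token handling described under "Main points", modelled as an added example that is not code from this merge request or from the CTA code base. `TokenStore`, `issue()` and `consume()` are hypothetical names; minting the token from `/dev/urandom` and erasing it at lookup time are assumptions (the description only says tokens are not kept beyond an admin call's duration).

```cpp
// Added illustration: TokenStore, issue() and consume() are hypothetical names,
// not identifiers from the CTA code base.
#include <cstddef>
#include <fstream>
#include <iostream>
#include <mutex>
#include <stdexcept>
#include <string>
#include <unordered_map>

class TokenStore {
public:
  // After a successful Negotiate call: mint a token, remember its principal.
  std::string issue(const std::string& principal) {
    std::string token = randomHex(32);  // assumption: 256-bit random token
    std::lock_guard<std::mutex> lock(m_mutex);
    m_tokens[token] = principal;
    return token;
  }
  // On an admin call: look up the token taken from the call metadata and
  // erase it in the same critical section, so a replayed token is rejected.
  bool consume(const std::string& token, std::string& principal) {
    std::lock_guard<std::mutex> lock(m_mutex);
    auto it = m_tokens.find(token);
    if (it == m_tokens.end()) return false;
    principal = it->second;
    m_tokens.erase(it);
    return true;
  }
private:
  static std::string randomHex(std::size_t nBytes) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    std::string raw(nBytes, '\0');
    if (!urandom.read(&raw[0], static_cast<std::streamsize>(nBytes)))
      throw std::runtime_error("cannot read /dev/urandom");
    static const char hex[] = "0123456789abcdef";
    std::string out;
    for (unsigned char c : raw) { out += hex[c >> 4]; out += hex[c & 0x0f]; }
    return out;
  }
  std::mutex m_mutex;
  std::unordered_map<std::string, std::string> m_tokens;
};

int main() {
  TokenStore store;
  std::string who, token = store.issue("admin@EXAMPLE.ORG");  // constructed principal
  std::cout << "first use:  " << store.consume(token, who) << " (" << who << ")\n";
  std::cout << "replay:     " << store.consume(token, who) << "\n";
  return 0;
}
```

Doing the lookup and the erase under one lock means two concurrent calls carrying the same token cannot both authenticate.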